Quiz: Threat Detection and Hunting
Twenty-five self-check questions: multiple choice, true/false with justification, and short answer. Several are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for (ISC)² CISSP (chiefly Domain 7, Security Operations). Answer before opening the key.
Multiple Choice
Q1. [Sec+] Which best distinguishes threat hunting from detection engineering?
- A. Hunting is automated; detection engineering is manual.
- B. Hunting proactively searches for adversary activity that no alert caught; detection engineering builds the automated rules that fire on anticipated activity.
- C. They are synonyms for the same SOC activity.
- D. Hunting only uses threat intelligence; detection engineering never does.
Q2. [Sec+] On the pyramid of pain, which indicator is the most painful for an adversary to change?
- A. A file hash.
- B. A command-and-control IP address.
- C. A malicious domain name.
- D. A tactic, technique, or procedure (TTP).
Q3. An adversary's malware is caught by its SHA-256 hash, so they recompile and the detection stops working. This is a direct consequence of detecting at which pyramid layer?
- A. TTPs (top).
- B. Tools.
- C. Hash values (bottom).
- D. Network/host artifacts.
Q4. [Sec+] What is a Sigma rule?
- A. A proprietary Splunk-only detection format.
- B. A generic, vendor-agnostic detection written in YAML that compiles to a specific SIEM's query language.
- C. A network IDS signature for packet inspection.
- D. A YARA rule for scanning files.
Q5. [CISSP] Which intelligence tier is most directly useful for building durable behavioral detections?
- A. Strategic (who targets your sector and why).
- B. Operational (campaign-level TTPs mapped to ATT&CK).
- C. Tactical (specific hashes, IPs, domains).
- D. Executive (board-level risk narrative).
Q6. A false negative is best described as:
- A. A benign event that wrongly triggered an alert.
- B. A real attack that produced no alert and went undetected.
- C. An alert that fired but was closed without investigation.
- D. A detection rule that failed to compile.
Q7. [Sec+] In a Sigma rule, what is the purpose of the `tags:` field containing values like `attack.t1059.003`?
- A. It sets the alert's severity.
- B. It maps the detection to a specific MITRE ATT&CK technique, enabling coverage measurement.
- C. It tells the SIEM which index to query.
- D. It lists the rule's expected false positives.
Q8. Why can the SolarWinds-style beaconing behavior not be expressed as a pure field-match Sigma rule?
- A. Sigma cannot read network logs at all.
- B. Beaconing is a statistical property across many events (regularity over time), not a single field value, so it needs a behavioral analytic on top of a selection.
- C. The destination IP is unknown.
- D. Beaconing only happens on encrypted channels Sigma cannot see.
Q9. [CISSP] Detection coverage mapping against ATT&CK is best understood as:
- A. A compliance checkbox that proves detection exists.
- B. A prioritization tool and data-source gap analysis that exposes which techniques you cannot detect.
- C. A single percentage to report to the board as a score.
- D. A replacement for threat hunting.
Q10. What is YARA primarily used for?
- A. Matching log events in a SIEM.
- B. Inspecting network packets at the perimeter.
- C. Pattern-matching to identify and classify files and process memory by their content.
- D. Aggregating threat-intelligence feeds.
Q11. [Sec+] A threat intelligence platform (TIP) primarily exists to:
- A. Replace the SIEM.
- B. Aggregate, normalize, de-duplicate, score, and distribute threat-intel feeds to detection tooling.
- C. Run hypothesis-driven hunts automatically.
- D. Block malicious IPs at the firewall.
Q12. Which of the following is the strongest example of a behavioral (TTP-level) detection?
- A. Alert when a connection is made to IP 203.0.113.77.
- B. Alert when a file with hash 5f4dcc3b... is seen.
- C. Alert when a process spawned by a web server launches a command shell.
- D. Alert when a connection is made to a domain on a blocklist.
Q13. [CISSP] The most important output of a successful threat hunt is:
- A. A closed ticket.
- B. A new durable detection (or a documented visibility gap) that improves the program permanently.
- C. A report to the board.
- D. A blocked IP address.
Q14. STIX and TAXII are best described as, respectively:
- A. A SIEM and a firewall.
- B. A structured language for describing threats, and a protocol for transporting that description between organizations.
- C. Two competing threat-intel vendors.
- D. A detection rule format and a hunting framework.
True / False (with one-sentence justification)
Q15. [Sec+] A quiet alert queue is reliable evidence that no attacker is present. True or false — justify.
Q16. Indicator-based detection should be abandoned in favor of behavioral detection. True or false — justify.
Q17. [CISSP] You can directly measure your program's false-negative rate by counting missed attacks. True or false — justify.
Q18. A detection tagged with its ATT&CK technique counts toward coverage even if the SIEM does not collect the data the rule needs. True or false — justify.
Q19. Tuning a detection to reduce false positives can increase false negatives. True or false — justify.
Q20. Operational threat intelligence (TTPs) is generally more durable for detection than tactical indicators (hashes/IPs). True or false — justify.
Short Answer
Q21. [Sec+] State the hypothesis-driven hunting template and give one concrete, well-formed hypothesis for detecting command-and-control beaconing.
Q22. Name the six steps of the hunt loop in order, and explain in one sentence why Step 6 (operationalize) is what makes a hunt different from a one-off investigation.
Q23. [CISSP] Explain the asymmetry between a false positive and a false negative in terms of visibility and cost, and name the two practices from this chapter that attack the (invisible) false-negative problem.
Q24. Why is an all-indicator-feed detection program described in the chapter as "optimized for the adversary's convenience"? Reference the pyramid of pain.
Q25. A threat-intel report on a campaign hitting your sector lists three C2 domains and a paragraph describing the adversary's persistence and beaconing techniques. Which part of the report is more valuable to a detection engineer, and what do you do with each part?
Answer Key
**Q1 — B.** Hunting is the proactive, human-led search for activity no rule caught; detection engineering builds and maintains the automated rules. (Hunting is *manual*, not automated — A inverts it.) *[§22.1]*
**Q2 — D.** TTPs sit at the top of the pyramid; changing them forces the adversary to relearn how they operate, unlike a hash/IP/domain which is a cheap value swap. *[§22.2]*
**Q3 — C.** The hash layer (bottom) is trivial to evade — recompiling yields a new hash for free while the behavior is unchanged. *[§22.2]*
**Q4 — B.** Sigma is the vendor-agnostic YAML detection format that a backend compiles to SPL/KQL/etc.; YARA (D) is for files, Snort/Suricata (C) for packets. *[§22.4]*
**Q5 — B.** Operational/TTP-level intelligence yields durable, top-of-pyramid behavioral detections; tactical indicators are short-lived; strategic informs priorities, not specific rules. *[§22.3]*
**Q6 — B.** A false negative is a real attack that fired no alert — the invisible counterpart to the false positive (A). *[§22.6]*
**Q7 — B.** The `attack.*` tags map the detection to an ATT&CK technique, which is what makes coverage measurement possible. `level` sets severity (A), `logsource` chooses the data (C). *[§22.4]*
**Q8 — B.** Beaconing is a statistical pattern over many events (regular interval), so a field match can only select candidate connections; detecting the beacon requires an analytic (a `beacon_score`) on top. *[§22.4, §22.5]*
**Q9 — B.** Coverage mapping is a prioritization/gap tool, not a compliance score or a hunting replacement; a flat percentage (C) is explicitly called misleading. *[§22.6]*
**Q10 — C.** YARA pattern-matches the *content* of files and process memory; it is the file/memory counterpart to Sigma's log focus. *[§22.4]*
**Q11 — B.** A TIP aggregates, normalizes, de-duplicates, scores, and distributes intel feeds — it complements the SIEM, it doesn't replace it. *[§22.3]*
**Q12 — C.** "A web-server process launching a shell" is a *behavior/technique*; A, B, and D all match static indicators (bottom of the pyramid). *[§22.2]*
**Q13 — B.** A hunt's defining output is a permanent program improvement — a new detection or a documented visibility gap — not a closed ticket. *[§22.5]*
**Q14 — B.** STIX = the structured *language* for describing threats; TAXII = the *transport protocol* for sharing STIX. *[§22.3]*
**Q15 — False.** Alerts fire only on anticipated activity, so a quiet queue can equally mean "no attacker" or "an attacker entirely within your blind spots" (as Sunburst was for ~9 months). *[§22.1]*
**Q16 — False.** Indicator detection is cheap, precise, and worth doing — it is the *floor*, not to be abandoned; the point is to also climb toward behavior, not to replace one with the other. *[§22.2]*
**Q17 — False.** False negatives are attacks that left no alert and thus no record you can count — by definition you cannot directly measure what you never saw. *[§22.6]*
**Q18 — False.** Coverage depends on *data*, not just rules; a rule that needs telemetry the SIEM doesn't collect cannot fire, so it is not real coverage (a red cell can mean "no data"). *[§22.6]*
**Q19 — True.** Tuning is a tradeoff: tightening a rule to cut noise (fewer false positives) admits more misses (more false negatives), and loosening it does the reverse. *[§22.6]*
**Q20 — True.** TTPs sit at the top of the pyramid of pain and survive the adversary changing infrastructure, whereas hashes/IPs are trivially and frequently changed. *[§22.2, §22.3]*
**Q21.** Template: *"If an adversary were performing [technique X], we would expect to see [observable Y] in [data source Z]."* Example: "If an adversary were running C2 (T1071.001), we would expect to see a server-tier host making repeated, low-jitter outbound HTTPS connections to a single external destination — look in Zeek conn.log / proxy logs." *[§22.5]*
**Q22.** Hypothesize → scope data → query/analyze → triage → conclude → operationalize. Step 6 makes it a hunt because it turns the finding into a *durable detection or a documented visibility gap* — a permanent improvement — rather than a one-time answer. *[§22.5]*
**Q23.** A false positive is *visible* (an analyst investigates and finds nothing) and costs *attention*; a false negative is *invisible* (a real attack that fired no alert) and costs an *undetected breach*. The two indirect attacks on false negatives are **coverage mapping** (reveals techniques with no detection/data) and **threat hunting** (proactively searches the uncovered space). *[§22.6]*
**Q24.** Because indicators (hashes/IPs/domains) are the bottom of the pyramid — the things the adversary can change in seconds for free — so a program built entirely on them catches commodity and reused-infra attacks while a targeted adversary evades it by changing values that cost them nothing. *[§22.2]*
**Q25.** The *techniques* paragraph is more valuable: techniques are top-of-pyramid and yield durable behavioral detections or hunt hypotheses. Turn the techniques into detections/hunts; load the three domains too (they cost nothing) but know they are short-lived and likely already burned. *[§22.3]*
Topics to Review by Question
- Q1, Q13, Q15, Q22 → §22.1 & §22.5 (detection vs. hunting; the hunt loop; absence-of-alerts).
- Q2, Q3, Q12, Q16, Q20, Q24 → §22.2 (pyramid of pain; indicator vs. behavioral).
- Q5, Q11, Q14, Q25 → §22.3 (threat intelligence, tiers, TIP, STIX/TAXII).
- Q4, Q7, Q8, Q10, Q18 → §22.4 (Sigma anatomy, ATT&CK tags, YARA).
- Q21 → §22.5 (hypothesis template).
- Q6, Q9, Q17, Q19, Q23 → §22.6 (coverage, false negatives, tuning tradeoff).
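Worked Example: Selection Plus Analytic for Beaconing (Q8, Q21)
The answers to Q8 and Q21 say that a Sigma-style field match can only narrow the candidate set and that detecting a beacon needs a `beacon_score` analytic on top. The script below is an added example, not code from the chapter: it runs that two-stage logic over a constructed Zeek conn.log excerpt. The chapter does not define how `beacon_score` is computed; the formula used here (one minus the coefficient of variation of the inter-connection intervals, so a perfectly periodic series scores 1.0) is this example's own choice, as are the thresholds, the list of "internal" networks, and the sample records (which imitate Zeek conn.log fields and are not captured traffic).

```python
"""Two-stage beacon detection: Sigma-style field selection, then a regularity
analytic over the selected connections.

Added example for Q8 and Q21, not code from the chapter. The beacon_score
formula, thresholds and sample log lines are this example's own assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: RFC 1918 space is "internal"; substitute your own address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed Zeek conn.log excerpt (tab-separated, subset of columns):
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
_BASE_TS = 1700000000.0
_BEACON_OFFSETS = [0, 299, 601, 900, 1202, 1499, 1801, 2100, 2398, 2701, 3001, 3299]
_BROWSE_OFFSETS = [0, 12, 13, 95, 340, 341, 900, 2400, 2410, 3300, 3305, 3310]

SAMPLE_CONN_LOG = "\n".join(
    ["#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"]
    # 10.0.0.5 -> 198.51.100.20:443 every ~300 s with a few seconds of jitter (beacon-like)
    + [f"{_BASE_TS + o:.3f}\t10.0.0.5\t{49200 + i}\t198.51.100.20\t443\ttcp\tssl"
       for i, o in enumerate(_BEACON_OFFSETS)]
    # 10.0.0.7 -> 203.0.113.10:443 in irregular bursts (browsing-like)
    + [f"{_BASE_TS + o:.3f}\t10.0.0.7\t{51000 + i}\t203.0.113.10\t443\ttcp\tssl"
       for i, o in enumerate(_BROWSE_OFFSETS)]
    # 10.0.0.5 -> 10.0.0.2:53 internal DNS: perfectly regular, but never selected
    + [f"{_BASE_TS + 60 * i:.3f}\t10.0.0.5\t{53000 + i}\t10.0.0.2\t53\tudp\tdns"
       for i in range(12)]
)


def parse_conn_log(text):
    """Parse the conn.log columns this example uses; skip Zeek '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, proto, service = line.split("\t")
        records.append({"ts": float(ts), "src": orig_h, "dst": resp_h,
                        "dport": int(resp_p), "proto": proto, "service": service})
    return records


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def select_candidates(records):
    """Stage 1: what a Sigma rule can express, a pure field match.
    TLS on 443 to an external host. This only narrows the candidate set."""
    return [r for r in records
            if r["service"] == "ssl" and r["dport"] == 443 and not is_internal(r["dst"])]


def beacon_score(timestamps):
    """Stage 2: regularity of inter-connection intervals.
    Returns (score in [0, 1], mean interval in seconds); score = 1 - CV."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return 0.0, 0.0
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(intervals)
    if mu <= 0:
        return 0.0, mu
    return max(0.0, 1.0 - pstdev(intervals) / mu), mu


def find_beacons(records, min_conns=6, min_score=0.8):
    """Group the selected connections per (src, dst, dport); keep the regular ones."""
    groups = defaultdict(list)
    for r in select_candidates(records):
        groups[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for (src, dst, dport), stamps in groups.items():
        if len(stamps) < min_conns:
            continue
        score, interval = beacon_score(stamps)
        if score >= min_score:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "connections": len(stamps),
                         "interval_s": round(interval, 1),
                         "beacon_score": round(score, 3)})
    return sorted(hits, key=lambda h: h["beacon_score"], reverse=True)


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(hit)
```

Both the beaconing host and the browsing host pass the stage-1 selection (24 candidate connections), which is exactly why the field match alone cannot answer the question; only the interval analytic separates the 300-second beacon from the bursty browsing. On a real conn.log you would also want to account for a malware's deliberate jitter (a looser `min_score`), long-lived connections, and the base rate of legitimate periodic traffic such as update checks.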
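Worked Example: Coverage Map That Knows About Missing Data (Q7, Q9, Q18)
The answers to Q7, Q9 and Q18 make three linked points: the `attack.*` tags on a Sigma rule are what let you measure ATT&CK coverage, a flat coverage percentage is misleading, and a rule whose `logsource` the SIEM does not ingest is not real coverage. The script below is an added example, not the chapter's code: it extracts technique IDs from Sigma tags, joins each rule's `logsource` against the telemetry actually ingested, and reports "rules written" and "rules that can fire" as two separate numbers. The rules, the technique scope and the ingested-source set are constructed for illustration, and the rules' `detection` bodies are omitted because the map does not need them.

```python
"""ATT&CK coverage map that separates "a rule exists" from "the rule can fire".

Added example for Q7, Q9 and Q18, not code from the chapter. Rules, scope and
the ingested data sources are constructed; only the Sigma fields the map needs
(title, logsource, tags) are present.
"""
import re
from collections import Counter

# Sigma technique tags look like attack.t1059.003; tactic tags such as
# attack.execution carry no technique ID and do not match this pattern.
_TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def techniques_from_tags(tags):
    """Return ATT&CK technique IDs (e.g. 'T1059.003') found in a Sigma tags list."""
    found = []
    for tag in tags:
        m = _TECHNIQUE_TAG.match(tag)
        if m:
            found.append(m.group(1).upper())
    return found


# Constructed, Sigma-shaped rules (detection bodies omitted).
RULES = [
    {"title": "Web Server Process Spawning a Shell",
     "logsource": {"product": "windows", "category": "process_creation"},
     "tags": ["attack.execution", "attack.t1059.003"]},
    {"title": "Regsvr32 Proxy Execution",
     "logsource": {"product": "windows", "category": "process_creation"},
     "tags": ["attack.defense-evasion", "attack.t1218.010"]},
    {"title": "Scheduled Task Created (Security Log)",
     "logsource": {"product": "windows", "service": "security"},
     "tags": ["attack.persistence", "attack.t1053.005"]},
    {"title": "Outbound TLS Beacon Candidates",
     "logsource": {"product": "zeek", "service": "conn"},
     "tags": ["attack.command-and-control", "attack.t1071.001"]},
]

# Telemetry the SIEM actually ingests (constructed): no Zeek feed yet.
INGESTED = {("windows", "process_creation"), ("windows", "security")}

# Techniques in scope for the map (constructed subset; a real map would use
# the slice of the ATT&CK matrix relevant to your threat model).
SCOPE = ["T1059.003", "T1218.010", "T1053.005", "T1071.001", "T1003.001", "T1547.001"]


def logsource_key(logsource):
    """Sigma logsource -> (product, category-or-service) key for the ingestion lookup."""
    return (logsource.get("product"),
            logsource.get("category") or logsource.get("service"))


def coverage_map(rules, ingested, scope):
    """Per technique: 'covered' (a rule exists and its data is ingested),
    'no-data' (rules exist but none can fire: the red cell), or 'none'."""
    status = {t: "none" for t in scope}
    for rule in rules:
        can_fire = logsource_key(rule["logsource"]) in ingested
        for tech in techniques_from_tags(rule["tags"]):
            if tech not in status:
                continue  # outside the scope being reported
            if can_fire:
                status[tech] = "covered"
            elif status[tech] == "none":
                status[tech] = "no-data"
    return status


def summarize(status):
    """The two numbers a flat percentage conflates, plus the two gap lists."""
    counts = Counter(status.values())
    total = len(status)
    return {
        "rules_written_pct": round(100 * (counts["covered"] + counts["no-data"]) / total),
        "can_actually_fire_pct": round(100 * counts["covered"] / total),
        "no_data": sorted(t for t, s in status.items() if s == "no-data"),
        "uncovered": sorted(t for t, s in status.items() if s == "none"),
    }


if __name__ == "__main__":
    print(summarize(coverage_map(RULES, INGESTED, SCOPE)))
```

With the constructed inputs, four of six techniques have a rule (67 percent "written") but only three can fire (50 percent), because the T1071.001 rule needs Zeek `conn` data that is not ingested. The `no_data` list is the data-source gap analysis from Q9 and the `uncovered` list is where new rules or hunts belong; adding `("zeek", "conn")` to the ingested set flips T1071.001 to covered without touching a single rule.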