Exercises: Emerging Threats

DataField.Dev

Exercises: Emerging Threats

These exercises move from understanding how threats evolve to building the resilience, verification, and migration postures the chapter demands. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before reading one.

Work in your own notebook or a private repository. Several exercises ask you to build a crypto-inventory, assess PQC readiness, design ransomware resilience, or spot deepfake indicators — these are the chapter's signature skills, so spend real time on them. Where an exercise asks you to score or rank, the reasoning matters more than the exact number.

Part A — How threats evolve (concepts) ⭐

1.† In one sentence each, define the three forces that drive threat evolution — commoditization, specialization, and adaptation to defenses — then give one real example of each from the chapter.

2. Define initial access broker and living-off-the-land. Explain how they relate to each other in a modern ransomware intrusion.

3. A colleague says, "We bought a great new tool and that whole class of attack disappeared from our environment — problem solved." Using the §35.1 forces, write two sentences explaining why this confidence may be misplaced and what you would watch for next.

4.† For each emerging threat below, name which of the three evolutionary forces most explains its recent growth, and justify in a phrase: (a) the explosion in the number of ransomware victims; (b) attackers shifting from malicious executables to abusing PowerShell; (c) voice-cloning fraud becoming available to ordinary criminals.

5. Explain in your own words why the chapter argues you should "model the market, not memorize the list" of threats. What does this buy a defender that a memorized list does not?

Part B — Ransomware's business model ⭐⭐

6.† Define ransomware-as-a-service (RaaS) and explain, using the operator/affiliate split, why the volume of ransomware can rise even when no new encryption technique appears.

7. Distinguish single, double, and triple extortion. For each, name the single defensive control that is most undermined by that stage of evolution (e.g., what does double extortion defeat that single extortion did not?).

8.† Design ransomware resilience. A mid-size company asks you to make them "ransomware-proof." Explain why that exact framing is wrong, then design a resilience posture instead: list five controls, and for each, state the specific failure it mitigates. Assume the encryption will succeed.

9. The chapter claims "the best time to catch ransomware is before the ransom note." Explain why, referencing the typical sequence of a modern intrusion (access → dwell → detonation). What telemetry would you hunt during the quiet phase?

10. ⭐⭐⭐ A board member asks: "We spent heavily on immutable backups. Are we now safe from ransomware?" Write a three-to-four-sentence answer that is honest about what backups do and do not protect, referencing the CIA triad.

Part C — Analyze this (telemetry & scenarios) ⭐⭐

11.† Analyze this log. You are handed this (illustrative) excerpt from internal data-transfer logs. All times are UTC; the destination is in the documentation range 198.51.100.0/24.

03:14:22  host=FILESRV-02  user=svc_backup  dst=198.51.100.77  bytes=8,930,221,118  proto=https
03:51:09  host=FILESRV-02  user=svc_backup  dst=198.51.100.77  bytes=9,104,556,402  proto=https
04:20:33  host=FILESRV-02  user=svc_backup  dst=198.51.100.77  bytes=7,884,201,990  proto=https

(a) What stage of a modern ransomware attack does this most likely represent? (b) Which fields are the strongest indicators, and why is the account used suspicious? (c) Which item on the ransomware-resilience checklist would have detected this, and which would have limited it? (d) If this is caught now, what is the one thing the team most urgently needs to determine?

12. Analyze this. A SOC sees a signed, trusted network-monitoring agent — installed for years — suddenly begin making outbound DNS queries to a never-before-seen domain every 30 minutes, and spawning a PowerShell process it has never spawned before. (a) What category of attack from §35.3 does this fit? (b) Why would no signature or integrity check have flagged the agent itself? (c) Name the two defensive principles from the "Defender's Lens" that make this detectable and containable.

13.† Spot the deepfake indicators. A finance employee forwards you this account of a call they almost acted on:

- Caller appeared on video as the CFO; face and voice matched.
- Call came from an external/unknown number, not the CFO's usual line.
- Request: wire $480,000 to a NEW vendor account, "before end of day, keep it confidential."
- Caller deflected when asked to confirm a detail only the real CFO would know.
- Caller stressed urgency and secrecy repeatedly.

Identify every procedural red flag (not visual artifacts) in this account, and for each, name the control from §35.4 that addresses it.

14. Respond to this incident. Your organization receives a credible report that a fabricated video of your CEO announcing a (false) data breach is spreading on social media, and customers are calling in a panic. Sketch the first five response steps, in order. (Hint: this is an availability/reputation incident as much as a security one — who needs to be involved?)

Part D — Build a crypto-inventory & assess PQC readiness ⭐⭐–⭐⭐⭐

15.† Build a crypto-inventory. For each system below, classify the quantum exposure as HIGH, MEDIUM, or LOW using the chapter's rule (asymmetric public-key + long-lived data → HIGH; asymmetric + short-lived data → MEDIUM; symmetric/hash → LOW), and justify each in a phrase. - (a) A VPN using ECDHE key exchange; tunnels carry session traffic only. - (b) A 15-year medical-records archive encrypted with RSA-wrapped AES-256. - (c) Stored password hashes using Argon2. - (d) A firmware code-signing system using ECDSA, for devices deployed for ~8 years. - (e) A TLS-protected public marketing website (no sensitive data).

16. Assess PQC readiness. Write a short checklist (six to eight items) a defender would use to judge whether an organization is ready to begin a post-quantum migration. (Hint: it starts before any algorithm is chosen — what must you know first? what property must your systems have?)

17.† Explain harvest-now-decrypt-later to a non-technical executive in three sentences, and use it to justify why a particular system (you choose which) should be migrated to PQC now rather than "when quantum computers exist."

18. Define crypto-agility. Give one concrete design choice that makes a system crypto-agile and one common practice that makes a system the opposite (hard to migrate). Why does the chapter call the PQC migration "a forcing function to finally build crypto-agility"?

19. ⭐⭐⭐ Two systems both use RSA-2048. System X protects a payment session that is worthless after ten minutes; System Y protects a contract archive that must stay confidential for twenty years. Both are "using broken-by-quantum crypto." Argue which to migrate first and why, and explain what this teaches about prioritizing by quantum exposure rather than by algorithm alone.

20. Name the three NIST post-quantum standards by their FIPS numbers and what each is for (key establishment vs. digital signatures). Why does an organization need more than one — i.e., why isn't a single PQC algorithm enough to replace all of today's public-key uses? (If you are unsure of an exact number, say so and describe the algorithm's purpose — citation honesty applies to you too.)

Part E — Write the policy / design it ⭐⭐–⭐⭐⭐

21.† Write the policy. Draft a short out-of-band verification policy (one paragraph plus a 3–5 step procedure) for any request to move money or change payment details. It must defeat a deepfake CFO on a video call. State explicitly what channel and what secret the verification relies on, and what role urgency plays.

22. Design the architecture. You are designing a new internal application from scratch. List four specific design decisions that would make its cryptography crypto-agile, so that a future PQC migration is a configuration change rather than a rebuild.

23. Write a Sigma-style rule (in words). Describe — in structured prose or pseudo-rule form, not production syntax — a detection for the quiet phase of a ransomware intrusion: anomalous use of a living-off-the-land binary. Name the data source, the condition, and one tuning consideration to reduce false positives (legitimate admins use these tools too).

24. Build the emerging-threat watch. Produce a five-row emerging-threat watch table for an organization of your choice. Columns: threat, triage decision (act now / prepare / watch / dismiss), owner role, and the one concrete next action. Include at least one prepare and one dismiss, and justify the dismiss (saying "this does not apply to us" is a real decision).

25. ⭐⭐⭐ Design horizon scanning. Specify a horizon-scanning process for a small security team: its inputs (sources), its cadence, its triage decision, and its output artifact. Then explain the one filter question from §35.1 that keeps the process from becoming either alarmism or theater.

Part F — CTF-style challenge ⭐⭐⭐

26.† The dependency you didn't know you had. A developer proudly reports: "I hardened our build — we now reject any package whose name doesn't exactly match our approved list, and we verify every public package's signature." A security architect replies: "Good, but you may still be exposed to dependency confusion and to a legitimately signed but malicious package." Explain both gaps the architect is pointing at: (a) how dependency confusion could still pull an attacker's package despite the name check, and (b) why signature verification does not stop the SolarWinds-class build-compromise pattern. Then propose one mitigation for each gap.

Part G — Interleaved & forward-looking ⭐⭐

27. Interleaved (Ch.4 + Ch.35). The quantum threat severely affects RSA and ECC but barely affects AES-256 and SHA-256. Using what you learned about symmetric vs. asymmetric cryptography in Chapter 4, explain why the impact is so different. What property of asymmetric cryptography is the vulnerability?

28. Interleaved (Ch.29 + Ch.35). Chapter 29 gave you SBOMs and vendor risk; this chapter gave you the "next generation" of supply chain attacks. Pick one next-generation attack (open-source dependency, dependency confusion, or hardware/firmware) and explain which Chapter 29 control helps and where it falls short — i.e., what new defensive capability this chapter adds.

29. Interleaved (Ch.2 + Ch.35). Map a modern double-extortion ransomware attack onto the cyber kill chain from Chapter 2. At which stages does the §35.2 resilience checklist give you a detection or prevention opportunity? (Identify at least three stage→control pairings.)

30. ⭐⭐⭐ Open reflection. The chapter argues the most durable skill is reasoning about a threat this book never named. Invent a plausible emerging threat that combines two forces from §35.1 (e.g., commoditized deepfakes + RaaS-style specialization), describe how it would work, and run it through the horizon-scanning triage. What decision would you reach, and why?

Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor. Several (8, 15, 21, 24, 25) double as starter artifacts for your capstone program; keep your answers.