Exercises: Case Studies — The Breaches That Changed the Industry

These exercises ask you to do what a defender does after an incident: read a breach for its missing controls, map failures to the fixes in this book, decide what would actually have stopped it, and apply the lesson to your own organization. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.

This is the last exercise set in the book, so several problems interleave across the whole of it. Work in your own notebook or a private repository. Where an exercise asks you to "score," "rank," or "decide," the reasoning matters far more than the answer; a defensible "it depends, and here's what it depends on" often beats a confident wrong number.

⚖️ Authorization & Ethics: Every case here is a matter of public record, drawn from official incident reports. Study them to defend. Nothing in these exercises asks you to reproduce an attack; apply any technique only to systems you own or are explicitly authorized to test.


Part A — Read the breach (method & vocabulary) ⭐

1.† State the six steps of the §40.1 method for reading a breach, in order, in your own words.

2. A control "failed" in an incident. Define the three failure modes from §40.1 (absent, misconfigured, working-but-unwatched) and give a one-line remediation for each.

3.† For each of the three anchor breaches, write its transferable lesson (the principle, not the specifics) in a single sentence: (a) SolarWinds; (b) Colonial Pipeline; (c) Log4Shell.

4. Why does §40.1 insist you begin a breach analysis from "this was stoppable" rather than "the attackers were sophisticated"? What does each starting assumption lead a defender to do next?

5. Distinguish verified fact from speculation in breach reporting, and name two source types this chapter treats as authoritative (Tier 1) for incident facts.


Part B — Analyze this breach ⭐⭐

6.† SolarWinds, from the victim's seat. A customer organization ran the trojanized Orion update. (a) Why did the customer's patch-management program and code-signature verification both correctly pass the malicious update? (b) Name two stages after installation at which the customer could still have detected or contained SUNBURST, with the control for each. (c) Was this a failure of the customer's controls, or of something else? Defend your answer.

7. Colonial, the decisive control. The public record indicates initial access was a single legacy VPN account without MFA, using a password found in a breached-credential dataset. Identify the single control with the highest leverage to prevent this initial access, and explain why it would likely have stopped the whole incident. Then name the second control that would have caught the access if the first were somehow bypassed.

8.† Colonial, the defender's decision. The pipeline shutdown was a choice made by Colonial, not an action of the malware. (a) Explain, using the OT material (Ch.33), why the organization halted the physical process even though the ransomware reportedly hit IT systems. (b) What architectural control would have let the organization answer "is OT affected?" confidently enough to avoid a full shutdown? (c) Which Chapter 24 activity best prepares a team to make this call well under pressure?

9. Log4Shell, the real problem. In the days after disclosure, most teams could not begin patching because they could not answer one question. (a) What was the question? (b) Why was it so hard to answer (use the word transitive)? (c) Which control most directly turns that question into a fast query?

10.† Log4Shell, buying time. Patching could not be instantaneous, and exploitation began immediately. Name three defense-in-depth controls that protected internet-facing vulnerable applications before they were patched, and state precisely what each one did to break the attack chain.

11. Read a fourth breach. Pick any landmark breach not covered in §§40.2–40.4 (e.g., Equifax, Target, NotPetya, the MOVEit campaign, or Change Healthcare). Run it through the full §40.1 method: timeline (verified vs. uncertain), kill chain, controls that failed and how, controls that would have changed the outcome (by chapter), and the transferable lesson. One page.


Part C — Map controls to the failure ⭐⭐

12.† Build a controls-to-failure table for SolarWinds: for each of at least five failure points in the kill chain, name the control from this book that addresses it and the chapter that owns it. Mark each control as primarily preventive, detective, or corrective.

13. Build the same table for Colonial Pipeline (at least five rows). Then circle the one row you would fund first if you could only fund one, and justify the choice in two sentences.

14.† Build the same table for Log4Shell (at least five rows). Note which controls are about visibility (knowing your exposure) versus protection (blocking exploitation) versus detection (seeing exploitation attempts), and explain why all three categories were needed.

15. Across all three matrices you just built, which single control class appears most often as "highest-leverage" or "deciding factor"? Argue for why that capability deserves disproportionate investment, referencing at least two of the three cases.


Part D — What would have stopped it ⭐⭐–⭐⭐⭐

16.† For SolarWinds, §40.2 argues prevention was nearly impossible for victims, yet the breach was still "survivable or not" depending on the defender. Reconcile these two claims. What does this tell you about the relationship between prevention and detection in a mature program?

17. A board member, having read about Colonial, asks: "Can you promise this exact thing will never happen to us?" Write a three-to-four-sentence answer in the spirit of this book — honest about residual risk, specific about the controls that reduce it, and free of both false reassurance and fatalism.

18. Rank these four investments by expected risk reduction per dollar for a typical mid-size organization, and justify your ranking: (a) a next-generation firewall refresh; (b) phishing-resistant MFA on all remote access; (c) a software bill of materials / SCA program; (d) an additional threat-intel feed. Reference the three cases where relevant.

19. ⭐⭐⭐ §40.5 Pattern 5 says "the next breach will be different in detail, identical in shape." For each of the three anchor shapes (weaponized trust; the forgotten door; the invisible dependency), describe a plausible future incident — with a different technology and threat actor — that would have the same shape, and name the early-warning sign a defender would watch for.


Part E — Apply it to your org (Meridian and your own) ⭐⭐–⭐⭐⭐

20.† The breach stress-test (Meridian). For one of the three anchor breaches, trace its attack path against Meridian's completed program: name each Meridian control that engages, in order, from initial access to objective, and identify the single residual gap. Conclude with one sentence the CISO could say to the board about Meridian's readiness for that breach class.

21. Repeat Exercise 20 for a second anchor breach. Then state, in one sentence, the difference in Meridian's posture between the two — is the bank better defended against one than the other, and why?

22. ⭐⭐⭐ Apply it to your own organization. Take an organization you know well (employer, school, or a small business you invent). For each of the three breach shapes, answer honestly: could it happen here, what control reduces it, and is that control present, misconfigured, or absent today? Where you find a gap, write the one-line remediation. Two pages maximum.

23. The forgotten door audit. Colonial began with an account no one remembered. Design a lightweight, repeatable process (the "minimum viable" version) that an under-resourced organization could run quarterly to find and kill stale, orphaned, and unused-but-privileged accounts. Reference the relevant chapters and name what telemetry the process consumes.
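One way to make the "minimum viable" audit of Exercise 23 concrete, as an added example that is not from the book: it joins three telemetry sources (a directory export, an HR roster, and last-logon data) and flags stale, orphaned, and privileged-but-unused accounts. All records, field names, and thresholds are constructed for illustration.

```python
"""Minimum-viable 'forgotten door' audit for Exercise 23: from a directory export,
an HR roster, and last-logon telemetry, flag accounts that are stale, orphaned, or
privileged-but-unused. Added example, not from the book; fields and thresholds are constructed."""
from datetime import date

TODAY = date(2024, 6, 30)  # constructed date of this audit run

# Constructed IdP/directory export: one record per account.
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "owner": "jdoe", "privileged": False, "mfa": True},
    {"user": "vpn-legacy", "enabled": True, "owner": "contractor-old", "privileged": False, "mfa": False},
    {"user": "svc-backup", "enabled": True, "owner": "ops-team", "privileged": True, "mfa": False},
    {"user": "tmp-vendor", "enabled": True, "owner": "jdoe", "privileged": True, "mfa": True},
    {"user": "asmith", "enabled": False, "owner": "asmith", "privileged": True, "mfa": True},
]
# Constructed HR roster (people and team owners still employed): owners absent here are orphaned.
HR_ACTIVE = {"jdoe", "asmith", "ops-team"}
# Constructed auth telemetry: last successful logon per account (absent = never seen).
LAST_LOGON = {
    "jdoe": date(2024, 6, 28), "vpn-legacy": date(2023, 11, 2), "svc-backup": date(2024, 1, 15),
}

def audit(accounts, hr_active, last_logon, today=TODAY, stale_days=90, priv_idle_days=30):
    """Return findings sorted by account name; each lists every reason it was flagged."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled: out of scope for this pass
        seen = last_logon.get(a["user"])
        idle = (today - seen).days if seen else None
        reasons = []
        if a["owner"] not in hr_active:
            reasons.append("orphaned")          # nobody living is accountable for it
        if idle is None or idle > stale_days:
            reasons.append("stale")             # unused for longer than the stale threshold
        if a["privileged"] and (idle is None or idle > priv_idle_days):
            reasons.append("privileged-unused")  # tighter idle budget for privileged accounts
        if not a["mfa"]:
            reasons.append("no-mfa")            # the Colonial condition on remote access
        if reasons:
            findings.append({"user": a["user"], "reasons": reasons, "idle_days": idle})
    return sorted(findings, key=lambda f: f["user"])
```

Run quarterly, the findings list is the kill list; each reason maps to a different owner (identity governance for orphaned, access lifecycle for stale, privileged access management for the rest).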


Part F — Respond / write it / design it ⭐⭐

24.† Write the detection. SUNBURST and Log4Shell both defeated indicator-based detection but were catchable behaviorally. In plain language (no product-specific syntax required), write the logic of two behavioral detection use cases: (a) one that would surface SolarWinds-style C2 (describe the condition on outbound traffic from internal servers); (b) one that would surface Log4Shell exploitation (describe the condition relating inbound external input to an unexpected outbound request or child process). For each, state the false-positive risk and one tuning idea.

25. Write the policy snippet. Draft a two-to-three-sentence vendor software requirement for Meridian's TPRM standard that, had every vendor met it, would have reduced the impact of both SolarWinds and Log4Shell. (Hint: it concerns what the vendor must disclose and prove about their software and build process.)

26. Respond to this incident (tabletop). You are the incident commander. At 09:14, your behavioral detection fires: a server running a trusted, recently-updated vendor agent has begun making regular outbound connections to a never-before-seen external domain. Walk through your first hour: triage decision, who you engage, what you do not do yet and why, and what evidence you preserve. Reference the IR lifecycle (Ch.24) and the SolarWinds lesson.
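The behavioral condition asked for in Exercise 24(a), which is also the 09:14 alert of Exercise 26, expressed as code. This is an added example, not from the book: the log format, hostnames, domains, baseline, allowlist, and thresholds are all constructed, and the two tuning knobs (a minimum hit count and a jitter bound on the interval) are the false-positive controls the exercise asks you to name.

```python
"""Behavioral detection sketch for Exercise 24(a) and the alert in Exercise 26: an internal
server beaconing at regular intervals to a domain it has never contacted before. Added
example, not from the book; log fields, domains, and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection records: (epoch seconds, source host, destination domain).
LOG = [
    (0, "app-srv-01", "updates.vendor.example"),
    # Regular ~30-minute beacon to a domain this host has never reached before.
    (1000, "app-srv-01", "c2-placeholder.example"),
    (2801, "app-srv-01", "c2-placeholder.example"),
    (4599, "app-srv-01", "c2-placeholder.example"),
    (6402, "app-srv-01", "c2-placeholder.example"),
    (8200, "app-srv-01", "c2-placeholder.example"),
    # Irregular, human-driven visits to a new domain: new, but not beacon-shaped.
    (100, "app-srv-02", "docs.newtool.example"),
    (130, "app-srv-02", "docs.newtool.example"),
    (900, "app-srv-02", "docs.newtool.example"),
    (4000, "app-srv-02", "docs.newtool.example"),
    # Regular polling of an allowlisted CDN: beacon-shaped, but known-good.
    (0, "app-srv-02", "cdn.example.net"),
    (600, "app-srv-02", "cdn.example.net"),
    (1200, "app-srv-02", "cdn.example.net"),
    (1800, "app-srv-02", "cdn.example.net"),
]
# Baseline of (host, domain) pairs seen during the learning window (e.g. the prior 30 days).
BASELINE = {("app-srv-01", "updates.vendor.example")}
# Tuning: domains legitimately polled on a schedule (CDNs, update servers, SaaS health checks).
ALLOWLIST = {"cdn.example.net"}

def detect_beacons(log, baseline, allowlist, min_hits=4, max_jitter=0.2):
    """Alert on never-before-seen (host, domain) pairs whose connection gaps are regular."""
    by_pair = defaultdict(list)
    for ts, host, domain in log:
        by_pair[(host, domain)].append(ts)
    alerts = []
    for (host, domain), times in by_pair.items():
        if domain in allowlist or (host, domain) in baseline:
            continue  # known pair: not "never-before-seen"
        if len(times) < min_hits:
            continue  # tuning: too few connections to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        # Regularity test: coefficient of variation of the gaps within the jitter bound.
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            alerts.append({"host": host, "domain": domain,
                           "period_s": round(period), "hits": len(times)})
    return alerts
```

The residual false-positive risk is a legitimate agent that starts polling a new vendor endpoint after an update, which is exactly why the alert in Exercise 26 is a triage decision rather than an automatic block.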

27. Design it. Sketch (words or a simple diagram) the IT/OT boundary architecture that would let an organization confidently answer "is OT affected?" during an IT-side ransomware incident, so it does not have to halt the physical process out of pure uncertainty. Label the boundary zone and the monitoring, and reference the Purdue model (Ch.33).


Part G — Interleaved (across the whole book) ⭐⭐

28.† Identity ↔ Colonial. Colonial's stale account ties to Chapters 16, 18, and 19. Explain the distinct role each plays: which prevents the credential from working at all, which finds and removes the account before it can be used, and which limits the damage if a valid privileged account is compromised.

29. Crypto ↔ SolarWinds. SolarWinds turned on the difference between "this artifact is signed" and "this artifact's origin and build are trustworthy." Using the cryptography of Chapters 4–5 and the provenance idea of Chapter 29, explain exactly what a digital signature does and does not guarantee, and what must be added to cover the gap.

30. Risk ↔ all three. For each breach, would a qualitative likelihood × impact score (Ch.1, 27) have flagged the underlying risk before the incident, given what was knowable at the time? Where the simple model would have understated the risk, explain why (consider the "interacts with everything" limitation from Ch.1's Case Study 1).

31. Metrics ↔ readiness. Pick three security metrics (Ch.36) that, if Meridian tracked them, would serve as leading indicators of resilience against these three breach classes. For each, state what good looks like and what a worrying trend would be.


Part H — CTF-style challenge ⭐⭐⭐

32.† The reassuring report. An external consultant delivers a glowing assessment of "BorderTrust Financial": "Fully PCI-DSS compliant. All vendor software is digitally signed and patched within 30 days. Firewalls are next-generation. No critical findings." Using everything this chapter taught about how SolarWinds, Colonial, and Log4Shell actually unfolded, identify at least five dangerous blind spots this report leaves unaddressed — places where a real adversary could still get in despite every claim being true. For each blind spot, name the breach whose shape it matches and the control that would close it. (The challenge is that every statement in the report is true — and the organization is still exposed.)


Part I — Synthesis & reflection ⭐⭐⭐

33. The five themes, proven. For each of the five recurring themes, name the one anchor breach (of the three) that most vividly demonstrates it, and explain the connection in two sentences.

34. ⭐⭐⭐ Your defender's creed. You have finished the book. In half a page, write — in your own voice — the three convictions you will carry into your security career, drawn from the five themes and these three cases. This is not a quiz; it is the thing you will want to have written down on a hard day.

35. ⭐⭐⭐ Open reflection. §40.5 argues that "studying breaches is not about the breaches" but about training pattern-recognition for the next, novel incident. Pick a recent breach from the news (after this book's writing) that you believe has one of the three shapes. Make the case for which shape it matches, what early sign a defender should have watched for, and which control from this book most directly addresses it. Bring it to a study group — disagreement is the point.


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group, your instructor, or your future team. This is the last exercise set in the book; if you can do these, you can read the next breach the way a defender does.