Chapter 2: Exercises — Threat Landscape and Attack Taxonomy
These exercises progress from foundational knowledge of threat actors and frameworks to applied threat analysis. They will build your ability to think systematically about threats and connect that thinking to real-world penetration testing.
Beginner Exercises
Exercise 2.1: Threat Actor Classification
Classify each of the following threat actors by motivation, capability level, and targeting pattern (opportunistic, semi-targeted, or targeted). Justify each classification in 1-2 sentences.
a) A teenager who downloads Kali Linux and uses Metasploit to scan random IP addresses for vulnerable services.
b) The Lazarus Group (North Korea) conducting the SWIFT banking heist.
c) A disgruntled database administrator who copies the customer database to a USB drive before resigning.
d) The Clop ransomware group exploiting the MOVEit vulnerability across hundreds of organizations.
e) An independent security researcher who discovers a zero-day in Chrome and sells it to Zerodium for $500,000.
f) A competitor hiring a third-party firm to conduct corporate espionage against your company.
Exercise 2.2: Cyber Kill Chain Mapping
Map the following attack narrative to the seven stages of the Cyber Kill Chain. Identify which stage each action falls into.
An attacker researches a target company on LinkedIn and discovers the names of several IT administrators. They craft a phishing email impersonating the company's HR department, attaching a malicious Word document that exploits a macro vulnerability. An administrator opens the document, which downloads a PowerShell script. The script installs a reverse shell that connects back to the attacker's server. The attacker uses the administrator's credentials to access the Active Directory, creates a new admin account for persistence, and eventually locates and exfiltrates the company's financial records.
For each stage, also identify one defensive control that could have disrupted the attack at that point.
Exercise 2.3: MITRE ATT&CK Exploration
Navigate to attack.mitre.org and answer the following questions:
a) How many techniques are listed under the "Initial Access" tactic? List five of them.
b) Look up technique T1566 (Phishing). What sub-techniques does it have? For each sub-technique, give a brief description in your own words.
c) Look up the threat group APT29. What are three of their documented techniques?
d) Look up technique T1059 (Command and Scripting Interpreter). What sub-techniques exist, and which is most commonly used according to the procedure examples?
e) Find the MITRE ATT&CK data source for "Network Traffic." What types of detection does it enable?
Exercise 2.4: Attack Vector Identification
For each of the following breach descriptions, identify the primary attack vector used:
a) Employees received emails appearing to be from Microsoft 365, asking them to re-authenticate. Those who clicked the link were taken to a convincing replica of the Microsoft login page.
b) An attacker discovered that the company's Jenkins server was exposed to the Internet with default credentials.
c) A popular JavaScript npm package was compromised when an attacker gained access to the maintainer's npm account, and a malicious version was published that collected environment variables from machines where the package was installed.
d) An attacker purchased stolen credentials from a dark web marketplace and used them to log into the company's VPN, which did not require multi-factor authentication.
e) A zero-day vulnerability in the company's firewall was exploited before the vendor released a patch.
Exercise 2.5: Threat Intelligence Sources
For each type of threat intelligence (strategic, tactical, operational, technical), provide one specific, real-world example source where you could find that type of intelligence. Explain why each source qualifies as that particular type.
Intermediate Exercises
Exercise 2.6: ShopStack Threat Model
Using the ShopStack environment described in Section 2.6, develop a threat model that includes:
a) The three most likely threat actors targeting ShopStack, ranked by probability of attack
b) The three most valuable assets to each identified threat actor
c) The three most likely attack vectors for each threat actor
d) An estimated risk level (High/Medium/Low) for each threat-vector combination
e) One recommended mitigation for each identified risk
Present your threat model as a structured table.
Exercise 2.7: ATT&CK Navigator Exercise
Access the ATT&CK Navigator at mitre-attack.github.io/attack-navigator/. Create a layer that represents the attack techniques likely to be used against ShopStack. Color-code techniques by likelihood:
- Red: Very likely (these techniques are commonly used against similar targets)
- Yellow: Possible (these techniques could be used but are less common)
- Green: Unlikely (these techniques target capabilities ShopStack does not have)
Export a screenshot of your layer and write a one-paragraph analysis of the results.
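A Navigator layer is a JSON file, so the color-coding above can be generated rather than clicked through. The following is an added example (not part of this chapter or of the Navigator project) that builds such a layer; it assumes the layer schema fields name, domain, versions, techniques[].techniqueID/color/comment and legendItems as of layer format 4.5, and the ShopStack likelihood ratings are constructed for illustration.

```python
import json

# Colors used by Exercise 2.7: red = very likely, yellow = possible, green = unlikely.
LIKELIHOOD_COLORS = {"very_likely": "#ff0000", "possible": "#ffff00", "unlikely": "#00ff00"}

# Constructed, illustrative ratings for ShopStack. The technique IDs are real
# ATT&CK enterprise IDs; the likelihood assigned to each is this example's assumption.
SHOPSTACK_RATINGS = [
    ("T1566", "very_likely", "Phishing against staff and the support desk"),
    ("T1190", "very_likely", "Exploit public-facing web application"),
    ("T1078", "very_likely", "Valid accounts bought from credential markets"),
    ("T1195", "possible", "Supply chain compromise via an npm dependency"),
    ("T1059", "possible", "Command and scripting interpreter after initial access"),
    ("T1200", "unlikely", "Hardware additions: ShopStack has no sites of note"),
]

def build_layer(name, ratings, domain="enterprise-attack"):
    """Return a Navigator layer as a dict. Field names follow the layer JSON
    schema (assumption: layer format 4.5); unknown likelihood labels are rejected
    so a typo cannot silently leave a technique uncolored."""
    techniques = []
    for technique_id, likelihood, comment in ratings:
        if likelihood not in LIKELIHOOD_COLORS:
            raise ValueError(f"unknown likelihood {likelihood!r} for {technique_id}")
        techniques.append({
            "techniqueID": technique_id,
            "color": LIKELIHOOD_COLORS[likelihood],
            "comment": comment,
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": domain,
        "description": "Likelihood of ATT&CK techniques being used against ShopStack",
        "techniques": techniques,
        "legendItems": [{"label": k.replace("_", " "), "color": v}
                        for k, v in LIKELIHOOD_COLORS.items()],
    }

def count_by_color(layer):
    """Count techniques per color: a quick sanity check before uploading the layer."""
    counts = {}
    for technique in layer["techniques"]:
        counts[technique["color"]] = counts.get(technique["color"], 0) + 1
    return counts

def layer_json(layer):
    # Serialise for the Navigator's "Open Existing Layer" upload.
    return json.dumps(layer, indent=2)
```

Save the output of layer_json to a .json file and open it in the Navigator to get the colored matrix the exercise asks you to screenshot.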
Exercise 2.8: Breach Analysis Using Frameworks
Choose one of the following real-world breaches and analyze it using both the Cyber Kill Chain and MITRE ATT&CK:
- The 2017 Equifax breach
- The 2020 SolarWinds supply chain attack
- The 2021 Colonial Pipeline ransomware attack
- The 2023 MGM Resorts attack
- The 2023 MOVEit vulnerability exploitation by Clop
For your chosen breach, write a 750-1000 word analysis that:
a) Maps the attack to the seven Kill Chain stages
b) Identifies at least five specific ATT&CK techniques used
c) Identifies at least three points where the attack could have been detected or disrupted
d) Discusses what defensive improvements the organization implemented after the breach
Exercise 2.9: Comparing Kill Chain and ATT&CK
Write a 500-word comparison of the Cyber Kill Chain and MITRE ATT&CK frameworks. Address:
- Strengths and weaknesses of each
- Situations where one is more useful than the other
- How they complement each other
- Which is more useful for penetration testing planning, and why
Exercise 2.10: Ransomware Business Model Analysis
Research the ransomware-as-a-service (RaaS) business model. Write a one-page analysis that covers:
- How the RaaS model works (developers, affiliates, revenue sharing)
- Why this model has made ransomware more prevalent
- How initial access brokers fit into the ecosystem
- The role of cryptocurrency in enabling the ransomware economy
- Three ways organizations can reduce their risk of ransomware attacks
Exercise 2.11: Supply Chain Attack Surface Mapping
For the ShopStack environment, map the complete supply chain attack surface. This includes:
- Every third-party library and framework in the technology stack
- Every SaaS service integrated into the platform
- Every infrastructure provider
- Every development tool and CI/CD component
For each supply chain dependency, assess:
- What happens if this dependency is compromised?
- Has there been a real-world supply chain attack against a similar dependency?
- What mitigations can reduce the risk?
Advanced Exercises
Exercise 2.12: Threat Intelligence Report
Write a fictional threat intelligence briefing for MedSecure Health Systems. The briefing should be 1000-1500 words and include:
a) Executive Summary: Key threats facing the healthcare sector in the current quarter
b) Threat Actor Profiles: Brief profiles of two specific threat groups known to target healthcare organizations (use real APT groups)
c) Vulnerability Alerts: Three recently disclosed CVEs that are relevant to MedSecure's technology stack (use real CVEs)
d) Indicators of Compromise: Five fictional but realistic IOCs (IP addresses, domain names, file hashes) with context
e) Recommendations: Five specific, actionable recommendations based on the threat intelligence
Exercise 2.13: Pentest Scope Informed by Threat Intelligence
You have been hired to conduct a penetration test of ShopStack. Using the threat analysis from Section 2.6 and your work in Exercise 2.6, develop a pentest proposal that includes:
a) The most realistic threat scenarios to simulate (based on ShopStack's threat profile)
b) Specific ATT&CK techniques to test
c) Prioritized testing areas (which components get the most attention, and why)
d) Proposed timeline and phases
e) Expected deliverables
This exercise practices connecting threat intelligence to pentest planning — a skill that distinguishes strategic pentesters from tool operators.
Exercise 2.14: MedSecure vs. ShopStack Comparative Risk Assessment
Create a comparative risk assessment for MedSecure and ShopStack. For each organization, assess risk across the following categories using a 1-5 scale with justification:
| Risk Category | MedSecure (1-5) | ShopStack (1-5) | Justification |
|---|---|---|---|
| Ransomware | | | |
| Data breach (PII/PHI) | | | |
| Supply chain | | | |
| Insider threat | | | |
| Web application attack | | | |
| Credential compromise | | | |
| Regulatory non-compliance | | | |
Then write a 500-word analysis comparing their overall risk postures and explaining why different organizations face fundamentally different threat landscapes.
Exercise 2.15: Emerging Threat Analysis
Choose one emerging threat from Section 2.10 (AI-powered attacks, OT/IoT threats, quantum computing threats, or cloud-native threats). Write a 750-word analysis that includes:
a) Current state of the threat (what is happening now)
b) Near-term evolution (next 2-3 years)
c) Impact on ethical hacking methodology (how pentesters will need to adapt)
d) Impact on one of our running examples (MedSecure or ShopStack)
e) Three specific recommendations for organizations preparing for this threat
Exercise 2.16: Attack Tree Construction
An attack tree is a formal model that represents the various ways an attacker can achieve a goal. Construct an attack tree for the following goal:
Root Goal: Exfiltrate patient records from MedSecure's Epic EHR system
Your tree should:
- Have at least three main branches (different attack paths)
- Give each branch at least three levels of sub-goals
- Use leaf nodes that are specific, actionable attack techniques
- Annotate each leaf with the ATT&CK technique ID
- Estimate the difficulty (Easy/Medium/Hard) of each path
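Attack trees are usually drawn, but their real value comes from propagating the leaf ratings: an OR node takes the easiest child (the attacker picks), an AND node takes the hardest required child. The following is an added example, not part of this chapter, that encodes a reduced version of the MedSecure tree and computes each path's difficulty plus the path a defender should close first; the tree's nodes and their Easy/Medium/Hard ratings are constructed for illustration, while the technique IDs are real ATT&CK enterprise IDs.

```python
from dataclasses import dataclass, field
# Exercise 2.16 difficulty scale, mapped to numbers so it can be propagated up the tree.
DIFFICULTY = {"Easy": 1, "Medium": 2, "Hard": 3}
LABEL = {v: k for k, v in DIFFICULTY.items()}
@dataclass
class Node:
    goal: str
    kind: str = "LEAF"     # "OR": any child suffices; "AND": all children needed; "LEAF"
    technique: str = ""    # ATT&CK technique ID, leaves only
    difficulty: str = ""   # Easy / Medium / Hard, leaves only
    children: list = field(default_factory=list)

def score(node):
    """OR node: attacker takes the cheapest branch (min). AND node: every step is required, so the hardest step bounds the path (max)."""
    if node.kind == "LEAF":
        return DIFFICULTY[node.difficulty]
    if not node.children:
        raise ValueError(f"{node.kind} node {node.goal!r} has no children")
    scores = [score(child) for child in node.children]
    return min(scores) if node.kind == "OR" else max(scores)

def easiest_path(node):
    """Leaves on the lowest-difficulty path: the one a defender should close first."""
    if node.kind == "LEAF":
        return [node]
    if node.kind == "AND":
        return [leaf for child in node.children for leaf in easiest_path(child)]
    return easiest_path(min(node.children, key=score))

# Constructed, reduced tree for the MedSecure goal. Technique IDs are real ATT&CK
# enterprise IDs; the difficulty ratings are illustrative assumptions.
MEDSECURE_TREE = Node("Exfiltrate patient records from the Epic EHR", "OR", children=[
    Node("Compromise a clinician account", "AND", children=[
        Node("Obtain credentials", "OR", children=[
            Node("Phish a clinician", technique="T1566", difficulty="Easy"),
            Node("Reuse leaked credentials", technique="T1078", difficulty="Medium"),
        ]),
        Node("Get past MFA on remote access", technique="T1111", difficulty="Hard"),
        Node("Pull records over the C2 channel", technique="T1041", difficulty="Medium"),
    ]),
    Node("Exploit the patient portal", "AND", children=[
        Node("Exploit public-facing application", technique="T1190", difficulty="Hard"),
        Node("Exfiltrate over a web service", technique="T1567", difficulty="Medium"),
    ]),
    Node("Insider copies records", "AND", children=[
        Node("Query the clinical data repository", technique="T1213", difficulty="Easy"),
        Node("Copy to removable media", technique="T1052", difficulty="Easy"),
    ]),
])
```

With these ratings the insider branch scores Easy while both external branches score Hard, which is exactly the kind of result that should redirect a control budget toward repository access logging and removable-media policy.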
Exercise 2.17: Threat Landscape Presentation
Prepare a 10-minute presentation (slide deck with speaker notes) on the current threat landscape for a non-technical board of directors. The presentation should:
- Use minimal jargon (define any technical terms used)
- Include relevant statistics and real-world examples
- Explain why the board should care
- Provide three specific budget recommendations
- Be visually clear and professional
This exercise develops the communication skills essential for senior security roles.
Exercise 2.18: Defense Gap Analysis
Using the Kill Chain and ATT&CK frameworks, analyze MedSecure's described security controls (from Section 1.7) and identify defensive gaps:
a) For each Kill Chain stage, identify whether MedSecure has an effective defensive control. Rate each as Strong, Moderate, Weak, or Absent.
b) Identify five specific ATT&CK techniques that MedSecure would likely be unable to detect or prevent, given their described security posture.
c) For each identified gap, recommend a specific improvement with estimated cost and implementation complexity.
Practical Application
Exercise 2.19: Weekly Threat Monitoring
Set up a threat monitoring practice:
1. Subscribe to three cybersecurity news sources
2. Create a simple spreadsheet or document template
3. Each week for four weeks, record:
   - The most significant new vulnerability disclosed
   - The most significant breach or attack reported
   - One new threat actor report or campaign analysis
   - How the week's threats relate to MedSecure or ShopStack
This exercise builds the habit of continuous threat awareness that is essential for security professionals.
Exercise 2.20: MITRE ATT&CK Self-Study Plan
Create a self-study plan to deepen your ATT&CK knowledge:
1. Select five techniques from different tactics that you want to understand in depth
2. For each technique, plan to:
   - Read the ATT&CK page completely
   - Find and read one referenced report or paper
   - Identify a practical exercise you can do in your lab (Chapter 3)
   - Write a one-paragraph summary of the technique in your own words
3. Schedule the study across four weeks
Solutions to selected exercises are available in the appendix. Exercises marked with an asterisk (*) have model answers provided.