Chapter 2: Quiz — Threat Landscape and Attack Taxonomy

Test your understanding of the modern threat landscape, threat actor classifications, MITRE ATT&CK, the Cyber Kill Chain, and common attack vectors. Answer from memory before checking the chapter.

Multiple Choice Questions

Question 1

Which threat actor category is characterized by using pre-built tools without deeply understanding how they work?

a) Advanced Persistent Threats (APTs) b) Organized criminal groups c) Script kiddies d) Insider threats

Question 2

In the Cyber Kill Chain, what stage comes immediately after "Delivery"?

a) Weaponization b) Exploitation c) Installation d) Command and Control

Question 3

How many tactics are in the Enterprise MITRE ATT&CK matrix?

a) 7 b) 10 c) 14 d) 20

Question 4

Which of the following is an example of a supply chain attack?

a) An employee clicks a phishing link and downloads malware b) An attacker exploits a SQL injection in a public-facing web application c) A legitimate software update is compromised with a backdoor that is distributed to thousands of customers d) A brute-force attack successfully guesses an administrator's password

Question 5

According to the Verizon 2024 Data Breach Investigations Report, approximately what percentage of breaches involved compromised credentials?

a) 10% b) 25% c) 50% d) 75%

Question 6

What is the ATT&CK technique ID for Phishing?

a) T1190 b) T1566 c) T1059 d) T1195

Question 7

In the ransomware ecosystem, what is the role of an "Initial Access Broker"?

a) They develop the ransomware encryption algorithms b) They negotiate ransom payments with victims c) They sell compromised credentials and access to other criminal groups d) They launder cryptocurrency payments

Question 8

Which of the following is NOT one of the seven stages of the Cyber Kill Chain?

a) Reconnaissance b) Weaponization c) Lateral Movement d) Actions on Objectives

Question 9

What type of threat intelligence provides specific indicators of compromise such as IP addresses, domain names, and file hashes?

a) Strategic intelligence b) Tactical intelligence c) Operational intelligence d) Technical intelligence

Question 10

In the SolarWinds attack, the adversary's initial access method is best classified as:

a) Phishing (T1566) b) Supply Chain Compromise (T1195) c) Exploit Public-Facing Application (T1190) d) Valid Accounts (T1078)

Short Answer Questions

Question 11

Explain the difference between opportunistic, semi-targeted, and targeted threat actors. Provide one example of each that would be relevant to MedSecure Health Systems. (4-6 sentences)

Question 12

Describe three specific criticisms of the Cyber Kill Chain model. For each criticism, explain how MITRE ATT&CK addresses or improves upon the limitation. (4-6 sentences)

Question 13

List five common attack vectors and rank them in order of prevalence based on current industry data. For each vector, name one defensive control that mitigates it. (5-7 sentences)

Question 14

Explain what "double extortion" means in the context of ransomware. Why has this technique made ransomware attacks more profitable for criminals? (3-5 sentences)

Question 15

Describe three ways that threat intelligence can improve the quality and realism of a penetration test. Use specific examples related to either MedSecure or ShopStack. (4-6 sentences)

Scenario-Based Questions

Question 16

You are planning a penetration test for ShopStack. Based on the threat analysis in Section 2.6, identify the three highest-priority areas to test and justify your choices. For each area, name the most relevant MITRE ATT&CK tactic. (6-8 sentences)

Question 17

An attacker sends a spear-phishing email to a MedSecure administrator containing a malicious Word document. The administrator opens the document, which exploits a macro vulnerability to download a reverse shell. The attacker then uses Mimikatz to extract domain credentials, moves laterally to the Epic EHR server, and begins exfiltrating patient records.

Map this attack to: a) The Cyber Kill Chain (identify each stage) b) At least four MITRE ATT&CK techniques (with IDs) c) Two points where MedSecure's existing defenses (as described in Section 1.7) might have detected or prevented the attack

Question 18

A colleague argues that "we only need to worry about nation-state hackers because they are the most dangerous." In 3-5 sentences, explain why this reasoning is flawed. What other threat actors should an organization like ShopStack prioritize, and why?

Answer Key

  1. c) Script kiddies. They rely on automated tools and publicly available exploits without understanding the underlying mechanics.

  2. b) Exploitation. The Kill Chain stages in order are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives.

  3. c) 14. The Enterprise ATT&CK matrix contains 14 tactics from Reconnaissance through Impact.

  4. c) A legitimate software update compromised with a backdoor. This is the defining characteristic of a supply chain attack — weaponizing the trust in a legitimate vendor.

  5. c) 50%. Credentials were compromised in approximately half of all breaches analyzed.

  6. b) T1566. T1190 is Exploit Public-Facing Application, T1059 is Command and Scripting Interpreter, T1195 is Supply Chain Compromise.

  7. c) They sell compromised credentials and access to other criminal groups. Initial Access Brokers specialize in gaining initial footholds and then selling that access.

  8. c) Lateral Movement. The Kill Chain's seven stages are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Lateral Movement is an ATT&CK tactic, not a Kill Chain stage.

  9. d) Technical intelligence. Technical intelligence consists of specific, machine-readable IOCs that can be used for detection.

  10. b) Supply Chain Compromise (T1195). The attackers compromised the SolarWinds Orion build process to distribute a backdoored update.

  11. Opportunistic attackers scan broadly without targeting specific organizations — for MedSecure, this might be an automated scanner detecting an exposed medical device with default credentials. Semi-targeted attackers focus on a specific industry — a ransomware group specializing in healthcare would scan for healthcare organizations with known vulnerable external services. Targeted attackers choose specific victims — a nation-state APT seeking specific patient data or research from MedSecure would conduct extensive reconnaissance before crafting a tailored attack. MedSecure faces all three types, which is why their security program must address both broad vulnerability management and sophisticated threat-specific defenses.

  12. First, the Kill Chain assumes a linear progression, but real attacks often loop or skip stages — ATT&CK addresses this by organizing techniques by tactic without implying sequence. Second, the Kill Chain focuses on network-based external attacks and models insider threats poorly — ATT&CK includes techniques for insider actions like Valid Accounts and Data from Local System. Third, the Kill Chain does not adequately address cloud-native or supply chain attacks — ATT&CK includes specific techniques like Cloud Account manipulation and Supply Chain Compromise with continuously updated sub-techniques.

  13. In order of prevalence: (1) Phishing/social engineering (email filtering and security awareness training), (2) Exploitation of vulnerabilities (patch management programs), (3) Credential-based attacks (MFA and strong password policies), (4) Web application attacks (WAFs and secure development practices), (5) Supply chain attacks (vendor risk management and SCA tools). Rankings are based on Verizon DBIR and CrowdStrike threat report data showing phishing and credential compromise as the most common initial access vectors.

  14. Double extortion means that ransomware operators both encrypt the victim's data AND exfiltrate it before encryption. If the victim restores from backups instead of paying for decryption, the attacker threatens to publish the stolen data publicly. This is especially devastating for organizations that handle sensitive data like patient records (MedSecure) or payment information (ShopStack), where the data exposure alone causes massive regulatory, legal, and reputational damage. The technique has increased ransomware profitability because it removes the victim's primary leverage — the ability to simply restore from backup and refuse to pay.

  15. First, threat intelligence about which APT groups are actively targeting healthcare allows the pentest team to simulate the specific techniques those groups use, making the test more realistic — for MedSecure, knowing that Ryuk/Conti target healthcare would shape the initial access and post-exploitation approach. Second, intelligence about recently exploited CVEs in the client's technology stack helps prioritize testing — if a new vulnerability in Epic Systems was being actively exploited, the pentest should prioritize testing that integration. Third, industry-specific threat reports provide context for the pentest report, allowing findings to be connected to real threats — writing "this vulnerability has been exploited by Clop in similar healthcare environments" is far more compelling than a standalone CVSS score.

  16. The three highest priorities for ShopStack would be: (1) Web application testing of the GraphQL/REST APIs (ATT&CK tactic: Initial Access) — this is the primary external attack surface and the most likely vector for opportunistic and financially motivated attackers. (2) Authentication and authorization testing (ATT&CK tactic: Credential Access) — Auth0 integration misconfigurations could allow unauthorized access to seller accounts containing SSNs and bank information. (3) Cloud infrastructure configuration review (ATT&CK tactic: Privilege Escalation) — AWS misconfigurations like overly permissive IAM roles or exposed S3 buckets could allow attackers to escalate access beyond the application layer. These priorities align with ShopStack's primary threat profile: financially motivated attackers targeting payment data and PII through web application and cloud vulnerabilities.

  17. Kill Chain mapping: Reconnaissance (researching admin names), Weaponization (crafting malicious Word doc), Delivery (sending spear-phishing email), Exploitation (macro vulnerability triggers), Installation (reverse shell installed), C2 (reverse shell connects to attacker), Actions on Objectives (data exfiltration from EHR). ATT&CK techniques: T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), T1003.001 (LSASS Memory via Mimikatz), T1021 (Remote Services for lateral movement), T1041 (Exfiltration Over C2 Channel). Detection points: MedSecure's CrowdStrike Falcon EDR should have detected Mimikatz execution or the reverse shell installation. The Splunk SIEM, if properly configured with email security logs, might have flagged the malicious attachment or the anomalous outbound connection from the administrator's workstation.

  18. While nation-state actors are the most capable threat, they are not the most probable threat for most organizations. ShopStack is far more likely to be attacked by financially motivated cybercriminals seeking payment card data, opportunistic attackers scanning for common web vulnerabilities, or disgruntled former employees with knowledge of the codebase. Focusing exclusively on nation-state threats leads to overinvestment in advanced defenses while neglecting basic hygiene that would prevent the vast majority of actual attacks. ShopStack should prioritize defending against the threats they are most likely to face — credential attacks, web application exploitation, and ransomware — while maintaining awareness of more sophisticated threats.