Check My Knowledge — How Attackers Plan Operations
Eight scenario-based questions. Select the best answer for each.
Scenario 1: An attacker compromised an M365 account three weeks ago. Since then, they've only accessed the CFO's shared mailbox on Tuesday and Thursday mornings from 09:00 to 10:30. No lateral movement, no discovery commands, no additional account compromises. What is the most likely objective?
Financial — they're waiting for the right invoice to redirect
BEC operators typically act within days once they identify a payment opportunity. A three-week cadence with no financial system access indicates ongoing collection, not transaction interception.
Intelligence — they're running a regular collection cadence against executive communications
The strict timing discipline (same days, same hours, same target) and three-week duration without escalation indicate a collection cadence — the hallmark of an intelligence objective. Section 1.11 covers this pattern: M-Trends 2026 reported 122-day median dwell for espionage-related intrusions.
Access — they're positioning for supply chain exploitation
Supply chain positioning requires access to build pipelines, source repositories, or distribution mechanisms. Mailbox access alone does not support supply chain objectives.
Disruption — they're mapping the environment before deploying a wiper
Disruption objectives require broad environmental access to critical systems. Accessing a single mailbox on a regular cadence without discovery commands is inconsistent with pre-disruption mapping.
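The timing discipline that distinguishes this scenario from organic mailbox use can be measured rather than eyeballed. The following is an added example, not part of the course material: it buckets MailItemsAccessed-style audit events by weekday and 90-minute block and scores how concentrated the activity is, then compares a constructed three-week Tuesday/Thursday 09:00-10:30 pattern against constructed organic activity spread across the working week. Event fields, timestamps and the threshold of 0.8 are assumptions chosen for the illustration.

```python
"""Scoring timing discipline in mailbox-access events (constructed example)."""
from collections import Counter
from datetime import datetime, timedelta
import random

_rng = random.Random(3)
START = datetime(2025, 2, 3)  # a Monday; arbitrary start of the constructed timeline


def constructed_attacker_events(weeks=3):
    """Tue/Thu sessions, 09:00-10:29 only, about six access events per session."""
    events = []
    for w in range(weeks):
        for weekday in (1, 3):  # Tuesday, Thursday
            day = START + timedelta(days=7 * w + weekday)
            for _ in range(6):
                events.append({"ts": day + timedelta(hours=9, minutes=_rng.randint(0, 89)),
                               "op": "MailItemsAccessed", "mailbox": "cfo@example.com"})
    return events


def constructed_organic_events(weeks=3):
    """A real user: every weekday, 07:00-18:59, variable volume."""
    events = []
    for w in range(weeks):
        for weekday in range(5):
            day = START + timedelta(days=7 * w + weekday)
            for _ in range(_rng.randint(4, 12)):
                events.append({"ts": day + timedelta(hours=_rng.randint(7, 18),
                                                     minutes=_rng.randint(0, 59)),
                               "op": "MailItemsAccessed", "mailbox": "cfo@example.com"})
    return events


def cadence_profile(events, block_minutes=90):
    """Bucket by (weekday, block-of-day) and report how much activity the top two buckets hold."""
    buckets = Counter()
    for e in events:
        t = e["ts"]
        buckets[(t.weekday(), (t.hour * 60 + t.minute) // block_minutes)] += 1
    total = sum(buckets.values())
    top = buckets.most_common(2)
    return {
        "total": total,
        "top_buckets": top,
        "concentration": (sum(n for _, n in top) / total) if total else 0.0,
        "weeks_observed": len({e["ts"].isocalendar()[1] for e in events}),
    }


def looks_like_collection_cadence(profile, min_weeks=2, min_concentration=0.8):
    """Sustained over multiple weeks and almost entirely inside two recurring slots."""
    return profile["weeks_observed"] >= min_weeks and profile["concentration"] >= min_concentration


if __name__ == "__main__":
    for label, evs in (("attacker", constructed_attacker_events()),
                       ("organic", constructed_organic_events())):
        p = cadence_profile(evs)
        print(label, p["top_buckets"], round(p["concentration"], 2),
              looks_like_collection_cadence(p))
```

The concentration score is deliberately crude; the point is that a per-event alert will never fire on this activity, while a profile computed over weeks separates a scheduled collector from a person who reads mail whenever they have time.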
Scenario 2: During an investigation, you observe that the initial access used a zero-day exploit against your VPN appliance, but post-exploitation used Mimikatz with default parameters and PsExec with default service names. What does this skill discontinuity suggest?
The attacker was highly skilled but chose commodity tools to save time
Skilled attackers with custom zero-day capability typically use modified or custom post-exploitation tools, not default-configuration commodity tools. The quality gap between phases is too large for operational efficiency choices.
The initial access was conducted by a different actor (likely an IAB) than the post-exploitation (likely an affiliate who purchased the access)
A zero-day exploit represents high budget and high capability. Default Mimikatz and PsExec represent medium capability at most. This skill discontinuity is the handoff signature from Section 1.9. The broker may have sold access to other organizations via the same zero-day.
The attacker's capability degraded during the operation due to tool failures
Capability does not degrade within a single operation. An attacker who can develop or acquire zero-day exploits has the technical depth to use non-default tool configurations.
This is normal — attackers routinely mix sophisticated and commodity techniques
While some mixing occurs, the gap between a zero-day exploit and default Mimikatz parameters is too large to be explained by routine variation. This pattern specifically indicates multiple actors with different capability levels.
Scenario 3: Your SIEM shows 200 failed authentication attempts across 200 unique user accounts over 48 hours. Each account has exactly one failure. Source IPs are distributed across residential proxy ranges. Your brute-force detection rule (5 failures per account in 5 minutes) did not fire. What are you observing?
A distributed denial-of-service attack against your authentication infrastructure
DDoS attacks aim to overwhelm infrastructure with volume. 200 attempts over 48 hours is far too low for DDoS. The distributed, per-account pattern indicates credential testing, not service disruption.
Normal authentication noise from employees with mistyped passwords
Organic typo noise is random: different times, different frequencies per account, source IPs matching known employee locations. Exactly one failure per account from residential proxy ranges over a controlled 48-hour window is too structured to be organic.
A low-and-slow password spray designed to stay below per-account alerting thresholds
One failure per account, distributed residential proxy IPs, and 48-hour distribution are textbook password-spray indicators as described in Section 1.6. The spray stays below your per-account threshold (5 failures in 5 minutes) by design. Detection requires cross-account correlation: many distinct accounts, each with one or two failures, inside one window. Then check whether any of those 200 accounts subsequently authenticated successfully, particularly from the same proxy ranges; a success following a spray failure is the guessed password.
An initial access broker testing credentials from a breach database
Credential stuffing from breach databases uses known passwords and typically produces successful authentications, not uniform single failures. A spray tests unknown passwords. The uniform one-failure-per-account pattern indicates password guessing, not credential validation.
Scenario 4: A ransomware incident is discovered at 07:00 Monday. The encryption started at 22:00 Friday. Forensic analysis shows the attacker moved from initial access to encryption in approximately 52 hours. Why did the attacker choose Friday evening for deployment?
The attacker works business hours in their timezone and Friday evening was the end of their workweek
Ransomware operators time deployment to the target's timezone and staffing patterns, not their own schedule. The attacker needs maximum uncontested encryption time, which is determined by the target's response capability.
Friday evening maximizes encryption time before Monday-morning discovery, exploiting reduced weekend staffing and delayed response capability
This is the documented ransomware timing pattern from Section 1.8. Semperis 2025 found 52% of organizations were targeted on holidays or weekends, and 78% cut SOC staffing by 50% or more during these periods. From 22:00 Friday to 07:00 Monday the attacker gains roughly 57 hours of uncontested encryption before anyone looks.
The 52-hour timeline was dictated by the ransomware's technical deployment requirements
Ransomware deployment is not technically constrained to 52 hours. Some affiliates compress the entire sequence to under 24 hours. The timeline reflects the attacker's operational pace, not technical requirements.
The timing was coincidental — ransomware operators deploy when they are ready regardless of the calendar
Ransomware timing is deliberate, not coincidental. The attacker was inside the environment for days conducting discovery and lateral movement during business hours, then held the deployment trigger for Friday evening. The timing is an operational weapon.
Scenario 5: You are building an Operational Profile 45 minutes into an incident. You observe: commodity tooling (Cobalt Strike with default malleable profile), rapid discovery commands within 20 minutes of access, and the attacker is already attempting lateral movement to SRV-BKP01 (the backup server). What is the correct response approach?
Silently scope the full extent of compromise before taking any containment action
Silent scoping is the correct approach for low-risk-tolerance adversaries (espionage). A high-risk-tolerance adversary moving rapidly toward backup infrastructure will complete their objective before scoping finishes. Section 1.12 covers matching containment approach to adversary classification.
Isolate the initially compromised endpoint and monitor for additional activity
Isolating only the initial endpoint is insufficient when the attacker has already moved laterally. The attacker is on multiple systems and targeting backup infrastructure. Single-endpoint isolation leaves the lateral movement path active.
Wait for the IR retainer to arrive before taking any containment action
With commodity tools, rapid pace, and backup targeting, this is a ransomware affiliate operating on a 24-48 hour timeline. Waiting for external IR support (hours to days) concedes the window the attacker needs to encrypt. Internal containment must begin immediately.
Immediately isolate backup systems and the domain controllers, contain lateral movement paths, and invoke the IR retainer in parallel
The constraint profile (commodity tools, rapid pace, backup targeting, high noise) maps to ransomware affiliate with a 24-48 hour timeline. The correct response is immediate aggressive containment focused on protecting what the attacker needs to complete their objective: backups and deployment infrastructure. Invoke the IR retainer simultaneously, not sequentially.
Scenario 6: Your investigation reveals an OAuth consent grant created 4 months ago for an application called "Productivity Analytics" with Mail.Read and Files.Read.All permissions on the engineering director's account. The application is not on your organization's approved list. Your IR team resets the user's password and revokes all active sessions. Is the threat contained?
No — the OAuth consent grant survives password reset and session revocation, so the application retains persistent API access to the user's mail and files
OAuth consent grants persist as an OAuth2 permission grant recorded against the application's service principal, not in the user's session or password. Section 1.11 covers this: password resets, session revocations, and MFA changes do not affect the consent grant. The application continues accessing data through the Graph API until the consent is explicitly revoked in Entra ID.
Yes — revoking all active sessions terminates the application's access because it depends on the user's authentication token
The application uses its own credentials (client ID and secret) plus the consent grant to access data. It does not depend on the user's active session. Session revocation does not affect application-level access.
Yes — password reset forces re-authentication for all connected applications
Password reset affects user authentication but does not invalidate application consent grants. The application's access is authorized by the consent, not by the user's current password. This is the persistence mechanism that makes OAuth grants so valuable for espionage.
Uncertain — it depends on whether the application used delegated or application-level permissions
While there are differences between delegated and application permissions, neither type is removed by the IR team's actions. Application permissions are exercised with the app's own client credentials and never involve the user's session at all. For delegated permissions, a password reset and session revocation in Entra ID do invalidate the user's existing refresh tokens, but the consent grant remains: the next time the user (or an attacker holding the new credentials) signs in to the application, it is issued fresh tokens with the same scopes and no consent prompt. The consent grant must be explicitly revoked regardless of the permission type.
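The two artefacts the IR team has to find and remove are different Graph objects with different removal calls. The following is an added example, not part of the course material: it triages constructed records shaped like Microsoft Graph oauth2PermissionGrant (delegated consent) and appRoleAssignment (application permission) resources, flags those belonging to applications outside the approved list that hold mail or file scopes, and emits the Graph v1.0 DELETE path for each. The tenant inventory, IDs, approved list, scope list and the appRoleId name map are all constructed; only the Microsoft Graph appId and the two DELETE paths are real.

```python
"""Triage of Entra ID consent artefacts that survive password reset (constructed data)."""

# Hypothetical tenant inventory. Microsoft Graph's appId is the real well-known value;
# the other identifiers are invented for the example.
SERVICE_PRINCIPALS = {
    "sp-graph": {"displayName": "Microsoft Graph", "appId": "00000003-0000-0000-c000-000000000000"},
    "sp-prod-analytics": {"displayName": "Productivity Analytics",
                          "appId": "11111111-aaaa-4bbb-8ccc-000000000001"},
    "sp-approved-crm": {"displayName": "Approved CRM Connector",
                        "appId": "11111111-aaaa-4bbb-8ccc-000000000002"},
}
USERS = {"u-eng-director": "eng.director@example.com"}
APPROVED_APP_IDS = {"11111111-aaaa-4bbb-8ccc-000000000002"}  # hypothetical allow list
HIGH_RISK = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"}

# Delegated consents. consentType "Principal" = a single user consented (principalId set);
# "AllPrincipals" = admin consent for every user.
OAUTH2_PERMISSION_GRANTS = [
    {"id": "grant-001", "clientId": "sp-prod-analytics", "consentType": "Principal",
     "principalId": "u-eng-director", "resourceId": "sp-graph",
     "scope": "Mail.Read Files.Read.All"},
    {"id": "grant-002", "clientId": "sp-approved-crm", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
]

# Application permissions: an appRoleAssignment on the client's service principal.
# The appRoleId -> permission name map is constructed; in a real tenant it comes from
# the resource service principal's appRoles collection.
GRAPH_APP_ROLE_NAMES = {"role-files-read-all": "Files.Read.All"}
APP_ROLE_ASSIGNMENTS = [
    {"id": "ara-001", "principalId": "sp-prod-analytics", "resourceId": "sp-graph",
     "appRoleId": "role-files-read-all"},
]


def triage_consents(grants, role_assignments, sps, approved_app_ids):
    """Return revocation targets for unapproved apps holding high-risk access."""
    findings = []
    for g in grants:
        sp = sps[g["clientId"]]
        risky = set(g["scope"].split()) & HIGH_RISK
        if sp["appId"] in approved_app_ids or not risky:
            continue
        if g["consentType"] == "Principal":
            affects = USERS.get(g["principalId"], g["principalId"])
        else:
            affects = "all users (admin consent)"
        findings.append({"kind": "delegated", "app": sp["displayName"],
                         "permissions": sorted(risky), "affects": affects,
                         "revoke": f"DELETE /oauth2PermissionGrants/{g['id']}"})
    for a in role_assignments:
        sp = sps[a["principalId"]]
        name = GRAPH_APP_ROLE_NAMES.get(a["appRoleId"], a["appRoleId"])
        if sp["appId"] in approved_app_ids or name not in HIGH_RISK:
            continue
        findings.append({"kind": "application", "app": sp["displayName"],
                         "permissions": [name], "affects": "tenant-wide (no user context)",
                         "revoke": f"DELETE /servicePrincipals/{a['resourceId']}"
                                   f"/appRoleAssignedTo/{a['id']}"})
    return findings


if __name__ == "__main__":
    for f in triage_consents(OAUTH2_PERMISSION_GRANTS, APP_ROLE_ASSIGNMENTS,
                             SERVICE_PRINCIPALS, APPROVED_APP_IDS):
        print(f"{f['kind']:<12}{f['app']:<24}{' '.join(f['permissions']):<28}{f['affects']}")
        print(f"  -> {f['revoke']}")
```

Revoking sign-in sessions (POST /users/{id}/revokeSignInSessions) is still worth doing, but it only shortens the life of tokens already issued; the two DELETE calls are what remove the application's standing authorization. The approved CRM connector is skipped even though it holds Mail.Read, which is the reason the approved list must be maintained carefully.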
Scenario 7: Your organization's EDR detects anomalous behavior from a trusted business application after a routine software update. The application is vendor-signed with a valid certificate. The EDR alert shows the application making outbound connections to an IP address it has never contacted before. Two other SOC analysts have already marked similar alerts as false positives because the application is trusted. What should you do?
Mark as false positive — the application is vendor-signed and the update is legitimate
This is exactly what happened with the 3CX supply chain compromise. Organizations that suppressed EDR alerts from the trusted, vendor-signed application missed the supply chain compromise. Trust your detection over the vendor signature.
Escalate to the vendor and wait for their analysis before taking action
Vendor notification is appropriate but waiting for their analysis before investigating introduces dangerous delay. If this is a supply chain compromise, the attacker may be actively collecting data while you wait. Investigate internally in parallel with vendor notification.
Investigate the behavioral deviation — compare the application's current network connections to its pre-update baseline and escalate if the new connections cannot be explained by documented update changes
Section 1.11 covers supply chain detection: behavioral baselines for trusted software are the only detection surface when the payload arrives inside signed, legitimate software. A trusted application making new outbound connections after an update is the exact pattern that 3CX and SolarWinds SUNBURST produced. The vendor signature does not make the behavior safe.
Block the outbound connection and continue monitoring
Blocking the connection may disrupt legitimate functionality if the update genuinely added a new feature. Investigate first to determine whether the connection is expected. If investigation confirms the behavioral deviation is unexplained, then block and escalate.
Scenario 8: You are writing the leadership brief for an incident where you've observed custom unsigned malware, business-hours-only activity over two weeks, zero lateral movement, and access limited to a single executive's OneDrive via Graph API. Which brief is appropriate?
"We're responding to a ransomware affiliate. Recommend immediate containment of all endpoints and activation of the IR retainer."
The evidence (custom tooling, two-week timeline, business-hours only, no lateral movement, single-target API access) is inconsistent with a ransomware affiliate profile. Ransomware affiliates use commodity tools, move rapidly, touch many systems, and target backups. This brief would trigger the wrong response.
"We've detected a targeted intelligence operation using custom malware against one executive account. We're conducting covert scoping before containment. Update in 4 hours."
The constraint profile (custom tooling = high budget, two-week timeline, business-hours = low risk tolerance, API-only = high capability) maps to a state-sponsored or well-resourced intelligence operation. Section 1.12 teaches that the correct response is covert scoping to find all persistence mechanisms before containment. Aggressive containment tips off a patient adversary.
"We've detected an insider threat. Recommend HR involvement and employee interview."
Custom unsigned malware running in the environment indicates an external attacker, not an insider. An insider already holds legitimate credentials and a managed device and has no need to deploy malware to read an executive's OneDrive; the tooling itself rules this option out.
"We've detected suspicious activity but cannot determine the threat type. Recommend waiting for additional evidence before taking action."
The Operational Profile framework from Section 1.12 is designed to produce a classification from partial evidence. The available evidence is sufficient to classify this as an intelligence operation: two constraint dimensions (budget + risk tolerance) assessed with confidence provide the classification that drives the response.