AP Cybersecurity Unit 3 Lesson 2 Lab


Lab — Operation Wirewatch: Network Breach Investigation

6 steps, 30 points — Mixed formats: matching, fill-blank, select-all, MCQ, and written analysis

Each step uses a different assessment format.
Investigation Target
NovaTech Solutions

NovaTech’s SOC detected anomalous traffic patterns indicating a multi-stage network attack. The attacker used ARP spoofing to intercept traffic, then launched a man-in-the-middle attack to steal credentials, followed by a DDoS flood against the customer API. Trace each attack phase through 6 investigation steps.

Step 1: Matching
Classify Each Attack Phase
The attacker executed three techniques in sequence. Match each to its attack category.
Think first: Interception = reading traffic. Manipulation = altering traffic. Disruption = overwhelming resources.
ARP spoofing to redirect traffic through the attacker’s device
Capturing and replaying authentication tokens from intercepted sessions
SYN flood sending 500,000 half-open connections per second to the API server
ARP spoofing = Interception (positions attacker to read traffic). Token replay = Interception (stealing credentials from intercepted sessions). SYN flood = Disruption (overwhelming server resources to deny service).
Exam Tip: Network attacks fall into three categories: Interception (reading/stealing), Manipulation (altering), Disruption (denying). ARP spoofing enables MitM which enables interception. SYN floods are classic DoS disruption.
Step 2: Fill in the Blank
Complete the Attack Technique Descriptions
Fill in the correct network attack term for each blank.
Think first: Each term describes a specific technique at a specific network layer.

(1) The attacker sent forged ARP replies to associate their MAC address with the gateway’s IP. This technique is called ARP ______.

(2) By positioning between the client and server, the attacker performed a ______ attack.

(3) The SYN flood exploits the TCP ______ by sending connection requests without completing them.

(4) Sending 500,000 requests per second from multiple sources is a ______ (Distributed Denial of Service) attack.

(5) The defense that verifies ARP entries against a trusted table is called Dynamic ARP ______ (DAI).

Answers: (1) spoofing/poisoning. (2) man-in-the-middle. (3) handshake (three-way handshake). (4) DDoS. (5) Inspection.
Exam Tip: ARP spoofing/poisoning poisons the ARP cache. MitM intercepts between two parties. SYN floods exploit the TCP three-way handshake. DDoS uses distributed sources. DAI validates ARP against DHCP snooping.
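The DAI behaviour described in blank (5) and the Exam Tip can be shown in a few lines. The following is an added example written for this lab, not code from the page or from any switch vendor: it validates logged ARP replies against a trusted IP-to-MAC binding table the way DAI validates against DHCP snooping bindings. All addresses, port names and log records are constructed for the demonstration.

```python
"""Simplified Dynamic ARP Inspection (DAI) check.

Added example, not code from the lab or from any switch vendor. It validates
ARP replies arriving on untrusted ports against a trusted IP-to-MAC binding
table, the way DAI validates against DHCP snooping bindings. Every address,
port name and log record here is constructed.
"""
from dataclasses import dataclass

# Constructed trusted binding table. On a real switch these come from DHCP
# snooping plus static ARP ACLs; 10.0.0.1 plays the default gateway.
TRUSTED_BINDINGS = {
    "10.0.0.1": "aa:bb:cc:00:00:01",   # gateway
    "10.0.0.20": "aa:bb:cc:00:00:20",  # client workstation
    "10.0.0.30": "aa:bb:cc:00:00:30",  # internal API server
}


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a switch or sensor might log it."""
    time: str
    port: str        # ingress switch port (untrusted access port)
    sender_ip: str   # IP the reply claims to speak for
    sender_mac: str  # MAC it wants neighbours to cache for that IP


# Constructed sample: two legitimate replies, then a host on Gi1/0/7 claiming
# the gateway's and the API server's IP with its own MAC (the cache-poisoning
# pattern from the scenario), then a legitimate reply and one from an IP with
# no binding at all.
SAMPLE_REPLIES = [
    ArpReply("10:00:01", "Gi1/0/1", "10.0.0.1", "aa:bb:cc:00:00:01"),
    ArpReply("10:00:02", "Gi1/0/20", "10.0.0.20", "aa:bb:cc:00:00:20"),
    ArpReply("10:00:05", "Gi1/0/7", "10.0.0.1", "de:ad:be:ef:00:07"),
    ArpReply("10:00:06", "Gi1/0/7", "10.0.0.30", "de:ad:be:ef:00:07"),
    ArpReply("10:00:09", "Gi1/0/30", "10.0.0.30", "aa:bb:cc:00:00:30"),
    ArpReply("10:00:10", "Gi1/0/9", "10.0.0.99", "aa:bb:cc:00:00:99"),
]


def inspect(reply, bindings=TRUSTED_BINDINGS):
    """Return ("permit" | "drop", reason) for one reply.

    DAI permits a reply only when the (sender IP, sender MAC) pair matches the
    trusted table exactly. An IP with no binding is dropped too: nothing
    vouches for it.
    """
    expected = bindings.get(reply.sender_ip)
    if expected is None:
        return "drop", f"no binding for {reply.sender_ip}"
    if expected.lower() != reply.sender_mac.lower():
        return "drop", (f"{reply.sender_ip} is bound to {expected}, "
                        f"reply claims {reply.sender_mac}")
    return "permit", "matches trusted binding"


def inspect_all(replies, bindings=TRUSTED_BINDINGS):
    """Run inspection over a batch; returns the verdicts in order."""
    return [inspect(r, bindings)[0] for r in replies]


def offending_ports(replies, bindings=TRUSTED_BINDINGS):
    """Ports that sourced at least one dropped reply: what a switch would
    err-disable and what a SOC would alert on."""
    return sorted({r.port for r in replies if inspect(r, bindings)[0] == "drop"})


def spoofed_ips(replies, bindings=TRUSTED_BINDINGS):
    """Bound IPs that some reply claimed with the wrong MAC (the hosts being impersonated)."""
    return sorted({r.sender_ip for r in replies
                   if r.sender_ip in bindings and inspect(r, bindings)[0] == "drop"})


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        verdict, reason = inspect(r)
        print(f"{r.time} {r.port:9} {r.sender_ip:10} {r.sender_mac}  {verdict.upper():6} {reason}")
    print("offending ports:", offending_ports(SAMPLE_REPLIES))
    print("impersonated IPs:", spoofed_ips(SAMPLE_REPLIES))
```

Run as a script it prints one verdict per reply and then the two summaries; the two forged replies from Gi1/0/7 and the unbound 10.0.0.99 are dropped, everything else is permitted. Case-insensitive MAC comparison matters because switches, sniffers and SIEMs do not agree on capitalisation.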
Step 3: Select All That Apply
Identify Effective Countermeasures
Select ALL controls that would help defend against this multi-stage attack.
Think first: Each attack phase needs a different countermeasure. Which controls address ARP spoofing, MitM, AND DDoS?
Correct: DAI (A) stops ARP spoofing. TLS (B) prevents credential interception even during MitM. SYN cookies (D) mitigate SYN floods. Segmentation (E) limits attack surface. Wrong: Longer passwords (C) don’t prevent interception of valid sessions. Disabling switches (F) destroys the network.
Exam Tip: Layered defense against network attacks: DAI at Layer 2 (ARP), TLS at Layer 4-7 (encryption), rate limiting at the application (DDoS), segmentation at network architecture. Each addresses a different attack phase.
Step 4: Multiple Choice
Determine Why TLS Did Not Prevent the MitM
NovaTech’s internal API used HTTP (not HTTPS). The attacker intercepted credentials in plaintext. If the API had used TLS, which statement is MOST accurate?
Predict first: What does TLS protect against, and what does it NOT protect against?
C is correct. TLS does not prevent ARP spoofing (Layer 2) but encrypts the traffic flowing through the MitM position. The attacker sees encrypted gibberish instead of plaintext credentials. TLS makes interception useless even when it cannot prevent it.
Exam Tip: TLS protects data in transit at Layer 4-7. It cannot prevent Layer 2 attacks (ARP spoofing) but renders intercepted data unreadable. This is why HTTPS matters even on internal networks.
Step 5: Analysis
Evaluate the DDoS Response
The SYN flood took the customer API offline for 3 hours. NovaTech’s response: an engineer manually blocked the attack IPs in the firewall, one at a time, over 2.5 hours.
5a. Select why manual IP blocking was ineffective:
5b. Recommend an automated DDoS mitigation strategy.
Key terms: CDN, cloud, scrubbing, rate limit, SYN cookies, auto-scale, upstream, provider, threshold, detect, divert
B is correct. DDoS uses distributed sources (thousands of IPs); manual blocking cannot keep up. Recommended: Cloud-based DDoS scrubbing service (Cloudflare, AWS Shield) that automatically detects and absorbs volumetric attacks upstream. SYN cookies on the server handle incomplete handshakes efficiently. Rate limiting per source IP at the load balancer. Auto-scaling to absorb traffic spikes.
Exam Tip: DDoS defense must be automated and upstream. Manual firewall rules are always too slow. Cloud scrubbing services absorb attack traffic before it reaches your infrastructure.
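The answer key recommends SYN cookies because they let a server handle incomplete handshakes without storing anything per SYN. The following is an added example written for this lab, not code from the page or from any operating system kernel: a simplified stateless SYN cookie modelled loosely on the Linux/BSD scheme, with the server's initial sequence number carrying a time counter, an MSS index and a keyed hash of the connection 4-tuple. The IP addresses, ports, secret and timestamp are constructed.

```python
"""Stateless SYN cookies, loosely modelled on the Linux/BSD scheme.

Added example, not code from the lab or from any OS kernel. During a SYN
flood the server cannot afford a table entry per half-open connection. With
SYN cookies it encodes everything it needs into its own initial sequence
number (ISN), keyed with a secret, and only allocates state when the client's
ACK echoes a valid cookie back. Addresses, ports and the secret are constructed.
"""
import hashlib
import hmac

# 32-bit ISN layout: [5-bit time counter][3-bit MSS index][24-bit keyed hash]
COUNTER_BITS, MSS_BITS = 5, 3
HASH_BITS = 32 - COUNTER_BITS - MSS_BITS            # 24
HASH_MASK = (1 << HASH_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1
SLOT_SECONDS = 64                                   # counter ticks every 64 s
MAX_AGE_SLOTS = 1                                   # accept the current and previous slot
MSS_TABLE = (536, 1300, 1440, 1460)                 # the MSS values we can encode

SECRET = b"constructed-demo-secret-rotate-me"       # constructed; real servers rotate this


def _counter(now):
    return (now // SLOT_SECONDS) & COUNTER_MASK


def _keyed_hash(secret, cip, cport, sip, sport, client_isn, counter):
    """24-bit HMAC over the 4-tuple, the client's ISN and the time counter."""
    msg = f"{cip}|{cport}|{sip}|{sport}|{client_isn}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(cip, cport, sip, sport, client_isn, mss, now, secret=SECRET):
    """Build the server ISN for an incoming SYN. Nothing is stored server-side."""
    # Largest table entry that fits the client's MSS; fall back to the smallest.
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    counter = _counter(now)
    h = _keyed_hash(secret, cip, cport, sip, sport, client_isn, counter)
    return (counter << (32 - COUNTER_BITS)) | (mss_idx << HASH_BITS) | h


def check_cookie(cip, cport, sip, sport, client_isn, cookie, now, secret=SECRET):
    """Validate the cookie echoed in the client's ACK (its ack number minus 1).

    Returns the MSS to use on success, or None if the cookie is stale, forged,
    or bound to a different 4-tuple. A SYN that never completes costs nothing:
    there is no entry to time out.
    """
    counter = cookie >> (32 - COUNTER_BITS)
    mss_idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    h = cookie & HASH_MASK
    age = (_counter(now) - counter) & COUNTER_MASK
    if age > MAX_AGE_SLOTS:
        return None                                 # too old: reject
    expected = _keyed_hash(secret, cip, cport, sip, sport, client_isn, counter)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                                 # forged, or a different connection
    return MSS_TABLE[mss_idx]


def handshake_demo(now=1_700_000_000):
    """Full exchange for one legitimate client; returns the MSS the server recovered."""
    cip, cport, sip, sport = "203.0.113.7", 51514, "198.51.100.10", 443   # constructed
    client_isn = 0x1234_5678
    # SYN arrives; the server replies SYN-ACK with ISN = cookie and keeps no record.
    isn = make_cookie(cip, cport, sip, sport, client_isn, 1460, now)
    # A real client completes: its ACK carries seq = client_isn + 1, ack = isn + 1.
    ack_seq, ack_num = client_isn + 1, (isn + 1) & 0xFFFFFFFF
    return check_cookie(cip, cport, sip, sport, ack_seq - 1, (ack_num - 1) & 0xFFFFFFFF, now + 5)


if __name__ == "__main__":
    print("MSS recovered from a valid ACK:", handshake_demo())
```

The 24-bit hash and 5-bit counter are the same trade-off real implementations make: the cookie has to fit in a 32-bit sequence number, so MSS options are reduced to a small table and the validity window is coarse. The point for Step 5 is architectural: under a flood of 500,000 half-open connections per second the server's memory use stays flat, because every SYN that is never followed by a valid ACK simply vanishes.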
Step 6: Written Response
Write the Network Hardening Recommendation
Write a network hardening plan that addresses all three attack phases (ARP spoofing, MitM credential theft, DDoS). Map one specific control to each phase.
Key terms: DAI, ARP inspection, TLS, HTTPS, encrypt, certificate, SYN cookies, rate limit, CDN, scrubbing, cloud, upstream, segment, monitor
Model: Phase 1: Deploy Dynamic ARP Inspection (DAI) on all switches — validates ARP replies against DHCP snooping bindings, blocking forged ARP entries. Phase 2: Enforce TLS on ALL internal and external communications — encrypts credentials and data in transit so interception yields only encrypted gibberish. Phase 3: Deploy cloud-based DDoS scrubbing with automatic traffic diversion — absorbs volumetric attacks upstream before they reach NovaTech’s infrastructure.
Exam Tip: Network hardening addresses each OSI layer: DAI at Layer 2, TLS at Layer 4-7, DDoS mitigation at the network edge. Each control targets a specific attack technique at its operating layer.
AP Cybersecurity 3.2 Lab | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.