3 parts, 24 points — Classify and respond to live security alerts at NovaTech Solutions
Score: 0 / 24Complete all parts to see your final score
Client Organization
NovaTech Solutions
NovaTech Solutions is a mid-size managed services provider (MSP) that remotely manages IT infrastructure for 40 client companies. Their Security Operations Center (SOC) runs a network-based IDS at the perimeter, host-based IPS sensors on all client servers, and a centralized SIEM that ingests firewall logs, endpoint telemetry, DNS queries, and authentication events. This morning the SOC received the following alert queue.
Alert ID
Source
Signature
Src IP
Sev
Count
A-001
Network IDS
SQL injection attempt - UNION SELECT
185.220.101.7
HIGH
847
A-002
Host IPS
Port scan detected - TCP SYN flood
10.4.22.19
MED
1
A-003
SIEM Correlation
Brute force threshold exceeded - 50 failures in 60s
192.168.3.45
HIGH
3
A-004
Network IDS
Anomaly: DNS query volume 400% above baseline
10.0.2.88
MED
1
A-005
Host IPS
Outbound connection blocked - known C2 domain
172.16.8.101
HIGH
12
Part 1 — Classify Each Alert
8 points
For each alert, select whether it is most likely a true positive, a false positive, or requires investigation before a determination can be made. Use the alert table and your knowledge of IDS/IPS behavior.
Alert A-004 (Anomaly-based DNS volume spike, single occurrence, internal)
Alert A-005 (Outbound blocked to known C2 domain, 12 attempts, internal server)
Part 2 — Prioritized Response Actions
8 points
Alert A-005 has been confirmed as a true positive — the host at 172.16.8.101 has malware that is attempting to communicate with a command-and-control server. Select all correct immediate response actions. Then select the highest priority single action.
Select ALL appropriate immediate response actions (select all that apply):
Which single action must happen FIRST?
Part 3 — SIEM Log Analysis
8 points
The SIEM generated the following correlated log excerpt after Alert A-003 was triggered. Analyze the log and answer both questions below.
Q1: The source IP 192.168.3.45 is an internal address. What does this tell you about where the brute force attack is likely originating from? What additional SIEM correlation would you run next?
Key terms: internal, compromised, pivot, lateral, insider, VPN, correlation, other hosts, same subnet
Q2: The SIEM triggered its brute force rule, but the attacker still successfully authenticated (08:43:14) and executed a command (08:43:19). What two control failures does this sequence reveal?
Key terms: automated block, no lockout, rule did not block, threshold too high, execution not prevented, IPS passive, detection only, no prevention
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed.
Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.