AP Cybersecurity Unit 3 Lesson 5 Lab

Unit 3 • 3.5 • Lab

Lab — Operation Silent Watch

SOC Analyst Scenario — Threat hunt an APT using SIEM event logs, identify the kill chain, and recommend response

Score: 0 / 24Complete all 3 steps to see your final score
🔍
OPERATION SILENT WATCH
Classification: CONFIDENTIAL — SOC Internal — Incident #INC-2026-0418
You are a Tier 2 SOC analyst. The SIEM has surfaced a suspicious event chain across a 72-hour window at Crossroads Financial Services. Your mission: reconstruct the attack timeline, map it to the kill chain, and recommend an immediate containment plan.

SIEM Event Timeline — Last 72 Hours

Day 1 09:14
PHISHING_LINK_CLICKED

User [email protected] clicked external URL from email. Destination: crossroads-secure-portal[.]net (lookalike domain). Browser: Chrome. Host: WS-WARREN-04.

Day 1 09:17
CREDENTIAL_HARVEST_SUSPECTED

DNS query for crossroads-secure-portal[.]net resolved to 91.92.240.88 (threat intel: credential harvesting page). No payload download detected by endpoint AV.

Day 1 14:23
AUTH_SUCCESS_NEW_GEO

Successful authentication to VPN as j.warren from IP 185.220.101.33 (geolocation: Romania). User has no travel history. Source IP is a known Tor exit node.

Day 1 14:31
PRIV_ESC_ATTEMPT

Process cmd.exe executed net user /add svc_backup P@ssw0rd! /domain on WS-WARREN-04. This account does not exist in AD baseline. Alert auto-suppressed by R-04 (admin account rule disabled last week).

Day 2 02:11
LATERAL_MOVE_RDP

RDP session from WS-WARREN-04 to FS-FINANCE-01 (Finance file server). Source user: svc_backup (newly created account). Time: 2:11 AM — outside business hours.

Day 2 03:44
DATA_EXFIL_SUSPECTED — HIGH SEVERITY

FS-FINANCE-01: robocopy /e \\FS-FINANCE-01\shared\clients C:\temp\backup executed. 4.7 GB staged in C:\temp\backup. No DLP rule triggered (DLP only covers email, not internal copy).

Day 2 04:02
EXFIL_OUTBOUND — HIGH SEVERITY

Outbound HTTPS to filedrop-transfer[.]io from FS-FINANCE-01. Transfer size: 4.7 GB. Duration: 18 minutes. Firewall allowed — no outbound block rule for HTTPS to file-sharing domains.

Day 3 08:55
ANALYST_REVIEW_TRIGGERED

Tier 1 analyst reviewing backlog flagged LATERAL_MOVE_RDP alert (discovered 31 hours after it fired). Escalated to Tier 2. This is the first analyst review of any event in this chain.

Step 1 — Map Events to the Cyber Kill Chain
8 points

Map each SIEM event to the correct kill chain stage. The kill chain stages relevant here are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), and Actions on Objectives.

Day 1 09:14 — PHISHING_LINK_CLICKED
Day 1 14:23 — AUTH_SUCCESS_NEW_GEO (VPN login from Romania with stolen credentials)
Day 1 14:31 — PRIV_ESC_ATTEMPT (new admin account created via cmd.exe)
Day 2 02:11 — LATERAL_MOVE_RDP (RDP from workstation to finance server at 2 AM)
Day 2 04:02 — EXFIL_OUTBOUND (4.7 GB sent to external file drop)
Step 2 — Identify Security Control Failures
8 points

The attack succeeded in full — 4.7 GB of client data was exfiltrated over 72 hours before any analyst responded. Identify four specific security control failures that allowed this attack to proceed. For each, name the control that should have stopped it and the specific event where it failed.

Key terms: MFA, impossible travel, SIEM rule disabled, R-04, DLP, outbound block, HTTPS, alert suppressed, 31 hours, MTTD, automated response, account lockout, email filter, VPN geo-block
Step 3 — Immediate Containment Plan
8 points

It is now Day 3, 08:55 AM. The data has already been exfiltrated. Select the correct immediate actions for your containment plan. Then answer: given that exfiltration is complete, what is the most important reason to still contain and investigate?

Select ALL actions that should be taken immediately (check all that apply):
Even though exfiltration is complete, explain in 2–3 sentences why containment and investigation are still critical:
Key terms: persistence, backdoor, re-entry, additional exfil, attribution, legal, regulatory, notification, breach law, evidence, insurance, remediation
0 / 24
Operation Silent Watch — Final Score
Complete all 3 steps to see your result.
AP Cybersecurity · Unit 3 · Lesson 3.5 · Lab

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]