AP Cybersecurity Unit 3 Lesson 5 Lab
Lab — Operation Silent Watch
SOC Analyst Scenario — Threat hunt an APT using SIEM event logs, identify the kill chain, and recommend response
You are a Tier 2 SOC analyst. The SIEM has surfaced a suspicious event chain across a 72-hour window at Crossroads Financial Services. Your mission: reconstruct the attack timeline, map it to the kill chain, and recommend an immediate containment plan.
SIEM Event Timeline — Last 72 Hours
User [email protected] clicked external URL from email. Destination: crossroads-secure-portal[.]net (lookalike domain). Browser: Chrome. Host: WS-WARREN-04.
DNS query for crossroads-secure-portal[.]net resolved to 91.92.240.88 (threat intel: credential harvesting page). No payload download detected by endpoint AV.
Successful authentication to VPN as j.warren from IP 185.220.101.33 (geolocation: Romania). User has no travel history. Source IP is a known Tor exit node.
Process cmd.exe executed net user /add svc_backup P@ssw0rd! /domain on WS-WARREN-04. This account does not exist in AD baseline. Alert auto-suppressed by R-04 (admin account rule disabled last week).
RDP session from WS-WARREN-04 to FS-FINANCE-01 (Finance file server). Source user: svc_backup (newly created account). Time: 2:11 AM — outside business hours.
FS-FINANCE-01: robocopy /e \\FS-FINANCE-01\shared\clients C:\temp\backup executed. 4.7 GB staged in C:\temp\backup. No DLP rule triggered (DLP only covers email, not internal copy).
Outbound HTTPS to filedrop-transfer[.]io from FS-FINANCE-01. Transfer size: 4.7 GB. Duration: 18 minutes. Firewall allowed — no outbound block rule for HTTPS to file-sharing domains.
Tier 1 analyst reviewing backlog flagged LATERAL_MOVE_RDP alert (discovered 31 hours after it fired). Escalated to Tier 2. This is the first analyst review of any event in this chain.
Map each SIEM event to the correct kill chain stage. The kill chain stages relevant here are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), and Actions on Objectives.
The attack succeeded in full — 4.7 GB of client data was exfiltrated over 72 hours before any analyst responded. Identify four specific security control failures that allowed this attack to proceed. For each, name the control that should have stopped it and the specific event where it failed.
It is now Day 3, 08:55 AM. The data has already been exfiltrated. Select the correct immediate actions for your containment plan. Then answer: given that exfiltration is complete, what is the most important reason to still contain and investigate?
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]