Unit 3 Scenario Practice: Network Breach Investigations | AP Cybersecurity
Unit 3 Scenario Practice: Network Breach Investigations
15 questions across 3 linked scenarios — Each scenario builds through multiple investigation phases
Each scenario presents a multi-phase network breach investigation. Questions build on each other — your answer to Question 1 affects how you approach Question 2. Read each scenario carefully before answering.
(A) Legitimate traffic completes handshakes; 500K SYN-only is not normal.
(B) 30K unique IPs = botnet, not single attacker.
(C) DNS amplification uses UDP, not TCP SYN.
(B) Firewalls can process blocks; the issue is human speed.
(C) 200 of 30K = 0.7%. Attack continues at 99.3%.
(D) Blocking 443 also blocks all legitimate customers.
(A) The attacks are coordinated — DDoS covers the real objective.
(B) ARP operates on the local LAN, independent of internet-facing congestion.
(D) Ignoring a customer-facing outage is not viable; the solution is adequate staffing.
(A) HTTPS encrypts data specifically to prevent interception.
(C) TLS does not detect ARP spoofing; it renders intercepted data unreadable.
(D) HTTPS cannot prevent L2 attacks — it just protects the payload.
(A) Three different attacks need three different fixes.
(C) Mapping is incorrect — cloud scrubbing is for DDoS, not ARP.
(D) Removing any fix leaves a gap.
(B) Tagged frames do not crash switches.
(C) Trunk ports do not provide encryption.
(D) Trunk ports carry VLAN traffic, not public internet.
(A) Firewall was operational; traffic never reached it.
(B) Rule ordering is irrelevant — traffic never entered the firewall.
(C) DENY rules work on all traffic that reaches the firewall.
(A) No vulnerability needed; valid (default) credentials used.
(B) No brute-force needed; default password worked immediately.
(D) The console supports auth; it was using defaults.
(B) VLAN hopping bypasses inter-VLAN firewalls.
(C) Cameras detect after; access ports prevent.
(D) Password addresses default credentials, not VLAN hopping.
(A) Trunk + DTP enabled = the vulnerable configuration.
(B) Access alone is insufficient; DTP can override.
(C) Trunk on active ports recreates the vulnerability.
(A) Billing is serious but lower impact than SCADA.
(B) Firmware integrity is important but requires more steps to exploit than Telnet root.
(D) Age does not determine priority; impact does.
(A) SSH and Telnet have fundamentally different security.
(C) SSH encrypts the entire session, not selectively.
(D) SSH does not inherently detect all interception scenarios.
(B) Key length does not affect SSL stripping; it targets the redirect.
(C) Disabling port 80 helps but browser may still try HTTP first.
(D) Second redirect still travels over HTTP and can be stripped.
(A) DNSSEC = authentication/integrity, NOT encryption.
(B) DNSSEC verifies; it does not block.
(C) DNSSEC does not affect resolution speed.
(A) SCADA must come before customer-facing.
(C) Age does not determine priority.
(D) Simultaneous is reckless — cannot isolate failures.
AP® is a registered trademark of the College Board, which was not involved in the production of this content.
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]