Unit 3 Scenario Practice: Network Breach Investigations | AP Cybersecurity

Unit 3 • Scenario Practice

Unit 3 Scenario Practice: Network Breach Investigations

15 questions across 3 linked scenarios — Each scenario builds through multiple investigation phases

Score: 0 / 0 Read the full scenario before answering. Questions are linked.
Assessment Format
3 Linked Scenarios

Each scenario presents a multi-phase network breach investigation. Questions build on each other — your answer to Question 1 affects how you approach Question 2. Read each scenario carefully before answering.

Q1 Scenario A — NovaTech DDoS (Q1)
Scenario A: NovaTech Solutions — The SOC detects 500,000 SYN packets/sec from 30,000 IPs targeting the customer API. The API goes down in 2 minutes.
The traffic pattern (500K SYN packets/sec from 30K IPs, no ACK completion) indicates:
Q2 Scenario A (Q2)
An engineer manually blocks attacker IPs one at a time. After 45 minutes, only 200 of 30,000 are blocked. Why is this failing?
Q3 Scenario A (Q3)
While the DDoS distracts the SOC, an internal attacker performs ARP spoofing between engineering workstations and the database server. The SOC misses it because all analysts are triaging the DDoS.
Q4 Scenario A (Q4)
The attacker captures plaintext database queries via ARP spoofing. The internal interface uses HTTP. If it had used HTTPS, what would the attacker see?
Q5 Scenario A (Q5)
NovaTech implements: (1) cloud DDoS scrubbing, (2) DAI on switches, (3) mandatory HTTPS internally. Which threat does each fix address?
Q6 Scenario B — Harborview VLAN Hopping (Q6)
Scenario B: Harborview Regional Bank — A pen tester plugs into a lobby Ethernet jack configured as a trunk port. They send 802.1Q-tagged frames for VLAN 30 (ATM Management) and access the ATM controller at 10.30.1.50 with admin/admin.
The misconfigured trunk port allowed the attacker to:
Q7 Scenario B (Q7)
The inter-VLAN firewall has DENY Guest to ATM. But the attacker was not blocked. Why?
Q8 Scenario B (Q8)
The attacker logs into the ATM console with admin/admin. The root cause is:
Q9 Scenario B (Q9)
Which fix addresses the root cause of the VLAN hopping?
Q10 Scenario B (Q10)
Which combination of switch hardening measures prevents VLAN hopping?
Q11 Scenario C — Meridian Protocol Exploit (Q11)
Scenario C: Meridian Energy Grid — An audit finds: (1) Telnet with root on SCADA servers, (2) FTP for firmware, (3) HTTP on billing portal, (4) unencrypted Modbus to substations.
Which finding should be fixed FIRST?
Q12 Scenario C (Q12)
If SSH replaced Telnet, what would an interceptor see?
Q13 Scenario C (Q13)
SSL stripping is demonstrated on the billing portal. What defense eliminates this vulnerability?
Q14 Scenario C (Q14)
What does DNSSEC provide that standard DNS does NOT?
Q15 Scenario C (Q15)
Which migration priority order is correct?
Questions Correct
Unit 3 Project → Course Hub
AP Cybersecurity Unit 3 • Scenario Practice | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board, which was not involved in the production of this content.

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]