4.2 Exercise 2: Applied Challenge

🎯 Before You Start

Exercise 1 trained single-category identification. Exercise 2 pushes further: blended scenarios with overlapping behaviors, analyst-report critiques, and detection-strategy tradeoffs. Expect tougher distractors — multiple options will feel plausible on first read. That is intentional.

Strategy: identify the ONE detail in the stem that eliminates each distractor. Slash the trash before you commit.

✎ Applied Challenge — 4 Questions
Question 1 of 4 — Multi-Select Evidence Evaluation A security analyst must decide whether an active incident is a ransomware outbreak or a worm. Which of the following observations would support classifying it as a worm rather than ransomware? Select ALL that apply. No credit for selecting incorrect options.
Question 2 of 4 — Spot the Error in the Playbook A new incident responder wrote this playbook for detecting fileless malware. Which step is WRONG and why?
FILELESS MALWARE DETECTION - DRAFT
Step 1: Run full antivirus scan of the hard drive for known signatures.
Step 2: Check memory for suspicious PowerShell / WMI processes.
Step 3: Review EDR behavioral alerts for unusual child-process chains.
Step 4: Capture a memory dump before rebooting the machine.
Question 3 of 4 — Detection Strategy Tradeoff An organization is evaluating three detection approaches. Which statement BEST captures the tradeoff a CISO must weigh when choosing between signature-based detection and behavioral detection?
Question 4 of 4 — Attribute the Delivery Vector A school district’s MDM suddenly pushes a “routine security update” signed by the correct certificate. The update contains malware. Within hours, 2,000 student devices are compromised. Which delivery vector BEST describes how the malware arrived?
0 / 4 Questions correct — review any incorrect answers above, then move to the Lab.
🚀 Extension Challenge

Pick one of the four malware families from Lesson 4.2 (virus, worm, trojan, ransomware, spyware, rootkit, botnet agent, fileless). Find one recent (2022 or later) real-world incident in that family. In 3–5 sentences, describe: (1) the delivery vector, (2) the payload’s goal, (3) how it was detected, and (4) what defenders could have done earlier to prevent it.

This is the exact structure AP Cyber FRQ-style scenario questions expect. Practicing it now pays off on exam day.

AP Cybersecurity · Unit 4 · Lesson 4.2 · Exercise 2
LessonExercise 1Exercise 2Quiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]