AP Cybersecurity 4.4: Detecting Attacks on Devices

Score0 / 10
📅 Last Updated: June 2026 ~55 min 📚 Lesson 4 of 4 — Unit 4
AP Cybersecurity — Unit 4: Securing Devices

Topic 4.4: Detecting Attacks on Devices

Three IoC types (host-based, file-based, behavior-based), three detection method criteria, log analysis for password attack patterns, and the most important AP exam trap in Unit 4: offline password attacks cannot be detected.

Lesson 4 of 4 ~55 min LO 4.4.A – 4.4.D Skills: Detect Attacks
★ AP Exam Focus — Topic 4.4

• Classify the three IoC types: host-based (unusual files, unexpected processes, unauthorized config changes, unauthorized software install), file-based (hash matches known malware, known malware filenames, known malicious file paths), behavior-based (failed logins, unusual times/locations, unauthorized access to sensitive data, privilege escalation)
• Apply the three detection method criteria: performance (anomaly uses more resources; embedded devices often can’t run any tools), cost (per-device licensing; EDR = expensive but centralized), sensitivity/criticality (hybrid for devices storing sensitive data)
• Identify IoCs for each password attack type in log files: single user many failed attempts (online attack), unusual login time/location (compromised password), many users in seconds from one IP (password spraying), default user:password sequences (credential stuffing)
Critical AP exam trap: offline password attacks cannot be detected — the attack runs on the adversary’s machine; no logs are generated on the target system

College Board Essential Knowledge Coverage

Topic 4.4 — What Is Testable

CED Ref Essential Knowledge Covered In
4.4.A.1–A.3 System processes, login attempts, file downloads, and user actions are logged. Auth logs record every attempted login. Logs reconstruct events during a cyber incident. An IoC is evidence that an adversary has compromised a device or network. Section 2 — Logs and IoCs
4.4.A.4 Host-based IoCs (in auth logs, activity logs, config files): unusual files created/modified, unexpected processes/services, unauthorized config changes, unauthorized software install/update Section 2 — Host-Based IoCs
4.4.A.5 File-based IoCs (in executable files): file hash matches known malware, filename known to be created by specific malware, file path associated with malicious activity Section 2 — File-Based IoCs
4.4.A.6 Behavior-based IoCs (in auth and access logs): multiple failed login attempts, unusual login times or locations, unauthorized attempts to access sensitive data, privilege escalation attempts Section 2 — Behavior-Based IoCs
4.4.B.1 Performance criterion: anomaly-based uses more resources than signature-based; many embedded devices cannot run any detection tools Section 3 — Detection Criteria
4.4.B.2 Cost criterion: per-device licensing; EDR (endpoint detection and response) = expensive but holistic/unified/centralized alert platform Section 3 — Detection Criteria
4.4.B.3 Sensitivity/criticality criterion: devices storing sensitive data or providing critical services benefit from hybrid detection when possible Section 3 — Detection Criteria
4.4.C.1 Speed/performance factor: signature-based faster; effect compounded on resource-limited devices; resource-intensive tools degrade performance Section 4 — Evaluating Methods
4.4.C.2 Phase of attack factor: adversaries must bypass physical/network controls before reaching device level; detecting at device level can prevent access to sensitive data Section 4 — Evaluating Methods
4.4.C.3 False positive vs. bypass factor: signature-based = low false positives but easier to bypass; anomaly-based = harder to bypass Section 4 — Evaluating Methods
4.4.D.1 Online attack IoC: single user with many wrong password attempts in auth logs. If hash DB compromised: ALL users must reset passwords — all hashes considered insecure Section 5 — Log Analysis
4.4.D.2 Compromised password IoC: authorized user logging in from unexpected location, IP, or time Section 5 — Log Analysis
4.4.D.3 Password spraying IoC: many users attempting login within seconds from one IP or unusual IPs Section 5 — Log Analysis
4.4.D.4 Credential stuffing IoC: series of default user:password combinations attempted in quick succession, often same IP Section 5 — Log Analysis
4.4.D.5 Offline attacks cannot be detected — the attack runs on the adversary’s computer. No auth logs generated on target system. Section 5 — Log Analysis

Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 3.B Detection strategies • 3.D Detect and classify attacks via digital evidence

♡ Bellringer — 3 Questions, 5 Minutes

Answer independently. No notes.

  1. An auth log shows user “jsmith” had 847 failed login attempts in 3 minutes, followed by a successful login. Which password attack type does this indicate, and which IoC category is this? What should the security team do next?
  2. A security analyst discovers a file on a server whose SHA-256 hash matches a known ransomware hash in their threat intelligence database. The file hasn’t executed yet. Which IoC type is this, and what should happen immediately?
  3. A company’s password database was stolen in a breach. The CISO asks: “Can we check our logs to see which passwords the adversary has already cracked from the database?” What is the correct answer and why?

Answers: (1) Online password attack / brute force or dictionary (one user, many attempts). Behavior-based IoC (multiple failed login attempts in auth logs, 4.4.A.6). Force password reset for jsmith; investigate the source IP; check for lateral movement after the successful login. (2) File-based IoC (4.4.A.5) — file hash matches known malware. Quarantine the file immediately before it executes; investigate how it arrived; scan for additional indicators. (3) No — offline password attacks cannot be detected (CED 4.4.D.5). The cracking runs on the adversary’s machine against the stolen database. No authentication attempts are made against the company’s systems, so no logs are generated. The correct response is to force all users to reset passwords immediately, since all hashes must be considered insecure (CED 4.4.D.1).

In This Lesson
  • 4.4.1 — Learning Objectives (3 min)
  • 4.4.2 — Logs and IoC Types (12 min)
  • 4.4.3 — Detection Method Criteria (10 min)
  • 4.4.4 — Evaluating Detection Methods (8 min)
Continued
  • 4.4.5 — Password Attack Log Analysis (10 min)
  • 4.4.6 — Worked Scenarios & CFUs (8 min)
  • 4.4.7 — Common Mistakes (3 min)
  • 4.4.8 — Key Terms & FAQ (4 min)

14.4.1 — Learning Objectives

  • Explain what system logs record and define an indicator of compromise (IoC) (4.4.A.1–A.3)
  • Classify IoCs as host-based, file-based, or behavior-based and identify examples of each (4.4.A.4–A.6)
  • Apply the three detection method criteria (performance, cost, sensitivity/criticality) to choose between signature-based, anomaly-based, and hybrid detection for a given device (4.4.B)
  • Evaluate detection methods using the three CED factors: speed, phase of attack, and false positive vs. bypass rate (4.4.C)
  • Identify IoCs for online attacks, compromised passwords, password spraying, and credential stuffing in auth logs — and explain why offline attacks produce no detectable log evidence (4.4.D)

24.4.2 — Logs and IoC Types (LO 4.4.A)

What Logs Record (CED 4.4.A.1, A.3) Computing systems log system processes and settings, login attempts, file download attempts, and user actions. Authentication logs (auth logs) record every attempted login on a system. An Indicator of Compromise (IoC) is evidence that an adversary has compromised a device or network. Logs reconstruct the sequence of events leading up to and during a cyber incident.

Three IoC Types

4.4.A.4Host-Based IoCs
Discovered by analyzing logs and configuration settings (authentication logs, user activity logs, system config files). The CED lists four host-based indicators:
Unusual files created or modified
Unexpected processes or services running
Unauthorized changes to system configuration settings
Unauthorized software installation or update
4.4.A.5File-Based IoCs
Discovered by analyzing files on the device, usually executable files. The CED lists three file-based indicators:
File whose hash matches known malware (compare file hash to threat intelligence database)
File name known to be created by a specific piece of malware
File path associated with malicious activity (certain directories are known malware staging areas)
4.4.A.6Behavior-Based IoCs
Discovered by analyzing authentication logs and access logs. The CED lists four behavior-based indicators:
Multiple failed login attempts
Unusual login times or locations
Unauthorized attempts to access sensitive data
Attempts to elevate user privileges on a system
Check for UnderstandingMatching
Q 1 of 10

Match each IoC description to its CED type.

Click an IoC description, then click the matching type.
IoC Description
1A SHA-256 hash of a file on a server matches a hash in a known malware database.
2Auth logs show a user successfully logged in at 3:47 AM from an IP address in another country — the user always logs in from the same office during business hours.
3System logs show a new service was installed and is running under an account that should not have admin privileges.
4Access logs show repeated attempts to read files in the /HR/Salaries/ directory by a user whose role does not include HR access.
IoC Type
AFile-Based IoC (4.4.A.5)
BBehavior-Based IoC (4.4.A.6)
CHost-Based IoC (4.4.A.4)
Check for UnderstandingI / II / III
Q 2 of 10

Which of the following are TRUE about IoCs per the CED?

I. Authentication logs record every attempted login, both successful and failed, and can be used to reconstruct events during a cyber incident.
II. File-based IoCs are discovered by monitoring network traffic for unexpected data flows between devices.
III. An unauthorized change to a system configuration setting is classified as a host-based IoC.

AI and II only
BII and III only
CI and III only
DI, II, and III

34.4.3 — Detection Method Criteria (LO 4.4.B)

Three criteria determine which detection method is appropriate for a given device. These parallel the network detection criteria from Topic 3.5 but apply specifically to devices.

Criterion CED Ref Signature-Based Anomaly-Based When to Choose
Performance 4.4.B.1 Less resource intensive Uses more system memory and processing power Signature for resource-limited devices. Many embedded devices cannot run any detection tools at all.
Cost 4.4.B.2 Per-device licensing costs Per-device licensing costs + more hardware EDR (endpoint detection and response) = expensive but provides holistic, unified, centralized alerting across all devices.
Sensitivity / Criticality 4.4.B.3 Fewer alerts, misses novel attacks More alerts, catches novel attacks Devices storing sensitive data or providing critical services benefit from hybrid detection when possible.
★ EDR — The CED’s Named Third Option

The CED (4.4.B.2) introduces Endpoint Detection and Response (EDR) as a specific type of detection service. EDR is purchased from a third-party vendor and is expensive — but it provides a holistic, unified approach to threat detection and a centralized alert platform for monitoring attacks across all of an organization’s devices. Know the tradeoff: EDR = high cost, centralized visibility across all devices. Per-device software = lower per-unit cost, but no unified view.

Check for UnderstandingScenario Application
Q 3 of 10

A hospital’s network includes: (A) pacemaker controllers embedded in the hospital network, (B) nurse workstations storing patient medical records, and (C) a public-facing appointment booking server. Apply all three CED criteria to recommend the best detection method for each device type.

AA: Hybrid (critical devices need maximum protection); B: Signature-based (lower cost for workstations); C: Anomaly-based (public-facing servers see novel attacks)
BA: No detection tools possible — embedded devices lack system resources; B: Hybrid when possible — sensitive patient data + critical service; C: Signature-based or hybrid depending on budget — public-facing, moderate traffic volume
CA: Anomaly-based (pacemakers are critical); B: Signature-based (workstations are low-risk); C: Hybrid (public-facing servers need both)
DAll three should use EDR since it provides centralized monitoring and the hospital can afford the cost

44.4.4 — Evaluating Detection Methods (LO 4.4.C)

Evaluation Factor CED Ref Signature-Based Anomaly-Based
Speed & Performance 4.4.C.1 Faster. Effect compounded on resource-limited devices. Slower. Resource-intensive tools degrade performance, especially on devices with limited processing power.
Phase of Attack 4.4.C.2 Both methods: adversaries must bypass physical/network controls before reaching the device. Detecting at the device level can prevent access to sensitive data or disruption of critical services — detection at this layer is a last line of defense.
False Positives vs. Bypass 4.4.C.3 Low false positive rate. Easier for adversaries to bypass (craft malware with no known signature). Higher false positive rate. Harder for adversaries to bypass (behavior-based, not pattern-based).
Check for UnderstandingI / II / III
Q 4 of 10

Which of the following statements about evaluating device detection methods are TRUE per the CED?

I. Signature-based detection has a low false positive rate but is easier for adversaries to bypass than anomaly-based detection.
II. Installing resource-intensive anomaly-based detection on a device will always improve security without any performance trade-offs.
III. Detecting an attack at the device level can prevent adversaries from accessing sensitive data, because adversaries must first bypass physical and network controls before reaching the device.

AI only
BII and III only
CI and II only
DI and III only

54.4.5 — Password Attack Log Analysis (LO 4.4.D)

⚠ AP Exam Critical Trap — CED 4.4.D.5

Offline password attacks cannot be detected. The attack runs on the adversary’s own computer against a stolen hash database. No authentication attempts are made against the target system. No logs are generated. This is directly and explicitly stated in the CED and is one of the highest-frequency exam targets in Topic 4.4. If a question asks how to detect an offline attack, the correct answer is that it cannot be detected through log analysis.

Log Patterns for Each Attack Type

Attack Type CED Ref Log Pattern (IoC) Detectable?
Online Password Attack (brute force / dictionary) 4.4.D.1 Single user with many failed login attempts in auth logs Yes — auth logs show repeated failures
Compromised Password 4.4.D.2 Authorized user logging in from unexpected location, IP address, or time Yes — location/time anomaly in auth logs
Password Spraying 4.4.D.3 Many different users each attempting login within seconds of each other from one IP or unusual IPs Yes — pattern visible across user accounts in logs
Credential Stuffing 4.4.D.4 Series of default user:password combinations attempted in quick succession, often from same IP Yes — default credential sequence visible in logs
Offline Attack (brute force / dictionary / rainbow table) 4.4.D.5 None — attack runs on adversary’s machine No — cannot be detected
CED 4.4.D.1 — The “All Users Reset” Rule If a user:password hash database has been compromised, all user passwords in the database should be considered insecure and all users should be forced to reset their passwords. The reason: the adversary may have already run offline cracking tools (undetectably) and recovered passwords. Every hash in the stolen database must be treated as if it has been or will be cracked.
Check for UnderstandingSpot the Error
Q 5 of 10

A CISO states: “We know our password database was stolen last month, but our auth logs show no unusual login activity, so the adversary probably hasn’t cracked any passwords yet. We’ll force password resets only for accounts we see attacked in the logs.” What is the error?

AThe CISO is correct — clean auth logs indicate the adversary has not yet attempted to use any cracked passwords.
BThe CISO is partially correct — clean logs are a good sign, but a 30-day forced reset for all users should be implemented as a precaution.
CThe CISO is wrong. Offline password cracking runs on the adversary’s machine — it generates no auth log entries. Clean logs prove nothing about whether passwords have been cracked. The CED requires forcing all users to reset passwords immediately when a hash database is compromised.
DThe CISO is wrong only because the logs should be checked going back further than one month to catch earlier activity.

64.4.6 — Worked Scenarios

Check for UnderstandingFill in the Blank
Q 6 of 10

Complete each statement with the correct CED term or phrase.

Word Bank cannot be detected credential stuffing password spraying all users host-based

1. Auth logs show 3,000 different user accounts each had exactly one failed login attempt within 8 seconds, all from the same IP. This is an indicator of .

2. Auth logs show a sequence of login attempts: admin:admin, admin:password, admin:1234, root:root, root:password in rapid succession from one IP. This is an indicator of .

3. An unauthorized change to system configuration settings is classified as a IoC.

4. When a password hash database is stolen, must be forced to reset their passwords because all hashes must be considered insecure.

5. Offline password attacks (brute force, dictionary, rainbow table) because the attack runs on the adversary’s own computer.

Check for UnderstandingLog Analysis
Q 7 of 10

An auth log shows: user “mjohnson” successfully authenticated at 2:13 AM from IP 185.220.101.47 (a Tor exit node in Eastern Europe). This user typically logs in between 8 AM and 6 PM from IP 10.0.0.45 (internal corporate network). Which IoC type and specific indicator does this represent?

ABehavior-based IoC (4.4.A.6) — unusual login time (2:13 AM vs. normal 8 AM–6 PM) and unusual location/IP (Tor exit node in Eastern Europe vs. normal internal network). Per CED 4.4.D.2, this is an indicator that mjohnson’s password has been compromised.
BFile-based IoC — the external IP address matches a known malicious IP in threat intelligence databases.
CHost-based IoC — unauthorized change to authentication system configuration allowing external login.
DNo IoC — since the login was successful, the credentials were valid and no attack is indicated.
Check for UnderstandingSpot the Error
Q 8 of 10

A security team’s incident report states: “We detected the rainbow table attack in progress by monitoring our authentication logs for the rapid hash comparison queries hitting our server.” What is the error?

AThe report is correct — rainbow table attacks do generate authentication log entries because they query the authentication server.
BRainbow table attacks are offline attacks that run on the adversary’s machine against a stolen hash database. They generate no queries to the company’s server and cannot be detected in auth logs. CED 4.4.D.5: offline attacks cannot be detected.
CThe report is partially correct — rainbow tables generate log entries, but only if the organization has specialized hash-comparison monitoring tools installed.
DThe report is wrong only because rainbow tables target network traffic, not authentication servers.
Check for UnderstandingI / II / III
Q 9 of 10

Which of the following are TRUE about password attack detection per the CED?

I. Password spraying can be detected because it generates a log pattern of many different user accounts attempting login within seconds of each other from one or unusual IP addresses.
II. If a user:password hash database is compromised, only users whose passwords appear in a dictionary should be forced to reset, since complex passwords cannot be cracked offline.
III. An authorized user logging in from an unexpected IP address or at an unusual time is a behavior-based IoC indicating the user’s password may be compromised.

AI only
BII and III only
CI and III only
DI, II, and III
End of LessonIntegrative Scenario
Q 10 of 10
A financial firm’s security team reviews the following events: (1) Auth logs show 8,500 user accounts each had one failed login attempt from IP 203.0.113.42 over 30 seconds. (2) User “rchen” successfully logged in at 4:22 AM from Singapore; she normally logs in from Chicago at 9 AM. (3) Server logs show a new process “svchost32.exe” (note: not the legitimate “svchost.exe”) started running under rchen’s account. (4) A file scan finds a file whose hash matches a known banking Trojan. (5) The firm’s password database was stolen 3 weeks ago.

Which response correctly identifies all IoC types AND addresses the offline attack gap?

AEvent 1 = behavior-based (spraying); Event 2 = behavior-based (compromised password); Event 3 = file-based (unknown process); Event 4 = host-based (hash match). Since the auth logs show no mass offline cracking activity, the database theft (Event 5) has not yet been exploited.
BEvent 1 = behavior-based IoC (password spraying — 4.4.D.3); Event 2 = behavior-based IoC (unusual time/location — 4.4.D.2, 4.4.A.6); Event 3 = host-based IoC (unexpected process — 4.4.A.4); Event 4 = file-based IoC (hash matches known malware — 4.4.A.5). Event 5: offline cracking cannot be detected in logs — all users must be forced to reset passwords immediately regardless of log activity.
CEvent 1 = file-based (IP matches threat intel); Event 2 = host-based (unauthorized config change); Event 3 = behavior-based (privilege escalation); Event 4 = file-based (hash match). Event 5 is low priority since no failed login spikes are visible.
DEvent 1 = behavior-based (spraying); Events 2–4 = behavior-based (all found in auth logs). Event 5 requires checking the next 30 days of logs before deciding on password resets.

!Common AP Exam Mistakes — Topic 4.4

Mistake Why It’s Wrong What to Do Instead
Thinking offline attacks are detectable in auth logs CED 4.4.D.5 is explicit: offline attacks run on the adversary’s machine. No authentication attempts reach the target system. Auth logs record only authentication events against the live system. Offline = no logs, no detection. The only response to a stolen hash database is forcing all users to reset passwords immediately.
Only resetting compromised-looking passwords after a database theft CED 4.4.D.1 requires forcing ALL users to reset. Offline cracking may have already occurred undetectably. Every hash in the stolen database must be treated as compromised. Stolen hash database = universal forced password reset. No exceptions for “complex” or “probably safe” accounts.
Classifying unexpected process as file-based IoC An unexpected process running on a system (CED 4.4.A.4) is a host-based IoC found in system logs. File-based IoCs (4.4.A.5) require analyzing the actual file: its hash, name, or path. Unexpected process = host-based (from system logs). File hash match = file-based (from file analysis).
Recommending anomaly-based detection for all embedded devices CED 4.4.B.1: many embedded devices “do not have enough system resources to run any detection tools on the device.” The choice isn’t signature vs. anomaly — it may be detection vs. no detection. For embedded devices: check whether any detection is feasible before recommending a method. Resource limitation is the primary constraint.
Confusing password spraying log pattern with brute force Brute force = many passwords against one account. Password spraying = one password against many accounts. The log patterns look different: brute force shows one user with many failures; spraying shows many users each with one failure from the same IP. Many failures, one user = brute force (online). One failure each, many users, same IP = password spraying. Both are behavior-based IoCs but different patterns.

84.4.8 — Key Terms & FAQ

Term Definition AP Exam Note
Indicator of Compromise (IoC) Evidence that an adversary has compromised a device or network Three types: host-based, file-based, behavior-based
Authentication Log (Auth Log) Records every attempted login on a system Primary source for detecting online attacks and compromised passwords
Host-Based IoC IoC found in auth logs, activity logs, or config files: unusual files, unexpected processes, unauthorized config changes, unauthorized software installs Discovered from logs and configuration analysis — not from the files themselves
File-Based IoC IoC found in files: hash matches known malware, known malware filename, known malicious file path Discovered by analyzing executable files themselves
Behavior-Based IoC IoC found in auth and access logs: failed logins, unusual time/location, unauthorized sensitive data access, privilege escalation attempts Also includes the specific password attack patterns in 4.4.D
EDR Endpoint Detection and Response — third-party service; expensive but holistic and centralized High cost; unified alert platform for all devices
  • Why does the CED treat offline attacks so differently from online attacks for detection?

    Online attacks interact with the target system. Every login attempt, successful or not, generates an auth log entry. The security team can see these in real time and respond. Offline attacks bypass the target system entirely — the adversary runs hash-cracking tools on their own hardware against a copy of the stolen database. Nothing touches the organization’s servers. No log is possible because no request reaches the organization’s systems. This is why CED 4.4.D.5 is absolute: offline attacks cannot be detected through any log analysis technique. Prevention (strong hashing, salting, database security) is the only defense before a breach; universal forced reset is the only response after.

  • What is the difference between host-based IoCs and behavior-based IoCs? They both come from logs.

    The CED distinguishes them by what the indicator describes. Host-based IoCs (4.4.A.4) describe changes to the system itself: new or modified files, unexpected processes running, unauthorized config changes, unauthorized software installs. Behavior-based IoCs (4.4.A.6) describe user actions: login failures, unusual access times or locations, attempts to access unauthorized data, privilege escalation. Think of it as: host-based = what happened to the machine; behavior-based = what actions were taken (usually by a compromised account or the adversary acting as one).

  • When would you choose EDR over per-device anti-malware software?

    The CED (4.4.B.2) positions EDR as expensive but holistic. You would choose EDR when: (a) the organization needs centralized visibility across all devices in one dashboard rather than checking each device separately; (b) the security team is small and cannot monitor many individual devices; or (c) the cost is justified by the sensitivity of the data or criticality of the devices. Per-device software is cheaper per unit but provides no unified correlation across devices. EDR can correlate events across the entire device fleet — seeing that three different workstations all started running the same unexpected process at the same time is something per-device tools miss.

📋 Exit Ticket — Topic 4.4 | 5 Questions | Ready for Canvas / Google Classroom

Students submit before leaving.

  1. Name and define all three IoC types. For each, give two specific CED-listed examples and name the log or file source where it is discovered. (AP Skill: Detect Attacks)
  2. Apply all three detection method criteria to recommend a detection approach for: (a) a smart thermostat embedded in a corporate HVAC system; (b) a CFO’s laptop storing financial projections and acquisition plans. (AP Skill: Detect Attacks)
  3. Auth logs show: at 11:47 PM, 12,000 user accounts each had exactly one failed login attempt within 15 seconds from IP 198.51.100.0. What attack is this? What is the specific IoC? Why does account lockout fail to stop it? (AP Skill: Detect Attacks)
  4. A company discovers their password hash database was stolen 10 days ago. Their auth logs show no unusual activity since the theft. A security analyst says: “We’re safe — the logs are clean.” Why is this conclusion wrong, and what should the company do? (AP Skill: Detect Attacks)
  5. For each event below, classify the IoC type and identify the specific CED indicator: (a) file “update32.tmp” in C:\Windows\Temp whose hash matches a known RAT; (b) user “bsmith” logged in at 3 AM from Brazil when she works in Boston; (c) system logs show a new service called “winsvc64” started after a user opened an email attachment. (AP Skill: Detect Attacks)
Answer Key: (1) Host-based (from auth/activity logs/config files): unusual files created/modified, unexpected processes, unauthorized config changes, unauthorized software installs. File-based (from analyzing executable files): hash matches known malware, known malware filename, known malicious file path. Behavior-based (from auth/access logs): failed login attempts, unusual time/location, unauthorized sensitive data access, privilege escalation attempts. (2a) Thermostat = embedded device. CED 4.4.B.1: many embedded devices cannot run any detection tools due to insufficient resources. Likely answer: no detection tools feasible. (2b) CFO laptop = sensitive data + critical role. CED 4.4.B.3: hybrid detection when possible; EDR if budget allows for centralized monitoring. (3) Password spraying (CED 4.4.D.3). IoC: many different users, one failed attempt each, within seconds, from same IP. Account lockout: triggers per-account after N failures. With spraying, each account gets only one attempt — never reaches the lockout threshold. (4) Wrong because offline password cracking runs on the adversary’s machine — generates no auth log entries. CED 4.4.D.5: offline attacks cannot be detected. CED 4.4.D.1: when a hash database is compromised, all user passwords are insecure. Force all users to reset passwords immediately. (5a) File-based IoC — file hash matches known malware (CED 4.4.A.5). (5b) Behavior-based IoC — unusual login time and location, indicating compromised password (CED 4.4.D.2, 4.4.A.6). (5c) Host-based IoC — unexpected process/service running (CED 4.4.A.4).
Premium Feature

1-on-1 Expert Support

Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.

2,067+ Verified Hours 5.0 Wyzant Rating 499+ Reviews
Learn About Expert Sessions →
TC
Tanner Crow
AP Computer Science Teacher — Blue Valley North High School

Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews.

11+ Years Teaching AP CS 2,067+ Verified Tutoring Hours 499+ Five-Star Reviews 5.0 Rating on Wyzant
Content last reviewed and updated: June 2026
← Topic 4.3 Exercise 1 →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]