5.6 Detecting Attacks on Data and Applications
Detecting Attacks on Data and Applications
Accounting and log analysis, honeypots, cryptographic hash verification, DLP, and identifying attack indicators in server logs.
• Accounting = recording/monitoring user activities; suspicious patterns: accessing unusual files, off-hours access, attempts to delete/copy sensitive data
• Honeypot: fake data file that alerts defenders when accessed (no legitimate reason to access it); near-instant detection but cannot detect adversaries who avoid it
• Hash verification: same input always produces same hash; changed hash = file altered; does NOT detect theft without alteration
• Hash commands: PowerShell = Get-FileHash testfile -Algorithm SHA256; BASH = sha256sum testfile; zsh = shasum -a 256 testfile
• Log analysis for SQL injection indicators: single/double quotes, OR 1=1, --, SQL keywords (WHERE, IN, FROM)
• Log analysis for XSS: tags in input
• Log analysis for buffer overflow: abnormally long URL, cookie, or query string fields
• Log analysis for directory traversal: ../ sequences in HTTP GET requests
• DLP (Data Loss Prevention): monitors data access/usage/transmission; strong detection at higher cost
• Real-time vs retrospective: honeypots, real-time DLP, automated log analysis = detect during attack; hash verification, retrospective logs = detect after
Topic 5.6 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 5.6.A.1 | Accounting: recording/monitoring user activities. Suspicious patterns: accessing unusual files, accessing outside normal patterns (time/location/device), attempts to delete/copy sensitive files. | Section 2 — Accounting and Logs |
| 5.6.A.2 | Honeypot: fake file with fake valuable data; alerts defenders if accessed; no legitimate reason = indicator of malicious activity. | Section 2 — Honeypots |
| 5.6.A.3 | Cryptographic hash functions generate a digest; if file changes unexpectedly, hash changes = possible malicious activity. | Section 3 — Hash Verification |
| 5.6.B.1 | Cost criterion: honeypots and hash checks are inexpensive; DLP services are higher-cost but stronger. | Section 4 — Detective Controls |
| 5.6.B.2 | Sensitivity criterion: more sensitive/critical data should be monitored more closely. | Section 4 — Detective Controls |
| 5.6.B.3 | Classification criterion: PII, PHI, financial, and educational data often have legal monitoring requirements. | Section 4 — Detective Controls |
| 5.6.C.1 | Log analysis needs automation for effective speed; honeypots offer near-instantaneous detection. | Section 4 — Detection Timing |
| 5.6.C.2 | Real-time: DLP, honeypots, automated log analysis — alert during attack. Retrospective: manual log analysis, hash verification — identify after attack. | Section 4 — Detection Timing |
| 5.6.C.3 | False negatives: hash functions only detect alteration, not theft. Honeypots cannot detect adversaries that do not access them. | Section 4 — False Negatives |
| 5.6.D.1 | Hash functions are repeatable: same input always produces same output. | Section 3 — Hash Properties |
| 5.6.D.2 | Hash commands: PowerShell = Get-FileHash testfile -Algorithm SHA256; BASH = sha256sum testfile; zsh = shasum -a 256 testfile | Section 3 — Hash Commands |
| 5.6.D.3 | Record hash, rehash later, compare: if different, file was altered. | Section 3 — Hash Comparison |
| 5.6.E.1 | SQL injection indicators in logs: single/double quotes, OR 1=1, --, SQL keywords (WHERE, IN, FROM in all caps). | Section 5 — Log Analysis |
| 5.6.E.2 | XSS indicators: script tags in user input (). | Section 5 — Log Analysis |
| 5.6.E.3 | Buffer overflow indicators: abnormally long URL, cookie, query string, or total request length. | Section 5 — Log Analysis |
| 5.6.E.4 | Directory traversal indicators: HTTP GET requests with ../ sequences in path parameters. | Section 5 — Log Analysis |
Answer independently. No notes.
- An organization places a file named
credit_card_database.csvin a shared folder. The file contains entirely fake card numbers. A system alert fires whenever the file is accessed. What type of detective control is this, and what does any access to this file indicate? - A system administrator hashes a configuration file and records the output:
a3f5b2.... Two weeks later they hash the file again and get9e7c41.... What does this tell them? What does it NOT tell them? - A security analyst reviews server logs and finds the entry:
GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1. The%27is URL-encoding for a single quote. What attack type is indicated? Name two other log indicators of the same attack type.
Q1: This is a honeypot (5.6.A.2). Since the file contains fake data, there is no legitimate reason for any user to access it. Any access immediately indicates suspicious or malicious activity — an adversary probing for valuable data.
Q2: The changed hash tells them: the file was altered between the first and second hash (5.6.D.3). It does NOT tell them: whether anyone read or copied the file. Hash verification only detects modification, not theft (5.6.C.3).
Q3: SQL injection. The decoded query is ' OR '1'='1 — a classic authentication bypass. Other indicators: double-dash (--) comment operator; SQL keywords in all caps (WHERE, SELECT, DROP, FROM); OR 1=1 boolean condition.
In This Lesson
- 5.6.1 — Learning Objectives
- 5.6.2 — Accounting and Log Analysis (5.6.A)
- 5.6.3 — Hash Verification (5.6.D)
- 5.6.4 — Detective Controls: Cost, Sensitivity, Classification (5.6.B–C)
- 5.6.5 — Identifying Attack Indicators in Logs (5.6.E)
- 5.6.6 — Check for Understanding (10 Questions)
- 5.6.7 — Common AP Exam Mistakes
- 5.6.8 — Key Terms & FAQ
1 5.6.1 — Learning Objectives
- Explain how accounting and log analysis reveal malicious activity; describe honeypots and their limitations (5.6.A)
- Use hash commands in PowerShell, BASH, and zsh to verify file integrity; explain what a hash change indicates and what it cannot detect (5.6.D)
- Evaluate detective controls using cost, sensitivity, and classification criteria; distinguish real-time from retrospective detection; identify false negatives (5.6.B–C)
- Identify indicators of SQL injection, XSS, buffer overflow, and directory traversal from HTTP server log entries (5.6.E)
- Accounting
- Recording and monitoring user activities to reveal malicious behavior through log analysis.
- Honeypot
- A file containing fake valuable data that alerts defenders when accessed. No legitimate access expected, so any access is suspicious.
- DLP (Data Loss Prevention)
- Third-party service that monitors data access, usage, and transmission throughout an organization. Strong detection at higher cost.
- Hash function
- A mathematical function that produces a fixed-length digest from input data. Same input always produces the same output (repeatable).
- Hash digest
- The fixed-length output of a hash function. Also called a hash, checksum, or fingerprint.
- Retrospective detection
- Identifying an attack after it has already occurred (e.g., manual log analysis, hash comparison after the fact).
- Real-time detection
- Identifying an attack while it is in progress (e.g., honeypot alerts, automated DLP, real-time log analysis).
- False negative
- A failure to detect an actual attack. Occurs when the detection method has inherent blind spots (e.g., hashing cannot detect theft without alteration).
2 5.6.2 — Accounting and Log Analysis (5.6.A)
Devices record when data are accessed and by whom. This process — accounting — creates logs that defenders analyze to detect malicious activity. Logs are the primary evidence source for both real-time alerts and forensic investigation after a breach.
Suspicious Access Patterns
- Accessing files not typically accessed by that user or account
- Accessing files or applications outside a user's normal patterns: unexpected time of day, unusual location, unfamiliar device type
- Attempts to delete or copy sensitive files (especially bulk operations or unauthorized accounts)
Honeypots
A honeypot is a file that looks like it contains valuable data (credit card numbers, PII, passwords) but actually contains entirely fake data. The system is configured to alert defenders immediately when the honeypot is accessed.
Why it works: There is no legitimate reason for any user to access the honeypot. Any access is automatically suspicious — an adversary probing for valuable data will access the bait.
Limitation: Honeypots cannot detect adversaries who do not attempt to access them (5.6.C.3). An adversary who targets only specific known files will never trigger the honeypot alert.
3 5.6.3 — Hash Verification (5.6.D)
Cryptographic hash functions take an input file and produce a fixed-length digest (hash) that is unique to that exact content. The same input always produces the same output — the function is repeatable. This makes hashes useful for detecting whether files have been modified.
Hash Verification Process (5.6.D.3)
- Hash the file and record the output (the baseline digest).
- Store the recorded hash securely.
- Hash the file again at a later time.
- Compare the new hash to the recorded baseline.
- If the hashes match: file is unchanged. If they differ: the file was altered.
Hash Commands (5.6.D.2 — CED Exact)
| Shell | Command for SHA256 Hash of testfile
|
|---|---|
| Windows PowerShell | Get-FileHash testfile -Algorithm SHA256 |
| Linux/Unix BASH | sha256sum testfile |
| macOS zsh | shasum -a 256 testfile |
A cryptographic hash only detects whether the file's content has changed. An adversary who reads a file, copies its contents, and does not modify it produces no hash change. The hash before and after their visit is identical — the theft is invisible to hash verification.
This is a false negative: an attack (data theft) occurred, but the detection method (hashing) did not detect it.
4 5.6.4 — Detective Controls: Cost, Sensitivity, Classification (5.6.B–C)
Organizations select detective controls based on three criteria from the CED: cost, sensitivity of the data, and regulatory classification requirements.
| Criterion | Description | Example |
|---|---|---|
| Cost | Honeypots and hash verification are inexpensive. DLP services are higher-cost but provide stronger, broader detection. | A small business uses honeypots and hashing; an enterprise uses DLP. |
| Sensitivity | More sensitive or critical data should be monitored more closely. High-value targets attract adversaries. | PHI and financial records warrant DLP; low-sensitivity archives can rely on periodic hash checks. |
| Classification | PII, PHI, educational, and financial data often have legal/regulatory monitoring requirements. | HIPAA requires auditing of PHI access; PCI-DSS requires logging of cardholder data access. |
Real-Time vs. Retrospective Detection
| Timing | Methods | Capability |
|---|---|---|
| Real-time | Honeypots, DLP tools, automated log analysis | Alert while attack is in progress; enables prompt response to stop attack before more damage |
| Retrospective | Manual log analysis, hash verification after the fact | Identify attacks after they have already occurred; useful for forensics but cannot stop the attack in progress |
The CED specifically notes that honeypots offer near-instantaneous detection (5.6.C.1). This is because the alert fires the moment any access attempt is logged — there is no analysis delay. This makes honeypots one of the fastest detective controls available for data-at-rest threats.
5 5.6.5 — Identifying Attack Indicators in Logs (5.6.E)
The AP free-response question provides server log entries and asks you to identify which attack type each entry indicates. Know the specific indicators for all four attack types from 5.1.
| Attack Type | Log Indicators to Look For | Example Log Entry |
|---|---|---|
| SQL Injection | Single or double quotes in input; OR 1=1; double-dash --; SQL keywords in all caps (WHERE, SELECT, FROM, IN, DROP) |
GET /search?q=admin%27+OR+%271%27%3D%271+-- |
| XSS |
tags in user input fields |
POST /comment text= |
| Buffer Overflow | Abnormally long URL, cookie value, query string, or total HTTP request length | GET /login?user=AAAAAAAAA...[2000 chars]...AAAA HTTP/1.1 |
| Directory Traversal |
../ sequences in URL path parameters (GET requests) |
GET /img?file=../../../etc/passwd HTTP/1.1 |
200 OK: The request succeeded — if it was an attack, it likely worked. A 200 response to a directory traversal attempt means the file was returned.
403 Forbidden / 404 Not Found: The request was blocked or the resource was not found. The attack may have been attempted but blocked. However, a 403 does not mean the underlying vulnerability is patched — only that this specific request was blocked.
500 Internal Server Error: The application crashed or encountered an error. SQL injection attempts that cause syntax errors in a query often return 500. Indicates the application processed (and was affected by) the malicious input.
Check for Understanding — Topic 5.6
1. A system administrator records the SHA256 hash of a critical configuration file as ab34.... Two weeks later, the hash is f19e.... A review of access logs shows one user viewed the file but made no edits according to the application. What does the hash change indicate, and what limitation of hash verification is illustrated?
2. A security analyst reviews logs for a protected PII database. Which of the following access patterns should be flagged as a suspicious indicator of potential malicious activity?
3. A server log contains the entry: GET /profile?id=1+UNION+SELECT+username,password+FROM+admin_users+--+HTTP/1.1+200. Which attack type is indicated, and what specific elements of the log entry confirm this?
4. An organization places a file named passwords_backup.txt (containing fake credentials) in a shared network folder and configures an alert for any access. A real file named passwords.txt containing actual credentials exists in a different location. This week the alert fires. Which statement BEST evaluates this scenario?
5. A defender uses BASH to verify the integrity of a file. Which command correctly generates the SHA256 hash for a file named audit_log.txt?
6. A security team evaluates two detective controls for protecting a database containing regulated health records (PHI): (A) placing honeypots in the database directory, and (B) deploying a DLP service that monitors all data access and transmission. Using the three CED criteria for determining detective controls, which approach is MOST appropriate for this scenario?
7. A log shows the following HTTP request: GET /files?doc=../../../etc/shadow HTTP/1.1 200. What attack occurred, what data was likely accessed, and what does the 200 status code indicate?
8. Which of the following correctly identifies a FALSE NEGATIVE limitation of each detective control?
9. Which of the following log entries MOST clearly indicates an attempted XSS attack?
10. A forensic analyst compares two detective controls used after a suspected breach. Control A (honeypot) did not fire any alerts during the suspected breach window. Control B (hash verification) shows that the file containing customer SSNs has an unchanged hash but access logs show it was opened by an unauthorized account. Which conclusion is BEST supported by this evidence?
⚠ Common AP Exam Mistakes — Topic 5.6
| Common Mistake | Why It's Wrong | Correct Thinking |
|---|---|---|
| Thinking hash change proves theft | A hash change proves the file was modified. Theft (reading/copying without modifying) leaves the hash unchanged. Students conflate modification with theft. | Hash change = file content was altered. No hash change = content was not altered. Theft without modification is invisible to hash verification. |
| Saying honeypots detect all attacks on data | Honeypots only trigger when an adversary attempts to access the honeypot file specifically. Adversaries who target only real files and ignore the honeypot will never trigger it. | Honeypot blind spot: adversaries who do not access the decoy. Always combine honeypots with other controls (logging, DLP) for comprehensive coverage. |
| Confusing real-time and retrospective detection | Hash verification and manual log review are retrospective — they identify attacks after they occur. Students say hash verification prevents attacks, but it only detects modification after the fact. | Honeypots and DLP are real-time (alert during attack). Hash verification and retrospective log review identify attacks after the fact. Prevention is different from detection. |
| Misidentifying SQL injection log indicators | Students focus only on OR 1=1 and miss that single quotes, double-dash, and SQL keywords (in all-caps) are also SQL injection indicators in logs. | SQL injection indicators: single quote, double quote, OR 1=1, double-dash (--), and ALL-CAPS SQL keywords (WHERE, SELECT, FROM, DROP, IN). Learn all five categories. |
| Thinking 403 response means the attack failed and the vulnerability is fixed | A 403 means this specific request was blocked. The underlying vulnerability may still exist — a different request might bypass the restriction. 403 is a response, not a patch. | 403 = this request was blocked. The vulnerability may still be present. Always investigate and patch the root cause, not just the blocked request. |
8 5.6.8 — Key Terms & FAQ
Q: What is the difference between sha256sum (BASH) and shasum -a 256 (zsh)?
A: Both produce the same SHA256 hash output for the same input file. They are different command-line tools that come with different Unix/Linux systems: sha256sum is the standard tool on Linux/Ubuntu; shasum is available on macOS (zsh is the default shell on modern Macs). The -a 256 flag in shasum specifies the algorithm. The CED requires you to know all three commands (PowerShell, BASH, zsh).
Q: Can a log analysis tool be both real-time and retrospective?
A: Yes. Many SIEM (Security Information and Event Management) tools analyze logs in near real-time AND allow retrospective querying of historical logs. The CED distinguishes between tools that provide alerts during an attack and tools that identify attacks after the fact — but a comprehensive tool can do both.
Q: How does DLP differ from a firewall?
A: A firewall controls which network traffic is allowed in or out based on rules (source, destination, port, protocol). DLP monitors what data users access, use, and transmit — it looks at the content and context of data operations, not just network packets. DLP can detect an insider who emails a spreadsheet of customer SSNs to a personal email; a firewall typically cannot.
Q: Is the FRQ likely to include log analysis questions?
A: Yes. The AP Cybersecurity FRQ description explicitly mentions log files as a source type. Expect to analyze log entries and identify attack indicators. Know the four attack types from 5.1 and the specific log patterns for each from 5.6.E.
Students submit before leaving.
- Explain how a honeypot detects malicious activity and identify its specific false-negative limitation from the CED. (AP Skill: Evaluate Controls)
- A system administrator hashes a sensitive file and records the digest. A week later, the hash is different. What does this confirm? What does it not confirm? Write the BASH command to generate the SHA256 hash for a file named
confidential.db. (AP Skill: Apply Hash Verification) - Using the three CED criteria for detective controls, explain why a hospital would be justified in deploying DLP (not just honeypots) for files containing patient records. (AP Skill: Determine Controls)
- Review the following log entries. For each, identify the attack type and cite the specific indicator: (a)
GET /search?q=%27+UNION+SELECT+*+FROM+users+--; (b)GET /img?f=../../../../etc/passwd; (c)POST /review body=. (AP Skill: Analyze Logs) - An adversary reads a copy of a salary spreadsheet without modifying it. Will a cryptographic hash check of the file detect this? Will a honeypot detect it? Explain both answers using the CED false-negative descriptions. (AP Skill: Evaluate Detection Methods)
Q1: Honeypot: a file with fake valuable data; any access alerts defenders because no legitimate reason to access it exists (5.6.A.2). False-negative limitation: honeypots cannot detect adversaries who do not attempt to access them — an adversary who targets only real files will never trigger the alert (5.6.C.3).
Q2: Confirms: the file content was altered between the two hash operations (5.6.D.3). Does not confirm: who changed it, when exactly, or whether data was also copied/stolen without modification (5.6.C.3). BASH command: sha256sum confidential.db
Q3: Classification: PHI (patient records) is governed by HIPAA, which has legal monitoring requirements (5.6.B.3). Sensitivity: patient records are highly sensitive and critical, warranting closer monitoring (5.6.B.2). Cost: the cost of HIPAA non-compliance (fines, breach notification) exceeds the cost of DLP (5.6.B.1). All three criteria support DLP.
Q4: (a) SQL injection — indicators: single quote (%27='), UNION SELECT, double-dash (--). (b) Directory traversal — indicator: ../../../../etc/passwd (multiple ../ sequences in path parameter). (c) XSS — indicator:
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]