Exercise 1: Predict-First Detection MCQs

AP Cybersecurity · Unit 5 · Lesson 5.6 · Exercise 1

Predict-First Detection MCQs

Eight questions on detection fundamentals from Lesson 5.6. For each question, predict your answer before looking at the options — that habit is what turns multiple-choice AP questions from gambles into scoring opportunities. After you answer, read the feedback on every option, not just the correct one: knowing why the distractors are wrong is half the point.

8 Questions Predict-First ~20 min Instant Feedback
Score 0 / 8
Question 1

A developer adds the following logging line to an authentication endpoint so the SOC can investigate failed logins. Assume the logger ships to a centralized SIEM that is read by multiple teams, including contractors.

logger.info("auth_failure: user=%s submitted=%s from=%s", user_email, submitted_password, source_ip)

The code is reviewed before merge. Which single change is the primary fix?

✎ Predict: Which argument in the log line must not reach the SIEM under any circumstance?
Question 2

An incident response team is evaluating its detection program. Consider the following three claims about MTTD (mean time to detect) and MTTR (mean time to respond):

I. A program with low MTTD and high MTTR can still produce long dwell times.
II. Reducing MTTR requires a written playbook more than it requires new tooling.
III. False positive rate does not affect MTTD as long as analysts triage every alert.

Which of the statements is/are correct?

✎ Predict: Dwell time = MTTD + MTTR. What does high false positive rate do to analyst attention even when every alert is triaged?
Question 3

A SIEM engineer is onboarding a new application. The application emits logs in free-form syslog like this:

<134>1 2026-04-18T14:23:09Z web-01 app 2847 - - User alice.nguyen logged in successfully from 198.51.100.42 after 2 MFA attempts

Version 2 of the application is about to ship. The vendor offers to change the log output to either (a) the same free-form text with slightly reworded messages, or (b) structured JSON with named fields for user, source_ip, outcome, and mfa_attempt_count. Which recommendation is correct?

✎ Predict: What breaks on existing correlation rules if the free-form wording changes? What does not break if JSON field names stay stable?
Question 4

A forensic investigator reviewing a breach sees the following sequence in correlated SIEM data. Clocks on each host are local-timezone and NOT synchronized via NTP:

web-01 (US-East, local): 14:03:12 privilege_escalation user=alice
auth-srv (UTC): 18:01:47 auth_success user=alice source=new-device
auth-srv (UTC): 18:03:12 mfa_bypass_detected user=alice


Which statement about this evidence is correct?

✎ Predict: Convert each timestamp to a single reference frame. What order do the events occur in? Is the apparent causality real or an artifact?
Question 5

A SIEM engineer writes the following correlation rule to detect brute-force login attempts:

SELECT source_ip, COUNT(*) AS attempts
FROM auth_events
WHERE timestamp > NOW() - INTERVAL '5 minutes'
GROUP BY source_ip
HAVING COUNT(*) >= 10;


Three weeks later, the SOC reports that a credential-stuffing campaign was missed despite producing over 8,000 failed logins in 30 minutes. The rule was functioning correctly. Which single change would have caught this campaign?

✎ Predict: Credential stuffing spreads attempts across many usernames from a botnet of IPs. What does this rule group by, and what does the attacker spread across?
Question 6

A SOC is choosing which threat-intelligence signals to invest engineering time in. Consider these three detection investments:

I. Block a list of 50,000 known-bad IP addresses updated nightly from a threat feed.
II. Match file hashes against a database of malware samples from the last 180 days.
III. Alert whenever Microsoft Word spawns PowerShell with an encoded command argument.

Ranked from least to most painful for a determined attacker to evade, the correct order is:

✎ Predict: Pyramid of Pain (section 5.6.7): IP addresses are at the bottom (trivial to rotate), hashes are below IPs (recompile to evade), TTPs are at the top (require behavioral change). Match each option to its level.
Question 7

An attacker phishes an administrator's session cookie via info-stealer malware, replays the stolen cookie, and authenticates to the admin console from a VPS in another country. MFA is configured on the account but the cookie skips the MFA challenge because the session is "already authenticated." The SIEM has correct data flowing from the identity provider, the web application, and the cloud provider.

Which detection would have caught this scenario while the attacker still had the session active?

✎ Predict: MFA fires at authentication-time; session replay bypasses it. What layer detects abuse of valid credentials that the attacker authenticated with?
Question 8

The SOC is building detections for log-integrity attacks — cases where an attacker who gained root on a host attempts to cover their tracks by deleting or modifying local logs. Each of the following controls helps defend against post-breach log tampering EXCEPT:

✎ Predict: What is the defender's threat model in section 5.6.9? If the attacker has root on the host, which controls on that same host do they defeat?

Exercise Complete

Final score: 0 / 8

AP Cybersecurity · Unit 5 · Lesson 5.6 · Exercise 1
LessonExercise 1LabQuiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]