Exercise 2: Chained Detection Scenarios

AP Cybersecurity · Unit 5 · Lesson 5.6 · Exercise 2

Chained Detection Scenarios

Six mini-incidents. Each is a realistic detection scenario pulled from common SOC patterns: credential stuffing, insider threats, cloud account compromise, ransomware staging, supply chain, and log tampering. Predict the response before checking options. Understanding why the distractors are wrong matters as much as identifying the right answer.

6 Scenarios Predict-First ~30 min Partial Credit
Score 0 / 6
Question 1

Scenario 1: The Quiet Credential Stuffing

An e-commerce site's SOC reviews overnight alerts. The brute-force rule (10+ failed logins from one IP in 5 minutes) fired zero times. However, customer support reports four separate complaints of unauthorized purchases this morning, all from accounts whose passwords users admit to reusing from other sites. The SIEM shows 72,000 failed logins last night distributed across 18,000 source IPs and 12,000 different usernames.

The SOC manager asks: which detection would have caught this campaign in real time?

✎ Predict: The existing rule groups by source_ip. What dimension is the attacker spreading across that keeps every IP below threshold?
Question 2

Scenario 2: The 30-Minute Exfiltration

At 2:43 AM, a UEBA engine scores an event high-risk: employee j.morrison, a software engineer who has never accessed the customer_billing database in three years of employment, ran 847 queries against it in 30 minutes, returning 4.2 GB of CSV exports. The credentials are valid. MFA challenge succeeded. The source IP is the employee's known home broadband.

The SOC lead asks: what is the highest-confidence detection signal in this event?

✎ Predict: Valid creds + valid MFA + known IP. What makes this detectable at all? Which baseline is broken most severely?
Question 3

Scenario 3: The Leaked IAM Key

A DevOps engineer accidentally commits an AWS IAM access key to a public GitHub repository at 9:17 AM. GitHub's secret-scanning notifies the engineer at 9:19 AM. The key is rotated at 9:24 AM. However, CloudTrail logs show the following activity on the leaked key between 9:18 and 9:23 AM:

9:18:02 AssumeRole: arn:aws:iam::123456:role/admin
9:18:05 ListBuckets: all-regions
9:18:22 CreateAccessKey: new-iam-user-z8x1
9:19:10 GetObject: prod-backups/db-2026-04-17.sql.gz
9:21:47 CreateUser: svc-legit (tagged "legitimate_service")
9:23:15 AttachUserPolicy: AdministratorAccess to svc-legit


The IR lead asks: besides rotating the leaked key, what is the most critical immediate action?

✎ Predict: The attacker used the stolen key for 6 minutes. What did they do in that time that survives the key rotation?
Question 4

Scenario 4: The Pre-Encryption Signals

A SOC analyst is reviewing a Friday-afternoon alert chain from an internal file server. Over the previous 6 hours, the following activity was logged:

· 13:02vssadmin.exe delete shadows /all /quiet executed by SYSTEM context
· 13:05wbadmin.exe delete catalog -quiet
· 13:18 — 30 MB of outbound traffic to a first-seen IP (Ukraine)
· 14:22 — recursive enumeration of network shares from the server's service account
· 16:45 — EDR agent on the server stopped sending telemetry

Which of these events should have triggered the highest-priority alert for an analyst to investigate immediately?

✎ Predict: Which event is specifically associated with ransomware staging? Which alert, if you got it at that moment, would let you contain the incident before encryption begins?
Question 5

Scenario 5: The Signed Update That Called Home

A security-monitoring platform deployed to 340 servers pushes a routine auto-update signed with the vendor's legitimate code-signing certificate. Two days later, one of the company's network sensors flags unusual DNS queries from 340 servers: they are each resolving a domain that matches a known command-and-control pattern from an industry threat-intel feed.

The IR lead must classify the incident severity using NIST SP 800-61 framing. Which severity classification applies, and what does it drive?

✎ Predict: Supply-chain compromise of a trusted platform vendor on 340 hosts. How does that score on NIST severity — and what containment action does it justify?
Question 6

Scenario 6: The Logs Stopped on Tuesday

A forensic investigator examining a breached Linux web server notices the following:

· /var/log/auth.log contains entries through Tuesday at 14:22, then nothing until the compromise was discovered Thursday morning.
· auditd was configured to log to /var/log/audit/audit.log, which also shows the same Tuesday 14:22 cutoff.
· The server's bash history for the attacker's working account is empty.
· Remote syslog to the SIEM was configured and logs flowed through Tuesday 14:22 — and then stopped.

Which conclusion is best supported by this evidence?

✎ Predict: Local logs AND remote SIEM stopped at the same moment. What does that tell you about where the attacker took action, and what they could not have done?

Complete

Final score: 0 / 6

AP Cybersecurity · Unit 5 · Lesson 5.6 · Exercise 2
LessonExercise 1Exercise 2Quiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]