Detecting Device Attacks | AP Cybersecurity

Unit 4 • Topic 4.4 • Detecting Attacks on Devices

Detecting Attacks on Devices: Indicators of Compromise

Topic 4.4 asks how to detect attacks against devices by watching for indicators of compromise: signs that a device has been attacked, such as unexpected processes, performance changes, or unusual network activity.

Indicators: signs of compromise
Controls: logs, anti-malware, monitoring
Evaluate: speed, cost, accuracy
Indicators appear → Logs + tools flag → Investigate → Respond
Detection turns indicators of compromise into a response.

How device attacks are detected

Detection looks for indicators of compromise: a device running slowly, unknown processes, files that changed unexpectedly, new accounts, or traffic to suspicious addresses. Anti-malware alerts, system logs, and monitoring tools surface these signs.

Some malware actively hides, like a rootkit, so detection may rely on behavior and integrity checks rather than spotting a known file.
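The two paragraphs above describe what an indicator of compromise is and why hidden malware forces a fall-back to behavior and integrity checks. The following is an added example, not code from the original page: a small Python checker that compares one scan of a hypothetical laptop against a known-good baseline and reports each kind of indicator it finds. The baseline sets, the allow-listed destinations, the CPU threshold, the file contents and both scans are constructed for illustration, and the "three distinct kinds of indicator" rule in `assess` is an assumption chosen to reflect the page's point that several indicators together are more telling than one.

```python
import hashlib
from dataclasses import dataclass

# Constructed known-good baseline for one hypothetical laptop (not real host data).
KNOWN_PROCESSES = {"explorer.exe", "svchost.exe", "chrome.exe", "outlook.exe"}
KNOWN_ACCOUNTS = {"alice", "Administrator"}
TRUSTED_DESTINATIONS = {"10.0.0.5", "outlook.office365.com"}   # hypothetical allow list
CPU_THRESHOLD = 80.0                                            # hypothetical "running slowly" cut-off

# Integrity baseline: SHA-256 of files that should not change between scans.
# The file contents are placeholders standing in for real system binaries.
GOOD_FILES = {"hosts": b"127.0.0.1 localhost\n", "winlogon.exe": b"original winlogon bytes"}
BASELINE_HASHES = {name: hashlib.sha256(data).hexdigest() for name, data in GOOD_FILES.items()}


@dataclass
class Snapshot:
    """What a monitoring agent observed on the device during one scan."""
    processes: set
    accounts: set
    connections: list     # (process name, destination, bytes sent)
    files: dict           # file name -> current contents
    cpu_percent: float


def find_indicators(snap):
    """Return (kind, detail) pairs for every indicator of compromise in the snapshot."""
    found = []
    for proc in sorted(snap.processes - KNOWN_PROCESSES):
        found.append(("unknown_process", proc))
    for acct in sorted(snap.accounts - KNOWN_ACCOUNTS):
        found.append(("new_account", acct))
    for proc, dest, sent in snap.connections:
        if dest not in TRUSTED_DESTINATIONS:
            found.append(("suspicious_destination", f"{proc} -> {dest} ({sent} bytes)"))
    # Integrity check: a rootkit may hide its own files from a directory listing,
    # but a system file it patched still hashes differently from the baseline.
    current = {name: hashlib.sha256(data).hexdigest() for name, data in snap.files.items()}
    for name, good in BASELINE_HASHES.items():
        if current.get(name) != good:
            found.append(("integrity_mismatch", name))
    if snap.cpu_percent >= CPU_THRESHOLD:
        found.append(("performance_drop", f"cpu={snap.cpu_percent:.0f}%"))
    return found


def assess(indicators):
    """One indicator alone may be benign; several different kinds together point to compromise."""
    kinds = {kind for kind, _ in indicators}
    if len(kinds) >= 3:          # assumed threshold for this example
        return "likely compromise: investigate and respond"
    if kinds:
        return "possible: investigate"
    return "no indicators"


# Constructed scans: one host where a user installed a new app, and one that
# matches the slow laptop with an unfamiliar process sending data out.
NEW_APP_ONLY = Snapshot(
    processes=KNOWN_PROCESSES | {"zoom.exe"},
    accounts=set(KNOWN_ACCOUNTS),
    connections=[("outlook.exe", "outlook.office365.com", 1200)],
    files=dict(GOOD_FILES),
    cpu_percent=12.0,
)
SUSPECT_LAPTOP = Snapshot(
    processes=KNOWN_PROCESSES | {"updater.exe"},
    accounts=KNOWN_ACCOUNTS | {"support"},
    connections=[("updater.exe", "203.0.113.7", 48_000_000)],   # TEST-NET-3 address
    files={**GOOD_FILES, "winlogon.exe": b"patched winlogon bytes"},
    cpu_percent=94.0,
)

if __name__ == "__main__":
    for label, snap in (("new app only", NEW_APP_ONLY), ("suspect laptop", SUSPECT_LAPTOP)):
        hits = find_indicators(snap)
        print(f"{label}: {assess(hits)}")
        for kind, detail in hits:
            print(f"  {kind}: {detail}")
```

The first scan produces a single unknown process and is only flagged for a look, which is the right outcome for a legitimate new install. The second produces five different kinds of indicator, including a hash mismatch on a file the attacker changed, and is escalated even though no specific malware family has been named.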

Scenario

A laptop suddenly runs slowly, has an unfamiliar process, and is sending data to an unknown server. What do these suggest?


Indicators of compromise. Together they point to a device attack, such as spyware or a RAT, even before the specific malware is named.

Exam tip

Detection is about indicators and evidence, not prevention. The question often asks which sign or control would reveal an attack.

Choosing a detection method

Detection methods are evaluated on trade-offs: how fast they detect, how much they cost, and how accurate they are (false positives and false negatives). No method is perfect, so organizations pick controls that fit the device's risk.

This mirrors the network-detection trade-offs from Unit 3: speed, cost, and error rates drive the choice.
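To make the speed, cost and accuracy trade-off concrete, here is an added example (not from the original page) in Python. It scores three hypothetical detection methods against a constructed set of ten events, three of which were real attacks, computes each method's false positive and false negative rates, and then picks a method for a device by weighing the value at risk from missed attacks against the method's cost and the analyst time wasted on false alarms. The method names, costs, detection times, alert results, device values and triage cost are all made-up figures; only the shape of the trade-off is the point.

```python
from dataclasses import dataclass

# Constructed evaluation set: ten events observed on a test device, of which
# three (ids 2, 5 and 9) were real attacks. Everything else was benign.
EVENT_IDS = frozenset(range(1, 11))
TRUE_ATTACKS = frozenset({2, 5, 9})


@dataclass(frozen=True)
class Method:
    name: str
    cost: float                 # hypothetical yearly cost per device
    detect_seconds: float       # typical time from attack to alert
    flagged: frozenset          # event ids the method raised an alert on


# Hypothetical methods with made-up figures; only the trade-off shape matters.
METHODS = (
    Method("signature_scan", cost=5.0, detect_seconds=3600.0, flagged=frozenset({2, 5})),
    Method("behavioral_edr", cost=40.0, detect_seconds=30.0, flagged=frozenset({2, 4, 5, 7, 9})),
    Method("integrity_check", cost=10.0, detect_seconds=86400.0, flagged=frozenset({9})),
)


def error_counts(method):
    """False positives: benign events flagged. False negatives: attacks missed."""
    false_positives = len(method.flagged - TRUE_ATTACKS)
    false_negatives = len(TRUE_ATTACKS - method.flagged)
    return false_positives, false_negatives


def error_rates(method):
    """Return (false positive rate, false negative rate) for the method."""
    fp, fn = error_counts(method)
    benign = len(EVENT_IDS - TRUE_ATTACKS)
    return fp / benign, fn / len(TRUE_ATTACKS)


def expected_loss(method, device_value, triage_cost):
    """Value at risk from missed attacks, plus the method's cost, plus analyst time on false alarms."""
    fp, fn = error_counts(method)
    fn_rate = fn / len(TRUE_ATTACKS)
    return device_value * fn_rate + method.cost + triage_cost * fp


def choose(methods, device_value, triage_cost, max_detect_seconds=None):
    """Pick the lowest-expected-loss method that alerts fast enough for this device's risk."""
    candidates = [m for m in methods
                  if max_detect_seconds is None or m.detect_seconds <= max_detect_seconds]
    if not candidates:
        raise ValueError("no method alerts fast enough for this device")
    return min(candidates, key=lambda m: expected_loss(m, device_value, triage_cost))


if __name__ == "__main__":
    for m in METHODS:
        fpr, fnr = error_rates(m)
        print(f"{m.name:16} FPR={fpr:.2f} FNR={fnr:.2f} cost={m.cost:>5} detect={m.detect_seconds:>7}s")
    # A workstation holding sensitive data: alerts must arrive within minutes.
    print("workstation:", choose(METHODS, device_value=30_000, triage_cost=50, max_detect_seconds=600).name)
    # A public kiosk with nothing sensitive on it: slow, cheap detection is acceptable.
    print("kiosk:      ", choose(METHODS, device_value=300, triage_cost=50).name)
```

For the high-value workstation the behavioral method wins twice over: it is the only one fast enough, and even without the time limit its two false positives cost far less than the one attack the signature scanner misses. For the low-value kiosk the same missed attack is cheap, so the slow, inexpensive scanner comes out ahead. Changing the device value or the triage cost changes the answer, which is exactly why the page says the choice has to be matched to the device's risk.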

Scenario

Why might a high-value workstation justify a more expensive, faster detection method than a kiosk?


Risk. The workstation's higher value and sensitivity make faster, more accurate detection worth the added cost, while a low-risk kiosk may not.

Real-world example

Spotting a quiet infection

Spyware and RATs often run silently, but they leave indicators: unexpected processes, performance drops, and traffic to unknown servers. Monitoring surfaces these signs so teams can respond.

Several indicators together point to compromise.

Key Terms

Indicator of compromise: An observable sign that a device was attacked.
Anti-malware alert: A warning from anti-malware scanning software that it found known-malicious code or behavior.
System log: A record of system and user actions, used to spot anomalies.
False positive: A benign event flagged as an attack.


Common Mistakes


Confusing detection with prevention

Detection reveals an attack; prevention stops it. Topic 4.4 is about revealing.


Expecting one obvious sign

Indicators often appear together; a single symptom may be benign.


Forgetting hidden malware

Rootkits hide, so detection may need behavior or integrity checks.


Ignoring trade-offs

Methods differ in speed, cost, and accuracy; match them to risk.

Check for Understanding

Question 1
Signs that a device may have been attacked are called:
B. Indicators of compromise are the observable signs of an attack on a device.
Question 2
Which would be an indicator of compromise? I. An unknown running process. II. Traffic to a suspicious server. III. A routine OS update.
A. I and II suggest compromise. A routine update is normal, so III is not an indicator.
Question 3
Detection methods are commonly evaluated by:
B. Methods are weighed by detection speed, cost, and accuracy (false positives and negatives).
Question 4
Why can a rootkit be hard to detect by file scanning?
A. A rootkit embeds in the OS and conceals itself, so behavior or integrity checks may be needed.
Question 5
Topic 4.4 (detecting device attacks) focuses on:
D. Detection reveals attacks; it does not by itself prevent them.
Question 6
Why match the detection method to the device's risk?
C. Higher-risk devices warrant stronger detection despite higher cost; low-risk ones may not.

Frequently Asked Questions

How are attacks on devices detected?
By watching for indicators of compromise, such as unknown processes, performance changes, altered files, or suspicious network activity, surfaced by logs, anti-malware, and monitoring.

What is an indicator of compromise?
An observable sign that a device may have been attacked, like an unfamiliar process or traffic to a suspicious server. Several together strengthen the case.

How are detection methods chosen?
By trade-offs: how fast they detect, how much they cost, and how accurate they are in terms of false positives and false negatives, matched to the device's risk.
