02 Comparing Threat Types
Mini Quiz Answers

Question 1: An organization detects automated port scanning using common, publicly available tools followed by the deployment of generic ransomware with no customization. The threat actor shows minimal technical skill and relies entirely on pre-built exploit kits downloaded from forums. Which term BEST describes this threat actor?

  • A. Nation state. A nation state attack is sponsored by a foreign government, agency, or military entity, but there is no information stated in the question to indicate that is the case.
  • B. Organized crime. While a financial motive ("ransomware") is listed in this question, organized crime groups tend to have significant skill, which this threat actor does not.
  • C. Script kiddie. A script kiddie uses publicly available tools, limited to no customization, and limited technical skill.
  • D. Competitor. There is no information in the question to show a competitor was involved.

Question 2: Over the past 18 months, a defense contractor has observed extremely stealthy network traffic exfiltrating sensitive schematics to an overseas IP address only during off-peak hours. The attacker used previously unknown exploits and custom malware that erased logs upon detection. This operation required significant funding and patience. Which actor is most likely responsible?

  • A. Hacktivist. A hacktivist's motives are related to politics, environmental concerns, or other ideology, not exfiltrating data.
  • B. APT. This meets all the requirements of an APT. The attack continued persistently for 18 months and used a high level of skill and resources.
  • C. Script kiddie. Script kiddies have the least resources, whereas this threat actor has significant resources.
  • D. Insider threat. While this could be an insider threat, the definition fits APT best.

Question 3: A hospital's systems are encrypted by ransomware. The ransom note includes a professional call center number for negotiation, and the payment is demanded in cryptocurrency with detailed instructions on how to purchase it. The malware is identified as a variant sold on underground forums with a revenue-sharing model. Which actor profile fits this description?

  • A. Organized crime. The motive is financial (ransomware), while the malware and operations have a professional quality. This best suits organized crime groups.
  • B. Hacktivist. A hacktivist's motives are related to politics, environmental concerns, or other ideology, not ransomware.
  • C. Competitor. There is no information in the question to show a competitor was involved.
  • D. Script kiddie. The description of the attack shows skill and professionalism, which are not associated with script kiddies.

Question 4: A group claiming affiliation with an environmental activism movement has launched a prolonged DDoS attack against an oil company's public website and replaced the homepage with a political manifesto. They have made no attempt to steal money or intellectual property. What is the primary motivation classification for this group?

  • A. Financial gain. There is no indication that financial gain is involved; the question states there is no attempt to steal.
  • B. Chaotic. The chaotic motive involves seeking thrills, whereas this attack is politically motivated.
  • C. Ideological. The question describes hacktivists, who have an ideological motive. They conduct cyberattacks because of their beliefs.
  • D. Coercion. Coercion is a social engineering technique. This question describes a direct cyberattack.

Question 5: A network administrator, fearing impending layoffs, creates a hidden backdoor account to access the company's customer database six months after termination for the purpose of selling the data to a competitor. What type of threat does this represent?

  • A. Shadow IT. Shadow IT refers to the unauthorized use of personal devices or software, not the installation of malware or the creation of persistent accounts.
  • B. Intentional insider threat. This action describes an intentional insider threat.
  • C. Supply chain threat. A supply chain threat originates from a third-party supplier. This staff member is part of the organization.
  • D. Unintentional insider threat. This question describes deliberate (intentional) actions.

Question 6: An employee installs an unapproved cloud storage application on their work laptop to synchronize large project files for personal convenience, inadvertently bypassing corporate Data Loss Prevention controls and uploading sensitive documents to a personal account. What term describes this activity?

  • A. Corporate espionage. While this could be one company spying on another, not enough evidence exists in the question to support this theory.
  • B. Shadow IT. Shadow IT refers to the unauthorized use of personal devices or software, which is a significant risk.
  • C. Zero-day exploit. A zero-day exploit is a malicious attack unknown to the software vendor.
  • D. Hacktivism. A hacktivist's motives are related to politics, environmental concerns, or other ideology, not stealing data.

Question 7: The IT department is reviewing all publicly exposed APIs, open ports, wireless access points, and employee user accounts to determine the total sum of possible entry points an attacker could potentially use. What concept are they assessing?

  • A. Attack vectors. An attack vector is a specific method or technique used for unauthorized access, not just an opportunity.
  • B. Threat intelligence. Threat intelligence relates to specific data on threat actors, like techniques or timing.
  • C. Attack surface. The attack surface is the total sum of all possible entry points into the organization, whether devices, people, applications, or buildings.
  • D. Risk appetite. The term risk appetite describes how much risk an organization is willing to tolerate in its operations, rather than a specific pathway for cyberattacks.

Question 8: An attacker sends an email containing a malicious link disguised as a shipping notification to a senior executive's inbox to deliver credential-harvesting malware. What is the BEST description of this activity?

  • A. Whaling. The question describes the target as a "senior executive". Whaling targets high-profile, influential employees who hold, or have access to, significant authority.
  • B. Spearphishing. This attack does describe spearphishing, which is targeted. However, whaling is a better description since the attack is targeted at a senior executive.
  • C. Social engineering. This is a social engineering attack, but this term is not specific enough.
  • D. Business Email Compromise. A Business Email Compromise (BEC) is a sophisticated, targeted phishing attack where cybercriminals impersonate executives, employees, or trusted vendors via email to trick victims into transferring funds or stealing sensitive data. A BEC could certainly be the next step in this attack, but the goal of the attack is currently stated as "credential harvesting".

Question 9: A researcher discovers a flaw in a widely used operating system that allows privilege escalation. No patch exists because the vendor is currently unaware of the vulnerability. An attacker begins exploiting this flaw immediately in the wild. What type of vulnerability is this?

  • A. Legacy vulnerability. A legacy vulnerability is a security flaw in outdated software, hardware, or IT systems that no longer receives vendor support, updates, or security patches.
  • B. Zero-day. A zero-day is a vulnerability unknown to the vendor.
  • C. Commodity malware. Commodity malware describes malware often available for purchase or rent.
  • D. Fileless malware. Fileless malware is a stealthy cyberattack that runs directly in a computer's RAM rather than installing files on the hard drive. It abuses trusted, legitimate system tools like PowerShell, Windows Management Instrumentation (WMI), or registry keys to execute malicious actions.

Question 10: The company's Chief Financial Officer (CFO) does not wish to pay for security updates because he sees it as a waste of money. What term describes the assessment of dangers posed by NOT keeping systems up to date?

  • A. Vulnerability. A vulnerability in cybersecurity is a specific weakness, flaw, or gap in an IT system, software, hardware, or organizational process that can be exploited by an attacker to gain unauthorized access, steal data, or disrupt services. This does not quite describe a lack of updates.
  • B. Threat. A cybersecurity threat is any potential, malicious act or occurrence aiming to disrupt, steal, or damage data, systems, and networks, and involves a threat actor. A lack of updates is not a malicious act.
  • C. Risk. The correct answer is risk because it is defined as the combination of the likelihood of a threat exploiting a vulnerability and the severity of the resulting impact on assets. A lack of updates increases both the likelihood of a successful attack and the potential impact, because more actions become available to a threat actor.
  • D. Insider threat. While this is technically an insider threat (insider threats can be non-malicious, like making a bad decision or refusing to spend money), this is not the best description of a lack of updates.

Question 11: A manufacturing plant continues running an end-of-life operating system on its industrial controllers that no longer receives security patches from the vendor, making it highly susceptible to known public exploits. What term describes these systems?

  • A. Virtual machines. A virtual machine (VM) is a software-defined, simulated computer system that runs on physical hardware but operates as an independent, isolated machine with its own OS and resources.
  • B. Legacy systems. A legacy system is outdated software, hardware, or IT equipment that no longer receives vendor support, updates, or security patches, leaving its known flaws permanently unpatched.
  • C. Honeypots. A honeypot is a computer intentionally made vulnerable to deceive or delay attackers, which is not the case here.
  • D. Industrial Control Systems. While these systems could be Industrial Control Systems (ICS), the question is asking specifically about the outdated, unsupported operating system.

Question 12: A managed service provider's remote monitoring software is compromised by attackers who insert a backdoor into a routine, digitally signed software update that is automatically pushed to thousands of client environments. Clients trusting the vendor's certificate install the malware. What type of attack vector is this?

  • A. Supply chain. This is a description of supply chain compromise, using trusted software to deliver malware to its end users.
  • B. Lure-based. A lure-based attack tricks users into interacting with something, like a digital file or a physical lure such as a USB drive. In this case, users were not tricked into interacting with the file; it was simply supplied to them through the trusted update channel.
  • C. Message-based. No message was described in this question, like a phishing email or text message.
  • D. Nation-state. It is possible this attack was carried out by a nation state, but we do not have any information on the threat actor.

Question 13: An attacker leaves infected USB drives labeled "Confidential Salary Information - 2024" in a company parking lot, hoping curiosity will lead employees to plug them into work computers. What type of attack vector is this?

  • A. Tailgating. Tailgating in cybersecurity is a physical social engineering attack where an unauthorized person follows an authorized employee into a restricted area.
  • B. Shoulder surfing. Shoulder surfing is a social engineering technique where attackers covertly observe a victim's screen, keyboard, or keypad to steal sensitive data.
  • C. Digital lure. A digital lure in cybersecurity is a social engineering tactic, often called "baiting," that uses enticing, false offers to trick victims into taking actions that compromise security. This question describes a physical scenario.
  • D. Physical lure. A physical lure in cybersecurity is a social engineering tactic where an attacker leaves a tangible, malicious item in a public or semi-private location, designed to exploit human curiosity or greed. The goal is for a victim to find the item, take it, and connect it to a computer, thereby enabling the attacker to install malware, steal data, or gain network access.

Question 14: An attacker wearing a courier uniform carries a large box and follows an employee through a secure badge-access door before it closes, claiming their hands are full and they need to make a delivery. Which physical social engineering technique is being used?

  • A. Impersonation. This question does describe impersonation (posing as a courier or delivery person), but there is a more specific technique in use.
  • B. Piggybacking. Piggybacking in cybersecurity is a social engineering tactic where an unauthorized person tricks an authorized individual into granting them access to secure physical areas or digital systems. Unlike tailgating, which is stealthy, piggybacking often relies on manipulating human politeness or compliance to bypass security measures.
  • C. Tailgating. Tailgating is a stealthy technique where someone follows an authorized person into a building. In this case, the employee knows that the attacker has entered the building.
  • D. Dumpster diving. Dumpster diving in cybersecurity is the act of searching through trash, recycling, or discarded equipment to find sensitive, confidential information.

Question 15: An attacker registers the domain "techsupp0rt-login.com" using a zero instead of the letter 'o' to catch users who mistype the software vendor's support website address. What technique is being used?

  • A. Typosquatting. Typosquatting is a cyberattack where criminals register misspelled or similar variations of popular domain names (e.g., "gogle.com" for "google.com") to exploit user typing errors.
  • B. DNS poisoning. DNS poisoning (or DNS cache poisoning/spoofing) is a cyberattack that corrupts a DNS resolver's cache with false IP address data, redirecting users from legitimate websites to malicious, attacker-controlled sites.
  • C. Domain hijacking. Domain hijacking is a cyberattack where unauthorized individuals seize control of a domain name by altering its registration details without the owner's consent. This could involve hacking into the victim's account at the domain registrar's website, for example. In this question, however, the domain is not a legitimate one.
  • D. Watering hole. A watering hole attack is a targeted cybersecurity strategy where attackers infect legitimate websites. This is not a legitimate website.

Question 16: An attacker conducting OSINT research identifies that employees of a specific defense contractor frequently visit a particular industry news blog. The attacker compromises that legitimate website to infect only those specific visitors with malware targeting their browsers. What is this attack called?

  • A. Spearphishing. A spearphishing attack is a targeted form of phishing, not compromising a website.
  • B. Watering hole. A watering hole attack is a targeted cybersecurity strategy where attackers infect legitimate, niche websites frequently visited by a specific group, such as employees of a particular company or industry, to distribute malware and gain network access. By compromising trusted sites, these attacks bypass traditional security.
  • C. Drive-by download. A drive-by download is a cyberattack where malicious software (malware) is automatically installed on a user's device without their knowledge, consent, or any active click. It occurs simply by visiting a compromised website. This could apply here, but the situation is specific to a legitimate industry website.
  • D. Supply chain attack. A supply chain attack involves compromise of a third-party vendor's infrastructure. This could be the case here, but the situation is describing a more targeted attack technique, which is a watering hole.

Question 17: The CFO receives an urgent email appearing to be from the CEO instructing them to immediately wire $500,000 to a new vendor for a confidential acquisition. The display name matches the CEO's address, but the actual email address is slightly different. What specific type of social engineering technique is in use?

  • A. Urgency. An urgency technique implies that time is a factor. In this case, the question states the transfer should happen "immediately".
  • B. Consensus. A consensus technique, or social proof, in social engineering is a manipulation tactic where attackers convince a victim to trust them by falsely claiming that others have already complied with a request, so it would be rude to refuse. It exploits the human tendency to follow "herd mentality" or believe that if others trust the actor, it is safe to do so. In this case, the request is made to just one person, the CFO.
  • C. Coercion. A coercion technique involves threats or implied consequences for refusal, which is not mentioned in this question.
  • D. Phishing. Phishing is not specific enough for this attack.

Question 18: A nation-state actor creates thousands of fake social media accounts to spread disinformation about election processes in a foreign country, aiming to destabilize public trust and create social division without directly hacking systems. This is an example of what?

  • A. Hacktivism. While hacktivism can involve political, social, or ethical causes, it is not done on such a widespread scale.
  • B. Organized crime. Organized crime involves financial gain, which is not stated in this question.
  • C. Influence campaign. Influence campaigns in cybersecurity are coordinated, malicious efforts using digital tools, social media, and propaganda to manipulate public opinion, erode trust, and alter behavior or decision-making, and are usually done by nation-states.
  • D. Corporate espionage. There is no indication in this question of one company spying on another.

Question 19: The Chief Executive Officer (CEO) of a company asks the Chief Information Security Officer why the company cannot be kept 100% safe. The CISO explains that as the company has grown, the increased number of devices and personnel has provided more opportunities for attackers to gain unauthorized access. Which term BEST describes this concept?

  • A. Vulnerability assessment. A vulnerability assessment in cybersecurity is a systematic, often automated, process that identifies, classifies, and reports security weaknesses in an organization's IT infrastructure. This does not answer the CEO's question.
  • B. Attack intelligence. This is not a term used in cybersecurity.
  • C. Attack vector. An attack vector is the specific method or tool used by a threat actor, which does not answer the CEO's question.
  • D. Attack surface. The attack surface is the total sum of all possible entry points into the organization, whether devices, people, applications, or buildings. As organizations grow, the attack surface expands if not carefully managed.

Question 20: An employee receives a phone call claiming to be from the technical support helpdesk. The caller asks the employee to supply their password over the phone, claiming that it is safe because the rest of the employee's team have also given their passwords. What specific social engineering technique is in use?

  • A. Consensus. A consensus technique, or social proof, in social engineering is a manipulation tactic where attackers convince a victim to trust them by falsely claiming that others have already complied with a request, so it would be rude to refuse. It exploits the human tendency to follow "herd mentality" or believe that if others trust the actor, it is safe to do so. In this case, the attacker says "the rest of the employee's team" have already complied. The employee might believe it is abnormal or rude to refuse.
  • B. Intimidation. An intimidation approach involves a threat of some type of negative consequences, which is not stated in this question.
  • C. Urgency. Urgency involves being short on time or time running out, which is not stated in this question.
  • D. Whaling. A whaling attack is targeted at a high-ranking or influential employee. There is no indication that this is the case.