Financially motivated, deploys ransomware, operates leak site
What is a Ransomware Group?
Validating a phishing alert and containing the endpoint
What is SOC?
Malware encrypts files and demands payment (name the attack)
What is ransomware?
Multiple failed logins followed by success from same IP
What is potential brute-force attempt?
User clicks malicious link and downloads payload
What is Initial Access?
Long-term persistence, espionage-focused, often tied to a nation-state
What is an Advanced Persistent Threat (APT)?
Tracking infrastructure patterns across multiple campaigns
What is CTI?
Executes malicious code within a legitimate process (name the technique)
What is process injection?
Login from two geographically distant locations within minutes
What is impossible travel?
DAILY DOUBLE:
User confirms they are traveling abroad - do you: close, monitor, or escalate?
Encoded PowerShell spawns from Word
What is Execution?
Low-skill attackers who use prebuilt tools and exploits written by others
What is a script kiddie?
Turning a malicious domain report into a detection rule
What is SOC with CTI support?
Uses PowerShell, WMI, or built-in tools to evade detection (name the TTP)
What is Living-off-the-Land?
User reports MFA push notifications they did not initiate
What is MFA Fatigue?
Process accesses LSASS memory
What is Credential Access?
Conducts attacks motivated by political or ideological beliefs, often defacing websites or launching DDoS campaigns
What is a hacktivist?
Producing an assessment on emerging ransomware trends
What is CTI?
Attacker logs in using legitimate employee credentials with no brute-force activity or failed login attempts
What is use of valid accounts?
New admin account created outside approved change window
What is privilege escalation concern?
Remote service created to pivot to another host
What is lateral movement?
A trusted employee or contractor exfiltrates sensitive data using authorized credentials
What is an insider threat?
Hunting for behavior tied to newly reported TTPs
What is SOC informed by CTI?
Small, encrypted outbound connections at consistent timed intervals to a newly registered domain (name the technique)
What is command-and-control (C2) beaconing?
User successfully authenticates to multiple systems without any interactive logon events or password entry recorded
What is Pass-the-Hash?
Data compressed and sent to external cloud storage before ransomware deployed
What is Exfiltration?