What protocol-based weakness allows attackers to spoof email "From" addresses if SPF, DKIM and DMARC are misconfigured?
What is email header spoofing due to improper domain authentication?
What does TTP stand for?
What are Tactics, Techniques, and Procedures?
What does SIEM stand for?
What is Security Information and Event Management?
What does IAM stand for in cloud security?
What is Identity and Access Management?
This critical first step in the incident response process involves confirming whether an observed anomaly is a real security event and assessing its potential impact.
What is triage?
What is the psychological principle behind phishing emails that use urgent subject lines like "Account Suspended" or "Payment Failure"?
What is social engineering through fear or urgency?
What MITRE tactic involves gaining a foothold on a target system?
What is Initial Access?
What’s the first step when triaging a high-severity alert?
What is validating the source and context of the alert?
In AWS, what service provides logs of API calls and user actions?
What is CloudTrail?
What are the six typical phases of the incident response lifecycle?
What are preparation, detection, analysis, containment, eradication, and recovery?
In a phishing campaign, what technique involves using homoglyph domains (e.g. "rn" for "m") to bypass visual detections?
What is typosquatting or an IDN homograph attack?
Which technique is used to execute code from memory and evade detection?
What is process injection?
Which log source is commonly used to identify failed login attempts?
What are authentication logs (e.g., Windows Event ID 4625)?
What Azure service manages conditional access and user risk policies?
What is Entra ID (formerly Azure AD)?
What’s the difference between containment and eradication?
Containment isolates the threat; eradication removes it from the environment.
What advanced phishing technique involves hijacking a legitimate email thread and injecting malicious replies?
What is conversation/thread hijacking?
What is the name of the MITRE ATT&CK group known for ransomware and extortion targeting large enterprises?
Who is FIN12 or Scattered Spider?
What’s the term for an alert that appears malicious but is verified to be benign?
What is a false positive?
What is a common misconfiguration that leads to public data exposure in AWS?
What is an open S3 bucket?
What type of incident involves attackers encrypting files and demanding payment?
What is a ransomware attack?
What's one method attackers use to bypass email security filters and sandboxing tools when delivering payloads?
What is payload obfuscation using encrypted attachments, HTML smuggling, or multi-stage payload delivery?
What tactic involves clearing logs or deleting artifacts post-compromise?
What is Defense Evasion or Impact?
When an alert shows a rare parent-child process relationship (e.g., Word spawning PowerShell), what tactic is likely involved?
What is Execution or Defense Evasion?
What is the term for a cloud resource assuming another role without user interaction?
What is role assumption (STS:AssumeRole)?
In a major incident, what is the first action after confirming compromise?
What is executing containment procedures and notifying the IR team?