Chapter 54 Β· Quiz

Indicators of Compromise Quiz

6 multiple-choice questions + 1 matching section. Select your answers, then click Submit.

Question 1 of 6
An employee's Active Directory account is locked out. The employee contacts the help desk and states they have not attempted to log in this morning. What is the MOST accurate characterization of this event?
Question 2 of 6
Authentication logs show that the same user account logged in successfully from Chicago, Illinois at 10:02 AM and from Tokyo, Japan at 10:09 AM β€” a distance of approximately 10,100 km. What type of Indicator of Compromise does this represent, and what is the correct response?
Question 3 of 6
A security engineer finds that a compromised workstation can successfully browse news websites and use web applications normally, but consistently fails to reach Windows Update, its antivirus vendor's update server, and the Malwarebytes download site. Which IoC category does this represent and what is the attacker's goal?
Question 4 of 6
A network operations center alert fires at 2:47 AM: an internal file server is transferring 38 GB of data outbound to an IP address in a foreign country. The server's normal nightly outbound traffic is under 400 MB. Which IoC category best describes this, and what does it most likely indicate?
Question 5 of 6
A forensic investigator reviewing a database server finds that authentication log entries are completely absent for a 4-hour window on the date a data theft is believed to have occurred. The server was online and functioning normally during that period. What does this most likely indicate?
Question 6 of 6
An organization's legal team receives a ransom demand containing a 500-record sample of employee HR data as proof. The security team has no prior detection of any breach. What IoC category does this represent, and what is the correct understanding of the breach timeline?

Matching β€” IoC to Category

Match each observed event on the left to its IoC category on the right.

1. Firewall logs show a 3-hour gap with zero entries during a period when network anomalies were detected upstream
2. A patch installation log entry appears at 3:15 AM on a Tuesday β€” the organization's patch window is Saturday nights only
3. A user account is active in New York at 14:00 and in Singapore at 14:04
4. An internal server begins generating 10Γ— its normal outbound bandwidth at 4 AM, sending data to an unknown external IP
A. Resource Consumption β€” anomalous bandwidth or system utilization indicating active attacker activity such as data exfiltration
B. Missing Logs β€” absence of log entries that should exist, indicating deliberate deletion of forensic evidence
C. Out-of-Cycle Logging β€” administrative activity recorded outside expected operational schedules
D. Impossible Travel β€” authentication from two geographically distant locations within a physically impossible timeframe