172.16.4.3
You receive reports of suspicious logins from three IP addresses.
Only one IP is associated with a breach.
Clues:
If the login came from a known VPN, it's not a breach.
The VPN IP is 192.168.1.50.
10.0.0.12 was flagged for failed logins.
172.16.4.3 matches a known attacker IP.
Question: Which IP caused the breach?
Sam
Three employees attempted to access restricted files. Only one did so successfully.
Clues:
The person who used a personal device was denied access.
The person who logged in after hours was logged.
Sam used a company laptop.
Jamie logged in after hours.
Lee used a personal device.
Question: Who accessed the restricted files?
Malware alert
Three alerts were triggered: a malware alert, a phishing alert, and a misconfiguration.
Clues:
The phishing alert came from an internal email.
The malware alert wasn't from an internal source.
Only external alerts were flagged for escalation.
The misconfiguration came from a cloud admin tool.
Question: Which alert was escalated?
Server log
An analyst reviews three logs: endpoint, firewall, and server.
Clues:
The endpoint log showed no unusual behavior.
The firewall log showed a port scan.
The server log had repeated login failures.
Only one log indicates an actual breach attempt.
Question: Which log indicates a breach attempt?
Jordan
Three users installed new software.
Clues:
One installation included a hidden process.
The user who downloaded from a verified vendor did not trigger alerts.
Pat used a USB drive.
Taylor used the verified vendor.
Jordan installed the program flagged for a hidden process.
Question: Who likely introduced a threat?
6pm
You're auditing login times: 8 AM, 12 PM, and 6 PM.
Clues:
The 6 PM login occurred on a weekend.
The 12 PM login happened from a known corporate IP.
The unauthorized access was not from a known IP or on a weekday.
Question: Which time was the unauthorized access?
Critical alert
You have three alert categories: critical, warning, and info.
Clues:
The info alert was about a scheduled scan.
The warning alert was for a software update delay.
The critical alert came from the IDS.
IDS alerts indicate high-priority threats.
Question: Which alert needs immediate action?
One with no firewall and outdated AV
Three systems triggered alerts.
Clues:
The system with outdated antivirus did not detect malware.
The system with no firewall rules detected multiple pings.
Only the system with both protections disabled was infected.
Question: Which system was infected?
Log C
Three network logs show events:
Log A: traffic spikes
Log B: repeated DNS requests
Log C: long connection to IP in Russia
Clues:
DNS requests can indicate command and control communication.
Traffic spikes may indicate a DoS attack.
A long connection to a foreign IP may suggest exfiltration.
Question: Which log suggests data exfiltration?
The one with the macro-enabled attachment
Three emails are flagged.
Clues:
One has a spoofed domain.
One contains a macro-enabled attachment.
One is from an internal address but has unusual timing.
Only the one with the macro is confirmed malicious.
Question: Which email was malicious?