Domain 2 – Section C Review: Malicious Activity and Mitigations
This section integrates:
- Malware Types and Indicators of Compromise
- Network and Application Attacks
- Cryptographic Attacks
- Mitigation Techniques
Security+ expects you to recognize attack patterns, identify indicators of compromise, and select the appropriate mitigation for each scenario.
1. Malware Recognition and Indicators
Each malware type has a distinct behavior pattern:
Identify the behavior first, then classify the malware.
The indicator of compromise tells you what happened. The malware type tells you how.
- Ransomware — encrypts files, demands payment. IoC: encrypted files, ransom notes, unusual outbound traffic.
- Trojans — appear legitimate but deliver malicious payloads. IoC: unexpected processes, outbound connections.
- Worms — self-replicate across networks without user interaction. IoC: rapid network spread, bandwidth spikes.
- Rootkits — hide deep in the OS or firmware. IoC: discrepancies between system tools and direct analysis.
- Keyloggers — capture keystrokes. IoC: unexpected processes, data exfiltration to unknown destinations.
2. Network and Application Attack Patterns
Network attacks exploit protocols and infrastructure:
- DDoS — overwhelms resources with traffic from multiple sources.
- Man-in-the-middle — intercepts communication between two parties.
- ARP poisoning — corrupts ARP tables to redirect traffic.
- DNS poisoning — corrupts DNS cache to redirect users.
- Replay attack — captures valid authentication data and retransmits it later; the attacker never needs to decrypt or crack it.
Network attacks target the path. Application attacks target the destination.
Know which layer the attack operates on to select the right defense.
3. Cryptographic Attack Awareness
Cryptographic attacks target weak algorithms, short keys, or (most often in practice) flawed implementations and protocol negotiation rather than the underlying mathematics:
- Brute force — trying every possible key until one works; feasible only when the key space is small.
- Birthday attack — exploiting collision probability: for an n-bit hash, a collision is expected after roughly 2^(n/2) attempts, not 2^n, so hash output length must be twice the intended security level.
- Downgrade attack — forcing a system to negotiate a weaker protocol or cipher suite than both sides actually support.
- Known plaintext — using known plaintext/ciphertext pairs to recover the key.
The defense against most cryptographic attacks is strong, current algorithms with adequate key and hash lengths, a vetted implementation, and configuration that refuses legacy protocols and cipher suites.
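To make the birthday bound concrete, here is an added example (not from the original review material) that truncates SHA-256 to a chosen number of bits and searches for a collision; the inputs are constructed sequential messages and the function names are my own. The search succeeds after roughly sqrt(2^bits) attempts, which is why a 24-bit output collides in a few thousand hashes while the full 256-bit output would need about 2^128.

```python
import hashlib
import math


def truncated_hash(msg: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-256(msg) as an integer.

    Truncating a strong hash is a stand-in for a hash with a short output.
    """
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Birthday search: hash distinct messages until two share a truncated digest.

    Returns (msg_a, msg_b, attempts). Expected attempts are on the order of
    sqrt(2**bits), far fewer than the 2**bits a preimage search would need.
    """
    seen = {}
    attempts = 0
    while True:
        msg = f"msg-{attempts}".encode()  # constructed, sequential inputs
        attempts += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, attempts
        seen[h] = msg


def expected_attempts(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**bits) draws for a 50% collision chance."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, n = find_collision(bits)
        print(f"{bits}-bit: collision after {n} attempts "
              f"(expected ~{expected_attempts(bits):.0f}): {a!r} vs {b!r}")
    # Scaling the same formula to 256 bits gives ~2**128 attempts: infeasible.
    print(f"256-bit expected attempts: 2^{math.log2(expected_attempts(256)):.1f}")
```

The practical reading: a 128-bit hash output (MD5) offers only 64-bit collision resistance, which is why collision-sensitive uses such as certificate signatures require SHA-256 or longer.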
4. Mitigation Selection
Matching the right mitigation to the attack:
- Network segmentation limits lateral movement after a breach.
- Patching eliminates known vulnerabilities.
- Input validation, combined with safe APIs (parameterized queries, argument lists instead of shell strings), prevents injection attacks.
- Encryption protects data at rest and in transit.
- Endpoint detection and response identifies and contains active threats.
The best mitigation addresses the root cause, not just the symptom.
Section C Decision Pattern
When unsure in Domain 2 Section C:
- Identify the attack type from the described behavior.
- Map the indicator of compromise to the malware category.
- Determine which network layer or application component is targeted.
- Select the mitigation that addresses the root cause.
- Prefer preventive mitigations over reactive ones when both are options.
Section C – Practice Questions
Question 1
Users report that their files have been renamed with a .locked extension and a text file demanding cryptocurrency payment appears on their desktops. What type of malware is responsible?
A. Ransomware
B. Worm
C. Trojan
D. Spyware
Answer & reasoning
Correct: A
File encryption with a demand for payment is the defining characteristic of ransomware. The renamed files and ransom note are classic indicators of compromise for this malware type.
Question 2
A security analyst notices that an internal workstation is sending DNS queries to an external server at regular 30-second intervals, even when the user is not active. What is this behavior MOST likely indicative of?
A. DNS tunneling or command-and-control beaconing
B. Normal DNS resolution
C. DNS cache poisoning
D. A DDoS attack
Answer & reasoning
Correct: A
Regular, periodic DNS queries to an external server when the user is inactive indicate beaconing behavior. Malware often uses DNS tunneling to communicate with command-and-control servers, disguising the traffic as normal DNS requests.
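The detection logic behind this answer, as an added example that is not part of the original review material: parse a constructed DNS query log, group queries by client and queried name, and flag pairs whose inter-query gaps are both frequent and unusually regular. The log format, the `beacon.example` name and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client IP> <queried name>". Not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.15 beacon.example
2024-05-01T10:00:30 10.0.0.15 beacon.example
2024-05-01T10:01:00 10.0.0.15 beacon.example
2024-05-01T10:01:30 10.0.0.15 beacon.example
2024-05-01T10:02:00 10.0.0.15 beacon.example
2024-05-01T10:02:30 10.0.0.15 beacon.example
2024-05-01T10:00:03 10.0.0.22 www.example
2024-05-01T10:00:41 10.0.0.22 cdn.example
2024-05-01T10:01:02 10.0.0.22 www.example
2024-05-01T10:03:17 10.0.0.22 mail.example
2024-05-01T10:09:58 10.0.0.22 www.example
"""


def parse_log(text: str):
    """Yield (timestamp, client, name) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        yield datetime.fromisoformat(ts), client, name


def find_beacons(text: str, min_queries: int = 5, max_cv: float = 0.2):
    """Flag (client, name) pairs that look like C2 beaconing.

    For each pair with at least `min_queries` queries, compute the gaps between
    consecutive queries and their coefficient of variation (stdev / mean).
    Human-driven lookups are bursty (high CV); a timer-driven beacon is regular
    (low CV). Returns {(client, name): (mean_gap_seconds, cv)} for flagged pairs.
    """
    times = defaultdict(list)
    for ts, client, name in parse_log(text):
        times[(client, name)].append(ts)

    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged[key] = (avg, cv)
    return flagged


if __name__ == "__main__":
    for (client, name), (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {client} -> {name}, every {gap:.0f}s (cv={cv:.2f})")
```

Real implants add jitter to the sleep interval, so in production you raise `max_cv`, look at a longer window, and weigh the result with other signals (newly registered domains, unusually long or high-entropy query names typical of DNS tunneling, queries outside business hours).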
Question 3
An attacker captures a user's Kerberos authentication token and replays it to gain access to a file server. What type of attack is this?
A. Brute force
B. Man-in-the-middle
C. Pass-the-hash
D. Replay attack
Answer & reasoning
Correct: D
A replay attack captures valid authentication data and retransmits it to gain unauthorized access. The attacker does not need to crack the token; they simply reuse it. Pass-the-hash (C) is the related technique of reusing a stolen NTLM password hash rather than a captured Kerberos token. Defenses include timestamps, nonces (one-time values the server remembers), and short-lived session tokens, which is exactly why Kerberos authenticators carry a timestamp and services can keep a replay cache.
Question 4
During a TLS handshake, an attacker forces the client and server to negotiate using SSL 3.0 instead of TLS 1.3. What type of cryptographic attack is this?
A. Birthday attack
B. Brute force
C. Downgrade attack
D. Known plaintext attack
Answer & reasoning
Correct: C
A downgrade attack forces systems to use weaker cryptographic protocols. By forcing SSL 3.0, the attacker can exploit known weaknesses in the older protocol, such as the POODLE padding-oracle attack against its CBC cipher suites. The mitigation is to disable legacy protocols entirely on both client and server; TLS 1.3 additionally embeds a downgrade marker in the server's handshake random so a compliant client detects a forced fallback.
Question 5
A malware sample spreads across a network without any user interaction, exploiting an SMB vulnerability. What type of malware is this?
A. Virus
B. Trojan
C. Worm
D. Ransomware
Answer & reasoning
Correct: C
Worms self-replicate and spread across networks without user interaction. Unlike viruses, which require a host file or user action, worms exploit network vulnerabilities to propagate autonomously. The SMB exploitation pattern is characteristic of worm behavior.
Question 6
A web server experiences a sudden flood of traffic from thousands of IP addresses, rendering the site inaccessible. The traffic appears to come from IoT devices worldwide. What attack is occurring and what is the BEST immediate mitigation?
A. Man-in-the-middle; implement certificate pinning
B. DDoS from a botnet; activate rate limiting and upstream filtering
C. DNS poisoning; flush the DNS cache
D. ARP poisoning; implement static ARP entries
Answer & reasoning
Correct: B
Traffic from thousands of IoT devices is a distributed denial-of-service (DDoS) attack using a botnet. The immediate mitigation is rate limiting and upstream filtering (working with the ISP or CDN to filter malicious traffic before it reaches the server).
Question 7
An attacker on the same network segment sends forged ARP replies to associate their MAC address with the default gateway's IP address. What is the PRIMARY purpose of this attack?
A. To crash the network switch
B. To brute-force the gateway credentials
C. To deny service to all users
D. To intercept traffic between hosts and the gateway
Answer & reasoning
Correct: D
ARP poisoning redirects traffic through the attacker's machine by corrupting ARP tables. The primary purpose is to intercept traffic (man-in-the-middle), allowing the attacker to read, modify, or capture data flowing between hosts and the gateway. Denial of service (C) is a possible side effect, not the goal. Mitigations include Dynamic ARP Inspection on managed switches, static ARP entries for critical hosts such as the gateway, and monitoring for IP-to-MAC changes.
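A detector for the behavior in this question, as an added example that is not part of the original review material: it tracks IP-to-MAC bindings from observed ARP replies and alerts when the gateway's IP suddenly maps to a new MAC or when one MAC claims more than one IP. The gateway address and the reply sequence are constructed for illustration.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumption: constructed network, not from the page

# Constructed ARP replies seen on the segment: (sequence, sender IP, sender MAC).
SAMPLE_ARP = [
    (1, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # genuine gateway
    (2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (3, "192.168.1.30", "aa:aa:aa:aa:aa:30"),  # attacker's own address
    (4, "192.168.1.1", "aa:aa:aa:aa:aa:30"),   # forged: attacker claims the gateway IP
    (5, "192.168.1.1", "aa:aa:aa:aa:aa:30"),   # repeated to keep victims' caches poisoned
]


def detect_arp_poisoning(replies, gateway_ip):
    """Return a list of (sequence, kind, detail) alerts.

    Two signals: an IP's MAC changing (critical when the IP is the gateway), and a
    single MAC claiming multiple IPs, which is what an attacker impersonating the
    gateway while keeping its own address looks like. Each condition alerts once
    per new binding rather than on every repeated reply.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for seq, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev and prev != mac:
            kind = "gateway-mac-changed" if ip == gateway_ip else "ip-mac-changed"
            alerts.append((seq, kind, f"{ip}: {prev} -> {mac}"))
        ip_to_mac[ip] = mac

        ips = mac_to_ips[mac]
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:
                alerts.append((seq, "mac-claims-multiple-ips",
                               f"{mac}: {', '.join(sorted(ips))}"))
    return alerts


if __name__ == "__main__":
    for seq, kind, detail in detect_arp_poisoning(SAMPLE_ARP, GATEWAY_IP):
        print(f"reply {seq}: {kind} ({detail})")
```

Legitimate MAC changes do happen (gateway hardware replacement, VRRP failover), so treat the alert as a trigger for investigation; a static ARP entry or Dynamic ARP Inspection is what actually stops the redirection.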
Question 8
A security team discovers a process running with SYSTEM privileges that does not match any known application. The process hides from Task Manager but is visible with a specialized rootkit detection tool. What type of malware is this?
A. Rootkit
B. Keylogger
C. Adware
D. Worm
Answer & reasoning
Correct: A
The defining characteristic of a rootkit is its ability to hide from standard system tools while maintaining elevated privileges. The discrepancy between Task Manager (which cannot see it) and a specialized tool (which can) confirms rootkit behavior.
Question 9
After a successful phishing attack, the security team finds that the attacker moved laterally from a workstation to a database server through an unsegmented network. What mitigation would have BEST limited the damage?
A. Stronger email filtering
B. Full-disk encryption
C. Network segmentation
D. Longer password requirements
Answer & reasoning
Correct: C
Network segmentation limits lateral movement by isolating network zones. Even after the initial compromise, the attacker could not have reached the database server if proper segmentation existed. Email filtering might have prevented the initial phishing, but the question asks what would have limited the damage after the breach.
Question 10
An organization detects that its public-facing web application is receiving crafted requests that include operating system commands in URL parameters. The commands are being executed by the web server. What is the BEST mitigation?
A. Enable full-disk encryption
B. Implement input validation and parameterized queries
C. Increase firewall logging
D. Deploy a stronger SSL certificate
Answer & reasoning
Correct: B
This is a command injection attack: the web application is passing user-supplied input to the operating system shell as part of a command. Input validation (an allowlist of permitted characters or values) stops malicious input from being processed, and the safe-API half of option B, parameterized queries for SQL, has a direct analogue here: invoke the program with an argument list instead of building a shell command string, so metacharacters such as ; and | are never interpreted. Encryption and TLS protect data in transit but do not prevent injection. Logging detects but does not prevent the attack.
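The vulnerable pattern beside its hardened form, as an added example not drawn from the original review material. `echo` stands in for whatever tool the application really invokes (ping, nslookup, and so on) so the block runs harmlessly offline; the hostname allowlist pattern and the constructed payload are my own assumptions.

```python
import re
import subprocess

# Allowlist: DNS hostname labels only (letters, digits, hyphens, dots). Assumption for the demo.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_echo(user_input: str) -> str:
    """The pattern behind the question: user input spliced into a shell command
    string. The shell parses ';' and runs whatever follows it."""
    proc = subprocess.run("echo " + user_input, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def argv_only(user_input: str) -> str:
    """Safe API alone: the value is one argv element, so no shell ever parses it
    and metacharacters stay literal text."""
    proc = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return proc.stdout


def hardened_echo(user_input: str) -> str:
    """Defense in depth: allowlist-validate first, then use the argv form."""
    if not HOSTNAME_RE.fullmatch(user_input):
        raise ValueError(f"rejected input: {user_input!r}")
    return argv_only(user_input)


def demo():
    """Constructed payload of the kind described in the question."""
    payload = "host.example; echo INJECTED"
    vuln = vulnerable_echo(payload)  # two lines: the shell executed a second command
    try:
        hardened_echo(payload)
        decision = "accepted"
    except ValueError:
        decision = "rejected"
    return vuln, decision, hardened_echo("host.example")


if __name__ == "__main__":
    vuln, decision, clean = demo()
    print("vulnerable output:", repr(vuln))
    print("hardened decision on payload:", decision)
    print("hardened output on clean input:", repr(clean))
    print("argv-only output on payload:", repr(argv_only("host.example; echo INJECTED")))
```

Validation and the safe API are independent layers: the argv form alone already prevents execution of the injected command, and the allowlist alone would reject this payload, but keeping both means a future refactor that reintroduces `shell=True` does not silently reopen the hole.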