ExamRange

CND (312-38) Network Defense Simulation

Learn to differentiate between risk management formulas and the core definition of a cyber attack. This scenario tests your understanding of threat concepts and attack anatomy.

Network Scenario

You are a Network Security Analyst monitoring the external Web Application Firewall (WAF) and IDS sensors for a financial institution. You receive a series of high-priority alerts indicating a targeted intrusion attempt against the customer login portal.

To properly classify this event in your incident tracking system and update your threat models, you must break down the anatomy of the incident. A threat intelligence feed has correlated the source IP to a known financially motivated threat group. Understanding the strict definitions of threats, vulnerabilities, and attacks is crucial for accurate reporting.

Traffic & Logs

# WAF & IDS Alert Logs - Extranet Gateway
[10:14:22] WAF_ALERT: SQL Injection attempt detected. Source IP: 198.51.100.42
[10:14:23] PAYLOAD_CAP: GET /login.php?user=admin' OR '1'='1 --
[10:15:01] THREAT_INTEL: IP 198.51.100.42 matches known FIN-threat infrastructure.
[10:15:01] THREAT_TAG: Financial Data Theft / DB Dump Objective
[10:15:05] FW_ACTION: IP dynamically blocked by IPS policy. Drop rule applied.

Question

How is an “attack” represented?

Think about what an attacker actually needs to carry out their plan. A vulnerability is a weakness in your system, but an attack is the action the adversary takes based on their intent and tools.

Expert Analysis

1. What is happening in the network

An external adversary is actively probing the web application layer, sending a SQL injection payload to the customer login portal. The WAF alert and captured payload record how the attacker is operating (the method), and the threat-intelligence match on 198.51.100.42 supplies the objective of a known financially motivated group (the motive). Note that the IPS dropped the source five seconds later: these logs show an attempt, not a confirmed compromise.

2. Identify attack or behavior

This is an active Application Layer Attack. Specifically, the injected `' OR '1'='1 --` is an authentication bypass technique: it is meant to make the login query's WHERE clause true for the admin account without a valid password. The "DB Dump Objective" tag points to the follow-on goal, extraction of customer data from the backend database.
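To make the bypass concrete, here is an added Python example (not from the page or the exam material) that builds a constructed SQLite users table, runs a login query assembled by string concatenation with the `user` value exactly as captured in the PAYLOAD_CAP line, and then runs the parameterized equivalent. The table contents, the query shape assumed for login.php and the password values are assumptions.

```python
import sqlite3

# Constructed sample data: a two-row users table standing in for the portal's
# backend. The query shape assumed for login.php is not from the page.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cr3t!"), ("alice", "hunter2")])
    conn.commit()
    return conn

def build_vulnerable_query(user, password):
    # String concatenation: attacker input becomes part of the SQL grammar.
    return ("SELECT user FROM users WHERE user = '" + user +
            "' AND password = '" + password + "'")

def login_vulnerable(conn, user, password):
    return [row[0] for row in conn.execute(build_vulnerable_query(user, password))]

def login_parameterized(conn, user, password):
    # Bound parameters: the input is always treated as data, never as SQL.
    query = "SELECT user FROM users WHERE user = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (user, password))]

# The user value from the PAYLOAD_CAP log line, URL-decoded.
INJECTED_USER = "admin' OR '1'='1 --"

if __name__ == "__main__":
    db = setup_db()
    print(build_vulnerable_query(INJECTED_USER, "wrong"))
    # The WHERE clause becomes:  user = 'admin' OR '1'='1 --' AND password = 'wrong'
    # AND binds tighter than OR, so the admin row matches regardless of the
    # password supplied: the authentication check is bypassed.
    print(login_vulnerable(db, INJECTED_USER, "wrong"))      # ['admin']
    # With bound parameters the whole string is compared as a username; no row matches.
    print(login_parameterized(db, INJECTED_USER, "wrong"))   # []
```

One detail worth noticing: with this exact payload the trailing `--` lands inside the string literal `'1 --'`, so it is the injected `OR`, not the comment marker, that detaches the password check. The method works either way, which is why a WAF signature should key on the injected operators and quotes rather than on the comment sequence alone.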

3. Why correct answer is correct

Motive (goal) + method accurately represents an attack. An attack is the realization of a threat: to execute one, a threat actor needs a reason or goal (Motive, here financial data theft per the THREAT_TAG line) and a technique or tool to carry it out (Method, here SQL injection per the WAF_ALERT and PAYLOAD_CAP lines). Both elements are present in the logs, so the event is recorded as an attack.

4. Why others are wrong

  • Motive + method + vulnerability: A vulnerability is required for an attack to succeed, but it is an attribute of the target system, not a component of the attack itself. The adversary launched the SQL injection without knowing whether login.php is injectable, and because the IPS dropped the source, these logs show only an attempt; the attack happened regardless of whether the weakness exists.
  • Asset + Threat + Vulnerability: This is the formula used to define or calculate Risk, not an attack.
  • Asset + Threat: This is a target and a potential source of harm with no motive and no method; it describes exposure, not an action taken against you.
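As an added example (not from the page), the following Python parses the constructed log lines from the scenario and fills in the page's terms for an incident ticket: threat, motive, method, asset and containment. It applies the page's rule that an event is classified as an attack when a motive and a method are both present, and deliberately leaves the vulnerability field unset because nothing in these logs shows whether login.php is actually injectable. The log-line regex and the ticket field names are assumptions.

```python
import re

# Constructed log text, copied in shape from the scenario above (not real telemetry).
WAF_LOG = """\
# WAF & IDS Alert Logs - Extranet Gateway
[10:14:22] WAF_ALERT: SQL Injection attempt detected. Source IP: 198.51.100.42
[10:14:23] PAYLOAD_CAP: GET /login.php?user=admin' OR '1'='1 --
[10:15:01] THREAT_INTEL: IP 198.51.100.42 matches known FIN-threat infrastructure.
[10:15:01] THREAT_TAG: Financial Data Theft / DB Dump Objective
[10:15:05] FW_ACTION: IP dynamically blocked by IPS policy. Drop rule applied.
"""

# Assumed line format: [HH:MM:SS] EVENT_TYPE: free-text message
LINE_RE = re.compile(r"^\[(?P<ts>\d{2}:\d{2}:\d{2})\] (?P<type>[A-Z_]+): (?P<msg>.*)$")

def parse_log(text):
    """Return one dict per well-formed event line; comment/header lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def classify_incident(events):
    """Map the event stream onto the page's terminology for the incident ticket."""
    record = {
        "threat": None,        # the actor behind the traffic
        "motive": None,        # their goal
        "method": None,        # the technique used
        "asset": None,         # the targeted resource
        "source_ip": None,
        "vulnerability": None, # not observable here: a blocked attempt says nothing
                               # about whether login.php has an injectable query
        "contained": False,
    }
    for ev in events:
        kind, msg = ev["type"], ev["msg"]
        if kind == "WAF_ALERT":
            m = re.match(r"(?P<method>.+?) attempt detected\. Source IP: (?P<ip>\S+)", msg)
            if m:
                record["method"] = m["method"]
                record["source_ip"] = m["ip"]
        elif kind == "PAYLOAD_CAP":
            # "<VERB> <path>?<query>": keep only the path as the targeted asset
            m = re.match(r"\S+ (?P<path>/[^?\s]*)", msg)
            if m:
                record["asset"] = m["path"]
        elif kind == "THREAT_INTEL":
            record["threat"] = msg
        elif kind == "THREAT_TAG":
            record["motive"] = msg
        elif kind == "FW_ACTION" and "blocked" in msg:
            record["contained"] = True
    # Attack = Motive + Method: both must be present to log the event as an attack.
    record["is_attack"] = record["motive"] is not None and record["method"] is not None
    return record

if __name__ == "__main__":
    for key, value in classify_incident(parse_log(WAF_LOG)).items():
        print(f"{key:>14}: {value}")
```

Leaving `vulnerability` empty is deliberate: confirming it requires testing or reviewing login.php, and until that is done the risk calculation (Asset + Threat + Vulnerability) cannot be completed even though the attack itself is already a fact.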

MINI LESSON: Anatomy of Cyber Security Concepts

Network Defenders must use precise terminology:
Vulnerability: A weakness in your system that a method can exploit (e.g., unpatched software, a login query built from unvalidated input).
Threat: A potential source of harm (e.g., a financially motivated group that targets customer login portals).
Attack: The action actually taken against you (Motive + Method), whether or not it succeeds.
Risk: The probability of a threat exploiting a vulnerability and the resulting business impact (Asset value).