Uncover chapter quiz
No grades. The point is to push your thinking. Tap an option to see if it lands.
A threat intel feed says a particular domain is associated with a known campaign. The analyst sees the same domain in firewall logs from one host. What is the right next step?
Threat intelligence is most useful as a hypothesis. The matched domain is a starting point, not a verdict. Validate against the actual telemetry (which process, which user, which pattern) before acting.
Which level of MITRE ATT&CK changes most often?
Procedures (specific implementations) change rapidly as adversaries adapt their tooling. Techniques (the methods) change more slowly. Tactics (the goals) are nearly stable over years. This is why TTP-based hunting beats indicator matching for durability.
An investigation needs to know if a file ever ran on an endpoint. Which data source answers this most directly?
EDR captures process creation events that show whether a file was executed. FIM tells you the file exists or was modified, but not whether it ran. SIEM aggregates events from multiple sources; EDR is the source that answers execution directly.
The Uncover narrative concludes with a chain of MITRE techniques. Why is the chain more useful than free-form prose?
ATT&CK turns analyst observations into a portable artifact. The same chain of techniques is meaningful to the IR responder, the detection engineer who decides what to tune, and the leader who wants to see threat trends over time.
An analyst is investigating a possible compromise on a macOS developer workstation. The user's role legitimately involves scripting, IDE plugin processes, and encrypted outbound traffic. What does the methodology require Uncover to produce if the evidence supports a false-positive verdict?
A false-positive verdict that meets the methodology's standard is not dismissed. It is documented, evidenced, and bounded. That documentation is what lets the case re-open with full context if new signals appear, and what produces the detection-engineering feedback that prevents the same alert from firing repeatedly.
Risk receives an Uncover handoff. Which of these decisions is Risk authorized to make?
Hint: Risk is not response.
Risk is the analytical checkpoint, not the response phase. Its job is to evaluate whether Uncover's evidence is sufficient to close the case or whether the investigation needs to expand. Containment, notification, and detection tuning happen in later phases (Escalation, Documentation) once Risk's verdict supports them.
During Uncover, a TLS certificate associated with a known C2 campaign appears in proxy logs from one internal host. The threat-intel feed labels it medium confidence, 30 days old. What is the right next move?
The intel match raises a hypothesis at medium confidence. The methodology says validate against the environment's own telemetry (which process, which user, what came next) before acting. Validation may promote the case to high confidence, demote it to false-positive, or leave it ambiguous and shape what Risk will decide. The match alone is not the verdict.
The five intelligence-use patterns Uncover relies on most are indicator matching, attribution, TTP hunting, automated enrichment, and dark-web monitoring. Which one is most durable against an adversary that changes tools every campaign?
Indicators (hashes, domains, IPs) change every campaign and can be modified in minutes. Procedures (specific tool implementations) change between campaigns. Techniques (the underlying methods) change in years. TTP-based hunting builds detection on the most durable layer, which is why it outperforms indicator matching against sophisticated adversaries.