
Chapter 4.4 Quiz - Hardening, Compliance & Red/Blue Team Operations

Quiz Mode - All answers are hidden under collapsible sections. Attempt each question before revealing the answer.


Question 1

Your organization scores 45% on a NIST CSF assessment. The CISO asks which function to prioritize first to have the greatest risk reduction impact. Using the CSF function hierarchy and the course's defensive controls, justify your answer with specific control examples.


Answer: Prioritize IDENTIFY if the score is low there, but in most organizations at 45% overall, the highest-impact investment is typically PROTECT - specifically Identity Management (PR.AA) and Data Security (PR.DS).

Reasoning:

The CSF functions have a logical dependency order: you cannot DETECT what you haven't PROTECTED, and you cannot RESPOND effectively without knowing what you're PROTECTING (IDENTIFY). However, the impact of each function on real-world breach outcomes follows a different order:

If IDENTIFY is weak (no asset inventory, no risk assessment):

  • You don't know what systems exist, so you can't patch them and you can't monitor them
  • Fix first: deploy asset discovery (Nmap/Shodan internal sweep), build CMDB
  • Impact: enables all other functions

If PROTECT is weak (most common gap at 45%):

  • No MFA - credential attacks succeed trivially (Module 3 credential chapters)
  • No hardening - Kerberoasting, SMB relay succeed without effort
  • No least-privilege - lateral movement is unrestricted

Specific highest-impact controls from this course:

1. PR.AA-05 -- Least privilege + MFA
Cost: Low | Impact: Defeats T1078 (Valid Accounts) -- the #1 ATT&CK technique

2. PR.IR-01 -- Network segmentation
Cost: Medium | Impact: Defeats all lateral movement (Chapter 3.3)
Structural control -- attacker with valid creds still can't reach sensitive systems

3. PR.DS-02 -- Data in transit encrypted (TLS enforcement)
Cost: Low | Impact: Defeats passive eavesdropping, credential intercept

Why not DETECT first? Detection without protection means you detect attacks you can't prevent fast enough to stop the breach. MTTD (mean time to detect) of even 1 hour means an unprotected environment is fully compromised before the alert is actioned. Structural protection controls (segmentation, MFA) stop attacks that detection would only observe.

The correct sequencing: IDENTIFY (know your assets) -> PROTECT (remove attack surface) -> DETECT (catch what gets through) -> RESPOND (contain and recover) -> GOVERN (sustain it).


Question 2

A red team achieves Domain Admin access in 6 hours through this chain: phishing email -> PowerShell download cradle -> Kerberoasting svc-backup -> password spray with cracked password -> DA via DCSync. For each of the five steps, name the single most effective structural control that would have broken the chain at that point.


Answer: Breaking each link in the kill chain:

Step 1 - Phishing email -> PowerShell download cradle

Control: Email security gateway with attachment/link sandboxing + Attack Surface Reduction rule blocking Office/script apps from spawning PowerShell.

# ASR rule: block Office from spawning child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids `
"d4f940ab-401b-4efc-aadc-ad5f3c50688a" `
-AttackSurfaceReductionRules_Actions Enabled

Even if the phishing email is delivered, PowerShell cannot be spawned from the document macro. The download cradle never executes.

Step 2 - PowerShell download cradle reaching C2

Control: Egress proxy with TLS inspection blocking uncategorized/new domains.

# Squid with ssl-bump -- inspect outbound TLS, block unknown destinations
# New C2 domains registered days before attack are uncategorized
# Default-deny new domain policy breaks the download cradle callback

The PowerShell payload can't download its second stage - the C2 callback is blocked.

Step 3 - Kerberoasting svc-backup

Control: Group Managed Service Account (gMSA) for svc-backup - 240-character auto-rotating password makes cracking computationally infeasible.

# gMSA: AD generates the password and rotates it on the interval below; no human ever sets or knows it
New-ADServiceAccount -Name "svc-backup" `
-DNSHostName "svc-backup.corp.local" `
-ManagedPasswordIntervalInDays 30

The TGS ticket is still requestable, but the 240-char managed password cannot be cracked with any wordlist or mask attack.

Step 4 - Password spray with cracked password

Control: MFA on all interactive logons, including domain account authentication to servers.

Even with svc-backup's password, every authentication attempt requires a second factor the attacker doesn't possess. Password spray produces authentication failures - no access granted.

Step 5 - DCSync via DA

Control: Tiered administration model - DA accounts usable only from Privileged Access Workstations (PAWs), and the compromised account (svc-backup) should never have a path to DA.

Tier 0: DC, AD management -> DA accounts only, PAW required
Tier 1: Servers -> Server admin accounts
Tier 2: Workstations -> Helpdesk accounts
No lateral movement between tiers

svc-backup is a Tier 1/2 account with no path to Tier 0 (DA). Even fully compromised, it cannot perform DCSync.
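The tier rules in the table above can be checked mechanically against logon telemetry. The following Python is an added example, not code from the original quiz or course: it assigns accounts and hosts to tiers, then flags any logon that crosses a tier boundary, that is typed from a less trusted ("unclean") source host, or that uses a Tier 0 credential from anything other than a PAW. Account names, host names and the sample logon events are all constructed; the DCSync step from the chain above shows up as svc-backup reaching DC01.

```python
"""Tier-model logon audit over Windows-style logon events.
Added example; tier mappings, host names and events are constructed."""
from dataclasses import dataclass

# Constructed tier assignments: lower number = more privileged.
ACCOUNT_TIER = {
    "da-admin": 0,     # Domain Admin: Tier 0, PAW only
    "svr-admin": 1,    # server administrator
    "svc-backup": 1,   # service account from the attack chain: Tier 1, no path to Tier 0
    "helpdesk1": 2,    # workstation support
}
HOST_TIER = {
    "DC01": 0, "PAW01": 0,
    "FILESRV01": 1,
    "WS-ALICE": 2, "WS-HELP01": 2,
}
PAW_HOSTS = {"PAW01"}  # the only permitted source hosts for Tier 0 credentials
NETWORK_LOGON = 3      # Windows logon type 3: credential is not cached on the target


@dataclass
class Logon:
    account: str
    target: str       # host the logon landed on
    source: str       # host the credential was used from
    logon_type: int   # Windows logon type (2 interactive, 3 network, 10 RDP, ...)


def check_logon(ev: Logon) -> list:
    """Return the tier-model violations for one logon (empty list = allowed)."""
    acct_tier = ACCOUNT_TIER.get(ev.account)
    target_tier = HOST_TIER.get(ev.target)
    source_tier = HOST_TIER.get(ev.source)
    if None in (acct_tier, target_tier, source_tier):
        # Unknown asset or identity: an IDENTIFY gap, and itself worth a ticket.
        return ["UNCLASSIFIED"]

    findings = []
    # Rule 1: an account may only log on to hosts of its own tier.
    if acct_tier != target_tier:
        if acct_tier < target_tier and ev.logon_type != NETWORK_LOGON:
            # Privileged credential cached (LSASS, tokens) on a less trusted host.
            findings.append("CRED_EXPOSED")
        else:
            # Lower-tier identity reaching a higher tier, e.g. svc-backup on a DC.
            findings.append("CROSS_TIER")
    # Rule 2: clean source -- the host a credential is typed on must be at least as trusted.
    if source_tier > acct_tier:
        findings.append("UNCLEAN_SOURCE")
    # Rule 3: Tier 0 credentials are only ever used from a PAW.
    if acct_tier == 0 and ev.source not in PAW_HOSTS:
        findings.append("NOT_FROM_PAW")
    return findings


def audit(events):
    """Map event index -> violations for every event that breaks the model."""
    return {i: v for i, ev in enumerate(events) if (v := check_logon(ev))}


# Constructed sample telemetry.
SAMPLE_LOGONS = [
    Logon("da-admin", "DC01", "PAW01", 10),           # DA via RDP from the PAW: allowed
    Logon("da-admin", "WS-ALICE", "WS-ALICE", 2),     # DA typed into a workstation
    Logon("svc-backup", "DC01", "FILESRV01", 3),      # Tier 1 service account reaching a DC
    Logon("helpdesk1", "WS-ALICE", "WS-HELP01", 10),  # helpdesk on a workstation: allowed
    Logon("svr-admin", "FILESRV01", "WS-ALICE", 3),   # server admin creds used from a workstation
]

if __name__ == "__main__":
    for idx, violations in audit(SAMPLE_LOGONS).items():
        ev = SAMPLE_LOGONS[idx]
        print(f"event {idx}: {ev.account} {ev.source} -> {ev.target}: {', '.join(violations)}")
```

In a real deployment the two tier maps come from AD group membership and the CMDB rather than literals, and the events from 4624 logon records; the three rules stay the same. The unclassified case is deliberately a finding rather than a pass, since an asset nobody has tiered is exactly the kind of gap the IDENTIFY function exists to close.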

Summary: Any single one of these controls would have broken the chain. Defense-in-depth means the attacker must defeat all five simultaneously - an exponentially harder task.


Question 3

You are writing the Rules of Engagement for a red team assessment of a hospital network. The hospital has a live patient monitoring system connected to the same network as workstations. List five explicit prohibitions that must appear in the ROE, and explain the legal and patient safety rationale for each.


Answer:

Prohibition 1 - No testing of, access to, or interaction with patient monitoring, life support, or medical device systems

Rationale: Medical devices (ventilators, infusion pumps, cardiac monitors) operate on safety-critical real-time schedules. Any network disruption, packet injection, or unexpected traffic could cause device malfunction. Patient death is a foreseeable consequence. Legal exposure: criminal negligence liability regardless of authorization. This prohibition is absolute - no exception for "passive" observation.

Prohibition 2 - No denial of service attacks, packet floods, or actions that could degrade network performance

Rationale: In a hospital, network degradation directly affects clinical systems. EMR (Electronic Medical Record) access delays, imaging system slowdowns, or nurse call system failures are patient safety events. Even "light" scanning techniques (ICMP sweeps, SYN scans) can overwhelm medical-grade network hardware not designed for adversarial traffic volumes. Legal: hospital networks in most jurisdictions are protected critical infrastructure.

Prohibition 3 - No access to, exfiltration of, or interaction with Protected Health Information (PHI)

Rationale: HIPAA (in the US) and equivalent regulations globally impose strict requirements on PHI access. Unauthorized access to PHI - even as part of an authorized penetration test - creates regulatory reporting obligations and potential civil/criminal liability. The ROE must explicitly prohibit touching PHI data. If a test requires demonstrating access to a sensitive share, a test file (not real PHI) must be pre-placed there by the hospital IT team.

Prohibition 4 - No physical access testing, social engineering of clinical staff, or tailgating into clinical areas

Rationale: Social engineering of nurses, physicians, or clinical staff creates patient safety risks (distraction during care), potential HIPAA violations (verbal disclosure), and significant liability for the testing firm. Clinical staff are not security-aware personnel - they are trained to prioritize patient care. Physical testing in clinical areas risks contaminating sterile environments or disrupting care delivery.

Prohibition 5 - No testing outside business hours without explicit written approval for each out-of-hours test window

Rationale: Hospital IT staffing is reduced outside business hours, meaning the response to an unexpected problem caused by testing (even benign) is slower. Any incident during testing that requires IT response will compete with clinical incident response. Out-of-hours testing approval ensures adequate IT staffing is on call and the on-call team is notified.

Additional mandatory requirement for hospital ROEs: A deconfliction hotline staffed 24/7 during the engagement that connects the red team directly to both the CISO and the on-call clinical IT manager. If any test activity causes unexpected network behavior, the red team stops immediately and calls the hotline - before any investigation into the cause.


Question 4

Your security metrics show: MTTD = 18 days, MTTR = 72 hours, patch SLA compliance = 61%, alert TP rate = 8%. Rank these four metrics by urgency of remediation and describe one concrete action for each that would produce the greatest improvement within 90 days.


Answer:

Rank 1 (Most urgent) - MTTD = 18 days

18-day mean time to detect is catastrophic. Every day of dwell time is another day of lateral movement, credential harvesting, and data access. The industry median MTTD is approximately 16-21 days (IBM Cost of a Data Breach 2023) - being at the median is not a defensible position. This drives all other metrics: you can't respond to what you haven't detected.

90-day action: Deploy Elastic Agent or equivalent EDR with process creation, network connection, and authentication telemetry to all endpoints - especially workstations (the most common initial access vector). Configure the three highest-fidelity detections immediately: (1) PowerShell encoded commands, (2) network logons using NTLM authentication, (3) new scheduled tasks. Even three well-tuned rules will materially reduce MTTD.

# Target MTTD reduction: 18 days -> < 3 days in 90 days
# Metric to track: time from first malicious event (per forensic analysis)
# to first alert in SIEM for that event

Rank 2 (Urgent) - Alert TP rate = 8%

At 8% TP rate, analysts spend 92% of their time on noise. This directly causes MTTD to stay high - real alerts are buried. Alert fatigue also causes analysts to reduce investigation quality and miss subtle indicators. This is the root cause of long MTTD in most organizations.

90-day action: Identify the top 5 highest-volume rules by alert count. For each, query SIEM for all FP dispositions in the last 30 days - find the common FP pattern (specific user, process, host) and add a targeted Sigma filter. Goal: reduce FP volume by 60% without removing any TP-generating rules. Target TP rate: > 25% within 90 days.

Rank 3 - Patch SLA compliance = 61%

61% compliance means 39% of critical vulnerabilities remain unpatched past the SLA window. These are known, public vulnerabilities with available patches - the lowest-effort attacks for any adversary. This is particularly critical for internet-facing systems.

90-day action: Implement automated patching for workstations and non-critical servers using WSUS/SCCM/Ansible - removing the human bottleneck for the majority of patch volume. For critical servers requiring change control, create a fast-track 72-hour change process for CVSS 9.0+ vulnerabilities. Target: > 90% compliance within 90 days.

Rank 4 - MTTR = 72 hours

72-hour MTTR is high but less urgent than the others - you can only respond after detection. Improving MTTD automatically improves the meaningful MTTR (time from breach to containment). Additionally, 72-hour MTTR often reflects process delays (approvals, notification chains) rather than technical limitations.

90-day action: Implement SOAR playbooks for the top 3 alert types - automate the first 30 minutes of investigation (IOC enrichment, asset lookup, initial containment decision). Automated first-response compresses MTTR for most incidents from hours to minutes. Target: < 4 hours MTTR for HIGH severity alerts within 90 days.

Priority order rationale: MTTD -> TP Rate -> Patch SLA -> MTTR, because reducing MTTD requires improving TP rate (you can't detect fast what's buried in noise), and patch SLA reduces the attack surface that creates the incidents requiring fast detection and response.
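To make the four metrics and the Rank 2 tuning step concrete, here is an added Python example (not part of the original quiz or course material). It computes MTTD, MTTR, patch SLA compliance and alert TP rate from constructed incident, triage and patch records, then does what the Rank 2 action describes: finds the dominant false-positive pattern for the noisiest rule and suppresses it only if no true positive would be lost. Every date, hostname, username and CVE identifier in it is a constructed placeholder.

```python
"""Security-metrics scorecard over constructed incident, alert-triage and patch
records. Added example; every date, host, user and CVE id below is constructed."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean
from typing import NamedTuple


class Alert(NamedTuple):
    rule: str
    host: str
    user: str
    disposition: str  # analyst triage result: "TP" or "FP"


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def mttd_days(incidents) -> float:
    """Mean time to detect: first malicious event (from forensics) -> first SIEM alert."""
    return mean((_ts(i["first_alert"]) - _ts(i["first_malicious"])).total_seconds()
                for i in incidents) / 86400


def mttr_hours(incidents) -> float:
    """Mean time to respond: first alert -> containment."""
    return mean((_ts(i["contained"]) - _ts(i["first_alert"])).total_seconds()
                for i in incidents) / 3600


def patch_sla_compliance(vulns, now: str, sla_days: int = 14) -> float:
    """Share of vulnerabilities patched inside the SLA, or still open but not yet overdue."""
    compliant = 0
    for _cve, released, patched in vulns:
        deadline = _ts(released) + timedelta(days=sla_days)
        if patched is not None:
            compliant += int(_ts(patched) <= deadline)
        else:
            compliant += int(_ts(now) <= deadline)
    return compliant / len(vulns)


def tp_rate(alerts) -> float:
    return sum(a.disposition == "TP" for a in alerts) / len(alerts)


def top_fp_patterns(alerts, rule: str, n: int = 3):
    """Most common (host, user) pairs among a rule's false positives: the tuning targets."""
    return Counter((a.host, a.user) for a in alerts
                   if a.rule == rule and a.disposition == "FP").most_common(n)


def apply_filter(alerts, rule: str, host: str, user: str):
    """Suppress one (rule, host, user) pattern; refuse if it would drop a true positive."""
    kept = [a for a in alerts if not (a.rule == rule and a.host == host and a.user == user)]
    lost_tp = sum(a.disposition == "TP" for a in alerts) - sum(a.disposition == "TP" for a in kept)
    if lost_tp:
        raise ValueError(f"filter would suppress {lost_tp} true positive(s)")
    return kept


# --- constructed sample data -------------------------------------------------
INCIDENTS = [  # dwell 18 / 12 / 24 days, 72 h to contain each
    {"first_malicious": "2024-01-01T00:00:00", "first_alert": "2024-01-19T00:00:00", "contained": "2024-01-22T00:00:00"},
    {"first_malicious": "2024-02-01T12:00:00", "first_alert": "2024-02-13T12:00:00", "contained": "2024-02-16T12:00:00"},
    {"first_malicious": "2024-03-10T08:00:00", "first_alert": "2024-04-03T08:00:00", "contained": "2024-04-06T08:00:00"},
]
VULNS = [  # (placeholder id, released, patched-or-None); 14-day critical SLA
    ("CVE-0000-0001", "2024-04-01", "2024-04-05"), ("CVE-0000-0002", "2024-04-01", "2024-04-20"),
    ("CVE-0000-0003", "2024-04-03", None),         ("CVE-0000-0004", "2024-04-10", "2024-04-12"),
    ("CVE-0000-0005", "2024-04-12", "2024-04-25"), ("CVE-0000-0006", "2024-04-25", None),
    ("CVE-0000-0007", "2024-03-01", "2024-03-30"), ("CVE-0000-0008", "2024-03-15", "2024-03-20"),
    ("CVE-0000-0009", "2024-02-20", None),         ("CVE-0000-0010", "2024-04-14", "2024-04-28"),
]
NOW = "2024-04-30"
ALERTS = (
    [Alert("encoded_powershell", "BUILD01", "svc-ci", "FP")] * 20  # CI server runs -EncodedCommand legitimately
    + [Alert("encoded_powershell", "WS-ALICE", "alice", "TP")]
    + [Alert("new_sched_task", "WS-BOB", "bob", "FP"),
       Alert("new_sched_task", "FILESRV01", "svr-admin", "FP"),
       Alert("new_sched_task", "WS-CAROL", "carol", "FP"),
       Alert("new_sched_task", "WS-DAVE", "dave", "TP")]
)


def scorecard(alerts=ALERTS) -> dict:
    return {"mttd_days": mttd_days(INCIDENTS), "mttr_hours": mttr_hours(INCIDENTS),
            "patch_sla": patch_sla_compliance(VULNS, NOW), "tp_rate": tp_rate(alerts)}


if __name__ == "__main__":
    print("before:", scorecard())
    (host, user), count = top_fp_patterns(ALERTS, "encoded_powershell")[0]
    tuned = apply_filter(ALERTS, "encoded_powershell", host, user)
    print(f"suppressed {count} FPs for {host}/{user}; after:", scorecard(tuned))
```

The constructed data reproduces the quiz's starting position (18-day MTTD, 72-hour MTTR, about 60% patch compliance, 8% TP rate). One targeted suppression of the build server's legitimate encoded PowerShell removes 20 of 23 false positives and lifts the TP rate to 40% without touching either true positive; the guard in apply_filter is what keeps "reduce FP volume" from quietly turning into "remove the rule that catches the real attack".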


End of Quiz 4.4