3.4. Indicators of Malicious Activity
First Principle: Knowing attacks exist is different from being able to detect them in progress. Indicators of malicious activity are the observable evidence that an attack is happening or has happened. SOC analysts, SIEM systems, and automated tools all depend on recognizing these indicators to trigger investigation and response.
Think of a doctor diagnosing a disease: the disease is the attack, and the indicators are the symptoms. A fever alone might be harmless, but a fever combined with a rash, headache, and recent travel to a tropical region points to a specific diagnosis. Security indicators work the same way: individual events may be benign, but patterns and combinations reveal malicious activity.
The exam tests your ability to match observed behavior to specific attack types. When you see "files encrypted with ransom note," you identify ransomware. When you see "DNS requests to algorithmically generated domains," you identify a C2 channel using domain generation algorithms. Pattern recognition is the skill being tested.
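To make the DGA example concrete, here is an added illustration (not part of the original guide) of how a SIEM-style rule turns the "algorithmically generated domains" indicator into a detection: it scores each queried domain on simple lexical features and, following the fever-plus-rash logic above, only flags a client once several suspicious lookups cluster together. The log format, the sample lines and the thresholds are all constructed assumptions for this example.

```python
"""Flag DGA-like DNS lookups in a constructed DNS query log (illustrative only)."""
import math
import re
from collections import Counter

# Constructed sample log, not real traffic. Format: "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com
2024-05-01T10:00:02 10.0.0.5 mail.example.com
2024-05-01T10:00:03 10.0.0.5 k4m9x2q7w1z5r8p3.biz
2024-05-01T10:00:04 10.0.0.7 xk3jd92lqpz0vb7t.net
2024-05-01T10:00:05 10.0.0.7 q9w8e7r6t5y4u3i2.org
2024-05-01T10:00:06 10.0.0.7 zp1lm4n8b2v6c0x5.info
2024-05-01T10:00:07 10.0.0.9 cdn.example.org
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_label(qname: str) -> str:
    """Naive second-level label (assumes a one-part TLD such as .com)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(qname: str) -> int:
    """Count how many DGA-like traits the domain shows (0..4). Thresholds are assumptions."""
    label = registered_label(qname)
    n = len(label)
    if n == 0:
        return 0
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    checks = [n >= 12, shannon_entropy(label) >= 3.0, digit_ratio >= 0.2, vowel_ratio <= 0.25]
    return sum(checks)

def find_dga_suspects(log_text: str, min_score: int = 3, min_hits: int = 2) -> dict:
    """Return {client: [suspicious domains]} for clients with at least min_hits DGA-like lookups.
    A single odd lookup is not reported: the pattern, not the lone event, is the indicator."""
    hits: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, qname = m.groups()
        if dga_score(qname) >= min_score:
            hits.setdefault(client, []).append(qname)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}

if __name__ == "__main__":
    for client, names in find_dga_suspects(SAMPLE_DNS_LOG).items():
        print(f"possible DGA C2 beaconing from {client}: {names}")
```

Lowering `min_hits` to 1 also reports 10.0.0.5 for its single random-looking lookup, which is exactly the kind of lone "fever" that should raise suspicion but not yet an alert on its own.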
