These questions cover threat intelligence frameworks, attack taxonomy, and compliance obligations — areas that SPLK-5001 tests alongside Splunk operational skills to validate security analyst knowledge, not just tool proficiency.
Question 1
In the Diamond Model of Intrusion Analysis, a threat actor uses a custom Python backdoor and a commodity RAT (Remote Access Trojan) in the same campaign. Which element of the Diamond Model do these tools represent?
- A) Adversary — the threat actor behind the campaign
- B) Victim — the targeted organisations
- C) Infrastructure — the command and control servers
- D) Capability — the tools and techniques used by the adversary
Answer: D — Capability
The Diamond Model has four core elements:
| Element | Definition | Examples |
|---|---|---|
| Adversary | The threat actor or group | APT29, criminal organisation |
| Capability | Tools, malware, exploits | Custom backdoor, commodity RAT, exploit kit |
| Infrastructure | Resources used to deliver capability | C2 servers, phishing domains, IP ranges |
| Victim | The target | Organisation, individual, asset |
Capability represents what the adversary uses to execute the intrusion — both custom tooling (harder to attribute, lower OPSEC risk for the adversary) and commodity tools (widely available, easier to detect via signatures).
The Diamond Model is used in threat intelligence to analyse intrusion events and correlate campaigns. If the same Capability appears across multiple Victims, it suggests the same Adversary or operation.
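The correlation idea in the paragraph above, as an added example that is not part of the original question set: each intrusion event is recorded with its four vertices, analysts pivot from one vertex to another (e.g. from a Capability to every Victim it hit), and events that share a Capability or Infrastructure are clustered into one operation. All actor, tool and host names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by the four core Diamond Model vertices."""
    adversary: str       # "unknown" until attribution is made
    capability: str      # tool, malware or exploit used
    infrastructure: str  # C2 server, phishing domain, IP range
    victim: str          # targeted organisation or asset

VERTICES = ("adversary", "capability", "infrastructure", "victim")
RELATIONSHIPS = tuple(combinations(VERTICES, 2))  # 4 choose 2 = six relationships

# Constructed sample events; actor, tool and host names are hypothetical.
EVENTS = [
    DiamondEvent("unknown", "custom_py_backdoor", "c2.example.net", "bank-a"),
    DiamondEvent("unknown", "commodity_rat", "c2.example.net", "bank-a"),
    DiamondEvent("unknown", "custom_py_backdoor", "203.0.113.7", "retailer-b"),
    DiamondEvent("unknown", "exploit_kit_x", "phish.example.org", "hospital-c"),
]

def pivot(events, vertex, value, target):
    """Pivot across the diamond: every `target` value seen where `vertex` == `value`."""
    return sorted({getattr(e, target) for e in events if getattr(e, vertex) == value})

def correlate_campaigns(events):
    """Cluster events that share a Capability or Infrastructure into one operation.
    Union-find makes the links transitive: A~B via a C2 host and A~C via a tool
    puts A, B and C in one cluster. Returns sorted lists of event indices."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    shared = defaultdict(list)
    for i, e in enumerate(events):
        shared[("capability", e.capability)].append(i)
        shared[("infrastructure", e.infrastructure)].append(i)
    for ids in shared.values():
        for j in ids[1:]:
            parent[find(j)] = find(ids[0])
    groups = defaultdict(list)
    for i in range(len(events)):
        groups[find(i)].append(i)
    return sorted(groups.values())
```

With the sample data, the custom backdoor pivots to two victims and the first three events fall into one cluster, while the exploit-kit event stands alone.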
Question 2
A banking application reports that customers' transactions are being modified after they authenticate — the changes don't appear in server logs, suggesting the modification is happening on the client side. Which attack type is most consistent with this behaviour?
- A) A man-in-the-middle (MitM) attack intercepting traffic at the network layer
- B) A man-in-the-browser (MitB) attack using malware installed in the browser
- C) A session hijacking attack stealing authenticated session cookies
- D) A cross-site scripting (XSS) attack injecting malicious JavaScript via the server
Answer: B — Man-in-the-browser (MitB)
A man-in-the-browser attack uses malware (typically a browser extension, plugin, or injected DLL) to intercept and modify transactions inside the browser, after the user has authenticated and the page has rendered. The malware:
- Intercepts the user's intended transaction (e.g., transfer £100 to Account A)
- Modifies the transaction parameters (e.g., changes to £10,000 to Account B)
- Submits the modified request to the server
- Intercepts the server's response and shows the user the original, unmodified values
Why server logs are clean: The server receives and logs the modified request as submitted. From the server's perspective, the authenticated user made the transaction — the modification happened before the request left the browser.
Distinguishing similar attacks:
| Attack | Where modification occurs |
|---|---|
| MitM | Network layer, between client and server |
| MitB | Inside the browser, after user input |
| Session hijacking | Steals the authenticated session; does not modify transactions |
| XSS | Malicious script injected into the page via the vulnerable server (web application flaw, not browser malware) |
Question 3
A hospital's security team is implementing a cybersecurity programme. Under HIPAA, which types of data receive specific protection requirements?
- A) All personally identifiable information (PII) of patients and staff
- B) Financial transaction data for billing and insurance claims
- C) Protected Health Information (PHI) — individually identifiable health data
- D) Any data stored in electronic form, regardless of content
Answer: C — Protected Health Information (PHI)
HIPAA (Health Insurance Portability and Accountability Act) specifically protects Protected Health Information (PHI) — information that relates to an individual's health status, healthcare provision, or payment for healthcare, and that can identify the individual.
PHI identifiers under HIPAA include:
- Name, address, dates (birth, admission, discharge)
- Phone numbers, email addresses, SSN, medical record numbers
- Biometric identifiers, photographs
- Any other unique identifying number or code
The HIPAA Security Rule specifically addresses electronic PHI (ePHI) and requires:
- Administrative safeguards (policies, workforce training, access management)
- Physical safeguards (facility controls, device controls)
- Technical safeguards (access controls, audit controls, transmission security)
HIPAA doesn't protect all PII or all financial data — only health-related identifiable information. For cybersecurity analysts, PHI breaches trigger mandatory notification requirements under the HIPAA Breach Notification Rule.
Key Takeaways
- Diamond Model: Adversary uses Capability (tools/malware) via Infrastructure to target a Victim — four elements, six possible relationships
- MitB attacks modify transactions inside the browser after authentication; server logs appear clean because the server receives the modified request
- HIPAA protects PHI (Protected Health Information) specifically — individually identifiable health data, not all PII or financial data