EC-Council CTIA Module 5.6 Practice Test 001

This practice test covers Module 5 (Data Analysis) Sub-module 6 (Threat Intelligence Evaluation).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 5.6 Practice Test 001

10 questions • Single best answer

Question 1

A CTI manager reviews a set of finished intelligence products and assesses whether they are accurate, timely, relevant to the organization's requirements, and complete enough to support decisions. This systematic review of intelligence quality is called what?

A. Intelligence collection planning B. Threat intelligence evaluation C. Data normalization D. Security awareness assessment

Question 2

A CTI analyst is asked to evaluate the confidence level of an intelligence assessment attributing a campaign to a specific APT group. She assigns a confidence rating of 'moderate' based on two corroborating sources with consistent evidence but acknowledges uncertainty about one key indicator. What does this confidence rating communicate?

A. The assessment has been verified by the target organization's own security team B. The analytical conclusion is partially supported by corroborating evidence but contains residual uncertainty that consumers should factor into their decisions C. The intelligence should be discarded because it is not 100% certain D. The analyst is requesting additional collection before any analysis is produced

Question 3

A CTI team evaluates an intelligence product and finds it was produced on time but lacks context about adversary motivation and provides no actionable defensive recommendations. Against which evaluation criterion does this product fail?

A. Timeliness B. Completeness and actionability C. Source diversity D. Collection methodology

Question 4

A government CTI team attempts to attribute a series of cyberattacks to a specific nation-state based on malware code reuse, operational timing aligned to the nation's business hours, and language artifacts in debug strings. What type of evidence is the team using for attribution?

A. Physical surveillance evidence B. Technical, temporal, and linguistic attribution indicators C. Open-source financial transaction records D. Witness testimony from affected organizations

Question 5

During threat intelligence evaluation, a CTI lead discovers that an intelligence product that significantly influenced a security investment decision was based on a single uncorroborated source. What is the primary risk this evaluation finding reveals?

A. The intelligence product was disseminated to the wrong audience B. High-impact decisions were based on intelligence of uncertain reliability, creating potential for misinformed risk management C. The product was produced too quickly D. The product was formatted incorrectly

Question 6

A CTI analyst performs threat attribution and concludes with high confidence that a threat actor is 'Lazarus Group' based on overlapping C2 infrastructure, shared malware tooling, and operational timing. She explicitly states in the intelligence product: 'Attribution is high confidence but not definitive.' Why is this qualification important?

A. It reduces the analyst's personal liability for incorrect conclusions B. It accurately communicates the level of certainty to consumers, allowing them to account for residual uncertainty in their decisions C. It signals that collection should stop on this campaign D. It indicates that the intelligence product should be classified as top secret

Question 7

A CTI team uses the Admiralty Code (also called the NATO evaluation system) to rate intelligence source reliability (A through F) and information content accuracy (1 through 6) on all collected raw intelligence. A '4' rating for content accuracy means what?

A. The information has been confirmed by multiple independent sources B. The information cannot be judged based on available evidence C. The source is usually reliable D. The information is probably true

Question 8

A CTI team conducts a post-engagement evaluation after providing intelligence in support of a major incident response. They review what intelligence was produced, what decisions it informed, what was accurate, what was missed, and what improvements are needed. This evaluation activity is known as what?

A. Intelligence collection plan revision B. After-action review (AAR) or lessons-learned evaluation C. Threat actor re-profiling D. Security posture baseline assessment

Question 9

During attribution analysis, a CTI analyst considers that two different threat actor groups may be using the same malware framework purchased from an underground marketplace. This possibility challenges a clean attribution conclusion. What phenomenon does this represent in attribution analysis?

A. False positive indicator overlap B. Shared tooling and false flag risk in attribution C. Data normalization failure D. Collection plan inadequacy

Question 10

A CTI team evaluates their intelligence products against the CTIA intelligence quality standard of 'CART' — Correct, Actionable, Relevant, and Timely. An intelligence report produced last month about a threat campaign that has already been fully remediated scores poorly on which CART dimension?

A. Correct B. Actionable C. Timely D. Relevant

EC-Council CTIA Module 5.6 Practice Test 001

Related Posts

Leave a Comment Cancel Reply