EC-Council CTIA Module 8.3 Practice Test 001

This practice test covers Module 8 (Threat Intelligence in SOC Operations, Incident Response, and Risk Management) Sub-module 3 (Threat Intelligence in Incident Response).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 8.3 Practice Test 001

10 questions • Single best answer

Question 1

A CTI team is notified of an active ransomware incident at a hospital. They immediately pull relevant intelligence about the suspected ransomware group's TTPs, lateral movement patterns, and data exfiltration timelines to brief the incident response team. How does this intelligence support the IR process?

A. It replaces the need for forensic investigation during the incident B. It enables the IR team to anticipate adversary next steps and focus containment on the most likely attack progression paths C. It automatically contains the ransomware spread without IR team action D. It generates a root cause analysis report immediately after the briefing

Question 2

During an active intrusion, an IR team discovers an unknown malware sample on a compromised server. They submit the sample to the CTI team for analysis. The CTI team identifies it as a variant of a known APT-associated tool and provides the IR team with indicators of other likely compromise locations and expected C2 callback patterns. What does this CTI-IR integration demonstrate?

A. CTI supporting real-time incident investigation with adversary identification and scope expansion guidance B. CTI performing automated remediation of the malware on the server C. CTI generating a quarterly threat landscape report during an active incident D. CTI advising the organization to accept the risk and take no further action

Question 3

An IR team contains and remediates a breach. During the post-incident review, the CTI team identifies that the initial access vector — a phishing email exploiting a specific lure theme — matches a campaign documented in their threat actor knowledge base that had been tracked for six months. What does this finding indicate about the CTI-IR integration?

A. The CTI knowledge base information was irrelevant to the incident B. A gap in CTI-to-IR intelligence dissemination — relevant intelligence was available but not acted upon before the incident C. The phishing campaign was so sophisticated that intelligence could not have helped D. The IR team conducted an unnecessarily thorough investigation

Question 4

A CTI analyst supports an incident response investigation into a suspected APT intrusion. She identifies that the observed techniques — spearphishing with document exploits, living-off-the-land lateral movement, and slow low-volume data staging — are consistent with a long-term espionage campaign rather than financially motivated cybercrime. What does this intelligence assessment change about the IR approach?

A. Nothing — all IR responses follow the same playbook regardless of actor motivation B. The IR strategy should emphasize covert evidence collection and scope mapping before containment to avoid tipping off the actor and losing visibility into the full campaign C. The IR team should immediately notify the press about the espionage campaign D. The IR team should focus solely on restoring systems to production without investigation

Question 5

A CTI team provides an IR team with a list of file hashes, registry keys, and scheduled task names used by the threat actor's implant for persistence across 12 previous incidents. The IR team uses this list to scan all systems in the environment. This investigation technique is called what?

A. Vulnerability scanning B. Intelligence-led compromise scope assessment using known IoCs and TTPs C. Passive DNS data collection D. Network penetration testing

Question 6

A CTI analyst monitors threat actor infrastructure and detects that a domain previously associated with a C2 campaign has resumed DNS activity, suggesting the actor may be relaunching operations. She immediately notifies the IR team with context about the actor's previous campaign targets and TTPs. This proactive intelligence notification serves what IR purpose?

A. Increasing the number of SIEM rules in the environment B. Enabling pre-incident preparation — the IR team can pre-position detection and response capabilities before the attack begins C. Generating a post-incident lessons-learned report before the incident occurs D. Providing evidence for law enforcement prosecution

Question 7

During incident recovery, a CTI analyst is asked to assess whether the threat actor is likely to return after remediation. Based on intelligence showing the actor has re-compromised 70% of previous victims within 90 days when their root cause was inadequately addressed, she advises the IR team to prioritize a specific set of hardening actions. What does this intelligence contribution demonstrate?

A. CTI supporting incident recovery planning with threat actor recidivism intelligence B. CTI automatically remediating all vulnerabilities identified during the incident C. CTI generating a public disclosure statement about the incident D. CTI performing a vulnerability scan of remediated systems

Question 8

A CTI team embeds an analyst into the IR team during a major breach investigation at a financial institution. The embedded CTI analyst provides real-time intelligence lookups, helps interpret adversary artifacts, and updates the threat actor profile with newly discovered TTPs from the investigation. This model is called what?

A. CTI performing vulnerability assessments during incident response B. Embedded CTI-IR model providing real-time intelligence support during active investigations C. CTI replacing the IR team's forensic investigation capability D. CTI generating automated containment actions without analyst input

Question 9

After containing a major incident, a CTI analyst reviews all findings from the investigation and identifies three new threat actor TTPs not previously documented in their knowledge base: a novel persistence mechanism, an unusual exfiltration protocol, and a previously unseen obfuscation technique. What should she do with these findings?

A. Discard them as incident-specific anomalies not relevant to future intelligence work B. Update the threat actor knowledge base, create new ATT&CK-mapped detection rules, and share sanitized findings with sector peers C. Keep the findings confidential within the IR team only D. Wait for the next annual threat assessment before documenting the new TTPs

Question 10

A CTI team uses intelligence from a previous incident to develop an IR playbook specifically for the threat actor's campaign pattern. The playbook includes: initial detection indicators, containment steps, specific forensic artifacts to collect, communication templates, and recovery guidance. This playbook represents what integration between CTI and incident response?

A. A generic incident response checklist with no threat-specific content B. An intelligence-driven threat-specific IR playbook built from prior incident learning C. A data retention policy for incident evidence D. A vendor management guide for SIEM procurement

EC-Council CTIA Module 8.3 Practice Test 001

Related Posts

Leave a Comment Cancel Reply