EC-Council CTIA Module 1.2 Practice Test 002

This practice test covers Module 1 (Introduction to Threat Intelligence) Sub-module 2 (Cyber Threat Intelligence Concepts).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Practice Test of the Day 260528

10 questions • Single best answer

Question 1

A threat intelligence lead at a cloud services company is onboarding a new analyst and asks her to define cyber threat intelligence. Which definition most accurately reflects the CTI concept as understood in professional practice?

A. Cyber threat intelligence is the real-time collection of log data from firewalls and SIEM platforms B. Cyber threat intelligence is evidence-based knowledge about adversaries — including their capabilities, motivations, intentions, and TTPs — that enables informed decisions to protect against specific threats C. Cyber threat intelligence is a set of automated blocking rules applied to network perimeters based on vendor subscriptions D. Cyber threat intelligence is a management reporting tool used to track the status of active security incidents

Question 2

A CTI analyst is building adversary profiles for her organization's threat library. One group conducts 18-month espionage campaigns against defense contractors using custom implants and zero-day exploits. Another group deploys ransomware within 48 hours of initial access and demands payment. Which factor most clearly distinguishes these two actors?

A. The total number of malware variants each group has developed and deployed over their lifetime B. The number of countries each group has targeted in documented campaigns C. Motivation and campaign objectives — long-term access and data theft versus rapid monetization through extortion D. The sophistication of each group's initial access techniques relative to known vulnerability disclosures

Question 3

An intelligence lead is finalizing the distribution plan for three new CTI products. She must match each product to its primary consumer. Which consumer-product pairing correctly aligns each intelligence type with its intended audience?

A. Malware hashes and YARA rules → board of directors; geopolitical threat trends → SOC analysts; actor TTPs → network engineers B. ATT&CK-mapped TTPs → Tier-1 help desk analysts; sector risk trends → malware reverse engineers; IoC feeds → executive staff C. Geopolitical threat landscape → executive leadership; ATT&CK-mapped TTPs → SOC and IR teams; malware hashes and C2 IPs → security tools via automated ingestion D. All intelligence products should be sent simultaneously to all audiences without differentiation to maximize coverage

Question 4

A SOC manager receives two reports on the same threat actor. Report A covers the actor's historical origins, geopolitical motivation, and past high-profile breaches. Report B provides current C2 domains, lateral movement TTPs, and SIEM detection rule recommendations. Which report is more immediately actionable for SOC operations, and why?

A. Report A, because understanding actor history and motivation is necessary before any defensive action can be taken B. Report B, because it provides current indicators and TTPs the SOC team can implement directly in detection and monitoring workflows without additional analysis C. Both reports are equally actionable because SOC teams need both context and indicators to respond effectively D. Neither report is actionable until the data is correlated with internal network traffic logs by the CTI team

Question 5

A CTI team briefs an IR team on a newly identified threat actor. Intelligence shows the group is ideologically motivated, targets public utilities, and typically deploys wiper malware to destroy data rather than encrypt it for financial gain. How should this motivation intelligence most directly shape the IR team's response approach?

A. The IR team should apply the same ransomware recovery playbook used for financially motivated attacks B. The IR team should focus investigation resources on identifying and disrupting the actor's ransom payment infrastructure C. The IR team should prioritize mapping the actor's monetization channels and cryptocurrency wallet addresses D. The IR team should anticipate data destruction rather than extortion, emphasizing resilience, offline backups, and rapid system rebuild over ransom negotiation workflows

Question 6

A CTI analyst at an energy company is designing a collection plan. He identifies internal sources — network sensor logs, EDR telemetry, and previous incident reports — alongside external sources including commercial feeds, OSINT, and ISAC threat reports. What advantage do internal sources provide that external sources typically cannot?

A. Internal sources provide broader geopolitical actor coverage than any external commercial intelligence feed B. Internal sources are always more frequently updated and current than commercial threat intelligence products C. Internal sources provide environment-specific visibility into attacker behavior within the organization — revealing TTPs and artifacts observed against the organization's own infrastructure rather than generic sector-wide indicators D. Internal sources eliminate the operational need for external threat intelligence subscriptions once fully deployed

Question 7

A threat hunter at a government agency is deciding whether to build detections around a threat actor's malware file hashes or their behavioral patterns — specifically process injection techniques and scheduled task persistence mechanisms. Which approach provides more durable, long-term detection value?

A. File hash-based detections, because they are exact, unambiguous, and can be immediately applied to endpoint blocking lists B. Behavioral TTP-based detections, because attackers can trivially change file hashes but must fundamentally alter their intrusion methodology to evade behavior-based detection C. File hash-based detections, because TTPs change too frequently across campaigns to form a reliable detection foundation D. Both approaches provide equal long-term detection value and should always be built simultaneously without prioritization

Question 8

A CTI analyst is categorizing three newly identified threat groups. Group 1 uses commodity malware purchased from underground forums and opportunistically targets unpatched systems. Group 2 conducts multi-year campaigns using custom implants, supply chain compromises, and zero-day exploits. Group 3 performs website defacements to advance an ideological message. Which classification best describes Group 2?

A. Script kiddie — uses readily available tools and targets systems opportunistically without deep technical capability B. Hacktivist — driven by ideological goals and focused on public disruption and messaging C. Advanced Persistent Threat (APT) — highly sophisticated, patient, and focused on long-term strategic objectives with significant operational resources D. Cybercriminal — primarily motivated by financial gain using commodity tools and broad target selection

Question 9

A CISO is preparing for an annual board presentation on cybersecurity investment priorities. The CTI team provides a strategic threat landscape briefing covering which nation-state groups actively target the company's sector, their primary attack vectors, and the organization's current defensive gaps against those specific threats. How does this CTI contribution support the CISO's objectives?

A. It replaces the need for an independent security risk assessment or penetration test B. It provides evidence-based adversary context that justifies and prioritizes specific security investment decisions to a non-technical executive audience C. It functions as a formal audit report that satisfies regulatory compliance requirements D. It gives the board direct access to raw threat feeds so they can independently evaluate vendor claims

Question 10

A CTI team lead is training new analysts. She draws a three-tier pyramid: raw network logs and sensor data at the base, correlated security events with added context in the middle, and finished analyst assessments with recommended defensive actions at the top. Which concept does this pyramid best illustrate?

A. The Pyramid of Pain, which shows how difficult it is for threat actors to replace different types of indicators B. The threat intelligence maturity model showing the stages of CTI program development C. The data-information-intelligence hierarchy, in which raw observations become finished intelligence only after analysis and contextualization D. The MITRE ATT&CK framework structure, organized from individual techniques to broader tactic categories

EC-Council CTIA Module 1.2 Practice Test 002

Related Posts

Leave a Comment Cancel Reply