EC-Council CTIA Module 2.2 Practice Test 001

This practice test covers Module 2 (Cyber Threats and Attack Frameworks) Sub-module 2 (Advanced Persistent Threats).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 2.2 Practice Test 001

10 questions • Single best answer

Question 1

An incident response team at a pharmaceutical company discovers that an adversary maintained covert access to drug development servers for 14 months, exfiltrated research data in small increments, and avoided triggering any alerts throughout the campaign. Which set of characteristics most accurately defines this type of threat actor?

A. Script kiddie using automated scanners with no strategic objective or technical sophistication B. Advanced persistent threat — a patient, targeted, well-resourced adversary conducting long-duration covert operations C. Hacktivist exploiting publicly disclosed vulnerabilities to make an ideological statement against the pharmaceutical industry D. Cybercriminal deploying ransomware to encrypt data and demand financial payment from the organization

Question 2

A CTI analyst reviewing a breach at a logistics company finds that the adversary used spear-phishing emails crafted with employee names, vendor details, and a spoofed procurement domain to gain an initial foothold into the corporate network. Which phase of the APT lifecycle does this activity represent?

A. Escalate Privileges — exploiting vulnerabilities to gain elevated access from an existing foothold B. Lateral Movement — spreading access across internal systems using compromised credentials C. Initial Intrusion — using targeted phishing or exploitation to gain the first point of unauthorized access D. Establish Presence — installing backdoors and implants to maintain persistent access after entry

Question 3

A CTI analyst at a technology company is documenting pre-attack behavior attributed to an APT group. The adversary researched employee LinkedIn profiles, organizational hierarchies, vendor relationships, and public procurement documents over several weeks before any technical intrusion activity began. Which APT lifecycle phase does this represent?

A. Initial Intrusion — delivering a weaponized payload to gain the first foothold in the target network B. Internal Reconnaissance — mapping systems and assets after gaining access to the target environment C. Establish Presence — deploying persistence mechanisms to maintain access after initial entry D. Initial Reconnaissance — gathering intelligence about the target before any intrusion attempt begins

Question 4

A SOC team at an energy company investigates a compromised workstation and finds custom backdoors installed in scheduled tasks and registry run keys, encrypted C2 channels masquerading as legitimate HTTPS traffic, and evidence that attacker tools were removed after each session to minimize artifacts. Which APT tactic is most clearly illustrated?

A. Lateral Movement — using compromised credentials to pivot across network segments to additional hosts B. Privilege Escalation — exploiting a local vulnerability to move from a standard account to domain admin C. Maintaining Presence with operational security — using persistence mechanisms while evading detection D. Mission Completion — staging and exfiltrating target data to adversary-controlled infrastructure

Question 5

An analyst at a defense contractor's CTI team determines that an adversary gained initial access via a compromised vendor account, then used pass-the-hash techniques and legitimate remote administration tools to access 12 internal systems across six weeks without triggering alerts. Which APT lifecycle phase is this?

A. Initial Reconnaissance — profiling the target organization and its employees before launching an attack B. Establish Presence — installing backdoors and implants to maintain a persistent foothold after entry C. Privilege Escalation — exploiting kernel vulnerabilities to gain elevated system or domain administrator rights D. Lateral Movement — spreading access across internal systems using valid credentials and native tools

Question 6

A financial institution's risk team asks its CTI lead to explain why APT intrusions are more difficult to detect and remediate than typical cybercriminal attacks. Which characteristic most clearly differentiates an APT from a financially motivated cybercriminal operation?

A. APTs exclusively target financial institutions while cybercriminals target any organization indiscriminately B. APTs rely solely on zero-day exploits while cybercriminals use only commodity malware and phishing kits C. APTs conduct patient, long-duration covert operations while cybercriminals typically seek rapid monetization with less stealth D. APTs are always sponsored by nation-states while all cybercriminals always operate independently without coordination

Question 7

During a breach investigation at a government contractor, forensic analysis shows the adversary used a compromised standard user account, then spent three weeks exploiting a local kernel vulnerability to gain domain administrator rights before moving to sensitive project repositories. Which APT lifecycle phase does this describe?

A. Internal Reconnaissance — mapping Active Directory structure and file share locations to identify target assets B. Lateral Movement — pivoting from the initial foothold to additional systems across the internal network C. Privilege Escalation — moving from limited user access to elevated permissions required to reach target data D. Mission Completion — staging and exfiltrating crown-jewel data to adversary infrastructure

Question 8

A CISO at a biotech firm presents findings from a year-long breach investigation. The adversary's final phase involved packaging research files into encrypted RAR archives, staging them on a compromised internal server, and transmitting them in small bursts to a cloud storage provider over several weeks. Which APT lifecycle phase does this represent?

A. Lateral Movement — using compromised credentials to access additional internal research systems B. Establish Presence — deploying encrypted implants to maintain persistent access across multiple systems C. Internal Reconnaissance — mapping research file locations and identifying high-value intellectual property D. Mission Completion — exfiltrating target data to fulfill the adversary's primary intelligence collection objective

Question 9

An intelligence briefing prepared for a government agency profiles a threat group that exclusively targets military research institutions, aerospace companies, and defense contractors with no ransom demands and no public claims of responsibility. All compromises involved multi-stage persistence and long-duration collection. Which objective most likely drives this APT group?

A. Financial gain through ransomware deployment and cryptocurrency extortion across high-value government-adjacent organizations B. Ideological activism using targeted data leaks to embarrass defense and government institutions publicly C. Espionage and intellectual property theft in support of a nation-state's strategic military or economic programs D. Destructive sabotage using wiper malware to impair the operational capability of defense supply chains

Question 10

After establishing persistence in a manufacturing firm's environment, an adversary spent four weeks scanning internal network segments, mapping Active Directory trust relationships, and enumerating file shares to locate proprietary process control documentation before taking further action. Which APT lifecycle phase is described?

A. Initial Intrusion — using a spear-phishing email to gain the first unauthorized foothold in the environment B. Establish Presence — deploying backdoors and C2 channels to maintain persistent access in the network C. Internal Reconnaissance — mapping the internal environment to identify the location of high-value target assets D. Lateral Movement — using compromised credentials to spread access across additional internal systems

EC-Council CTIA Module 2.2 Practice Test 001

Related Posts

Leave a Comment Cancel Reply