EC-Council CTIA Module 2.3 Practice Test 001

This practice test covers Module 2 (Cyber Threats and Attack Frameworks) Sub-module 3 (Cyber Kill Chain).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 2.3 Practice Test 001

10 questions • Single best answer

Question 1

A threat intelligence analyst supporting a government defense contractor reviews network telemetry and discovers evidence of passive scanning against external web servers and systematic LinkedIn enumeration of employees in engineering roles. Which phase of the Cyber Kill Chain does this activity represent?

A. Delivery — the adversary is transmitting reconnaissance artifacts to victim systems B. Weaponization — the adversary is selecting exploit code matched to discovered vulnerabilities C. Reconnaissance — the adversary is gathering target information prior to initiating the attack D. Exploitation — the adversary is leveraging discovered vulnerabilities to gain initial access

Question 2

A SOC team at an energy utility receives threat intelligence indicating that an adversary group bundled a malicious macro into a document masquerading as a regulatory compliance form. No payload has been delivered to any employee yet. Which Cyber Kill Chain phase is the adversary currently in?

A. Delivery — the adversary is in the process of transmitting the payload to the victim B. Exploitation — the adversary is triggering the macro to execute code on the target system C. Weaponization — the adversary has coupled an exploit with a malicious payload into a deliverable weapon D. Reconnaissance — the adversary is gathering information about the regulatory environment to craft the lure

Question 3

A CTI team at a financial institution identifies that a threat actor sent a malicious Office document attached to spear-phishing emails targeting 40 employees in the accounts payable department. The document has been received but not yet opened. Which Cyber Kill Chain phase does this activity represent?

A. Exploitation — the adversary is triggering vulnerabilities embedded in the document B. Weaponization — the adversary is preparing the malicious document for distribution C. Delivery — the adversary is transmitting the weaponized payload to the target environment D. Installation — the adversary is establishing persistence through the delivered document

Question 4

A threat hunter at a healthcare network discovers that an adversary triggered a remote code execution vulnerability in an unpatched VPN appliance, causing arbitrary commands to run under the appliance's service account context. Which phase of the Cyber Kill Chain does this activity represent?

A. Delivery — the adversary transmitted the malicious payload to the VPN appliance B. Installation — the adversary is deploying a persistent backdoor on the compromised appliance C. Exploitation — the adversary triggered a vulnerability to execute unauthorized code on the target system D. Command and Control — the adversary is communicating with the compromised appliance remotely

Question 5

An MSSP analyst investigating a client breach finds that after the initial compromise, the adversary dropped a remote access trojan into a system's startup folder and created a scheduled task to re-execute the RAT every 15 minutes. Which phase of the Cyber Kill Chain does this behavior represent?

A. Actions on Objectives — the adversary is achieving the campaign's end goal through the deployed tools B. Command and Control — the adversary is establishing a remote management channel to the compromised host C. Installation — the adversary is deploying a backdoor and establishing persistence on the compromised system D. Exploitation — the adversary is using the RAT to trigger additional vulnerabilities on internal systems

Question 6

A CTI team at an insurance company observes that a compromised workstation is generating encrypted HTTPS traffic to an unknown external domain at 10-minute intervals, even during non-business hours. Which Cyber Kill Chain phase does this beaconing activity represent?

A. Installation — the adversary is deploying persistence mechanisms through the observed traffic B. Actions on Objectives — the adversary is exfiltrating data using encrypted HTTPS as a cover channel C. Command and Control — the adversary is maintaining remote control of the implant through a covert communication channel D. Delivery — the adversary is using HTTPS to deliver additional payloads to the compromised host

Question 7

A CTI analyst mapping an intrusion campaign finds that after maintaining C2 access for three weeks, the adversary began bulk-copying sensitive merger documents to a staging folder and transferring them to an external cloud storage service. Which Cyber Kill Chain phase does this represent?

A. Command and Control — the adversary is using the cloud service as a secondary C2 infrastructure node B. Installation — the adversary is deploying additional implants via the cloud storage service C. Actions on Objectives — the adversary is achieving the campaign's end goal through data exfiltration D. Exploitation — the adversary is leveraging cloud storage vulnerabilities to gain elevated access

Question 8

A CTI program manager is training new analysts on attack frameworks. She explains that while both models support threat analysis, one provides a linear seven-phase attack sequence while the other offers a granular, non-linear matrix of adversary techniques mapped to tactics. Which statement best captures this distinction between the Cyber Kill Chain and MITRE ATT&CK?

A. The Cyber Kill Chain maps specific malware families to threat actor groups, while MITRE ATT&CK maps attack phases to defensive tool categories B. The Cyber Kill Chain provides a linear sequence of attack phases from reconnaissance to actions on objectives, while MITRE ATT&CK provides a granular, non-linear matrix of adversary TTPs organized by tactic C. MITRE ATT&CK was designed for strategic intelligence reporting to executives, while the Cyber Kill Chain was designed for technical indicator sharing between analysts D. The Cyber Kill Chain applies exclusively to network-based intrusions, while MITRE ATT&CK covers only endpoint and host-based attack techniques

Question 9

A CTI analyst is helping a security architecture team identify where to invest in controls to disrupt an adversary campaign at the earliest possible Kill Chain phase. The analyst explains that disrupting the adversary before any access is achieved is most cost-effective. Which Kill Chain phases represent the best early disruption points before the adversary breaches the perimeter?

A. Installation and Command and Control — blocking persistence and severing C2 channels after the adversary establishes access B. Exploitation and Actions on Objectives — detecting vulnerability triggering and data exfiltration as they occur C. Reconnaissance and Delivery — denying information collection and blocking weaponized payload transmission before any access is gained D. Weaponization and Exploitation — analyzing adversary tooling and patching vulnerabilities before they are triggered

Question 10

A threat intelligence team at a cloud services provider is onboarding new analysts. A senior analyst explains that the Cyber Kill Chain model was developed by Lockheed Martin and adapted from an existing military doctrine. Which military targeting concept forms the conceptual foundation of the Cyber Kill Chain?

A. The OODA Loop — Observe, Orient, Decide, Act — a cognitive decision-making cycle used to describe how combatants process information and respond faster than an opponent B. Intelligence Preparation of the Battlefield (IPB) — a systematic military process for analyzing the operational environment and adversary capabilities C. F3EAD — Find, Fix, Finish, Exploit, Analyze, Disseminate — a special operations targeting cycle for neutralizing high-value targets D. The F2T2EA kill chain — Find, Fix, Track, Target, Engage, Assess — a military sequence describing the steps required to identify and neutralize a threat

EC-Council CTIA Module 2.3 Practice Test 001

Related Posts

Leave a Comment Cancel Reply