EC-Council CTIA Module 2.4 Practice Test 001

This practice test covers Module 2 (Cyber Threats and Attack Frameworks) Sub-module 4 (MITRE ATT\&CK and Diamond Model).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 2.4 Practice Test 001

10 questions • Single best answer

Question 1

A CTI program manager at a large retail organization is structuring threat behavior data from a recent campaign involving credential harvesting via phishing and lateral movement using stolen tokens. She wants to map adversary behaviors to named objectives with associated procedure examples. Which framework is best suited for this purpose?

A. Cyber Kill Chain — provides seven sequential phases for mapping adversary campaign activity from reconnaissance to actions on objectives B. MITRE ATT&CK — provides a structured knowledge base of adversary tactics, techniques, and procedures organized by adversary objective C. Diamond Model — maps intrusion events across four analytical vertices including adversary, capability, infrastructure, and victim D. STRIDE — categorizes threat types (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege) for software threat modeling

Question 2

A SOC analyst at a healthcare network detects that an attacker used scheduled tasks to maintain persistence on compromised workstations following initial access via a phishing email. The analyst wants to reference the specific adversary behavior in MITRE ATT&CK. What is the correct ATT&CK classification for this behavior?

A. Tactic: Execution; Technique: Scheduled Task/Job — because the scheduled task runs code on the system B. Tactic: Persistence; Technique: Scheduled Task/Job — because the adversary is using the mechanism to survive system reboots and maintain long-term access C. Tactic: Defense Evasion; Technique: Scheduled Task/Job — because scheduled tasks disguise adversary activity within legitimate system functions D. Tactic: Initial Access; Technique: Scheduled Task/Job — because the phishing email enabled the attacker to first enter the environment

Question 3

An analyst at a financial institution is building a threat intelligence report and needs to explain the relationship between tactics and techniques in MITRE ATT&CK. A junior analyst is confused about which element represents the adversary's goal versus the method. Which statement correctly describes this relationship?

A. Tactics are specific, technical implementations of adversary actions; techniques represent the adversary's high-level objective for each phase B. Tactics represent the adversary's high-level goal or objective; techniques describe the specific method the adversary uses to achieve that goal C. Tactics and techniques are interchangeable ATT&CK concepts that describe adversary behavior at equivalent levels of specificity D. Techniques are abstract adversary objectives organized into categories; sub-techniques are the goals, and tactics are the tools the adversary deploys

Question 4

An incident response team at a manufacturing firm asks the CTI team to compare the adversary techniques observed during a recent intrusion against the organization's existing detection controls, and identify which techniques have no corresponding detection coverage. Which ATT&CK use case does this scenario best represent?

A. Threat intelligence enrichment — providing contextual data about the adversary group to support executive reporting B. Red team planning — using ATT&CK to design adversary simulation exercises aligned to the organization's threat profile C. Defensive gap analysis — using ATT&CK to identify which adversary techniques lack corresponding detection or preventive controls D. Threat hunting hypothesis generation — using ATT&CK techniques as starting points for proactive searches in telemetry data

Question 5

A threat intelligence analyst at an MSSP receives an intrusion report describing the following elements: the attacking group (APT29), the targeted organization (a fintech startup), the C2 domains used (infrastructure), and the malware family deployed (capability). Which analytical model organizes these four elements as its core vertices for intrusion analysis?

A. Cyber Kill Chain — organizes adversary activity into seven sequential phases from reconnaissance through actions on objectives B. MITRE ATT&CK — catalogs adversary tactics, techniques, and procedures across multiple platforms and environments C. Diamond Model of Intrusion Analysis — structures every intrusion event around four core vertices: Adversary, Capability, Infrastructure, and Victim D. PASTA (Process for Attack Simulation and Threat Analysis) — a seven-stage risk-centric threat modeling methodology for application security

Question 6

An analyst applies the Diamond Model to investigate an intrusion at a logistics company. She identifies the adversary's C2 server (infrastructure) communicating directly with the victim's compromised web server. In the Diamond Model, which two vertices are connected by this observed relationship?

A. Adversary and Victim — because the adversary is targeting the victim organization through the communication channel B. Capability and Infrastructure — because the malware (capability) runs on or through the C2 infrastructure C. Infrastructure and Victim — because the C2 server (adversary-controlled infrastructure) communicates directly with the victim's system D. Adversary and Capability — because the adversary operators control the C2 server and the malware it deploys

Question 7

A government agency's CTI team is analyzing multiple intrusion events attributed to the same threat group across five different victim organizations over 18 months. They want to link events by shared adversary TTPs and infrastructure rather than treating each intrusion as isolated. Which Diamond Model concept best supports this cross-event analysis?

A. Activity thread — a series of linked Diamond Model events representing a single intrusion campaign against one victim organization B. Meta-features — contextual attributes such as timestamps, phases, and results that enrich individual Diamond events but do not connect multiple events C. Activity group — a set of Diamond Model events linked by shared characteristics such as adversary identity, capability, or infrastructure across multiple victims D. Capability vertex — the adversary's tools and malware families that appear consistently across intrusion events

Question 8

An intelligence lead is briefing the CISO of a cloud services provider on a recent intrusion. She uses MITRE ATT&CK to explain adversary behaviors but must connect technical findings to business risk. The CISO asks which ATT&CK component represents the adversary's overall strategic intent at each stage of the attack. What is the correct answer?

A. Sub-techniques — the most granular ATT&CK level describing specific procedural variations of an adversary method B. Groups — named threat actor clusters in ATT&CK that document which techniques each adversary has used historically C. Mitigations — defensive controls and recommendations mapped to each specific ATT&CK technique D. Tactics — the high-level adversary objective or goal that each technique is designed to accomplish within an attack phase

Question 9

A CTI team at a financial institution applies the Diamond Model to a spear-phishing intrusion. They have positively identified the malware strain used and the C2 domains, and the victim organization is known. However, they cannot conclusively link the campaign to any known threat actor. Which Diamond Model vertex represents the primary analytical confidence gap in this scenario?

A. Infrastructure — because the team cannot determine whether additional C2 domains were used beyond those already identified B. Capability — because the malware may have unknown variants that were not detected during the investigation C. Victim — because the full scope of targeted assets within the organization has not been confirmed D. Adversary — because the threat actor responsible for the intrusion has not been attributed to a known group or identity

Question 10

An MSSP threat analyst is enriching an intelligence report on a ransomware campaign. The adversary executed PowerShell commands via Windows Management Instrumentation (WMI) to run the encryption payload. The analyst needs to correctly represent this behavior in MITRE ATT&CK at its proper hierarchical level. What is the accurate ATT&CK representation?

A. PowerShell is a tactic; Windows Management Instrumentation is a separate tactic under the Execution category B. Execution is the tactic; Windows Management Instrumentation Event Subscription (T1546.003) is a technique; PowerShell (T1059.001) is a separate technique, both under the Execution or Persistence tactic depending on context C. WMI and PowerShell are both sub-techniques under the single parent technique 'Living Off the Land' within the Defense Evasion tactic D. Living off the land is a named ATT&CK tactic with WMI and PowerShell listed as direct child techniques beneath it

EC-Council CTIA Module 2.4 Practice Test 001

Related Posts

Leave a Comment Cancel Reply