EC-Council CTIA Module 2.4 Practice Test 001

This practice test covers Module 2 (Cyber Threats and Attack Frameworks) Sub-module 4 (MITRE ATT\&CK and Diamond Model).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 2.4 Practice Test 001

10 questions • Single best answer

Question 1

A threat hunter at a retail enterprise wants a knowledge base that catalogs adversary behaviors as tactics and techniques observed in real intrusions. The reference must describe how attackers operate, not a linear phase order. Which resource fits?

A. Cyber Kill Chain B. Pyramid of Pain C. MITRE ATT&CK D. MoSCoW method

Question 2

A CTI analyst studies an intrusion analysis framework built on four linked features: the attacker, the capability used, the infrastructure, and the target. Which model organizes intrusions around these four elements?

A. Diamond Model B. Cyber Kill Chain C. MITRE ATT&CK D. Pyramid of Pain

Question 3

In ATT&CK, a SOC analyst needs the term for the adversary's high-level goal in a given phase, such as gaining initial access or maintaining persistence. Which ATT&CK component represents this objective?

A. Technique B. Indicator C. Vertex D. Tactic

Question 4

A CTI analyst documents the specific method an adversary used to achieve a goal, such as spearphishing for initial access. In ATT&CK terms, what is this specific method called?

A. Tactic B. Technique C. Campaign objective D. Infrastructure

Question 5

Using the Diamond Model, a financial CTI team connects a malware sample to the servers and domains the adversary used to deliver and control it. Which Diamond Model feature do these servers and domains represent?

A. Adversary B. Victim C. Infrastructure D. Capability

Question 6

A Diamond Model analyst classifies the malware and exploits an adversary employs against a target. Which core feature of the model do these tools represent?

A. Capability B. Infrastructure C. Victim D. Adversary

Question 7

A SOC director asks how ATT&CK improves detection engineering compared with indicator lists alone. The CTI lead notes it focuses defenders on durable adversary behaviors. What is the primary benefit?

A. It guarantees blocking every attack B. It eliminates the need for logging C. It identifies the attacker's identity D. It maps detections to behaviors harder to change

Question 8

An incident response team uses the Diamond Model to pivot from a known malicious domain to discover other victims contacting it. Which analytic strength of the model does this pivoting demonstrate?

A. Sequencing attack phases chronologically B. Linking related intrusion features for discovery C. Ranking indicators by adversary cost D. Prioritizing requirements by urgency

Question 9

A CTI team wants to combine a behavior-focused knowledge base with a model that maps relationships among attacker, tool, infrastructure, and target. Which pairing of frameworks meets this need?

A. Pyramid of Pain and MoSCoW B. Two copies of the Cyber Kill Chain C. MITRE ATT&CK and the Diamond Model D. SWOT analysis and PEST analysis

Question 10

A CTI analyst maps observed techniques onto an ATT&CK matrix to reveal which adversary behaviors the organization can and cannot currently detect. What is this gap-identification practice commonly called?

A. Coverage mapping B. Indicator hashing C. Requirements prioritization D. Phase sequencing

EC-Council CTIA Module 2.4 Practice Test 001

Related Posts

Leave a Comment Cancel Reply