EC-Council CTIA Module 2.5 Practice Test 001

This practice test covers Module 2 (Cyber Threats and Attack Frameworks) Sub-module 5 (Indicators of Compromise).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 2.5 Practice Test 001

10 questions • Single best answer

Question 1

A threat hunter at a telecommunications company is briefing junior analysts on detection fundamentals. She explains the role of indicators of compromise in identifying malicious activity. Which statement best defines an indicator of compromise (IoC)?

A. A structured set of adversary TTPs documented in the MITRE ATT&CK framework used for detection engineering. B. Observable artifacts in a system or network that suggest a security incident has occurred or is in progress. C. A formal report generated by the CTI team describing the confirmed impact and timeline of a breach. D. A list of known threat actors and their associated malware families maintained in a threat intelligence platform.

Question 2

A SOC analyst at an energy company is reviewing the Pyramid of Pain to prioritize threat detection. His team wants to focus on indicators that, when detected and blocked, cause the greatest disruption to an adversary. Which indicator type sits at the top of the Pyramid of Pain?

A. File hash values B. Domain names C. IP addresses D. Tactics, Techniques, and Procedures (TTPs)

Question 3

An incident response team at a retail company shares SHA-256 hashes of malware samples found during an investigation. A senior analyst warns the team not to rely heavily on hash-based detection. Why are hash values considered the lowest-value indicators on the Pyramid of Pain?

A. Hash values are proprietary and cannot be shared using standard threat intelligence formats such as STIX or TAXII. B. Hash values represent behavioral patterns that threat actors can modify simply by rewriting their attack playbook. C. Adversaries can trivially alter a hash value by making minor modifications to malware, immediately invalidating the indicator. D. Hash values only apply to email-based indicators and cannot detect network-level or endpoint threats.

Question 4

A CTI analyst at a healthcare provider is classifying IoCs collected during a phishing campaign investigation. She categorizes a C2 server IP address as an atomic indicator. Which of the following best describes atomic indicators of compromise?

A. Indicators derived algorithmically by combining multiple raw data points such as email headers and sender reputation. B. High-level behavioral patterns observed across an entire intrusion campaign over an extended period. C. Simple, indivisible data elements such as IP addresses, email addresses, or file hashes that cannot be broken down further. D. Indicators that represent an adversary's complete set of attack tactics and operational methodology.

Question 5

A threat intelligence team at a financial institution flags a set of malicious IP addresses and shares them across their ISAC community. A peer analyst notes that actors seldom feel significant pain from IP-based blocking. Why do IP addresses rank low on the Pyramid of Pain?

A. IP addresses cannot be embedded in standard threat intelligence sharing formats like STIX, limiting their usefulness. B. IP addresses change so frequently in modern networks that they are statistically unreliable as detection indicators. C. Attackers can easily switch to new IP addresses or route through proxies and bulletproof hosting, making this indicator simple to circumvent. D. IP address indicators are only valid for nation-state attribution and are not applicable to commodity cybercrime threats.

Question 6

During a post-incident review at a cloud services provider, the security team identifies suspicious registry key modifications on endpoints and unusual outbound DNS queries to a recently registered domain. The team lead asks analysts to separate host-based from network-based IoCs. Which of the following is a network-based IoC?

A. A new autorun registry key created by malware under HKLMSoftwareMicrosoftWindowsCurrentVersionRun. B. A malicious process injected into a legitimate Windows service running in memory on an endpoint. C. Unusual outbound DNS queries to a recently registered domain associated with a known C2 framework. D. A modified system binary with an altered SHA-256 hash value found during endpoint forensics.

Question 7

A threat analyst at a government agency is reviewing logs after detecting a lateral movement event. She identifies a pattern of failed authentication attempts followed by successful logins across multiple systems within minutes. This multi-event detection approach is best described as which type of indicator?

A. Atomic indicator B. Computed indicator C. Behavioral indicator D. Technical indicator

Question 8

An analyst at a managed detection and response provider is building detection signatures by algorithmically combining email header fields, attachment metadata, and sender IP reputation scores into a single composite artifact. The resulting indicator is derived from multiple correlated data elements. This is an example of which IoC category?

A. Atomic indicator B. Behavioral indicator C. Computed indicator D. Strategic indicator

Question 9

A CTI team at a critical infrastructure company confirms that an adversary group consistently uses a commercially available remote access tool for maintaining persistence. Disrupting this capability requires the adversary to find or build a replacement tool. Where do tools fall on the Pyramid of Pain, and why?

A. At the top, because tools represent the highest-fidelity behavioral understanding of adversary operations. B. At the bottom, because tools can be replaced as easily and quickly as changing an IP address. C. In the middle, because adversaries can replace tools but doing so requires meaningful time, effort, and cost. D. Tools are not represented on the Pyramid of Pain; the model only includes atomic indicators such as hashes and IPs.

Question 10

A threat hunting team at an MSSP is debating whether to invest in IoC-based detection or TTP-based detection strategies. The team lead argues that TTP-based detection provides more durable long-term coverage. Why are TTPs considered more valuable than atomic IoCs for sustained threat detection?

A. TTPs are machine-readable and can be imported directly into SIEM platforms without analyst review or tuning. B. TTPs are based on adversary behaviors that are difficult and costly to change, providing detection that persists across infrastructure rotations. C. TTPs are updated more frequently than IoC feeds by threat intelligence sharing communities, ensuring fresher detection coverage. D. TTP-based detection replaces the need for IoC collection entirely once a CTI program reaches advanced maturity.

EC-Council CTIA Module 2.5 Practice Test 001

Related Posts

Leave a Comment Cancel Reply