EC-Council CTIA Module 2.5 Practice Test 002

This practice test covers Module 2 (Cyber Threats and Attack Frameworks) Sub-module 5 (Indicators of Compromise).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 2.5 Practice Test 002

10 questions • Single best answer

Question 1

An incident responder at a healthcare provider collects forensic artifacts proving a breach occurred, such as malicious IPs and file hashes. These observable evidence items confirm intrusion. What are these artifacts called?

A. TTPs B. Indicators of Compromise C. Vulnerabilities D. Patches

Question 2

Among collected artifacts, a connection to a known malicious domain and a suspicious external IP stand out. Which IoC category do these belong to?

A. Host indicators B. Email indicators C. Behavioral indicators D. Network indicators

Question 3

An analyst finds a malicious registry key, an unexpected file hash, and a rogue process on an endpoint. Which IoC category covers these?

A. Host-based indicators B. Network indicators C. Email indicators D. Strategic indicators

Question 4

Investigators identify a spoofed sender address, malicious attachment, and phishing subject line. Which IoC category fits these artifacts?

A. Network indicators B. Host indicators C. Email indicators D. Cloud indicators

Question 5

A manager confuses two concepts. The attacker's specific malicious IP is one thing, while their broader method of phishing then moving laterally is another. The behavioral method is best called what?

A. An IoC B. A TTP C. A hash D. A domain

Question 6

Using the Pyramid of Pain, an analyst notes that blocking a file hash barely inconveniences the adversary, who can trivially change it. Which indicator sits at the bottom, easiest to change?

A. TTPs B. Tools C. Domain names D. Hash values

Question 7

At the top of the same pyramid, denying these forces the adversary to fundamentally change behavior, causing the most pain. Which level is this?

A. TTPs B. IP addresses C. Hash values D. Domain names

Question 8

An indicator that cannot be broken into smaller parts, such as a single IP address or email, is classified as which type?

A. Computed indicator B. Behavioral indicator C. Atomic indicator D. Strategic indicator

Question 9

Some indicators are produced by processing data rather than observed directly. A hash value or regular expression derived through computation is one example. Which type is this?

A. Atomic indicator B. Computed indicator C. Behavioral indicator D. Network tactic

Question 10

Some indicators describe sequences of attacker activity rather than single artifacts. They combine multiple atomic and computed indicators into a pattern. Which type is this?

A. Atomic indicator B. Computed indicator C. Network port D. Behavioral indicator

EC-Council CTIA Module 2.5 Practice Test 002

Related Posts

Leave a Comment Cancel Reply