EC-Council CTIA Module 2.5 Practice Test 002

This practice test covers Module 2 (Cyber Threats and Attack Frameworks) Sub-module 5 (Indicators of Compromise).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.


10 questions • Single best answer
Question 1
A SOC analyst at a regional healthcare provider reviews artifacts left after a malware infection, including suspicious file hashes, registry keys, and outbound connections. She wants to classify these forensic clues correctly. What term describes these observable signs of intrusion?

Question 2
An MSSP analyst is sorting collected indicators into categories. She separates malicious IP addresses, domain names, and URLs from items like file hashes and registry changes. Which category do the IP addresses, domains, and URLs belong to?

Question 3
A threat hunter at a financial institution maps indicators to the Pyramid of Pain to decide where to focus. She wants to inflict the greatest cost on adversaries by targeting the level hardest for them to change. Which level should she prioritize?

Question 4
An incident response team at a cloud service provider receives a feed containing sender addresses, malicious subject lines, and weaponized attachments tied to a phishing wave. They need to label these artifacts by category. Which indicator category applies?

Question 5
A CTI analyst at a government agency debates whether to alert on a single observed indicator. A colleague argues that one artifact alone may produce false positives and that context matters. What best describes the primary limitation of relying solely on indicators of compromise?

Question 6
A threat intelligence team is normalizing collected artifacts and must distinguish low-level evidence from adversary behavior. An analyst notes that a malicious file hash differs fundamentally from a description of how the attacker moves laterally. What does the lateral-movement description represent?

Question 7
An analyst supporting a critical infrastructure operator collects artifacts directly from endpoints, including running processes, mutexes, and modified registry keys. She must tag these for the detection team. Which category covers these endpoint-resident artifacts?

Question 8
A SOC team enriches a newly received indicator before deploying it as a detection rule. The lead stresses that an artifact must be validated, contextualized, and confirmed malicious first. What is the main risk of deploying unvalidated indicators?

Question 9
A threat hunter wants to move detection up the Pyramid of Pain from easily changed artifacts toward more durable signals. She currently alerts on file hashes and IP addresses. Which shift increases adversary cost the most?

Question 10
An intelligence lead briefs the detection team on why indicators alone are insufficient against an advanced persistent threat that constantly rotates infrastructure. She recommends complementing artifacts with behavioral analysis. What concept best supports this recommendation?
