EC-Council CTIA Module 2.5 Practice Test 003

This practice test covers Module 2 (Introduction to Threat Intelligence) Sub-module 5 (Indicators of Compromise).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Practice Test of the Day 260628

10 questions • Single best answer

Question 1

A SOC analyst at a healthcare provider reviews forensic artifacts after a breach. They catalog malicious IP addresses, file hashes, and domain names the attacker left behind. What are these forensic clues collectively called?

A. Tactics, techniques, and procedures B. Indicators of Compromise C. Threat intelligence feeds D. Known vulnerabilities

Question 2

An analyst at an MSSP classifies a spoofed sender address and a weaponized attachment captured during a phishing wave. They group these by where the artifacts originate. Into which IoC category do they fall?

A. Network indicators B. Host-based indicators C. Behavioral indicators D. Email indicators

Question 3

A threat hunter examines a compromised workstation and finds suspicious registry keys, malicious filenames, and rogue running processes. These artifacts reside on the endpoint itself. Which IoC category do they represent?

A. Host-based indicators B. Network indicators C. Email indicators D. Strategic indicators

Question 4

A CTI analyst references a model that ranks indicator types by how much disruption each causes adversaries when blocked. Hash values sit at the bottom as trivial to change. Which model is this?

A. Diamond Model B. Cyber Kill Chain C. Pyramid of Pain D. MITRE ATT&CK

Question 5

Using the Pyramid of Pain, an analyst wants to impose the greatest cost on an adversary. They target the indicator type that is hardest for attackers to alter. Which indicator type is that?

A. IP addresses B. TTPs C. Domain names D. Hash values

Question 6

An analyst separates static artifacts like file hashes from the adversary's recurring patterns of operation. They focus on how the adversary acts rather than the leftover artifacts. What term describes those behaviors?

A. Tactics, techniques, and procedures B. Indicators of Compromise C. Threat data feeds D. Atomic indicators

Question 7

An analyst flags malicious command-and-control IP addresses, callback URLs, and domain names observed in traffic logs. These artifacts are seen on the wire. Which IoC category applies?

A. Host-based indicators B. Email indicators C. Behavioral indicators D. Network indicators

Question 8

A SOC ingests a feed of known-bad hashes and IP addresses into its SIEM to flag matches across the environment. The goal is to catch threats already seen elsewhere. What is the primary operational use of these indicators?

A. Predicting adversary motivation B. Setting the program budget C. Detecting and blocking known threats D. Writing executive strategy

Question 9

An analyst labels a single malicious IP address that cannot be broken into smaller parts and still keep its meaning. They need the correct indicator classification. Which type is this?

A. Atomic indicator B. Computed indicator C. Behavioral indicator D. Strategic indicator

Question 10

An analyst derives a value from incident data, such as a hash calculated from a malicious file or a regex built from logs. They must classify this derived value. Which indicator type is it?

A. Atomic indicator B. Computed indicator C. Behavioral indicator D. Tactical objective

EC-Council CTIA Module 2.5 Practice Test 003

Related Posts

Leave a Comment Cancel Reply