EC-Council CTIA Module 3.6 Practice Test 001

This practice test covers Module 3 (Requirements, Planning, Direction, and Review) Sub-module 6 (Threat Intelligence Sharing).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 3.6 Practice Test 001

10 questions • Single best answer

Question 1

A threat intelligence analyst at a regional bank receives an intelligence report marked TLP:AMBER from an ISAC partner. Which sharing constraint does this classification impose on the receiving organization?

A. The report may be shared publicly to increase sector-wide awareness of the threat B. The report may be shared within the analyst's organization and with trusted direct partners who need to act on it C. The report is restricted solely to the named recipients specified by the originating organization D. The report may be freely shared with any vetted government agency without restriction

Question 2

A CTI team needs to automate the exchange of machine-readable threat intelligence with a sector ISAC. They require a standard that structures intelligence objects and a protocol that transports them. Which pairing satisfies both requirements?

A. OpenIOC for structuring and HTTPS for transport B. STIX for structuring and TAXII for transport C. MISP for structuring and STIX for transport D. CybOX for structuring and IODEF for transport

Question 3

A cybersecurity manager at a mid-size retail firm wants to join a sharing community but cannot qualify for a sector-specific ISAC. Which alternative body is best suited for organizations that do not align to a single critical infrastructure sector?

A. A Computer Emergency Response Team (CERT) B. A government fusion center C. An Information Sharing and Analysis Organization (ISAO) D. A managed security service provider (MSSP)

Question 4

A CTI program manager at a large financial institution coordinates intelligence dissemination to ten downstream community banks without expecting reciprocal contributions from those partners. Which threat intelligence sharing model does this arrangement best represent?

A. Peer-to-peer sharing B. Many-to-many sharing C. Hub-and-spoke sharing D. Ad hoc sharing

Question 5

An intelligence lead at a critical infrastructure operator wants to formalize sharing with a newly identified peer organization. Before exchanging sensitive operational intelligence, which step should the analyst complete first?

A. Publish the intelligence to an open threat feed to gauge the peer's interest level B. Establish a trust relationship through a formal agreement such as an MoU or NDA C. Begin sharing immediately to demonstrate goodwill and accelerate relationship building D. Require the peer organization to share first before providing any intelligence in return

Question 6

A threat intelligence manager is building the business case for joining a sector ISAC. Which outcome most directly demonstrates the strategic value of participating in structured threat intelligence sharing?

A. Reduced need for in-house analysts because partner organizations perform most of the analysis B. Access to a broader and more timely pool of threat data that reduces detection blind spots C. Elimination of the organization's obligation to maintain its own threat intelligence lifecycle D. Guaranteed regulatory compliance with applicable information security frameworks

Question 7

A government CTI team prepares to share a threat report with private-sector partners through an ISAC portal. The report contains victim attribution data that must not be disclosed. Which technique should the team apply before disseminating the report?

A. Encrypt the full report and share only the decryption key with vetted recipients B. Redact or anonymize the victim attribution data before sharing the report C. Downgrade the TLP classification to TLP:WHITE so all partners can access the full content D. Delay sharing indefinitely until a formal legal review confirms no element is sensitive

Question 8

A CTI team at a healthcare network identifies an active ransomware campaign targeting hospital billing systems. To notify other healthcare organizations facing the same threat quickly and through a sector-aligned channel, which sharing partner type is most appropriate?

A. A commercial threat intelligence vendor B. A law enforcement liaison office C. A Health-ISAC or equivalent sector-specific sharing community D. A cloud service provider's abuse reporting team

Question 9

A CTI team evaluates two distribution models for delivering IoC feeds. In one model, indicators are automatically sent to partners as they are produced. In the second, partners query a central repository when they need data. Which terms correctly label these two models?

A. Active sharing and passive sharing B. Push sharing and pull sharing C. Broadcast sharing and selective sharing D. Automated sharing and manual sharing

Question 10

A threat intelligence program manager reviews the organization's sharing posture and notes all intelligence exchange relies on informal email with no agreed format, frequency, or classification scheme. Which characterization best describes this approach?

A. Structured sharing, because consistent email channels establish a repeatable process B. Federated sharing, because multiple organizations contribute through a common channel C. Ad hoc sharing, because there is no standardized framework governing the exchange D. Managed sharing, because the program manager oversees distribution directly

EC-Council CTIA Module 3.6 Practice Test 001

Related Posts

Leave a Comment Cancel Reply