EC-Council CTIA Module 4.1 Practice Test 001

This practice test covers Module 4 (Data Collection and Processing) Sub-module 1 (Threat Intelligence Data Collection).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 4.1 Practice Test 001

10 questions • Single best answer

Question 1

A CTI analyst at a regional electric utility is building a new data collection capability from scratch. Before selecting tools and sources, which foundational step should be completed first?

A. Subscribe to three commercial threat intelligence feeds to establish baseline coverage B. Define a collection plan aligned to the program's intelligence requirements C. Deploy a SIEM platform to aggregate and normalize all incoming threat data D. Establish automated OSINT monitoring for threat actor forums and paste sites

Question 2

A SOC team at a financial institution receives both structured STIX/TAXII feeds and unstructured threat reports from a vendor. Which statement best distinguishes structured from unstructured threat data?

A. Structured data requires human analysis before use; unstructured data is parsed automatically by security tools B. Structured data is formatted for machine processing using a defined schema; unstructured data lacks a consistent format C. Structured data originates from external sources; unstructured data is generated from internal security logs D. Structured data is higher-fidelity intelligence; unstructured data is considered low-quality and unreliable

Question 3

A threat intelligence team is categorizing its data sources as internal or external. Which source is best classified as an internal threat intelligence data source?

A. ISAC threat sharing feeds distributed to sector members B. Open-source malware repositories such as VirusTotal or MalwareBazaar C. Security information and event management (SIEM) logs from the organization's own environment D. Commercial threat intelligence platform indicators subscribed to by the organization

Question 4

An analyst is conducting OSINT collection to support a threat assessment of a suspected nation-state actor. Which activity is best described as OSINT collection?

A. Deploying a network honeypot to capture attacker tools and lateral movement techniques B. Reviewing leaked credential dumps on paste sites and threat actor discussions on dark web forums C. Querying the organization's internal SIEM for anomalous privileged account activity D. Obtaining a tip from a confidential source with insider access to the threat actor group

Question 5

A CTI analyst collects intelligence by analyzing captured malware samples and reverse-engineering their command-and-control infrastructure. Which type of intelligence collection does this best represent?

A. HUMINT — intelligence collected through human sources and interpersonal contact B. OSINT — intelligence gathered from publicly available open-source resources C. FININT — intelligence derived from financial transactions and money flows D. TECHINT — intelligence collected by analyzing technical artifacts and adversary tools

Question 6

A threat intelligence program manager is evaluating candidate data sources for inclusion in the collection plan. Which factor is most critical when assessing the reliability of a threat intelligence source?

A. Whether the source is available at no cost or requires a commercial subscription B. The daily volume of indicators the source delivers to the intelligence platform C. The source's documented track record of accuracy, timeliness, and relevance to the organization D. Whether the source supports STIX/TAXII format for automated ingestion

Question 7

A CTI team is designing a collection plan and must document collection sources, assigned responsibilities, and the intelligence requirements each source addresses. What is the primary purpose of a threat intelligence collection plan?

A. To define the analytical frameworks and structured models used to evaluate collected threat data B. To establish a structured approach that aligns collection activities to the program's intelligence requirements C. To automate ingestion and normalization of threat feeds into the organization's SIEM or TIP D. To create a scheduled dissemination calendar for delivering finished intelligence to stakeholders

Question 8

A CTI team at a managed security service provider uses Python scripts to automate collection of IP reputation data from multiple open-source threat APIs. What is the primary advantage of using scripting for threat data collection?

A. It ensures every collected indicator is manually reviewed by an analyst before entering the pipeline B. It enables scalable, repeatable, and automated collection across multiple disparate sources simultaneously C. It eliminates the need for a documented collection plan because automation handles source selection D. It guarantees that all collected data meets minimum quality standards for finished intelligence production

Question 9

A CTI analyst is profiling adversary infrastructure using passive DNS records, WHOIS registration data, and BGP routing tables. Which category of data collection does this activity represent?

A. HUMINT — intelligence gathered through direct human contact with threat actors or insiders B. FININT — intelligence derived from financial transaction or cryptocurrency analysis C. OSINT — intelligence collected from publicly accessible open-source data D. SIGINT — intelligence obtained by intercepting communications signals

Question 10

A CTI team receives tasking to collect intelligence on ransomware groups. The team lead notes that some high-value sources exist only on invitation-only dark web forums. What type of collection challenge does this scenario describe?

A. Structured data normalization requirements imposed by the collection management framework B. Access constraints on non-public collection sources that require operational tradecraft C. Bulk data management problems caused by high-volume indicator feeds D. Source reliability degradation due to inconsistent data formats across feeds

EC-Council CTIA Module 4.1 Practice Test 001

Related Posts

Leave a Comment Cancel Reply