EC-Council CTIA Module 5.1 Practice Test 001

This practice test covers Module 5 (Data Analysis) Sub-module 1 (Data Analysis).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 5.1 Practice Test 001

10 questions • Single best answer

Question 1

A CTI team has finished collecting and normalizing a large dataset of threat indicators. The team lead now directs analysts to examine the data to identify patterns, relationships, and anomalies that can inform defensive decisions. This activity marks the beginning of which phase of the intelligence lifecycle?

A. Collection B. Dissemination C. Analysis D. Direction

Question 2

A CTI analyst examines collected threat data and classifies it as either qualitative or quantitative based on its nature. Network connection counts and malware infection rates are examples of which data type?

A. Qualitative data B. Quantitative data C. Strategic intelligence D. Tactical indicators

Question 3

A CTI analyst reviews threat data and notes subjective descriptors: 'the threat actor appears highly motivated,' 'the malware is sophisticated,' and 'the campaign targets government entities.' These descriptions represent which type of data?

A. Quantitative data B. Qualitative data C. Structured machine-readable data D. Statistical data

Question 4

A threat intelligence manager distinguishes between data, information, and intelligence when briefing her team. Which statement most accurately captures the difference between threat data and threat intelligence?

A. Threat data and threat intelligence are interchangeable terms with identical meaning B. Threat data is raw, unanalyzed facts; threat intelligence is analyzed, contextualized knowledge that informs decisions C. Threat intelligence is always more voluminous than threat data D. Threat data is produced by analysts; threat intelligence is generated automatically by machines

Question 5

During a threat intelligence review, an analyst applies deductive analysis to assess a suspected nation-state campaign. She starts with a known general principle — that nation-state actors targeting energy sector organizations typically pre-position for long-term access — and applies it to specific observed activity. Which type of reasoning is she using?

A. Inductive reasoning B. Abductive reasoning C. Deductive reasoning D. Heuristic analysis

Question 6

A CTI analyst observes multiple specific incidents — an increase in phishing targeting executives, a surge in credential harvesting malware, and reports of BEC fraud attempts — and draws a general conclusion that the organization is being targeted by a financially motivated threat actor. This type of reasoning is called what?

A. Deductive reasoning B. Inductive reasoning C. Abductive reasoning D. Normative analysis

Question 7

A CTI lead is presenting analytical findings to the CISO and uses a structured process to examine evidence, consider alternative hypotheses, and systematically eliminate less supported explanations before reaching a conclusion. This describes which approach to data analysis?

A. Ad-hoc intuitive analysis B. Structured analytical technique C. OSINT collection methodology D. Statistical regression analysis

Question 8

A CTI analyst is tasked with analyzing a dataset of network flow records to determine whether observed outbound connections constitute a C2 communication pattern. She first segments the data by connection frequency, destination geography, and payload size before drawing conclusions. This initial examination of the data structure is known as what?

A. Threat attribution B. Exploratory data analysis (EDA) C. Intelligence dissemination D. Data collection planning

Question 9

A CTI team analyzes threat data to produce three types of intelligence products. One product advises executives on adversary geopolitical motivations (strategic), one informs IR teams about active campaign TTPs (operational), and one feeds SIEM detection rules with specific IoCs (tactical). Which statement best describes the relationship between these intelligence types?

A. Strategic, operational, and tactical intelligence are identical in audience and purpose B. They serve different audiences and time horizons: strategic informs long-term decisions, operational guides current campaigns, and tactical supports immediate detection C. Tactical intelligence is always more valuable than strategic intelligence D. Only tactical intelligence is produced through data analysis; the other types are generated by executives

Question 10

A CTI analyst documents that a collected dataset contains high-confidence, machine-readable IoCs from a government CERT advisory, low-confidence forum posts from dark web sources, and medium-confidence malware analysis reports. Before analysis, she assigns a reliability rating to each source. Why is source reliability assessment a critical step in data analysis?

A. It determines the length of the final intelligence report B. It ensures analysts weight evidence according to source trustworthiness, reducing the risk of conclusions based on unreliable data C. It replaces the need for deduplication and normalization D. It allows the team to collect from fewer sources

EC-Council CTIA Module 5.1 Practice Test 001

Related Posts

Leave a Comment Cancel Reply