EC-Council CTIA Module 5.2 Practice Test 001

This practice test covers Module 5 (Data Analysis) Sub-module 2 (Data Analysis Techniques).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 5.2 Practice Test 001

10 questions • Single best answer

Question 1

A CTI analyst applies statistical analysis to a dataset of phishing email timestamps to identify peaks in campaign activity. She calculates mean, median, and standard deviation to characterize distribution patterns. Which data analysis technique is she using?

A. Analysis of Competing Hypotheses (ACH) B. Statistical data analysis C. Diamond Model framework analysis D. Threat actor profiling

Question 2

A CTI team investigating a suspected nation-state intrusion uses a technique where they list all plausible explanations, create a matrix of evidence versus hypotheses, and systematically identify which hypotheses the evidence is inconsistent with. Which analytical technique are they applying?

A. SWOT analysis B. Regression analysis C. Analysis of Competing Hypotheses (ACH) D. Kill chain mapping

Question 3

An analyst applies ACH to assess whether an observed intrusion was conducted by a nation-state, a cybercriminal group, or an insider threat. After completing the matrix, she finds that two hypotheses remain plausible but one has significantly more contradictory evidence. What action should she take?

A. Select the hypothesis with the most supporting evidence regardless of contradictions B. Eliminate the hypothesis with the most contradictory evidence and continue refining analysis on remaining plausible hypotheses C. Immediately publish an attribution report based on the preliminary matrix D. Discard all hypotheses and restart collection

Question 4

A CTI analyst uses Structured Analysis of Competing Hypotheses (SACH) to assess a complex threat campaign. How does SACH differ from standard ACH?

A. SACH replaces the evidence matrix with a visual network diagram only B. SACH adds structured rigor by requiring analysts to formally document evidence quality, source reliability, and assumption dependencies alongside the standard ACH matrix C. SACH eliminates the need for multiple hypotheses and focuses on a single most-likely explanation D. SACH is exclusively used for financial fraud analysis and not applicable to cyber threat intelligence

Question 5

A threat intelligence manager identifies that her team's analytical conclusions are frequently influenced by the first piece of evidence they encounter, causing them to anchor on that initial assessment and underweight subsequent contradictory evidence. Which analytical bias does this describe?

A. Confirmation bias B. Anchoring bias C. Availability bias D. Attribution error

Question 6

A CTI analyst uses frequency analysis to determine which malware families are most prevalent in a recent dataset of 10,000 analyzed malware samples. She ranks the families by occurrence count and calculates what percentage each represents. This is an example of what type of analysis?

A. Predictive modeling B. Descriptive statistical analysis C. Threat hunting hypothesis generation D. Diamond Model correlation

Question 7

During data analysis, a CTI analyst notices that malware C2 beacon intervals follow a consistent pattern — connections every 60 seconds with ±2-second jitter. She uses this statistical pattern to build a behavioral signature for detection. Which analytical technique is she applying?

A. Qualitative thematic analysis B. Pattern analysis using statistical behavioral profiling C. Intelligence requirements definition D. Threat intelligence dissemination planning

Question 8

A CTI team discovers that three separate threat intelligence reports from different vendors attribute the same attack to different threat groups. An analyst applies ACH to determine which attribution is most defensible given the available evidence. What fundamental cognitive benefit does using ACH provide in this scenario?

A. It guarantees a definitive answer with 100% certainty B. It eliminates the need for additional evidence collection C. It reduces confirmation bias by forcing systematic evaluation of evidence against all hypotheses simultaneously D. It automates the analysis using machine learning without analyst input

Question 9

A CTI analyst uses correlation analysis to compare IP addresses in a newly collected threat feed against historical incident data. She identifies that 15 of the new IPs were present in two prior breach investigations. What does this statistical correlation indicate?

A. The new IPs are definitively attributed to the same threat actor as the prior breaches B. The correlation suggests a possible link between the new feed indicators and prior incidents, warranting further analytical investigation C. The correlating IPs should be immediately blocked without further analysis D. Statistical correlation proves that the same attack tools were used in all three incidents

Question 10

A CTI team lead trains her junior analysts to always apply structured analytical techniques (SATs) rather than relying solely on intuition when assessing complex threat scenarios. What is the primary reason SATs are preferred over purely intuitive analysis in high-stakes CTI work?

A. SATs are faster to apply than intuitive analysis B. SATs produce structured, traceable, and bias-mitigated conclusions that can be reviewed, challenged, and improved by peers C. SATs eliminate the need for experienced analysts D. SATs guarantee that all conclusions will be correct

EC-Council CTIA Module 5.2 Practice Test 001

Related Posts

Leave a Comment Cancel Reply