EC-Council CTIA Module 5.7 Practice Test 001

This practice test covers Module 5 (Data Analysis) Sub-module 7 (Create Runbooks and Knowledge Base).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 5.7 Practice Test 001

10 questions • Single best answer

Question 1

A CTI team lead wants to ensure that every analyst follows the same structured process when responding to a new phishing indicator report. She creates a step-by-step document that defines each action, decision point, and escalation path for this scenario. This document is called what?

A. A threat intelligence feed subscription agreement B. A runbook C. A collection plan D. An intelligence sharing agreement

Question 2

A CTI team creates a runbook for handling indicators of compromise (IoC) triage. The runbook specifies: (1) ingest the indicator, (2) check against allow-list, (3) look up in TIP, (4) search internal SIEM for matches, (5) determine confidence level, (6) escalate if confirmed. What is the primary benefit of this runbook?

A. It eliminates the need for experienced analysts B. It ensures consistent, repeatable, and efficient IoC triage regardless of which analyst handles the task C. It automatically blocks all ingested indicators D. It replaces the threat intelligence platform with a manual process

Question 3

A CTI organization builds a centralized repository where analysts store research notes, threat actor profiles, campaign histories, TTP mappings, and past analysis products that can be searched and referenced for future investigations. This repository is best described as what?

A. A threat intelligence knowledge base B. A security information and event management (SIEM) system C. A data collection pipeline D. A dissemination platform

Question 4

A CTI team lead reviews the team's knowledge base and finds that threat actor profiles for several groups are over 18 months old and reflect outdated TTPs. She schedules a quarterly knowledge base review cycle. What risk does keeping outdated knowledge base entries unaddressed create?

A. The knowledge base will consume too much server storage space B. Analysts may use outdated threat actor information to inform decisions, leading to inaccurate assessments C. The knowledge base will become inaccessible to external partners D. The dissemination frequency will decrease

Question 5

A CTI team creates a runbook specifically for ransomware threat response that includes automated steps (TIP lookups, SIEM queries) and manual analyst decision points. When should the team conduct a tabletop exercise to validate this runbook?

A. Only after a real ransomware incident has occurred B. Proactively, before a real incident occurs, to identify gaps, ambiguities, and process failures in a controlled setting C. Never — runbooks are validated through daily use only D. Only when a new analyst joins the team

Question 6

A CTI analyst creates a runbook for handling zero-day vulnerability alerts. The runbook includes a step: 'If the CVSS score is 9.0 or higher AND the vulnerability affects internet-facing systems, escalate to the CISO within 2 hours.' This escalation trigger is an example of what runbook design element?

A. A data normalization step B. A conditional decision gate with escalation criteria C. A threat intelligence feed configuration D. A source reliability rating

Question 7

A CTI team builds a knowledge base that includes MITRE ATT&CK technique mappings for all tracked threat actors, along with historical campaign timelines and associated IoCs. An analyst investigating a new incident searches the knowledge base and finds that the observed TTPs match a campaign from 18 months ago. What analytical advantage does the knowledge base provide?

A. It eliminates the need to collect any new threat data B. It enables rapid identification of historical context and potential campaign linkage without starting analysis from scratch C. It automatically generates detection rules for the SIEM D. It broadcasts alerts to all stakeholders simultaneously

Question 8

A CTI team develops runbooks for multiple threat scenarios: ransomware, credential stuffing, insider threat, and supply chain compromise. They version control the runbooks and require formal approval before changes are made. Why is version control important for runbooks?

A. It encrypts the runbook content so external attackers cannot read it B. It maintains an audit trail of changes, ensures analysts use the current approved version, and enables rollback if a change causes issues C. It automatically distributes updated runbooks to all partner organizations D. It generates metrics on how many incidents were handled

Question 9

A CTI team integrates their knowledge base with their TIP, enabling automatic population of threat actor entries from analyzed intelligence reports. An analyst notes that the knowledge base now shows Lazarus Group's known C2 infrastructure updated automatically after a new APT report was processed. What capability does this integration demonstrate?

A. Passive DNS replication B. Automated knowledge base enrichment from intelligence production workflows C. Bulk data collection scaling D. Intelligence dissemination to executive consumers

Question 10

A new CTI analyst joins a team and is immediately able to investigate a complex APT campaign by referencing the team's knowledge base, which contains prior research, TTP mappings, and historical campaign timelines for the suspected actor. What organizational benefit does this scenario demonstrate?

A. Reduced dependency on threat intelligence feeds B. Preservation and transfer of institutional knowledge, reducing onboarding time and analytical dependencies on individual experts C. Elimination of the need for structured analytical techniques D. Automatic generation of threat reports for executive audiences

EC-Council CTIA Module 5.7 Practice Test 001

Related Posts

Leave a Comment Cancel Reply