EC-Council CTIA Module 5.8 Practice Test 001

This practice test covers Module 5 (Data Analysis) Sub-module 8 (Threat Intelligence Tools).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 5.8 Practice Test 001

10 questions • Single best answer

Question 1

A CTI team uses a platform that aggregates threat intelligence feeds, normalizes data, enables analyst annotations, and supports STIX/TAXII-based sharing with partner organizations. Which type of tool is the team using?

A. Security information and event management (SIEM) system B. Threat Intelligence Platform (TIP) C. Endpoint detection and response (EDR) agent D. Web application firewall (WAF)

Question 2

A CTI analyst uses Maltego to map relationships between a suspicious domain, associated IP addresses, WHOIS registrant emails, and linked social profiles. Maltego's graphical link analysis interface is used for which analytical purpose?

A. Performing real-time network traffic packet capture B. Visualizing entity relationships for OSINT-based threat actor infrastructure mapping C. Deploying detection signatures to the SIEM D. Encrypting intelligence reports for secure dissemination

Question 3

A CTI analyst uses VirusTotal to look up a suspicious file hash. The platform returns results from 72 antivirus engines showing 45 detections, geolocation of associated IPs, behavior sandbox reports, and related samples. What type of threat intelligence tool is VirusTotal?

A. A network intrusion detection system B. A multi-source threat intelligence aggregation and analysis platform for file and indicator analysis C. A SIEM correlation engine D. A threat intelligence sharing standard

Question 4

A CTI team uses MISP (Malware Information Sharing Platform) to share IoCs with trusted partners. MISP enables analysts to create events, tag indicators with taxonomies, and push STIX-formatted feeds to subscribers. MISP is best categorized as what type of tool?

A. A threat intelligence sharing and collaboration platform B. A SIEM replacement tool C. A malware reverse engineering framework D. A network vulnerability scanner

Question 5

A CTI analyst uses OpenCTI, an open-source platform, to manage threat knowledge by linking threat actors, campaigns, malware, attack patterns, and IoCs using STIX 2.1 relationships. What distinguishes OpenCTI from a traditional TIP in terms of analytical depth?

A. OpenCTI can only process IP addresses; traditional TIPs handle all indicator types B. OpenCTI uses a knowledge graph model that natively maps relationships between CTI objects using STIX, providing deeper contextual linkage than simple indicator management C. OpenCTI is exclusively a dissemination platform with no analytical features D. OpenCTI requires a paid subscription while traditional TIPs are free

Question 6

A SOC analyst at a government agency uses ThreatConnect to correlate observed attack indicators with intelligence on known APT campaigns. The platform provides playbooks that automatically trigger enrichment workflows when a new indicator is added. This automation capability is an example of what?

A. Static indicator blocking using firewall rules B. TIP-driven orchestration and automated intelligence enrichment workflows C. Manual threat actor profile updates by senior analysts D. Passive DNS data collection

Question 7

A CTI analyst uses Shodan during a threat investigation to search for internet-connected devices running a specific vulnerable software version associated with a threat campaign. What type of tool is Shodan?

A. A malware analysis sandbox B. An internet-wide scanning and device discovery tool for OSINT collection C. A SIEM for real-time log analysis D. A forensic disk imaging platform

Question 8

A CTI team deploys a sandbox environment to analyze a malware sample suspected of being used in a targeted attack. The sandbox captures file system changes, registry modifications, network connections, and process behavior. Which tool type is this?

A. A threat intelligence sharing platform B. A dynamic malware analysis sandbox C. A static code analysis framework D. A vulnerability management platform

Question 9

A CTI team uses a Threat Intelligence Platform that integrates with the SIEM and firewall to automatically push high-confidence malicious IPs to the firewall block list when confidence scores exceed a defined threshold. This integration capability is called what?

A. Intelligence production and reporting B. Automated defensive actioning or TIP-driven threat blocking C. Bulk data collection ingestion D. Collection plan development

Question 10

A CTI analyst uses Recorded Future to search for mentions of the organization's brand and IP ranges in dark web forums, paste sites, and closed hacker communities. What category of threat intelligence tool provides this capability?

A. A forensic disk analysis tool B. A commercial threat intelligence platform with dark web monitoring C. A network packet analyzer D. An endpoint detection and response (EDR) system

EC-Council CTIA Module 5.8 Practice Test 001

Related Posts

Leave a Comment Cancel Reply