EC-Council CTIA Module 6.9 Practice Test 001

This practice test covers Module 6 (Intelligence Reporting and Dissemination) Sub-module 9 (Threat Intelligence Sharing and Collaboration using Python Scripting).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 6.9 Practice Test 001

10 questions • Single best answer

Question 1

A CTI analyst writes a Python script to retrieve STIX 2.1 threat indicator bundles from a remote TAXII 2.1 server using the 'taxii2-client' library. Which Python library is specifically designed for this purpose?

A. requests B. taxii2-client C. pandas D. scapy

Question 2

A CTI analyst uses Python with the 'stix2' library to parse a STIX 2.1 bundle and extract all 'indicator' objects along with their 'pattern' field values. What does this Python-based processing enable?

A. Automated extraction of indicator detection patterns from STIX bundles for deployment to detection systems B. Real-time network traffic monitoring using the extracted patterns C. Manual entry of STIX data into an Excel spreadsheet D. Geolocation of all IP addresses in the STIX bundle

Question 3

A CTI analyst writes a Python script that reads a list of IoCs from a CSV file and submits them to a partner organization's MISP instance via the PyMISP API wrapper. What does this script automate?

A. Manual email distribution of the IoC list to the partner B. Automated programmatic intelligence submission to a partner MISP instance C. Real-time network blocking of the submitted IoCs D. Automated TLP marking assignment for each IoC

Question 4

A CTI analyst's Python script retrieves 500 indicators from three different TAXII feeds, combines them, removes duplicates using a set-based deduplication method, and outputs a clean JSON file. Which Python data structure is most appropriate for deduplication in this use case?

A. A Python list that allows duplicate values B. A Python set that automatically prevents duplicate entries C. A Python dictionary with sequential integer keys D. A Python tuple that is immutable

Question 5

A CTI analyst uses Python's 'requests' library to make a REST API call to a threat intelligence platform and retrieve the JSON response containing a list of malicious domains. She parses the JSON and filters for only domains with a confidence score above 80. Which Python code pattern correctly implements this filtering?

A. domains = [d for d in response.json() if d['confidence'] > 80] B. domains = response.json().filter(confidence > 80) C. domains = requests.get(confidence=80) D. domains = json.parse(response, confidence=80)

Question 6

A CTI analyst wants to automate the daily sharing of threat indicators from their TIP to a partner MISP instance using a Python script scheduled via cron. After running for two weeks, the analyst discovers the script is creating duplicate MISP events each time it runs. How should the script be modified to prevent this?

A. Increase the cron schedule frequency to run the script more often B. Add logic to check for existing MISP events by UUID or indicator value before creating new ones C. Delete all MISP events before running the script each day D. Disable duplicate check in MISP settings

Question 7

A CTI analyst develops a Python script that monitors a threat intelligence sharing Slack channel, extracts URLs and IP addresses from new messages using regular expressions, and automatically submits them as indicators to the team's TIP via API. Which Python library is most useful for the regex-based indicator extraction step?

A. taxii2-client B. re (Python's built-in regular expressions module) C. pandas D. matplotlib

Question 8

A CTI analyst writes a Python script that uses the MISP API to automatically tag all indicators in a specific event with the 'tlp:amber' taxonomy tag before sharing the event with partner organizations. Which PyMISP method is most relevant for applying tags to MISP objects?

A. misp.search() to find existing tags B. misp.tag() to apply taxonomy tags to MISP events or attributes C. misp.download_sample() to retrieve malware samples D. misp.get_feed() to retrieve external feed data

Question 9

A CTI team automates their STIX bundle generation using Python's 'stix2' library. The script creates Indicator objects with STIX patterns, a ThreatActor object, and links them with a Relationship object. What does creating explicit Relationship objects in STIX 2.1 provide?

A. It compresses the STIX bundle size for faster transmission B. It expresses structured, machine-readable connections between intelligence objects enabling automated relationship traversal and graph analysis C. It automatically encrypts the STIX bundle before sharing D. It converts the STIX bundle to CSV format

Question 10

A CTI analyst needs to build a Python script that automatically shares new high-confidence indicators (score ≥ 85) with three partner organizations via their respective REST APIs whenever a new indicator is validated in the team's TIP. Which Python architecture pattern best supports this requirement?

A. A single synchronous script that processes one partner API call at a time and waits for each to complete before calling the next B. An event-driven script using a webhook or TIP callback to trigger sharing workflows when new indicators are validated C. A daily batch script that shares all indicators from the past 24 hours regardless of confidence D. A manual script the analyst runs on request

EC-Council CTIA Module 6.9 Practice Test 001

Related Posts

Leave a Comment Cancel Reply