EC-Council CTIA Module 7.1 Practice Test 001

This practice test covers Module 7 (Threat Hunting and Detection) Sub-module 1 (Threat Hunting Concepts).

These questions are inspired by the EC-Council CTIA exam and are designed to help you test your knowledge of cyber threat intelligence, threats and frameworks, and other related topics. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CTIA exam.

Note: CTIA is a registered trademark of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CTIA practice tests based on specific modules and sub-modules, click that link

EC-Council CTIA Module 7.1 Practice Test 001

10 questions • Single best answer

Question 1

A CTI manager explains to her team that reactive security operations detect threats only after alerts fire, while threat hunting takes a proactive approach. Which statement best defines threat hunting in the context of CTI?

A. Threat hunting is the automated deployment of detection signatures to the SIEM B. Threat hunting is the proactive, intelligence-driven search for threats that have evaded existing detection controls C. Threat hunting is the process of collecting raw threat data from external sources D. Threat hunting is the same as incident response — responding to confirmed alerts

Question 2

A threat hunter develops a hypothesis that APT29 has established persistent footholds in the organization's environment based on intelligence about the actor's recent campaigns. She then searches the environment for evidence of this specific behavior. This approach is best described as what type of hunting?

A. Unstructured ad-hoc hunting based on random pattern searches B. Intelligence-driven, hypothesis-based threat hunting C. Automated signature-based detection D. Bulk data collection and normalization

Question 3

A CTI team uses the Threat Hunting Maturity Model (HMM) to assess their organization's hunting capability. They determine the organization is at Level 1 — performing minimal hunting with mostly automated alert-based investigations. What would advancing to Level 3 require?

A. Deploying more network sensors and increasing log volume B. Developing procedural, intelligence-informed hunting procedures with defined hunting techniques applied routinely C. Purchasing a new SIEM with more correlation rules D. Increasing the number of incident response playbooks

Question 4

A threat hunter uses the TaHiTI (Targeted Hunting Integrating Threat Intelligence) methodology to guide a hunting campaign. She starts by selecting a threat actor from the organization's threat profile, mapping their TTPs to MITRE ATT&CK, and designing hunt queries targeting those specific techniques. What is the key advantage of TaHiTI over generic hunting approaches?

A. TaHiTI replaces the need for SIEM-based detection altogether B. TaHiTI anchors hunting activities to specific, relevant threat intelligence making hunting more targeted and operationally meaningful C. TaHiTI automates all hunt queries without analyst involvement D. TaHiTI is exclusively used for cloud environments

Question 5

A threat hunter investigating potential lateral movement finds anomalous WMI process execution from a workstation to multiple internal servers at unusual hours. She identifies this behavior is consistent with a known threat actor's TTPs in the CTI knowledge base. This discovery is an example of what hunting outcome?

A. A false positive generated by a SIEM correlation rule B. Intelligence-confirmed behavioral anomaly indicative of potential lateral movement C. A data normalization error in the log pipeline D. A routine scheduled task appearing suspicious due to logging misconfiguration

Question 6

A threat hunting team structures their workflow as: (1) Create hypothesis based on threat intelligence, (2) Gather and analyze data, (3) Discover findings, (4) Inform and update intelligence, (5) Improve automated detections. This cyclical workflow is known as what?

A. The intelligence collection cycle B. The Threat Hunting Loop C. The Incident Response Lifecycle D. The STIX/TAXII exchange protocol

Question 7

A threat hunter identifies that her team spends 70% of hunting time on data collection and preparation tasks. To improve hunting efficiency, the team implements a data analytics platform with pre-indexed, normalized logs. What does this improvement address?

A. The Hunting Maturity Model Level 5 requirement for machine learning-based detection B. Reducing the data preparation burden to increase time available for hypothesis development and investigation C. Replacing the need for threat intelligence in hunting campaigns D. Automating the escalation of all hunting findings to law enforcement

Question 8

A threat hunter reads a CTI report about a ransomware group that consistently uses scheduled tasks for persistence and certutil.exe for payload delivery. She creates hunt queries targeting scheduled task creation events and certutil.exe execution. Which hunting concept does this demonstrate?

A. Hunting based on indicators of compromise (IoC-based hunting) B. Hypothesis-based hunting driven by TTP intelligence C. Passive network monitoring using a SIEM D. Threat actor attribution through forensic evidence

Question 9

A threat hunter is required to document her skills and demonstrates proficiency in: understanding adversary TTPs, applying MITRE ATT&CK, writing custom detection queries, analyzing network flows, reverse engineering basic malware artifacts, and communicating findings to stakeholders. These competencies reflect what aspect of the CTI-hunting role?

A. The threat hunter skillset required for effective intelligence-led hunting B. The minimum requirements for a junior data analyst position C. The skills required for a network administrator D. The competencies required for a software developer

Question 10

A CISO asks the threat hunting team to quantify the value of their hunting program. The team provides metrics showing: 12 previously undetected threats discovered, 3 new SIEM detection rules created from hunting findings, and mean dwell time reduced from 47 days to 12 days. Which outcome most directly demonstrates the business value of the hunting program?

A. The number of SIEM rules created B. Reduction in threat dwell time and discovery of threats that evaded existing controls C. The number of hours analysts spent on hunting activities D. The number of threat intelligence reports produced

EC-Council CTIA Module 7.1 Practice Test 001

Related Posts

Leave a Comment Cancel Reply