Eccouncil Certified Threat Intelligence Analyst 312-85 Exam Questions

Page: 1 / 14
Total 50 questions
Question 1

Mr. Bob, a threat analyst, is performing analysis of competing hypotheses (ACH). He has reached to a stage where he is required to apply his analysis skills effectively to reject as many hypotheses and select the best hypotheses from the identified bunch of hypotheses, and this is done with the help of listed evidence. Then, he prepares a matrix where all the screened hypotheses are placed on the top, and the listed evidence for the hypotheses are placed at the bottom.

What stage of ACH is Bob currently in?



Answer : D

In the Analysis of Competing Hypotheses (ACH) process, the stage where Mr. Bob is applying analysis to reject hypotheses and select the most likely one based on listed evidence, followed by preparing a matrix with screened hypotheses and evidence, is known as the 'Refinement' stage. This stage involves refining the list of hypotheses by systematically evaluating the evidence against each hypothesis, leading to the rejection of inconsistent hypotheses and the strengthening of the most plausible ones. The preparation of a matrix helps visualize the relationship between each hypothesis and the available evidence, facilitating a more objective and structured analysis. Reference:

'Psychology of Intelligence Analysis' by Richards J. Heuer, Jr., for the CIA's Center for the Study of Intelligence

'A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis' by the CIA


Question 2

John, a professional hacker, is trying to perform APT attack on the target organization network. He gains access to a single system of a target organization and tries to obtain administrative login credentials to gain further access to the systems in the network using various techniques.

What phase of the advanced persistent threat lifecycle is John currently in?



Answer : C

The phase described where John, after gaining initial access, is attempting to obtain administrative credentials to further access systems within the network, is known as the 'Expansion' phase of an Advanced Persistent Threat (APT) lifecycle. This phase involves the attacker expanding their foothold within the target's environment, often by escalating privileges, compromising additional systems, and moving laterally through the network. The goal is to increase control over the network and maintain persistence for ongoing access. This phase follows the initial intrusion and sets the stage for establishing long-term presence and eventual data exfiltration or other malicious objectives. Reference:

MITRE ATT&CK Framework, specifically the tactics related to Credential Access and Lateral Movement

'APT Lifecycle: Detecting the Undetected,' a whitepaper by CyberArk


Question 3

Jame, a professional hacker, is trying to hack the confidential information of a target organization. He identified the vulnerabilities in the target system and created a tailored deliverable malicious payload using an exploit and a backdoor to send it to the victim.

Which of the following phases of cyber kill chain methodology is Jame executing?



Answer : C

In the cyber kill chain methodology, the phase where Jame is creating a tailored malicious deliverable that includes an exploit and a backdoor is known as 'Weaponization'. During this phase, the attacker prepares by coupling a payload, such as a virus or worm, with an exploit into a deliverable format, intending to compromise the target's system. This step follows the initial 'Reconnaissance' phase, where the attacker gathers information on the target, and precedes the 'Delivery' phase, where the weaponized bundle is transmitted to the target. Weaponization involves the preparation of the malware to exploit the identified vulnerabilities in the target system. Reference:

Lockheed Martin's Cyber Kill Chain framework

'Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,' leading to the development of the Cyber Kill Chain framework


Question 4

A network administrator working in an ABC organization collected log files generated by a traffic monitoring system, which may not seem to have useful information, but after performing proper analysis by him, the same information can be used to detect an attack in the network.

Which of the following categories of threat information has he collected?



Answer : D

The network administrator collected log files generated by a traffic monitoring system, which falls under the category of low-level data. This type of data might not appear useful at first glance but can reveal significant insights about network activity and potential threats upon thorough analysis. Low-level data includes raw logs, packet captures, and other granular details that, when analyzed properly, can help detect anomalous behaviors or indicators of compromise within the network. This type of information is essential for detection and response efforts, allowing security teams to identify and mitigate threats in real-time. Reference:

'Network Forensics: Tracking Hackers through Cyberspace,' by Sherri Davidoff and Jonathan Ham, Prentice Hall

'Real-Time Detection of Anomalous Activity in Dynamic, Heterogeneous Information Systems,' IEEE Transactions on Information Forensics and Security


Question 5

Tracy works as a CISO in a large multinational company. She consumes threat intelligence to understand the changing trends of cyber security. She requires intelligence to understand the current business trends and make appropriate decisions regarding new technologies, security budget, improvement of processes, and staff. The intelligence helps her in minimizing business risks and protecting the new technology and business initiatives.

Identify the type of threat intelligence consumer is Tracy.



Answer : B

Tracy, as a Chief Information Security Officer (CISO), requires intelligence that aids in understanding broader business and cybersecurity trends, making informed decisions regarding new technologies, security budgets, process improvements, and staffing. This need aligns with the role of a strategic user of threat intelligence. Strategic users leverage intelligence to guide long-term planning and decision-making, focusing on minimizing business risks and safeguarding against emerging threats to new technology and business initiatives. This type of intelligence is less about the technical specifics of individual threats and more about understanding the overall threat landscape, regulatory environment, and industry trends to inform high-level strategy and policy. Reference:

'The Role of Strategic Intelligence in Cybersecurity,' Journal of Cybersecurity Education, Research and Practice

'Cyber Threat Intelligence and the Lessons from Law Enforcement,' by Robert M. Lee and David Bianco, SANS Institute Reading Room


Question 6

Jim works as a security analyst in a large multinational company. Recently, a group of hackers penetrated into their organizational network and used a data staging technique to collect sensitive dat

a. They collected all sorts of sensitive data about the employees and customers, business tactics of the organization, financial information, network infrastructure information and so on.

What should Jim do to detect the data staging before the hackers exfiltrate from the network?



Answer : C

In the scenario described, where attackers have penetrated the network and are staging data for exfiltration, Jim should focus on monitoring network traffic for signs of malicious file transfers, implement file integrity monitoring, and scrutinize event logs. This approach is crucial for detecting unusual activity that could indicate data staging, such as large volumes of data being moved to uncommon locations, sudden changes in file integrity, or suspicious entries in event logs. Early detection of these indicators can help in identifying the staging activity before the data is exfiltrated from the network. Reference:

NIST Special Publication 800-61 Rev. 2, 'Computer Security Incident Handling Guide'

SANS Institute Reading Room, 'Detecting Malicious Activity with DNS and NetFlow'


Question 7

Bob, a threat analyst, works in an organization named TechTop. He was asked to collect intelligence to fulfil the needs and requirements of the Red Tam present within the organization.

Which of the following are the needs of a RedTeam?



Answer : B

Red Teams are tasked with emulating potential adversaries to test and improve the security posture of an organization. They require intelligence on the latest vulnerabilities, threat actors, and their TTPs to simulate realistic attack scenarios and identify potential weaknesses in the organization's defenses. This information helps Red Teams in crafting their attack strategies to be as realistic and relevant as possible, thereby providing valuable insights into how actual attackers might exploit the organization's systems. This need contrasts with the requirements of other teams or roles within an organization, such as strategic decision-makers, who might be more interested in intelligence related to strategic risks or Blue Teams, which focus on defending against and responding to attacks. Reference:

Red Team Field Manual (RTFM)

MITRE ATT&CK Framework for understanding threat actor TTPs


Page:    1 / 14   
Total 50 questions