Eccouncil 312-85 Certified Threat Intelligence Analyst Exam Practice Test

Page: 1 / 14
Total 50 questions
Question 1

Which of the following characteristics of APT refers to numerous attempts done by the attacker to gain entry to the target's network?



Answer : D

Advanced Persistent Threats (APTs) are characterized by their 'Multiphased' nature, referring to the various stages or phases the attacker undertakes to breach a network, remain undetected, and achieve their objectives. This characteristic includes numerous attempts to gain entry to the target's network, often starting with reconnaissance, followed by initial compromise, and progressing through stages such as establishment of a backdoor, expansion, data exfiltration, and maintaining persistence. This multiphased approach allows attackers to adapt and pursue their objectives despite potential disruptions or initial failures in their campaign. Reference:

'Understanding Advanced Persistent Threats and Complex Malware,' by FireEye

MITRE ATT&CK Framework, detailing the multiphased nature of adversary tactics and techniques


Question 2

Which of the following components refers to a node in the network that routes the traffic from a workstation to external command and control server and helps in identification of installed malware in the network?



Answer : B

A gateway in a network functions as a node that routes traffic between different networks, such as from a local network to the internet. In the context of cyber threats, a gateway can be utilized to monitor and control the data flow to and from the network, helping in the identification and analysis of malware communications, including traffic to external command and control (C2) servers. This makes it an essential component in detecting installed malware within a network by observing anomalies or unauthorized communications at the network's boundary. Unlike repeaters, hubs, or network interface cards (NICs) that primarily facilitate network connectivity without analyzing the traffic, gateways can enforce security policies and detect suspicious activities. Reference:

'Network Security Basics,' Security+ Guide to Network Security Fundamentals

'Malware Command and Control Channels: A Journey,' SANS Institute InfoSec Reading Room


Question 3

Tyrion, a professional hacker, is targeting an organization to steal confidential information. He wants to perform website footprinting to obtain the following information, which is hidden in the web page header.

Connection status and content type

Accept-ranges and last-modified information

X-powered-by information

Web server in use and its version

Which of the following tools should the Tyrion use to view header content?



Answer : D

Burp Suite is a comprehensive tool used for web application security testing, which includes functionality for viewing and manipulating the HTTP/HTTPS headers of web page requests and responses. This makes it an ideal tool for someone like Tyrion, who is looking to perform website footprinting to gather information hidden in the web page header, such as connection status, content type, server information, and other metadata that can reveal details about the web server and its configuration. Burp Suite allows users to intercept, analyze, and modify traffic between the browser and the web server, which is crucial for uncovering such hidden information. Reference:

'Burp Suite Essentials' by Akash Mahajan

Official Burp Suite Documentation


Question 4

An attacker instructs bots to use camouflage mechanism to hide his phishing and malware delivery locations in the rapidly changing network of compromised bots. In this particular technique, a single domain name consists of multiple IP addresses.

Which of the following technique is used by the attacker?



Answer : D

Fast-Flux DNS is a technique used by attackers to hide phishing and malware distribution sites behind an ever-changing network of compromised hosts acting as proxies. It involves rapidly changing the association of domain names with multiple IP addresses, making the detection and shutdown of malicious sites more difficult. This technique contrasts with DNS zone transfers, which involve the replication of DNS data across DNS servers, or Dynamic DNS, which typically involves the automatic updating of DNS records for dynamic IP addresses, but not necessarily for malicious purposes. DNS interrogation involves querying DNS servers to retrieve information about domain names, but it does not involve hiding malicious content. Fast-Flux DNS specifically refers to the rapid changes in DNS records to obfuscate the source of the malicious activity, aligning with the scenario described. Reference:

SANS Institute InfoSec Reading Room

ICANN (Internet Corporation for Assigned Names and Numbers) Security and Stability Advisory Committee


Question 5

Jian is a member of the security team at Trinity, Inc. He was conducting a real-time assessment of system activities in order to acquire threat intelligence feeds. He acquired feeds from sources like honeynets, P2P monitoring. infrastructure, and application logs.

Which of the following categories of threat intelligence feed was acquired by Jian?



Answer : A

Internal intelligence feeds are derived from data and information collected within an organization's own networks and systems. Jian's activities, such as real-time assessment of system activities and acquiring feeds from honeynets, P2P monitoring, infrastructure, and application logs, fall under the collection of internal intelligence feeds. These feeds are crucial for identifying potential threats and vulnerabilities within the organization and form a fundamental part of a comprehensive threat intelligence program. They contrast with external intelligence feeds, which are sourced from outside the organization and include information on broader cyber threats, trends, and TTPs of threat actors. Reference:

'Building an Intelligence-Led Security Program' by Allan Liska

'Threat Intelligence: Collecting, Analysing, Evaluating' by M-K. Lee, L. Healey, and P. A. Porras


Question 6

A threat analyst wants to incorporate a requirement in the threat knowledge repository that provides an ability to modify or delete past or irrelevant threat data.

Which of the following requirement must he include in the threat knowledge repository to fulfil his needs?



Answer : C

Incorporating a data management requirement in the threat knowledge repository is essential to provide the ability to modify or delete past or irrelevant threat data. Effective data management practices ensure that the repository remains accurate, relevant, and up-to-date by allowing for the adjustment and curation of stored information. This includes removing outdated intelligence, correcting inaccuracies, and updating information as new insights become available. A well-managed repository supports the ongoing relevance and utility of the threat intelligence, aiding in informed decision-making and threat mitigation strategies. Reference:

'Building and Maintaining a Threat Intelligence Library,' by Recorded Future

'Best Practices for Creating a Threat Intelligence Policy, and How to Use It,' by SANS Institute


Question 7

Steve works as an analyst in a UK-based firm. He was asked to perform network monitoring to find any evidence of compromise. During the network monitoring, he came to know that there are multiple logins from different locations in a short time span. Moreover, he also observed certain irregular log in patterns from locations where the organization does not have business relations. This resembles that somebody is trying to steal confidential information.

Which of the following key indicators of compromise does this scenario present?



Answer : D

The scenario described by Steve's observations, where multiple logins are occurring from different locations in a short time span, especially from locations where the organization has no business relations, points to 'Geographical anomalies' as a key indicator of compromise (IoC). Geographical anomalies in logins suggest unauthorized access attempts potentially made by attackers using compromised credentials. This is particularly suspicious when the locations of these logins do not align with the normal geographical footprint of the organization's operations or employee locations. Monitoring for such anomalies can help in the early detection of unauthorized access and potential data breaches. Reference:

SANS Institute Reading Room, 'Indicators of Compromise: Reality's Version of the Minority Report'

'Identifying Indicators of Compromise' by CERT-UK


Page:    1 / 14   
Total 50 questions