3CTIAAAAAAAAAAAAA
(Choose the BEST answer) Which of the following can be used to mitigate the risk of unauthorized disclosure of sensitive information in an intelligence report? A. Information-Handling Designations B. Tools and Standards C. Authorization and Identity Management D. Access Controls
A
1 What type of security testing uses scenarios to mimic attackers? A. Intelligence-led B. Security Testing None of the listed choices is correct. C. Simulated Attacks D. Scenario-based Testing
A
1 Which of the following are NOT cyber attack vectors? A. tailgating and piggybacking B. advanced persistent threats C. remote trojans and worms D. denial of service and ransomware
A
10 How is continuous improvement implemented in a threat intelligence program? A. through use of feedback loops. B. None of the listed choices are correct. C. through use of consumer surveys. D. using Six Sigma quality principles.
A
10 What is the first stage or phase of the Threat Intelligence Lifecycle? A. Planning and Direction B. Dissemination and Integration C. Collection D. Analysis and Production
A
11 What is information? A. processed data that has meaning and context B. a state that data goes through before becoming intelligence C. data that was refined using processing rules D. None of the listed choices is correct.
A
12 (Choose the BEST answer) Which of the following will impact the success of a cyber threat intelligence program? A. Appropriate definition of requirements B. None of the listed choices are correct. C. Diversity of thought included among program members D. Comprehensiveness of the threat list.
A
12 Which of the following triads is used to study and profile cyber attacks and attackers? A. Intent, Capability, Opportunity B. Confidentiality, Integrity, Availability C. People, Processes, Technologies D. Means, Methods, Motivations
A
13 A nation state with few resources has determined that it needs to train an anti-hacking team. Where could such a team learn the basic tools and techniques used by hackers? A. Hacker Forums B. Information Sharing and Analysis Centers C. US-Cert Alerts and NIST documents D. None of the listed choices are correct.
A
14 What is the last phase in the implementation of a threat intelligence program? A. reporting and dissemination B. archiving reports C. None of the listed choices are correct. D. after action reviews
A
16 Which type of directive is used to define threat intelligence requirements of limited scope lasting a few weeks or months? A. Medium-term directives B. Weekly directives C. Monthly directives D. Long-term directives
A
17 Which of the following can provided detailed intelligence reports? A. Threat Intelligence Frameworks B. None of the listed choices are correct. C. Threat Intelligence Maturity Model D. Threat Intelligence Strategy
A
18 What is the MoSCoW method used for? A. to prioritize requirements collaboratively B. to identify security controls by Must Have, Should Have, Could Have, and Won't Have categories C. to identify threat actors sponsored by nation states D. None of the listed choices are correct.
A
18 Why and for whom are threat intelligence sharing platforms essential capabilities? A. enables rapid sharing of threat intelligence between critical infrastructure entities. B. facilitates governmental sharing of tier 1 threat intelligence with businesses. C. implementation of standards and formats for threat intelligence sharing between government and industry. D. None of the listed choices are correct.
A
2 HUMINT is collected from _____. A. People B. Telephone Calls C. Magazines and Newspapers D. Social Media
A
25 Which of the following is NOT a named phase in the Cyber Kill Chain? A. Identification and Prevention B. Installation C. Exploitation D. Command and Control
A
26 What step should be taken to finalize a prioritized list of threats? A. Discussion with stakeholders, IT professionals, and security team members B. Submit to governance board for voting C. Assign relative impacts D. Obtain CEO's approval after coordination with CIO, CFO, and CISO
A
26 Which type of escalation will result in the best course of action for responding to threat-based intelligence without involving higher levels of management? A. Horizontal Escalation B. Vertical Escalation C. Internet Escalation D. Vendor Escalation
A
27 Who invented the Cyber Kill Chain Methodology? A. Lockheed Martin B. US Department of Homeland Security C. General Dynamics D. US Department of Defense
A
28 Which of the following can be used by an analyst to collect information about an email based attack? A. Email headers B. Meta data extraction tool C. Click rates D. Bounce rates
A
28 In the context of Asset Identification, which of the following are non-physical assets? A. All listed choices are correct. B. operating system software C. applications D. databases
A
29 What is the relationship between cyber threat intelligence and risks? A. Cyber threat intelligence can be used to identify risks B. Risk identification and assessment feeds into the Cyber Threat Intelligence process C. Cyber threat intelligence can be used to eliminate unknown risks D. None of the listed choices are correct.
A
3 Geopolitical Assessments provide what type of threat intelligence data? A. Strategic B. Tactical C. Political D. Operational
A
30 Indicators of Compromise (IoCs) are ____ used to build tactial threat intelligence. A. technical data B. tracking ID's C. warnings and alerts D. CVE's
A
30 Which Building Block for Threat Intelligence Sharing is concerned with the method used to share intelligence? A. Exchange Mechanisms B. Rules of Engagement and Protocols C. Information Exchange Types D. Models and Models of Threat Intelligence Exchange.
A
31 Why are Indicators of Compromise important to an organization's cyber threat intelligenc program? A. Indicators of compromise are the clues found through forensic analysis which provide information about potential intrusions or malicious activity. B. Indicators of compromise are developed from historical event data to help predict future incidents and attacks. C. Indicators of compromise are used by law enforcement officials to substantiate requests for warrants allowing seizure of hackers' equipment and data files. D. Indicators of compromise provide actionable intelligence to the incident response team.
A
33 There are many motivating factors which encourage threat intelligence teams to share threat reports internally and externally. There are also some factors which discourage threat information sharing. Which of the following is the strongest reason why an organization would likely not share threat reports compiled by its analysts? A. The reports contain sensitive or negative information which could expose the company to legal action. B. Lower quality or out of date reports could reflect poorly upon the organization even if the information contained therein actionable. C. To preserve the company's intelligence sources and methods. D. The threat reports have commercial value and should be sold rather than shared quid pro quo.
A
34 A company has determined that it needs to significantly improve its cybersecurity posture. Which of the following actions should it take first? A. Assess the existing operational capabilities within the organization's cybersecurity program. B. Plan and implement a threat intelligence program. C. Conduct a vulnerability assessment using current threat intelligence and warnings. D. Conduct an inventory of all devices and nodes on the internal networks and determine their current patch levels.
A
34 Why is the preparation phase of the APT lifecyle imperative for the success of an APT attack? A. During the preparation phase, the adversary performs highly complex operations required to avoid detection once the attack is launched. B. Expansion of access and harvesting credentials in advance (i.e. during the preparation phase) is necessary to ensure the success of an APT. C. During the preparation phase, an adversary will identify vulnerabilities which cannot be exploited and thus will avoid wasting time and resources. D. Preparation ensures that the persistence phase of an APT attack cannot be countered by the victim organization.
A
35 A non-disclosure agreement (NDA) is a contract used between companies or between a company and individual(s) to identify information that must be protected and to inform recipients of their obligations to protect that information from disclosure. Why are NDA's an important tool for threat intelligence sharing? A. Improper disclosure of shared threat intelligence could result in harm to one or both parties to the NDA. B. The NDA protects the organization from charges of negligence or lack of diligence. C. The NDA allows the organization to sue for damages if the other party mishandles threat intelligence information. D. The NDA defines who is responsible for obtaining information to be shared under the agreement.
A
4 What is the main purpose of the Cyber Threat Intelligence process? A. to make an organization aware of existing and emerging threats B. None of the listed choices is correct. C. to uncover unknown threats before they cause damage to an asset or data D. to feed information into the organization's decision making processes
A
6 Organizations need to leverage ___ in order to defend against threats and improve their security posture. A. threat intelligence B. financial resources C. the right information at the right time D. trained personnel
A
9 Which of the following are NOT usually characteristic of APTs? A. Single point of entry, single phase attack B. Tailoring to vulnerabilities C. Evasion and exploitation D. Multiphase attack
A
A threat knowledge base can be stored in a ________. A. Structured database. B. Threat feed. C. Unified Threat Management system. D. File system.
A
What is a "true attribution?" A. identification of a specific individual or country which sponsored an attack or intrusion. B. attribution of an attack based upon evidence collected by law enforcment officials. C. identification of a group or nation responsible for an attack. D. attributing an attack based upon truthful information from informants.
A
What is the most common format for threat intelligence reports? A. Prose documents B. YARA C. SQL D. Infographics
A
What is the purpose of the "evidence" phase of the Analysis of Competing Hypotheses Process? A. Generate arguments for and against individual hypotheses B. Use evidence to reject hypothesis which do not fit the data. C. Use evidence to identify gaps in hypotheses. D. Generate a set of hypotheses.
A
Which of the following data scoring techniques are used tovisually present data by plotting data based on properties they possess? A. Charting B. Graphing C. None of the listed choices are correct. D. Venn Diagrams
A
Which of the following remedies for logical fallacies can be used to ensure that analysts do not spend too much time on data collection? A. perform risk-based prioritization of threats B. assess data validity using statistics C. None of the listed choices are correct. D. use threat profiles
A
Which of the following statistical techniques are used to validate data? (Choose the BEST answer) A. Confidence Levels B. All listed choices are correct. C. Standard Deviation D. Pearson's r Correlation Coefficient
A+C
1 Which of the following project management tools is used to obtain management support for a threat intelligence program? A. Project Schedule and Milestones B. Project Charter C. Project Communications Strategy D. Project Scope Statement
B
10 Which of the following primary use cases relies upon information from previous attacks against an organization? A. Prevention and Detection of Attacks B. Forensics C. Incident Reports D. Hunting
B
11 Which of the following are included in the Indicators of Compromise section of an intelligence report? A. names of vulnerabilities B. URLs, email addresses, and filenames C. timelines of attacks D. tests used to find a compromise
B
11 Which of the following is important to successful execution of the threat intelligence program? A. clear guidance from high-level business executives B. All listed choices are correct. C. planning and review D. requirements gathering
B
13 Why should help desk personnel be included on distribution lists for threat intelligence reports? A. None of the listed choices are correct. B. To help them prioritize and report calls which may be early warnings of breaches. C. To encourage information sharing between the help desk and the threat intelligence team. D. To emphasize their importance as the first line of cyber defense.
B
14 Host-based indicators are found on _____ systems. A. server B. infected C. attacker D. database
B
15 Attackers can be categorized by their motivations for engaging in cyber attacks. Which type of attacker is motivated by political or social agendas? A. Suicide Hackers B. Hacktivists C. Organized Hackers D. Nation-state sponsored hackers
B
15 The value of intelligence reporting increases with which of the following? (Choose the BEST answer.) A. Depth of coverage B. Timeliness C. Breadth of scope D. None of the listed choices are correct.
B
16 Under the "tiered" information sharing model, which tier requires non-disclosure agreements and, possibly, national security clearances? A. None of the listed choices are correct. B. Tier 3 C. Tier 2 D. Tier 1
B
19 Adversary behaviors can be used to enhance detection capabilities for future attacks. Which of the following can be indicative of programming or scripting based attacks? A. Use of HTTP User Agents B. Use of Powershell C. Use of DNS Tunneling D. Use of Command and Control Servers
B
20 How can a security posture assessment benefit an organization? A. Identify specific threats for which no countermeasures exist. B. Provide a foundation for budget or resource requests. C. Assess competency of existing staff. D. Provide expanded business case justification.
B
20 Why do attackers focus on obtaining information from Internet groups, forums, and blogs? (choose the BEST answer) A. currency and recency of information B. probability of finding sensitive information about target organizations and people. C. limited budgets for paid sources D. ease of access to information posted online
B
21 Which tactics are used by threat actors to collect information from human subjects? A. Internet search engines B. Social Engineering C. War dialing D. Spidering
B
22 Which of the following is an OPEN threat intelligence framework (as opposed to a closed or proprietary framework)? A. TC Complete B. YETI C. CrowdStrike D. NormShield
B
24 An attacker wants to obtain information to use in a whaling attack. Which of the following is the best source? A. Photographs and videos on Instagram B. Linked-In Profiles for Company Executives C. Twitter feeds from a hacktivist group D. None of the listed sources is appropriate for this task.
B
24 How does intelligence-led security testing differ from normal methods of security testing for IT systems? A. intelligence is used to speed up testing by reducing duplicate or irrelevant test cases B. contextual intelligence is used to guide how tests are designed and conducted C. security professionals are replaced by intelligence analysts who design the tests and test cases. D. None of the listed choices are correct.
B
25 Raw Data Producers belong in which part of the People, Processes, and Technologies framework? A. People B. Technologies C. All listed choices are correct. D. Processes
B
26 How does cyber threat intelligence help businesses defend their assets and data? A. by converting unknown unknowns into known knowns B. by converting unknown threats into known threats C. by identifying vulnerable assets and mediating risks D. None of the listed choices are correct.
B
28 In the context of Indicators of Compromise, what is the difference between atomic indicators and computed indicators? A. only atomic indicators can be used to identify adversary behaviors B. an atomic indicator cannot be divided into smaller parts and its meaning does not change with context C. computed indicators are more trust worthy D. None of the listed choices are correct.
B
29 Which of the following is a malware analysis tool that uses hash values to identify and track data across a network? A. Malware Scanning B. File Fingerprinting C. Identifying File Dependencies D. None of the listed sources is appropriate for this task.
B
30 Which of the following are necessary in order to benefit from Cyber Threat Intelligence Capabilities? A. Automated and Centralized Patch Servers B. Incident Response C. High-level, Functional, and Capability Requirements D. None of the listed choices are correct.
B
32 Which of the following factors is NOT used when prioritizing requirements for protecting an organization's assets against attacks? A. Penalty or Consequences B. Insurability C. Risk D. Benefit
B
33 Why is intelligence-led security testing important? A. This type of testing focuses organizational resources upon current threats and attack methods. B. This type of testing uses contextual intelligence to guide the conduct of security testing and choices of attack methods to be simulated during tests. C. Intelligence-led testing requires less time to complete because only the most important threats are simulated. D. Cyber threat intelligence allows an organization to reduce the complexity of its testing.
B
34 A CISO is submitting budget requests for technology upgrades for cybersecurity capabilities. Which type of intelligence reporting is most likely to be useful in convincing other senior managers to support these budget requests? A. Executive Summaries for all types of threat intelligence B. Strategic Threat Intelligence C. Operational Threat Intelligence D. Technical Threat Intelligence
B
34 The threat intelligence team manager is preparing a technology purchase request to support bulk data gathering. Which of the following data characteristics should be used to estimate the amount of processing power and memory storage will be required to support this activity? A. Scanning, Footprinting, and Banner Scraping B. Volume, Velocity, and Complexity C. Source, Means, and Methods D. Tactics, Techniques, and Procedures
B
35 Which of the following analysis techniques involves the identification of common methods used to launch attacks and provides insights into upcoming threats and exploits? A. Detection of Internal Reconnaissance B. Adversary Behavioral Identification C. Scanning for Use of PowerShell D. Scanning for Use of Command Line Interface
B
35 Why should a threat team learn to use YARA rules? (choose the best answer) A. Knowing YARA will improve the individual's skills and increase their value as members of the threat team. B. YARA is an open source platform used to detect, classify, and share threat data from malware samples. C. YARA can be used to implement machine learning and therefore provides an advanced tool for managing threat data. D. YARA is free and provides a platform for collecting and sharing threat data from many different sources.
B
5 _________ is a security mechanism to protect against an adversary's intelligence collection efforts. A. Operational Security B. Counterintelligence C. Defensive Perimeter D. Cyberintelligence
B
5 What is the primary goal of an Advanced Persistent Threat? A. None of the listed choices is correct. B. stealthy theft of information C. gain control of IT systems and subvert their operations D. hidden damage to IT systems
B
6 Which type of data is extracted by analysts from large collections? A. Raw Data B. Exploited Data C. Hybrid Data D. Production Data
B
6 A _____ is a guideline that describes how an attack is performed. A. procedure B. tactic C. technique D. policy
B
6 How can Cyber Threat Intelligence be used to combat data loss? A. None of the listed choices is correct. B. by identifying data leaks C. by exposing data sources D. by differentiating between public and private data
B
7 Which of the following factors are considered when designing the organization's security program? A. Attractiveness of organization to attackers B. All listed choices are correct. C. Industry and Regulatory Climate D. People, Processes, and Technologies
B
7 Which of the following is an outcome of extracting intelligence from information and data? A. None of the listed choices is correct. B. production of interpreted information that supports decision making C. risk reduction D. improvement in security controls implementations
B
8 Which of the following sources provide operational threat intelligence? A. chat room conversations B. All listed choices are correct. C. event logs, investigation reports, activity logs D. social media and social networking
B
8 Which stage of the Threat Intelligence Maturity Model is characterized as "increasing CTI Capabilities?" A. Maturity Level 3 B. Maturity Level 2 C. Maturity Level 0 D. Maturity Level 4
B
9 Which of the following are examples of unstructured data? A. encrypted information B. images, video, and audio C. numbers and strings of digits D. string of characters and readable text
B
A detailed runbook is used to ______. A. provide configuration management for threat data. B. document response procedures for identified threats and incidents. C. document threat data from SIEM and UTM applications. D. log actions while threat detectors are running.
B
A threat analyst is working on a data set and needs to run statistical tests that will show relationships between data points. One of the tests available in the statistical software application is Pearson's Correlation Coefficient. Which of the following characteristics of the data can be determined using this statistical test? A. Ordinal relationship between two variables B. Degree of association for linearly related variables C. Degree of relationship using rank order of values D. Confidence level showing relevance and preciseness of the information
B
A threat repository is used by analysts to ________. A. investigate incidents in progress. B. document and share threat intelligence. C. organize and disseminate intelligence reports. D. create security controls lists.
B
Before sharing threat intelligence internally, an analyst should _____. A. None of the listed choices are correct. B. Verify that the intelligence being shared meets the needs of the consumers. C. Scrub all analyst names from the reports to ensure confidentiality. D. Finalize the reports and have them signed off by the team leader.
B
Cognitive-based Threat Analysis requires that an analyst first ___________. A. collect large enough amounts of threat data for the cognitive engine to process. B. organize collected threat information into a specific structure format. C. understand how the cognitive application performs data analysis. D. teach the cognitive computing tool to recognize threats and attacks.
B
Correlation of reports from multiple sources will _____. A. Increase the value of the information. B. All listed choices are correct. C. Provide greater insight into similarities between indicators. D. Result in knowledge maturation.
B
Right content, right presentation, and right time refer to what part of the threat intelligence management process? A. Strategic intelligence management B. Intelligence dissemination C. Tactical intelligence management D. Intelligence collection
B
Which of the following cognitive biases can adversely impact how an analyst applies personal beliefs about theories to the threat analysis process? A. Correspondence Bias B. Belief Bias C. Self-serving Bias D. Confirmation Bias
B
Which of the following companies provide threat intelligence tools? A. Scumblr B. All listed choices are correct. C. McAfee D. Fireeye
B
Which of the following cybersecurity teams is likely to be aconsumer of threat intelligence reports? A. forensics team B. All listed choices are correct. C. incident response team D. anti-fraud team
B
Which of the following is not part of the data analysis process? A. Transforming and/or Modeling Data B. Collecting bulk data. C. Examining bulk data. D. Filtering bulk data.
B
Which type of data analysis creates a logical sequence of events based on assumptions about an adversary? A. All listed choices are correct. B. Linchpin Analysis C. Cone of Plausibility Analysis D. Timeline Analysis
B
10 Which of the following search operators will restrict a Google search to URLs containing a specific string of characters (words)? A. info B. intitle C. inurl D. inanchor
C
10 What is the last phase of the Cyber Kill Chain? A. Exploitation B. Installation C. Actions on Objectives D. Command and Control
C
11 What type of Indicator of Compromise can be used to detect spear phishing attacks? A. Behavioral Indicators B. Host-based Indicators C. Email Indicators D. Network Indicators
C
13 What is the most effective way to identify valuable assets and data? A. Brainstorming B. Obtain cost estimates from business managers C. Conduct an inventory D. Survey subject matter experts
C
13 A/an ____ is the existence of a weakness which can lead to an unexpected event which compromises the security of a system. A. None of the listed choices is correct. B. threat C. vulnerability D. exploit
C
14 What is the first step in building an efficient threat intelligence program? A. Establishing rules of engagement B. Training the team C. Requirements gathering D. Identifying threats
C
15 (Choose the BEST answer.) Which of the following capabilities must be represented among the organization's security team members? A. Scripting and Programming B. None of the listed choices are mandatory. C. Incident Response, Vulnerability Management, and Security Operations D. Planning, Programming, and Budgeting
C
15 The collection and analysis of information about threats is referred to as ____. A. None of the listed choices is correct. B. Data Analytics C. Cyber Threat Intelligence D. Risk Assessment
C
16 How can analysts detect adversarial behaviors involving data staging? A. Writing firewall rules to detect large file transfers B. None of the listed choices are correct. C. Monitoring network traffic D. Monitoring logfiles for excessive memory use
C
16 Which of the following is a business benefit of cyber threat intelligence? A. Reduction in costs of defending against attacks B. Loss prevention C. Insight into probability of risks and their impacts on the business D. None of the listed choices are correct
C
17 An intelligence consumer has asked for threat reporting that can be fed directly into its firewalls, SIEM systems, and endpoint protection systems. What type of report format is needed? A. YARA B. Python and Power Shell scripts C. Automation of Security Feeds and Application Program Interfaces D. OWASP and SOA
C
17 In the cleanup phase, an APT may change data on the targeted systems. Why? A. To hide the target of the attack. B. To evade detection C. All listed choices are correct. D. To mislead security analysts
C
17 Which pivot method would be used to obtain information about an adversary's infrastructure when the analyst does not know what to look for? A. Analytic pivoting B. Specific tailored query C. Pivot for Discovery D. Pivot for Inquiry
C
18 (Choose the BEST answer.) Why should analysts perform continuous monitoring of Indicators of Compromise? A. To identify when attackers stop using a particular attack B. Continuous monitoring is less expensive than static monitoring. C. To detect and prevent security breaches D. To ensure executives are kept aware of attacker evolution
C
18 An analyst determines that Impersonation would be a good tool to use to collect information about an organization. This is an example of _____. A. Eavesdropping B. Dumpster Diving C. Social Engineering D. War Dialing
C
19 Which of the following Threat Intelligence Exchange Architectures uses a member-to-member exchange modality and, because of this, is less susceptible to attacks or single point of failure outages? A. First-in-First-Out B. Centralized C. Peer-to-Peer D. Hardened
C
19 What is the primary purpose of the Intelligence and Collection Planning process? A. to prevent intelligence failures B. None of the listed choices are correct. C. to develop a well planned approach to prevent poor results D. to ensure resources are properly allocated
C
2 Which of the following steps must be taken before implementing an organization's threat intelligence program? A. None of the listed choices are correct. B. Review incident reports for the past 18 months C. Assess existing capabilities D. Conduct an audit of existing security controls
C
2 Which of the following triads is used by cyber threat analysts to profile attacks? A. People, Processes, Technologies B. Means + Methods + Motivations C. Motives (Goal) + Method + Vulnerability D. Intent, Capability, Opportunity
C
20 Which of the following is a benefit of intelligence collaboration? A. increased compliance with legal and regulatory requirements B. None of the listed choices are correct. C. organizations can learn from each other's mistakes. D. reduction in errors and omissions
C
21 What is the benefit of applying a strategic lens to the threat intelligence program? A. communicate the benefits of the program to management B. None of the listed choices are correct. C. help align the threat intelligence program with business operations D. keep planning and programming at the strategic level
C
21 Which of the following laws restricts the sharing of sensitive information about threats and indicators of compromise affecting businesses and their financial records? A. Gramm-Leach-Bliley Act B. Health Insurance Portability and Accountability Act C. Sarbanes-Oxley Act D. All listed choices are correct.
C
22 A threat intelligence analyst can study attacker's ____ to build a profile for threat actors. A. past history B. None of the listed choices are correct. C. techniques D. procedures
C
23 Which of the following talent acquisition strategies should be pursued first when setting up a threat intelligence team? A. Borrow experienced threat analysts from business partners B. Advertise for certified threat intelligence analysts C. Identify appropriate internal candidates D. Hire an experienced threat intelligence research consultancy
C
23 Why does a business need to audit information being sent over its networks? A. to provide required services to customers B. to identify illicit information and track its source C. to meet strict compliance requirements D. to assist in reaching customers easily
C
24 Choose the best description for "security pressure posture." A. None of the listed choices are correct. B. a measure of an organization's resilience C. elements or drivers which put pressure on an organization's security program D. the degree to which an organization can withstand external attacks
C
24 Which of the following report sections will contain details of how the intelligence was processed? A. Indicators of Compromise B. None of the listed choices are correct. C. Analysis Methodology D. Test Details
C
25 What type of tool allows an analyst to collect information about an Internet domain? A. ICANN Whois Query B. IANA Registry Lookup C. All listed choices are correct. D. ARIN WhoWas Query
C
26 What blacklisting or whitelisting tools can a threat intelligence analyst use to obtain information to prepare custom IOCs for threat detection? A. Alexa Top 1 Million sites B. Apility.io C. All listed choices are correct. D. Statvoo.com
C
27 An analyst is investigating DNS poisoning attacks. Which of the following record types could have been used to change a DNS server to direct traffic to the attacker's servers? A. B Records and PTR Records B. PTX Record C. A Records and MX Records D. A Records and DNAME Records
C
27 Which of the following is not part of a scope statement for a threat intelligence program? A. Timescale schedule B. Objectives of the program C. Communications methods D. Identified business risks
C
27 Which of the following will maximize the return on investment for intelligence reports? A. Focus intelligence collection upon attackers who are known to be active and interested in the organization. B. None of the listed choices are correct. C. Broad sharing of intelligence reports within the organization. D. Focus intelligence collection and reporting upon the high value assets.
C
27 Cyber Threat Intelligence can help identify which of the following? A. Attacker techniques B. Adversary tactics C. All listed choices are correct. D. Procedures for possible attacks
C
28 In the context of this certification, what are Rules of Engagement? A. contractual obligations of threat intelligence providers B. rules for conducting penetration testing C. formal permission to implement a threat intelligence program D. None of the listed choices are correct.
C
29 Which of the following goals is met by the Traffic Light Protocol? A. indicate the classification of a threat report B. differentiate between in progress and completed investigations C. provide data handling guidance D. signal the trust level for the intelligence sources
C
31 A senior manager of the firm has forwarded several email warnings (alerts) about cyber threats to the threat intelligence team. What is the first thing the team should do before acting upon these warnings? A. Assign a threat priority to the warnings. B. Enter the warnings into the threats database. C. Verify the trustworthiness of the originator of the warnings. D. Email the manager acknowledging receipt of the warnings.
C
31 An organization is having an offsite meeting with senior leadership to inform them about the planned implementation of a Threat Intelligence Program. Which of the following goals is MOST important as an outcome for that meeting? A. None of the listed choices are correct. B. Inform senior leadership and other stakeholders of the risks and potential costs to the organization if the threat intelligence program is not approved. C. Attain a common understanding of responsibilities, scope, and boundaries for the threat intelligence program. D. Establish the budget for the threat intelligence program so that the team can be hired and begin their work.
C
32 A cyber threat analyst is preparing a briefing for the company's executives which explaints the cyber threat intelligence process and the work of the intelligence analysts. Which of the following triads should be used to describe the existence of threats? A. Knowns, Unknowns, Unknown Unknowns B. Cyber Kill Chain C. Intent, capability, opportunity D. Means, methods, motives
C
32 An executive has requested that the cyber threat intelligence team provide information on tactics, techniques, and procedures (TTPs) that attackers could use against a company's new network management product line. What type of threat intelligence is being requested? A. Operational B. Technical C. Tactical D. Strategic
C
34 Which of the following threat intelligence stages would an analyst be most likely to start with when assessing risks associated with an emerging technology? A. Risk assessment B. Known Knowns C. Unknown Unknowns D. Known Unknowns
C
4 In which phase of the Cyber Kill Chain does an attack download additional software to take up residence on target systems? A. Weaponization B. Exploitation C. Installation D. Delivery
C
5 How can an organization avoid blaming threat intelligence analysts for programmatic failures? A. Look with Hindsight B. Openness C. Focus on the Future D. Focus on Both Positives and Negatives
C
7 A threat intelligence feed includes _____. A. information from satellite broadcasts. B. information from television broadcasts. C. a stream of indicators or data. D. SIEM warnings about attacks and threats.
C
8 What is the purpose of the reconnaissance phase of the Cyber Kill Chain? A. to scan the Internet for vulnerable networks B. to sneak into a target's systems C. to collect information and to probe a target for vulnerabilities D. to determine if an attack can evade detection
C
9 OSINT can be obtained from _____. A. RF Signals and Telemetry Transmissions B. Encrypted wireless networks C. Websites, Magazines, and Newspapers D. Telephone Calls both Landline and Cellular
C
Evaluated threat intelligence can be used by management to _____. (Choose the BEST answer.) A. hold subordinates accountable for vulnerabilities exploited by adversaries. B. plan, program, and implement cybersecurity budgets. C. take actions to avoid further attacks against an organization. D. differentiate between strategic and tactical defenses.
C
Integrating threat intelligence into an existing security infrastructure will _______. (Choose the best answer.) A. thwart zero day attacks. B. None of the listed choices are correct. C. reduce risk and decrease response times for incidents. D. flatten the organization and save money on personnel costs.
C
What is actionable intelligence? A. intelligence that details actions taken by adversaries. B. intelligence that details actions taken to defend an enterprise. C. processed intelligence that can be used by decision makers. D. a structured data element used to store intelligence in a database.
C
What is the benefit of integrating the cyber kill chain methodology with threat analysis? (Choose the BEST answer.) A. None of the listed choices are correct. B. the cyber kill chain is a well known framework that can be easily explained to senior managers and executives. C. threat analysis can help identify a kill chain stage which can be mitigated to prevent the threat from occurring. D. the threat analyst can use the kill chain to identify weaponized threats.
C
Which of the following are used to classify threat data? (Choose the BEST answer) A. Attributes B. Adversary C. All listed choices are correct. D. Relevance
C
Which of the following best describes the process of data mining? A. finding threats by scanning through system logs B. extraction of data by searching for keywords or text strings C. use of statistics, AI, and ML to identify patterns in bulk data D. finding attacks by scanning through SIEM log files and alerts.
C
Which of the following goals is achieved by using threat modeling? A. Understanding threat actor profiles, behaviors, and methods B. Identification, analysis, and ranking of threats C. All listed choices are correct. D. Describing complete security architecture
C
Which of the following is a fundamental characteristic of machine learning as applied to threat intelligence tools? A. generating new hypotheses about data B. applying human thought processes faster than a human can think C. learning from patterns in the data set D. All listed choices are correct.
C
Which of the following is an MS Office application that can be used to perform statistical analysis for threat data? A. MS Word B. SAS/STAT C. MS Excel D. IBM SPSS
C
Which of the following organizations publish standards and formats for sharing Threat Intelligence Information? A. US-Cert B. Mitre C. All listed choices are correct. D. IETF
C
Which type of threat intelligence analysis is most likely to use information from chat room conversations? A. Strategic B. None of the listed choices are correct. C. Operational D. Tactical
C
Why must a threat intelligence analyst understand statistics and statistical testing of hypotheses? A. To prevent misuse of statistics generated by automated tools B. To ensure that the proper statistical tests are being applied to data C. All listed choices are correct. D. To guide selection of statistics which will enable sorting of data to find patterns
C
1 _____ data collection occurs when data is obtained from external networks under the control of an adversary? A. Illegal B. Passive C. Strategic D. Active
D
11 Which of the following factors affect data reliability? A. None of the listed choices are correct. B. accountability and auditability C. confidentiality, integrity, and availability D. relevance, credibility,and availability
D
14 Which of the following teams can benefit from having access to Cyber Threat Intelligence? A. SIEM Management Team B. Forensics Team C. Incident Response Teams D. All listed choices are correct.
D
15 Operational security for data collection __________. A. is the responsibility of every employee. B. None of the listed choices are correct. C. is provided by honey pots and lures. D. is an important task for threat intelligence analysts.
D
16 An attacker wants to obtain information about visitors to a target website. Which online tool could be used? (Choose the best answer.) A. ShinyStat Free B. Google Analytics C. Alexa.com D. All listed choices are correct.
D
17 After an organization has identified threats, what should be the next step? A. Assess the costs or impacts of each threat. B. Identify network access points which threats could exploit. C. Calculate the probability of the threats. D. Identify risks associated with each threat.
D
18 Which of the following characteristics of a Threat Intelligence Solution will assist in the management of SIEM capabilities? A. Automate Data Collection Process B. Enhance Patch Management C. Provide Informed Analysis and Prediction D. Integrate with Security Controls
D
19 Which of the following has no purpose other than to entrap an attacker and collect information about the origins of the attack? A. Reverse Social Engineering B. SpeedPhishing C. Cyber Counterintelligence D. Honey Pot
D
2 Who coined the terms "unknown unknowns" and "known unknowns?" A. President George W. Bush B. Senator Claire McCaskill C. Secretary of Defense Robert McNamara D. Secretary of Defense Donald Rumsfeld
D
20 How does the Cyber Kill Chain Methodology benefit a threat intelligence analyst? A. the kill chain identifies technologies that analysts can take to prevent an attack B. None of the listed choices are correct. C. when attackers follow the methodology, killing their attacks is easier D. it helps analysts identify steps that adversaries take to accomplish their goals
D
21 Which of the following can be used to automate OSINT data collection about a network? A. Frameworks B. Open Source Tools C. Scripts D. All listed choices are correct.
D
21 A/an _____ is a potential occurrence of a/an ___ event which can eventually cause harm or loss. A. None of the listed choices are correct. B. vulnerability ... unpredictable C. attack ... risk D. threat ... undesired
D
22 What is the purpose of a gap analysis when reviewing a threat intelligence program? A. to identify unmet requirements B. to identify people, processes, and technologies which need improvement C. All listed choices are correct. D. to evaluate how closely results match original objectives
D
23 An analyst has been tasked to examine computer process lists to identify use of the Command Line Interface by attackers. What specific characteristic is indicative of attackers? A. process ID's below 1000 or above 10,000 B. blank parent process ID field C. inactive processes D. process names or ID's consisting of arbitrary letters and numbers
D
23 The board of directors is reviewing the latest budget for the company and disagrees with the CIO's prioritization of cybersecurity threat intelligence over new servers for an overloaded and underpowered e-commerce system. What type of threat intelligence reports could be used to best defend the budget prioritization? A. Tactical Intelligence Reports B. Operational Intelligence Reports C. Incident Intelligence Reports D. Strategic Intelligence Reports
D
23 Why would a threat analyst perform website footprinting on the company's own websites? A. To inventory the websites so that they can be included in a risk assessment report. B. None of the listed sources is appropriate for this task. C. To gain experience using the tools that attackers use. D. To gain an understanding of what information an attacker could find and exploit.
D
24 A government agency has discovered that it was penetrated by an Advanced Persistent Threat. What type information was LEAST likely to have been targeted by the attackers? A. Credit card information B. Classified documents C. User credentials D. Web pages for public websites
D
28 Why is strategic threat intelligence generally not shared externally? A. To reduce the cost of production and dissemination. B. None of the listed choices are correct. C. Strategic Intelligence is generally not applicable to or not actionable by other organizations. D. To reduce the likelihood of exposing strategic business plans.
D
29 How can an organization make sure that its threat intelligence program focuses on the most likely threats? A. By evaluating the impacts on data and assets B. By prioritizing risks collected from subject matter experts C. By identifying the most active threat actors D. By considering the needs and requirements of all business units
D
29 In the context of the Cyber Kill Chain, what is meant by "weaponization?" A. Creating a logic bomb for delivery to the target systems or networks B. Building malware that targets a nation's critical infrastructures. C. None of the listed choices are correct. D. Tailoring of an exploit using information previously gathered by reconnaissance of a target
D
3 What is a gateway? A. A virtual private network server B. None of the listed choices are correct. C. A network interface controller (NIC) D. A network node that routes traffic to external networks
D
3 What is the defining characteristic of a risk? A. loss or harm B. impact on assets C. None of the listed choices is correct. D. uncertainty of an adverse event
D
3 Which of the following are application threat vectors? A. Footprinting and Profiling B. Arbitrary Code Execution and Password Attacks C. Privilege Escalation and Backdoor Attacks D. Hidden-field Manipulation and SQL injection.
D
30 How can an organization protect its proprietary information from disclosure by third parties working in its threat intelligence program? A. Include non performance penalty clauses in the contract B. Require a signed loyalty statement C. All listed choices are correct. D. Require signed Non Disclosure Agreements
D
30 What is the benefit to searching for an attacker's Command and Control (C&C) Servers ? A. Geographic location information can help identify which group(s) are responsible for the APT. B. Identifying C&C servers can help analysts identify and collect forensic data about an attack C. Monitoring traffic to the attacker's C&C server can help analysts identify compromised assets and data. D. All listed choices are correct.
D
31 Which type of intelligence feed is most likely to provide a threat intelligence team with real-time or near real-time information about threats to an organization's reputation? A. Operational Intelligence Feeds B. Internal Intelligence Feeds C. External Intelligence Feeds D. Proactive Surveillance Feeds
D
31 Choose the best description of the differences between data, information, and intelligence. A. Intelligence is developed by human analysts using the results of automated collection processes. B. When data are processed completely and put into a context, they become intelligence. C. Data and information, combined together, become the intelligence required to plan a course of action or response. D. Intelligence supports decision making and is developed from processing data and interpreting / analyzing information.
D
32 Which of the following should be used to protect sensitive data contained in a published threat indicator? A. Apply authentication and authorization mechanisms B. Use an encrypted network C. Harden the storage repository against attacks D. All listed choices are correct.
D
33 Many network attacks are very noisy, that is, there is a substantial amount of abnormal traffic which is easily detected using firewalls and intrusion detection systems. Other network attacks are very stealthy and send packets over an extended period of time to avoid detection. Which of the following types of attacks are more likely to be quiet than not? A. Botnets B. Phishing C. Denial of Service D. Advanced Persistent Threats
D
33 The threat assessment team has been asked to identify critical threats to the organization. Which of the following is the best strategy to use? A. Bring together a team of subject matter experts to brainstorm the unknown unknowns. B. Use the organization's risk assessment to categorize and prioritize assets and resources which could be attacked. C. Use threat intelligence to Identify known attackers and the likelihood of their interest in attacking the organization. D. Identify organizational assets and threats to those assets then prioritize threats according to potential impact.
D
35 After successfully collecting a large variety of data and extracting threat intelligence from it, the threat analyst needs to prepare the data for dissemination to the organization's managers and executives. Which type of reporting tool(s) should be used to prepare the intelligence data for consumption by these stakeholders? A. Database reports from MS Access, MySQL, and Tableau. B. Spreadsheets listing sources, frequency of events, and types of events. C. Power Point Presentations D. Data Visualization Tools (histograms, maps, charts)
D
35 Which of the following is NOT an enterprise objective for a Threat Intelligence Program? A. Improved incident detection. B. Enhanced and automated incident prevention. C. Improved risk management. D. Identifying known unknowns.
D
4 When establishing a business case, what is a "driver?" A. an element of a needs assessment B. None of the listed choices are correct. C. approved requirements for intelligence as set by stakeholders D. difficulties and setbacks caused by a lack of a threat intelligence capability
D
4 Which type of threat intelligence data collection would include IP addresses, operating systems, and behavior of malware? A. Tactical B. Attack Signatures C. SIGINT D. Technical
D
7 A ____ is a technical method used by an attacker. A. tactic B. policy C. procedure D. technique
D
8 Which of the following will help define the scope of the threat intelligence program? A. None of the listed choices are correct. B. Number of business units to be included C. Size of the Threat Intelligence Program's budget D. Identify Intelligence Needs and Requirements
D
9 Which of the following factors can be used to convince management to fund a threat intelligence program? A. Drivers B. Obstacles C. Benefits D. All listed choices are correct.
D
An intelligence information sharing and analysis center (ISAC) can provide benefits to individual organizations and threat analysis teams. Which of the following benefits can be used to enhance incident response processes? A. Sharing of Best Practices Information B. None of the listed choices are correct. C. Sharing of Threat Attributions D. Collaboration on Threat Indicators, Tactics, and Procedures.
D
CISCO Cognitive Threat Analytics support which of the following? A. analysis of web traffic and endpoint detection data B. detection of sophisticated attacks C. identification of malicious activity while reducing false positives D. All listed choices are correct.
D
Data Clustering is the process of ____. A. Graphing data by sources and destinations. B. Grouping data by ranges. C. Graphing data by indicators. D. Grouping data by similarities.
D
In system modeling, what is a "Trust Boundary?" A. A line between DMZs and internal networks B. None of the listed choices are correct. C. Boundary between internal and external systems D. Boundary between systems of differing trust levels or privileges
D
In the context of data analysis, which of the following statements best describes the term "hypothesis?" A. A test case which uses statistical verification. B. A belief about a phenomenon. C. A research question. D. A statement about data which can be tested.
D
Which of the following advanced threat analysis techniques can be used by an analyst to fine-tune and enhance the analysis process? A. Automation B. Statistical Decision Making C. Artificial Intelligence D. Machine Learning
D
Which of the following modifications will assist the analyst in identifying and removing noise from the data set? A. Reducing Data Overload (by reducing the amount of data in the data set). B. Identifying and Removing Logical Fallacies (e.g. by removing irrelevant data feeds) C. Identifying and Removing Cognitive Biases (e.g. avoiding common psychological traps in the analyst's thought processes) D. Prioritization of Threats (e.g. classify based on cost vs impact)
D
Which of the following types of data analysis uses nonnumeric techniques such as Delphi technique, brainstorming, and SWOT analysis? A. Exploratory B. Quantitative C. Predictive D. Qualitative
D
__________ is an analytic process that rejects hypotheses that contain too many inconsistent data points. A. Abductive Reasoning B. Hypothesis Testing C. Analysis of Prescient Intelligence D. Analysis of Competing Hypotheses
D
22 What is the difference between a threat landscape report and a threat analysis report? A. Threat landscape reports are broader and provide more insight into threats against an organization than is provided B. Threat landscape reports provide detailed assessments of attacker motivations and intentions. C. Threat landscape reports provide details of tactics, techniques, and procedures. D. The two reports are the same. They only differ in format and audience.
A
33 Threat intelligence analysts are planning an online intelligence gathering activity. Which of the following OSINT information gathering techniques is not performed online and, for that reason, should not be included in their plans for this activity? A. Data Collection through Social Engineering B. Data Collection through Website Footprinting C. Data Collection through Search Engines D. Data Collection through Whois Lookup
A
Why are intended audience and stakeholders important for evaluation of threat intelligence? A. To ensure threat intelligence deliverables meet the needs of the intended consumers. B. To guide the tactics, techniques, and procedures used to collect and process information. C. To guide the selection of delivery formats and dissemination channels. D. To ensure that appropriate classification categories are applied to the information contained in threat reports.
A
12 Which of the following web tools is used to access and collect data from the deep web? A. Opera B. Tor Browser C. Vivaldi D. Duck, Duck, Go
B
12 Intelligence is_____. A. structured data and information. B. the output of an analysis process C. the output of processing data. D. highly refined data.
B
19 Which of the following roles or responsibilities are performed by a threat intelligence analyst? A. All listed choices are correct. B. generate actionable intelligence alerts and reports C. collect and analyze malware samples D. perform e-discovery
B
25 Which of the following challenges to intelligence sharing has it roots in legal and regulatory constraints? A. Consuming Intelligence from Other Organizations. B. Providing Own Intelligence to Other Organizations. C. None of the listed choices are correct. D. Consuming and Producing Threat Intelligence
B
26 What mechanisms can be used by APTs to exfiltrate data while evading data loss prevention technologies? A. Network Sniffing B. Encryption Techniques C. Low data rate transmissions D. Spoofing
B
Which of the following is the strongest reason for limiting the number of hypotheses generated for use in the ACH process? A. None of the listed choices are correct. B. Uncertainty C. Utility D. Uniqueness
B
12 Which category of information exchange would include data from IDS system logfiles? A. Strategic Reports B. Detection Indicators C. Low-level Data D. Advisories
C
22 Why is metadata from web pages useful to attackers? A. Metadata contains hidden information that a company doesn t want revealed. B. Page level meta data is not useful to attackers. C. Page level meta data contains information about the web server and the organization. D. Metadata contains scripts and programs.
C
5 Which of the following can be used to gain insight into future threats and exploits? A. Advanced Persistent Threat Lifecycle B. Intent, Capability, Opportunity Triad C. Adversary Behavioral Identification D. Cyber Kill Chain
C
Why is contextualization important to intelligence analysts? A. It helps keep irrelevant data from contaminating the final intelligence product. B. It improves effectiveness of data collection by excluding irrelevant contexts. C. It increases relevance of data and improves scalability and effectiveness of intelligence processing. D. None of the listed choices are correct.
C
13 What types of employee information can be gathered from online groups, forums, and blogs? A. lists of future goals B. full name, addresses, home phone numers, email addresses C. pictures of employees and workplace D. All listed choices are correct.
D
14 Malware Forensics is what type of intelligence feed? A. Passive Surveillance Feed B. Internal Intelligence Feed C. Tactical Obervation Feed D. Proactive Surveillance Feed
D
20 A/an ____ is a breach of a system which takes advantage of a ____. A. vulnerability ... exploit B. None of the listed choices are correct. C. threat ... Loophole D. exploit ... vulnerability
D
25 Which Threat Intelligence Strategy can be used to estimate and plan for the future? A. Intelligence Buy-in B. Threat Reports C. Threat Intelligence Requirement Analysis D. Threat Trending
D
32 An organization is budgeting funds to send trained cyber threat analysts to conferences such as SchmooCon, B'Sides, and DEFCON. The budget committee has asked the team to identify the types of intelligence they expect to collect from this meeting and explain why that intelligence cannot be obtained through Internet sources. Which of the following is the BEST explanation to include in the business case for this expenditure? A. SIGINT collection will be performed at the conferences. The intelligence personnel will use rogue access points to siphon off cellular signals from phones in locations where attackers are likely to congregate. B. Social Media Intelligence will be performed at the conferences. The intelligence personnel will monitor known Social Media platforms and attendee postings to the conference websites to collect information about hacker activities during the events. C. Imagery intelligence collection will be performed at the conferences. The intelligence personnel will obtain surveillance videos and use facial recognition to identify known hackers so that team members can eavesdrop on their conversations in hallways. D. HUMINT collection will be performed at the conferences. The types of attackers who will be targeted are those whose online activities are hidden in the dark web and difficult to obtain from online sources.
D