CTIA

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

30 Indicators of Compromise (IoCs) are ____ used to build tactial threat intelligence. A. technical data B. tracking ID's C. warnings and alerts D. CVE's

What is the most common format for threat intelligence reports? A. Prose documents B. YARA C. SQL D. Infographics

Which of the following statistical techniques are used to validate data? (Choose the BEST answer) A. Confidence Levels B. All listed choices are correct. C. Standard Deviation D. Pearson's r Correlation Coefficient

A+C

Which of the following types of threat attribution deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target? (page 489) A. Campaign attribution B. True attribution C. Nation-state attribution D. Intrusion-set attribution

Which type of data analysis creates a logical sequence of events based on assumptions about an adversary? A. All listed choices are correct. B. Linchpin Analysis C. Cone of Plausibility Analysis D. Timeline Analysis

10 Which of the following search operators will restrict a Google search to URLs containing a specific string of characters (words)? A. info B. intitle C. inurl D. inanchor

10 What is the last phase of the Cyber Kill Chain? A. Exploitation B. Installation C. Actions on Objectives D. Command and Control

Which of the following characteristics of APT refers to numerous attempts done by the attacker to gain entry to the target's network? A. Risk tolerance B. Timeliness C. Attack origination points D. Multiphased

1 _____ data collection occurs when data is obtained from external networks under the control of an adversary? A. Illegal B. Passive C. Strategic D. Active

6 Organizations need to leverage ___ in order to defend against threats and improve their security posture. A. threat intelligence B. financial resources C. the right information at the right time D. trained personnel

2 Which of the following types of threat actors are unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers? A. Industrial spies B. State-sponsored hackers C. Organized hackers D. Script kiddies

3 Geopolitical Assessments provide what type of threat intelligence data? A. Strategic B. Tactical C. Political D. Operational

Michael, a threat analyst at an organization named Tech Top, was asked to conduct a cyberthreat intelligence analysis. After obtaining information regarding threats, he has started analyzing the information and understanding the nature of the threats. What stage of the cyber-threat intelligence is Michael currently in? A. Known knowns B. Unknowns unknown C. Known unknowns D. Unknown unknowns

Priority Intelligence Requirements (PIRs) includes A. Identify the person, group, entity or asset in the organization that is being targeted B. Identify threat actors targeting our organization's critical assets or new technologies C. Asll of these D. Identify the threat actors' motives

21 Which of the following can be used to automate OSINT data collection about a network? A. Frameworks B. Open Source Tools C. Scripts D. All listed choices are correct.

CISCO Cognitive Threat Analytics support which of the following? A. analysis of web traffic and endpoint detection data B. detection of sophisticated attacks C. identification of malicious activity while reducing false positives D. All listed choices are correct.

1 What type of security testing uses scenarios to mimic attackers? A. Intelligence-led B. Security Testing None of the listed choices is correct. C. Simulated Attacks D. Scenario-based Testing

What refers to capability of adversary to successfully achieve their intended goal A. Intent B. Threat C. Capability D. Impact

(Choose the BEST answer) Which of the following can be used to mitigate the risk of unauthorized disclosure of sensitive information in an intelligence report? A. Information-Handling Designations B. Tools and Standards C. Authorization and Identity Management D. Access Controls

25 Which of the following is NOT a named phase in the Cyber Kill Chain? A. Identification and Prevention B. Installation C. Exploitation D. Command and Control

How is policy compliance monitored? A. All of these B. Punishment of noncompliance C. Enforce a code of conduct D. Establish effective authorisation approval

A threat repository is used by analysts to ________. A. investigate incidents in progress. B. document and share threat intelligence. C. organize and disseminate intelligence reports. D. create security controls lists.

Which of the following is the strongest reason for limiting the number of hypotheses generated for use in the ACH process? A. None of the listed choices are correct. B. Uncertainty C. Utility D. Uniqueness

11 What type of Indicator of Compromise can be used to detect spear phishing attacks? A. Behavioral Indicators B. Host-based Indicators C. Email Indicators D. Network Indicators

13 A/an ____ is the existence of a weakness which can lead to an unexpected event which compromises the security of a system. A. None of the listed choices is correct. B. threat C. vulnerability D. exploit

15 (Choose the BEST answer.) Which of the following capabilities must be represented among the organization's security team members? A. Scripting and Programming B. None of the listed choices are mandatory. C. Incident Response, Vulnerability Management, and Security Operations D. Planning, Programming, and Budgeting

Mr. Bob, a threat analyst, is performing analysis of competing hypotheses (ACH). He has reached to a stage where he is required to apply his analysis skills effectively to reject as many hypotheses and select the best hypotheses from the identified bunch of hypotheses, and this is done with the help of listed evidence. Then, he prepares a matrix where all the screened hypotheses are placed on the top, and the listed evidence for the hypotheses are placed at the bottom. (page 421) What stage of ACH is Bob currently in? A. Refinement B. Inconsistency C. Diagnostics D. Evidence

Why is contextualization important to intelligence analysts? A. It helps keep irrelevant data from contaminating the final intelligence product. B. It improves effectiveness of data collection by excluding irrelevant contexts. C. It increases relevance of data and improves scalability and effectiveness of intelligence processing. D. None of the listed choices are correct.

14 Malware Forensics is what type of intelligence feed? A. Passive Surveillance Feed B. Internal Intelligence Feed C. Tactical Obervation Feed D. Proactive Surveillance Feed

33 The threat assessment team has been asked to identify critical threats to the organization. Which of the following is the best strategy to use? A. Bring together a team of subject matter experts to brainstorm the unknown unknowns. B. Use the organization's risk assessment to categorize and prioritize assets and resources which could be attacked. C. Use threat intelligence to Identify known attackers and the likelihood of their interest in attacking the organization. D. Identify organizational assets and threats to those assets then prioritize threats according to potential impact.

64. Identify Proactive Surveillance Feeds from the following: A. Fraud analysis B. Business associations C. Security researchers D. Honeynets

66. From the following, identify the sources of Measurement and Signature Intelligence (MASINT)? A. Radar sensors B. Prisoners of war (POWs) C. Refugees D. Foreign media

Moses, a threat intelligence analyst at InfoTec Inc., wants to find crucial information about the potential threats the organization is facing by using advanced Google search operators. He wants to identify whether any fake websites are hosted at the similar to the organization's URL. Which of the following Google search queries should Moses use? A. related: www.infothech.org B. info: www.infothech.org C. link: www.infothech.org D. cache: www.infothech.org

2 Who coined the terms "unknown unknowns" and "known unknowns?" A. President George W. Bush B. Senator Claire McCaskill C. Secretary of Defense Robert McNamara D. Secretary of Defense Donald Rumsfeld

10 How is continuous improvement implemented in a threat intelligence program? A. through use of feedback loops. B. None of the listed choices are correct. C. through use of consumer surveys. D. using Six Sigma quality principles.

10 Which of the following terms refers to the risk management process where an analyst analyzes the complete operations from an adversary point of view to provide security measures and avoid sensitive organizational data to get exposed? A. OPSEC B. CCI C. ISAC D. ENISA

11 What is information? A. processed data that has meaning and context B. a state that data goes through before becoming intelligence C. data that was refined using processing rules D. None of the listed choices is correct.

12 (Choose the BEST answer) Which of the following will impact the success of a cyber threat intelligence program? A. Appropriate definition of requirements B. None of the listed choices are correct. C. Diversity of thought included among program members D. Comprehensiveness of the threat list.

12 Which of the following triads is used to study and profile cyber attacks and attackers? A. Intent, Capability, Opportunity B. Confidentiality, Integrity, Availability C. People, Processes, Technologies D. Means, Methods, Motivations

13 A nation state with few resources has determined that it needs to train an anti-hacking team. Where could such a team learn the basic tools and techniques used by hackers? A. Hacker Forums B. Information Sharing and Analysis Centers C. US-Cert Alerts and NIST documents D. None of the listed choices are correct.

14 What is the last phase in the implementation of a threat intelligence program? A. reporting and dissemination B. archiving reports C. None of the listed choices are correct. D. after action reviews

18 What is the MoSCoW method used for? A. to prioritize requirements collaboratively B. to identify security controls by Must Have, Should Have, Could Have, and Won't Have categories C. to identify threat actors sponsored by nation states D. None of the listed choices are correct.

18 Why and for whom are threat intelligence sharing platforms essential capabilities? A. enables rapid sharing of threat intelligence between critical infrastructure entities. B. facilitates governmental sharing of tier 1 threat intelligence with businesses. C. implementation of standards and formats for threat intelligence sharing between government and industry. D. None of the listed choices are correct.

10 Which of the following primary use cases relies upon information from previous attacks against an organization? A. Prevention and Detection of Attacks B. Forensics C. Incident Reports D. Hunting

15 The value of intelligence reporting increases with which of the following? (Choose the BEST answer.) A. Depth of coverage B. Timeliness C. Breadth of scope D. None of the listed choices are correct.

16 Under the "tiered" information sharing model, which tier requires non-disclosure agreements and, possibly, national security clearances? A. None of the listed choices are correct. B. Tier 3 C. Tier 2 D. Tier 1

57. Identify the threat actors who aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment. A. State-Sponsored Hackers B. Suicide Hackers C. Organized Hackers D. Industrial Spies

17 Which pivot method would be used to obtain information about an adversary's infrastructure when the analyst does not know what to look for? A. Analytic pivoting B. Specific tailored query C. Pivot for Discovery D. Pivot for Inquiry

7 A threat intelligence feed includes _____. A. information from satellite broadcasts. B. information from television broadcasts. C. a stream of indicators or data. D. SIEM warnings about attacks and threats.

What is the correct sequence of steps involved in scheduling a threat intelligence program? (Page 182) 1. Review the project charter 2. Identify all deliverables 3. Identify the sequence of activities 4. Identify task dependencies 5. Develop the final schedule 6. Estimate duration of each activity 7. Identify and estimate resources for all activities 8. Define all activities 9. Build a work breakdown structure (WBS) A. 1, 2, 3, 4, 5 ,6 ,7 ,8 , 9 B. 1, 2, 3, 4, 5, 6, 9, 8, 7 C. 1, 9, 2, 8, 3, 7, 4, 6, 5 D. 3, 4, 5, 2, 1, 9, 8, 7, 6

Which of the following are used to classify threat data? (Choose the BEST answer) A. Attributes B. Adversary C. All listed choices are correct. D. Relevance

Which of the following best describes the process of data mining? A. finding threats by scanning through system logs B. extraction of data by searching for keywords or text strings C. use of statistics, AI, and ML to identify patterns in bulk data D. finding attacks by scanning through SIEM log files and alerts.

15 Operational security for data collection __________. A. is the responsibility of every employee. B. None of the listed choices are correct. C. is provided by honey pots and lures. D. is an important task for threat intelligence analysts.

16 An attacker wants to obtain information about visitors to a target website. Which online tool could be used? (Choose the best answer.) A. ShinyStat Free B. Google Analytics C. Alexa.com D. All listed choices are correct.

19 Which of the following has no purpose other than to entrap an attacker and collect information about the origins of the attack? A. Reverse Social Engineering B. SpeedPhishing C. Cyber Counterintelligence D. Honey Pot

30 How can an organization protect its proprietary information from disclosure by third parties working in its threat intelligence program? A. Include non performance penalty clauses in the contract B. Require a signed loyalty statement C. All listed choices are correct. D. Require signed Non Disclosure Agreements

31 Which type of intelligence feed is most likely to provide a threat intelligence team with real-time or near real-time information about threats to an organization's reputation? A. Operational Intelligence Feeds B. Internal Intelligence Feeds C. External Intelligence Feeds D. Proactive Surveillance Feeds

40 Which of the following threat intelligence sharing considerations indicate how the intelligence can be distributed and shared among individuals, communities, or organizations? A. Format B. Intelligence coverage C. Information security D. Data handling classification

44 Thomas works as an analyst in Global Trust Trading Company. He wants to perform bulk data integration and data management in coordination with data analytic tool Hadoop. Which of the following tools should Thomas use? A. Zeus Tracker B. PassiveTotal C. Threatglass D. Talend

: Sam works as an analyst in an organization named InfoTech Security. He was asked to collect information from various threat intelligence sources. In meeting the deadline, he forgot to verify the threat intelligence sources and used data from an open-source data provider, who offered it at a very low cost. Though it was beneficial at the initial stage but relying on such data providers can produce unreliable data and noise putting the organization network into risk. What mistake Sam did that led to this situation? (Page 174) A. Sam used data without context. B. Sam did not use the proper technology to use or consume the information. C. Sam used unreliable intelligence sources. D. Sam did not use the proper standardization formats for representing threat data.

A team of threat intelligence analysts is performing threat analysis on malware, and each of them has come up with their own theory and evidence to support their theory on a given malware. Now, to identify the most consistent theory out of all the theories, which of the following analytic processes must threat intelligence manager use? (Page 420) A. Application decomposition and analysis (ADA) B. Threat modeling C. Automated technical analysis D. Analysis of competing hypotheses (ACH)

Daniel is a professional hacker whose aim is to attack a system to steal data and money for profit. He performs hacking to obtain confidential data such as social security numbers, personally identifiable information (PII) of an employee, and credit card information. After obtaining confidential data, he further sells the information on the black market to make money. Daniel comes under which of the following types of threat actor. A. Industrial spies B. State-sponsored hackers C. Insider threat D. Organized hackers

During the process of threat intelligence analysis, John, a threat analyst, successfully extracted an indication of adversary's information, such as Modus operandi, tools, communication channels, and forensics evasion strategies used by adversaries. Identify the type of threat intelligence analysis is performed by John. A. Operational threat intelligence analysis B. Technical threat intelligence analysis C. Strategic threat intelligence analysis D. Tactical threat intelligence analysis

Henry, a threat intelligence analyst at CyberSoft Inc., is working on a threat intelligence program. He was assigned to work on establishing criteria for prioritization of intelligence needs and requirements. Which of the following considerations must be employed by Henry to prioritize intelligence requirements? (Page 150) A. Understand data reliability B. Produce actionable data C. Understand frequency and impact of a threat D. Develop a collection plan

Identify the honeypot (computer security mechanism) that gives an attacker access to the real operating system without any restriction to gather vast information about the attacker. A. Honeyd B. High-interaction honeypot C. Medium-interaction honeypot D. None of these E. Low-interaction honeypot

In which of the following forms of bulk data collection are large amounts of data first collected from multiple sources in multiple formats and then processed to achieve threat intelligence? A. Structured form B. Structured form C. Production form D. Unstructured form

Joe works as a threat intelligence analyst with Xsecurity Inc. He is assessing the TI program by comparing the project results with the original objectives by reviewing project charter. He is also reviewing the list of expected deliverables to ensure that each of those is delivered to an acceptable level of quality. Identify the activity that Joe is performing to assess a TI program's success or failure. (page 234) A. Identifying areas of further improvement B. Determining the costs and benefits associated with the program C. Determining the fulfillment of stakeholders D. Conducting a gap analysis

John, a professional hacker, is trying to perform APT attack on the target organization network. He gains access to a single system of a target organization and tries to obtain administrative login credentials to gain further access to the systems in the network using various techniques. What phase of the advanced persistent threat lifecycle is John currently in? A. Persistence B. Initial intrusion C. Search and exfiltration D. Expansion

Kathy wants to ensure that she shares threat intelligence containing sensitive information with the appropriate audience. Hence, she used traffic light protocol (TLP). Which TLP color would signify that information should be shared only within a particular community? A. Green B. Red C. White D. Amber

1 Which of the following are NOT cyber attack vectors? A. tailgating and piggybacking B. advanced persistent threats C. remote trojans and worms D. denial of service and ransomware

10 What is the first stage or phase of the Threat Intelligence Lifecycle? A. Planning and Direction B. Dissemination and Integration C. Collection D. Analysis and Production

12 Which of the following threat information types is referred to as a pattern that can be matched with the low-level data to detect malicious activities in the network? A. Detection indicators B. Low-level data C. Advisories D. Strategic reports

16 Which type of directive is used to define threat intelligence requirements of limited scope lasting a few weeks or months? A. Medium-term directives B. Weekly directives C. Monthly directives D. Long-term directives

16 Which of the following types of intelligence is collected from sources like Honeypots, Passive DNS monitors, online web trackers, or Sock puppets? A. Cyber counterintelligence (CCI) B. Financial intelligence C. Measurement and signature intelligence (MASINT) D. Technical intelligence

17 Steve is working as an analyst for Highlanders & Co. While performing data analysis, he used a method in which he included a list of all activities required to complete the project, time, dependencies, and logical endpoints such as milestones to acquire information about the relationship between various activities and the period of the activities obtained. Which of the following data analysis methods was used by Steve? A. Critical path analysis B. Timeline analysis C. Analogy analysis D. Cone of plausibility

17 Which of the following can provided detailed intelligence reports? A. Threat Intelligence Frameworks B. None of the listed choices are correct. C. Threat Intelligence Maturity Model D. Threat Intelligence Strategy

22 What is the difference between a threat landscape report and a threat analysis report? A. Threat landscape reports are broader and provide more insight into threats against an organization than is provided B. Threat landscape reports provide detailed assessments of attacker motivations and intentions. C. Threat landscape reports provide details of tactics, techniques, and procedures. D. The two reports are the same. They only differ in format and audience.

26 What step should be taken to finalize a prioritized list of threats? A. Discussion with stakeholders, IT professionals, and security team members B. Submit to governance board for voting C. Assign relative impacts D. Obtain CEO's approval after coordination with CIO, CFO, and CISO

26 Which type of escalation will result in the best course of action for responding to threat-based intelligence without involving higher levels of management? A. Horizontal Escalation B. Vertical Escalation C. Internet Escalation D. Vendor Escalation

27 Who invented the Cyber Kill Chain Methodology? A. Lockheed Martin B. US Department of Homeland Security C. General Dynamics D. US Department of Defense

28 Which of the following can be used by an analyst to collect information about an email based attack? A. Email headers B. Meta data extraction tool C. Click rates D. Bounce rates

28 In the context of Asset Identification, which of the following are non-physical assets? A. All listed choices are correct. B. operating system software C. applications D. databases

29 In which of the following stage of the threat modeling is an analyst required to gather information about the system to identify the specific areas that need to be addressed? A. System characterization B. System modeling C. Asset identification D. Threat profiling and attribution

29 What is the relationship between cyber threat intelligence and risks? A. Cyber threat intelligence can be used to identify risks B. Risk identification and assessment feeds into the Cyber Threat Intelligence process C. Cyber threat intelligence can be used to eliminate unknown risks D. None of the listed choices are correct.

30 Which Building Block for Threat Intelligence Sharing is concerned with the method used to share intelligence? A. Exchange Mechanisms B. Rules of Engagement and Protocols C. Information Exchange Types D. Models and Models of Threat Intelligence Exchange.

31 Why are Indicators of Compromise important to an organization's cyber threat intelligenc program? A. Indicators of compromise are the clues found through forensic analysis which provide information about potential intrusions or malicious activity. B. Indicators of compromise are developed from historical event data to help predict future incidents and attacks. C. Indicators of compromise are used by law enforcement officials to substantiate requests for warrants allowing seizure of hackers' equipment and data files. D. Indicators of compromise provide actionable intelligence to the incident response team.

32 Jack is a professional hacker who wants to perform remote exploitation on the target system of an organization. He established a two-way communication channel between the victim's system and his server. He used encryption techniques to hide the presence of a communication channel on a victim's system and further applied privilege escalation techniques to exploit the system. What phase of the cyber kill chain methodology is Jack currently in? A. Command and control B. Weaponization C. Reconnaissance D. Delivery

33 There are many motivating factors which encourage threat intelligence teams to share threat reports internally and externally. There are also some factors which discourage threat information sharing. Which of the following is the strongest reason why an organization would likely not share threat reports compiled by its analysts? A. The reports contain sensitive or negative information which could expose the company to legal action. B. Lower quality or out of date reports could reflect poorly upon the organization even if the information contained therein actionable. C. To preserve the company's intelligence sources and methods. D. The threat reports have commercial value and should be sold rather than shared quid pro quo.

33 Threat intelligence analysts are planning an online intelligence gathering activity. Which of the following OSINT information gathering techniques is not performed online and, for that reason, should not be included in their plans for this activity? A. Data Collection through Social Engineering B. Data Collection through Website Footprinting C. Data Collection through Search Engines D. Data Collection through Whois Lookup

34 A company has determined that it needs to significantly improve its cybersecurity posture. Which of the following actions should it take first? A. Assess the existing operational capabilities within the organization's cybersecurity program. B. Plan and implement a threat intelligence program. C. Conduct a vulnerability assessment using current threat intelligence and warnings. D. Conduct an inventory of all devices and nodes on the internal networks and determine their current patch levels.

34 Why is the preparation phase of the APT lifecyle imperative for the success of an APT attack? A. During the preparation phase, the adversary performs highly complex operations required to avoid detection once the attack is launched. B. Expansion of access and harvesting credentials in advance (i.e. during the preparation phase) is necessary to ensure the success of an APT. C. During the preparation phase, an adversary will identify vulnerabilities which cannot be exploited and thus will avoid wasting time and resources. D. Preparation ensures that the persistence phase of an APT attack cannot be countered by the victim organization.

35 A non-disclosure agreement (NDA) is a contract used between companies or between a company and individual(s) to identify information that must be protected and to inform recipients of their obligations to protect that information from disclosure. Why are NDA's an important tool for threat intelligence sharing? A. Improper disclosure of shared threat intelligence could result in harm to one or both parties to the NDA. B. The NDA protects the organization from charges of negligence or lack of diligence. C. The NDA allows the organization to sue for damages if the other party mishandles threat intelligence information. D. The NDA defines who is responsible for obtaining information to be shared under the agreement.

4 What is the main purpose of the Cyber Threat Intelligence process? A. to make an organization aware of existing and emerging threats B. None of the listed choices is correct. C. to uncover unknown threats before they cause damage to an asset or data D. to feed information into the organization's decision making processes

4 What is the main source of technical threat intelligence data collection? A. Malware indicators, network indicators, and e-mail indicators B. Chat room conversations C. Geopolitical information D. Data feeds and online sources

41 Which of the following static malware analysis technique includes calculation of cryptographic hashes of the binary code to recognize its function and compare it to other binary codes and programs faces in the past scenarios? A. File fingerprinting B. Website footprinting C. File dependencies identification D. Local and online malware scanning

42 Joe works as a threat intelligence analyst with Xsecurity Inc. He is assessing the TI program by comparing the project results with the original objectives by reviewing project charter. He is also reviewing the list of expected deliverables to ensure that each of those is delivered to an acceptable level of quality. Identify the activity that Joe is performing to assess a TI program's success or failure. A. Conducting a gap analysis B. Identifying areas of further improvement C. Determining the fulfillment of stakeholders D. Determining the costs and benefits associated with the program

53. Which type of threat intelligence provides high-level information about cyber security threats by using sources such as OSINT, CTI vendors, and ISAO/ISACs. A. Strategic Threat Intelligence B. Tactical Threat Intelligence C. Operational Threat Intelligence D. Technical Threat Intelligence

55. A leading university has suddenly noticed that their lab web server was being used actively to spread malware throughout the campus network. After setting up a monitoring tool on the server, they have identified a large amount of http traffic coming out of it. Finally, the security officials have determined that the hacker has planted a malware on the root directory of web documents and set up hundreds of zombie machines which make frequent HTTP GET requests to the malware through the web server. Which of the following is the root cause for this Scenario? A. Botnet B. Phishing C. Ransomware D. Wiretapping

60. In order to define the threat intelligence requirements, considering the prerequisites of the consumers is a must. To make this task easier, all the consumers are basically categorized into three categories. From the following, identify the one that includes the high-level executives and management of the organization such as CISOs and IT managers. A. Strategic Users B. Tactical Users C. Operational Users D. Technical Users

61. Which of the following is the formal permission to implement a threat intelligence program? A. Rule of engagement (ROE) B. Non-Disclosure Agreement (NDA) C. Proprietary Information Agreement (PIA) D. secrecy agreement (SA)

69. Kill chain mechanism begins in which of the following stage of Threat Analysis Process? A. Indicator Escalation B. Initial Analysis C. Enrichment Indicator through Fusion Analysis D. Escalation of an Event to a Threat Dissemination Analyst

72. Which of the following Organizational Trust Model uses body of evidence between organizations to establish a certain level of trust before sharing threat intelligence. A. Validated Trust B. Direct Historical Trust C. Mediated Trust D. Mandated Trust

8 Clark is an attacker who wants to acquire confidential information of a target organization for some financial benefit. He created an illegitimate e-mail containing malicious links and distributed to all the employees of that organization to obtain private information, such as social security numbers, account numbers, credit card numbers, and mobile numbers. Which type of attack does this scenario present? A. Phishing B. Buffer overflow C. Spoofing D. Denial-of-service attack

9 Which of the following are NOT usually characteristic of APTs? A. Single point of entry, single phase attack B. Tailoring to vulnerabilities C. Evasion and exploitation D. Multiphase attack

A threat analyst wants to incorporate a requirement in the threat knowledge repository that provides an ability to modify or delete past or irrelevant threat data. Which of the following requirement must he include in the threat knowledge repository to fulfill his needs? (Page 495) A. Data management B. Protection ranking C. Searchable functionality D. Evaluating performance

A threat knowledge base can be stored in a ________. A. Structured database. B. Threat feed. C. Unified Threat Management system. D. File system.

ABC is a well-established cyber-security company in the United States. The organization implemented the automation of tasks such as data enrichment and indicator aggregation. They also joined various communities to increase their knowledge about the emerging threats. However, the security teams can only detect and prevent identified threats in a reactive approach. Based on threat intelligence maturity model, identify the level of ABC to know the stage at which the organization stands with its security and vulnerabilities. A. Level 2: increasing CTI capabilities B. Level 3: CTI program in place C. Level 1: preparing for CTI D. Level 0: vague where to start

Alice, a threat intelligence analyst at HiTech Cyber Solutions, wants to gather information for identifying emerging threats to the organization and implement essential techniques to prevent their systems and networks from such attacks. Alice is searching for online sources to obtain information such as the method used to launch an attack, and techniques and tools used to perform an attack and the procedures followed for covering the tracks after an attack. Which of the following online sources should Alice use to gather such information? (Page 95 A. Hacking forums page B. Job sites C. Social networking sites D. Financial services

An analyst wants to disseminate the information effectively so that the consumers can acquire and benefit out of the intelligence. Which of the following criteria must an analyst consider in order to make the intelligence concise, to the point, accurate, and easily understandable and must consist of a right balance between tables, narrative, numbers, graphics, and multimedia? (Page 524) A. The right presentation B. The right time C. The right order D. The right content

An organization suffered many major attacks and lost critical information, such as employee records, and financial information. Therefore, the management decides to hire a threat analyst to extract the strategic threat intelligence that provides high-level information regarding current cyber-security posture, threats, details on the financial impact of various cyber-activities, and so on. Which of the following sources will help the analyst to collect the required intelligence? (Page 26) A. OSINT, CTI vendors, ISAO/lSACs B. Campaign reports, malware, incident reports, attack group reports, human intelligence C. Humans, social media, chat rooms D. Active campaigns, attacks on other organizations, data feeds from external third parties

Choose the network supporting mobile communications across an arbitrary wireless LANs and satellite coverage areas. A. Global Area Network (GAN) B. None of these C. Home Area Network (HAN) D. Local Area Network (LAN) E. Wide Area Network (WAN)

During the process of threat intelligence analysis, John, a threat analyst, successfully extracted an indication of adversary's information, such as Modus operandi, tools, communication channels, and forensics evasion strategies used by the adversaries. Identify the type of threat intelligence analysis is performed by John. (Page 26) A. Tactical threat intelligence analysis B. Strategic threat intelligence analysis C. Technical threat intelligence analysis D. Operational threat intelligence analysis

Enrage Tech Company hired Enrique, a security analyst, for performing threat intelligence analysis. While performing data collection process, he used a counterintelligence mechanism where a recursive DNS server is employed to perform inter-server DNS communication and when a request is generated from any name server to the recursive DNS server, the recursive DNS servers log the responses that are received. Then it replicates the logged data and stores the data in the central database. Using these logs, he analyzed the malicious attempts that took place over DNS infrastructure. Which of the following cyber counterintelligence (CCl) gathering technique has Enrique used for data collection? (Page 335) A. Data collection through passive DNS monitoring B. Data collection through dynamic DNS (DDNS) C. Data collection through DNS interrogation D. Data collection through DNS zone transfer

H&P, Inc. is a small-scale organization that has decided to outsource the network security monitoring due to lack of resources in the organization. They are looking for the options where they can directly incorporate threat intelligence into their existing network defense solutions. Which of the following is the most cost-effective methods the organization can employ? A. Recruit managed security service providers (MSSP) B. Look for an individual within the organization C. Recruit data management solution provider D. Recruit the right talent

How you can deduce a great deal about adversaries' TTPs A. Exchanges of information about new exploits and tools being developed B. Discussions of plans and tactics on forums and social media sites C. Purchases of tools and services D. All of these

Identify the technique to draw symbols in public places for advertising an open Wi-Fi network. A. Warchalking B. Wardialing C. Wardriving D. Spamming E. None of these

In a team of threat analysts, two individuals were competing over projecting their own hypotheses on a given malware. However, to find logical proofs to confirm their hypotheses, the threat intelligence manager used a de-biasing strategy that involves learning strategic decision making in the circumstances comprising multistep interactions with numerous representatives, either having or without any perfect relevant information. Which of the following de-biasing strategies the threat intelligence manager used to confirm their hypotheses? (Page 474) A. Game theory B. Cognitive psychology C. Decision theory D. Machine learning

Joe works as a threat intelligence analyst with Xsecurity Inc. He is assessing the Tl program by comparing the project results with the original objectives by reviewing project charter. He is also reviewing the list of expected deliverables to ensure that each of those is delivered to an acceptable level of quality. Identify the activity that Joe is performing to assess a Tl program's success or failure. (Page 234) A. Conducting a gap analysis B. Identifying areas of further improvement C. Determining the costs and benefits associated with the program D. Determining the fulfillment of stakeholders

Karry, a threat analyst at an XYZ organization, is performing threat intelligence analysis. During the data collection phase, he used a data collection method that involves no participants and is purely based on analysis and observation of activities and processes going on within the local boundaries of the organization. Identify the type of data collection method used by Karry. (Page 245) A. Passive data collection B. Exploited data collection C. Raw data collection D. Active data collection

Mr. Bob, a threat analyst, is performing analysis of competing hypotheses (ACH). He has reached to a stage where he is required to apply his analysis skills effectively to reject as many hypotheses and select the best hypotheses from the identified bunch of hypotheses, and this is done with the help of listed evidence. Then, he prepares a matrix where all the screened hypotheses are placed on the top, and the listed evidence for the hypotheses are placed at the bottom. What stage of ACH is Bob currently in? A. Diagnostics B. Evidence C. Inconsistency D. Refinement

Patch management is a essential task for managing A. All of these B. servers C. endpoints D. network and security devices

Sarah is a security operations center (SOC) analyst working at JW Williams and Sons organization based in Chicago. As a part of security operations, she contacts information providers (sharing partners) for gathering information such as collections of validated and prioritized threat indicators along with a detailed technical analysis of malware samples, botnets, DDoS attack methods, and various other malicious tools. She further used the collected information at the tactical and operational levels. Sarah obtained the required information from which of the following types of sharing partner? (Page 223) A. Providers of threat data feeds B. Providers of threat actors C. Providers of threat indicators D. Providers of comprehensive cyber-threat intelligence

Walter and Sons Company has faced major cyber attacks and lost confidential data. The company has decided to concentrate more on the security rather than other resources. Therefore, they hired Alice, a threat analyst, to perform data analysis. Alice was asked to perform qualitative data analysis to extract useful information from collected bulk data. Which of the following techniques will help Alice to perform qualitative data analysis? (Page 406) A. Brainstorming, interviewing, SWOT analysis, Delphi technique, and so on B. Regression analysis, variance analysis, and so on C. Finding links between data and discover threat-related information D. Numerical calculations, statistical modeling, measurement, research, and so on

What is a "true attribution?" A. identification of a specific individual or country which sponsored an attack or intrusion. B. attribution of an attack based upon evidence collected by law enforcment officials. C. identification of a group or nation responsible for an attack. D. attributing an attack based upon truthful information from informants.

What is the main purpose of CTI A. Provide in-depth information on the threats that pose a greater risk to the organization's infrastructure B. Implement security measure to prevent data breaches C. Collect information about potential attacks currently targeting the organization D. None of these

What is the purpose of the "evidence" phase of the Analysis of Competing Hypotheses Process? A. Generate arguments for and against individual hypotheses B. Use evidence to reject hypothesis which do not fit the data. C. Use evidence to identify gaps in hypotheses. D. Generate a set of hypotheses.

Which of the following characteristics of APT refers to numerous attempts done by the attacker to gain entry to target's network? (Page 98) A. Attack origination points B. Timeliness C. Multiphased D. Risk Tolerance

Which of the following characteristics of APT refers to numerous attempts done by the attacker to gain entry to the target's network? (page 98) A. Attack origination points B. Timeliness C. Risk tolerance D. Multiphased

Which of the following data scoring techniques are used tovisually present data by plotting data based on properties they possess? A. Charting B. Graphing C. None of the listed choices are correct. D. Venn Diagrams

Which of the following remedies for logical fallacies can be used to ensure that analysts do not spend too much time on data collection? A. perform risk-based prioritization of threats B. assess data validity using statistics C. None of the listed choices are correct. D. use threat profiles

Why are intended audience and stakeholders important for evaluation of threat intelligence? A. To ensure threat intelligence deliverables meet the needs of the intended consumers. B. To guide the tactics, techniques, and procedures used to collect and process information. C. To guide the selection of delivery formats and dissemination channels. D. To ensure that appropriate classification categories are applied to the information contained in threat reports.

1 Which of the following project management tools is used to obtain management support for a threat intelligence program? A. Project Schedule and Milestones B. Project Charter C. Project Communications Strategy D. Project Scope Statement

11 Which of the following is important to successful execution of the threat intelligence program? A. clear guidance from high-level business executives B. All listed choices are correct. C. planning and review D. requirements gathering

12 Intelligence is_____. A. structured data and information. B. the output of an analysis process C. the output of processing data. D. highly refined data.

13 Why should help desk personnel be included on distribution lists for threat intelligence reports? A. None of the listed choices are correct. B. To help them prioritize and report calls which may be early warnings of breaches. C. To encourage information sharing between the help desk and the threat intelligence team. D. To emphasize their importance as the first line of cyber defense.

14 Host-based indicators are found on _____ systems. A. server B. infected C. attacker D. database

14 Which of the following characteristics of APT refers to numerous attempts done by the attacker to gain entry to the target's network? A. Multiphased B. Attack origination points C. Timeliness D. Risk tolerance

15 Attackers can be categorized by their motivations for engaging in cyber attacks. Which type of attacker is motivated by political or social agendas? A. Suicide Hackers B. Hacktivists C. Organized Hackers D. Nation-state sponsored hackers

19 Adversary behaviors can be used to enhance detection capabilities for future attacks. Which of the following can be indicative of programming or scripting based attacks? A. Use of HTTP User Agents B. Use of Powershell C. Use of DNS Tunneling D. Use of Command and Control Servers

19 Which of the following roles or responsibilities are performed by a threat intelligence analyst? A. All listed choices are correct. B. generate actionable intelligence alerts and reports C. collect and analyze malware samples D. perform e-discovery

20 How can a security posture assessment benefit an organization? A. Identify specific threats for which no countermeasures exist. B. Provide a foundation for budget or resource requests. C. Assess competency of existing staff. D. Provide expanded business case justification.

20 Why do attackers focus on obtaining information from Internet groups, forums, and blogs? (choose the BEST answer) A. currency and recency of information B. probability of finding sensitive information about target organizations and people. C. limited budgets for paid sources D. ease of access to information posted online

21 Which tactics are used by threat actors to collect information from human subjects? A. Internet search engines B. Social Engineering C. War dialing D. Spidering

21 Which of the following terms related to threat intelligence program provides a way to communicate about what activities need to be completed and what resources will be allocated to accomplish the activities and in what timeframe will those be completed? A. Budget planning B. Scheduling C. Requirement analysis D. Collection planning

22 Which of the following is a vertical community source where the information is collected from various threat intelligence sharing communities? A. Kaspersky B. MineMeld C. SecureWorks D. FortiGuard

22 Which of the following is an OPEN threat intelligence framework (as opposed to a closed or proprietary framework)? A. TC Complete B. YETI C. CrowdStrike D. NormShield

24 An attacker wants to obtain information to use in a whaling attack. Which of the following is the best source? A. Photographs and videos on Instagram B. Linked-In Profiles for Company Executives C. Twitter feeds from a hacktivist group D. None of the listed sources is appropriate for this task.

24 How does intelligence-led security testing differ from normal methods of security testing for IT systems? A. intelligence is used to speed up testing by reducing duplicate or irrelevant test cases B. contextual intelligence is used to guide how tests are designed and conducted C. security professionals are replaced by intelligence analysts who design the tests and test cases. D. None of the listed choices are correct.

25 Raw Data Producers belong in which part of the People, Processes, and Technologies framework? A. People B. Technologies C. All listed choices are correct. D. Processes

25 Which of the following challenges to intelligence sharing has it roots in legal and regulatory constraints? A. Consuming Intelligence from Other Organizations. B. Providing Own Intelligence to Other Organizations. C. None of the listed choices are correct. D. Consuming and Producing Threat Intelligence

26 What mechanisms can be used by APTs to exfiltrate data while evading data loss prevention technologies? A. Network Sniffing B. Encryption Techniques C. Low data rate transmissions D. Spoofing

26 How does cyber threat intelligence help businesses defend their assets and data? A. by converting unknown unknowns into known knowns B. by converting unknown threats into known threats C. by identifying vulnerable assets and mediating risks D. None of the listed choices are correct.

26 Which of the following terms is defined as a guideline that describes the way an attacker performs the attack from beginning to end? A. Procedures B. Tactics C. Data staging D. Techniques

28 In the context of Indicators of Compromise, what is the difference between atomic indicators and computed indicators? A. only atomic indicators can be used to identify adversary behaviors B. an atomic indicator cannot be divided into smaller parts and its meaning does not change with context C. computed indicators are more trust worthy D. None of the listed choices are correct.

29 Which of the following is a malware analysis tool that uses hash values to identify and track data across a network? A. Malware Scanning B. File Fingerprinting C. Identifying File Dependencies D. None of the listed sources is appropriate for this task.

30 Which of the following are necessary in order to benefit from Cyber Threat Intelligence Capabilities? A. Automated and Centralized Patch Servers B. Incident Response C. High-level, Functional, and Capability Requirements D. None of the listed choices are correct.

31 In which of the following phases of the threat intelligence lifecycle is raw data converted into meaningful information by highly trained professionals using sophisticated technology and tools? A. Data collection B. Processing and exploitation C. Analysis and production D. Planning and direction

32 Which of the following factors is NOT used when prioritizing requirements for protecting an organization's assets against attacks? A. Penalty or Consequences B. Insurability C. Risk D. Benefit

33 Why is intelligence-led security testing important? A. This type of testing focuses organizational resources upon current threats and attack methods. B. This type of testing uses contextual intelligence to guide the conduct of security testing and choices of attack methods to be simulated during tests. C. Intelligence-led testing requires less time to complete because only the most important threats are simulated. D. Cyber threat intelligence allows an organization to reduce the complexity of its testing.

34 A CISO is submitting budget requests for technology upgrades for cybersecurity capabilities. Which type of intelligence reporting is most likely to be useful in convincing other senior managers to support these budget requests? A. Executive Summaries for all types of threat intelligence B. Strategic Threat Intelligence C. Operational Threat Intelligence D. Technical Threat Intelligence

34 The threat intelligence team manager is preparing a technology purchase request to support bulk data gathering. Which of the following data characteristics should be used to estimate the amount of processing power and memory storage will be required to support this activity? A. Scanning, Footprinting, and Banner Scraping B. Volume, Velocity, and Complexity C. Source, Means, and Methods D. Tactics, Techniques, and Procedures

35 Which of the following analysis techniques involves the identification of common methods used to launch attacks and provides insights into upcoming threats and exploits? A. Detection of Internal Reconnaissance B. Adversary Behavioral Identification C. Scanning for Use of PowerShell D. Scanning for Use of Command Line Interface

35 Why should a threat team learn to use YARA rules? (choose the best answer) A. Knowing YARA will improve the individual's skills and increase their value as members of the threat team. B. YARA is an open source platform used to detect, classify, and share threat data from malware samples. C. YARA can be used to implement machine learning and therefore provides an advanced tool for managing threat data. D. YARA is free and provides a platform for collecting and sharing threat data from many different sources.

39 A company, TechSoft Solutions, implemented a threat intelligence program and began developing operational capabilities obtained in the previous levels and created an organized team approach for strategic analysis. The company also established necessary intelligence processes and workflows to extract their own threat intelligence. Identify the threat intelligence maturity level at which the company stands. A. Level 1: preparing for CTI B. Level 3: CTI program in place C. Level 4: well-defined CTI program D. Level 2: increasing CTI capabilities

47 Which of the following is a seven-stage risk-based modeling approach implemented for dynamic threat detection, enumeration, and scoring process? A. VAST B. PASTA C. TRIKE D. DREAD

49 Which of the following types of threat attribution deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target? A. Campaign attribution B. True attribution C. Nation-state attribution D. Intrusion-set attribution

5 _________ is a security mechanism to protect against an adversary's intelligence collection efforts. A. Operational Security B. Counterintelligence C. Defensive Perimeter D. Cyberintelligence

5 What is the primary goal of an Advanced Persistent Threat? A. None of the listed choices is correct. B. stealthy theft of information C. gain control of IT systems and subvert their operations D. hidden damage to IT systems

58. Which phase of APT Lifecycle deals with the deployment of malware and establishment of outbound connection? A. Preparation B. Initial Intrusion C. Expansion D. Persistence

6 Which type of data is extracted by analysts from large collections? A. Raw Data B. Exploited Data C. Hybrid Data D. Production Data

6 A _____ is a guideline that describes how an attack is performed. A. procedure B. tactic C. technique D. policy

6 How can Cyber Threat Intelligence be used to combat data loss? A. None of the listed choices is correct. B. by identifying data leaks C. by exposing data sources D. by differentiating between public and private data

62. One of the core elements while preparing the budget of threat intelligence program is 'Scope Baseline'. What does it imply? A. Cost for each individual activity that the program will complete. B. Possible funding constraints that are mandatory for the organization. C. Budget cost over time. D. Cost of resources allocated.

63. Which type of Threat Intelligence Data Collection mechanism provides crucial information about activity related attacks? A. Strategic B. Operational C. Tactical D. Technical

67. Which type of data analysis deals with analyzing the data related to past events? A. Descriptive B. Diagnostic C. Predictive D. Prescriptive

7 Which of the following factors are considered when designing the organization's security program? A. Attractiveness of organization to attackers B. All listed choices are correct. C. Industry and Regulatory Climate D. People, Processes, and Technologies

7 Which of the following is an outcome of extracting intelligence from information and data? A. None of the listed choices is correct. B. production of interpreted information that supports decision making C. risk reduction D. improvement in security controls implementations

74. Traffic Light Protocol (TLP) employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). Which of the following signal does the color 'TLP:AMBER' represent? A. Not for disclosure, restricted to participants only B. Limited disclosure, restricted to participants' organizations C. Limited disclosure, restricted to the community D. Disclosure is not limite

8 Which of the following sources provide operational threat intelligence? A. chat room conversations B. All listed choices are correct. C. event logs, investigation reports, activity logs D. social media and social networking

8 Which stage of the Threat Intelligence Maturity Model is characterized as "increasing CTI Capabilities?" A. Maturity Level 3 B. Maturity Level 2 C. Maturity Level 0 D. Maturity Level 4

9 Marry wants to follow an iterative and incremental approach to prioritize requirements in order to protect the important assets of an organization against attacks. She wants to set the requirements based on the order of priority, where the most important requirement must meet before, for a greater chance of success. She wants to apply prioritization tasks, scenarios, use cases, tests, and so on. Which of the following methodologies should Marry use to prioritize the requirements? A. Data visualization B. MoSCoW C. Fusion analysis D. Data sampling

9 Which of the following are examples of unstructured data? A. encrypted information B. images, video, and audio C. numbers and strings of digits D. string of characters and readable text

A detailed runbook is used to ______. A. provide configuration management for threat data. B. document response procedures for identified threats and incidents. C. document threat data from SIEM and UTM applications. D. log actions while threat detectors are running.

A network administrator working in an ABC organization collected log files generated by a traffic monitoring system, which may not seem to have useful information, but after performing proper analysis by him, the same information can be used to detect an attack in the network. Which of the following categories of threat information has he collected? (Page 541) A. Detection indicators B. Low-level data C. Advisories D. Strategic reports

A network administrator working in an ABC organization collected log files generated by a traffic monitoring system, which may not seem to have useful information, but after performing proper analysis by him, the same information can be used to detect an attack in the network. (Page 542) Which of the following categories of threat information has he collected? A. Detection indicators B. Low-level data C. Advisories D. Strategic reports

A threat analyst is working on a data set and needs to run statistical tests that will show relationships between data points. One of the tests available in the statistical software application is Pearson's Correlation Coefficient. Which of the following characteristics of the data can be determined using this statistical test? A. Ordinal relationship between two variables B. Degree of association for linearly related variables C. Degree of relationship using rank order of values D. Confidence level showing relevance and preciseness of the information

Alice, an analyst, shared information with security operation managers and network operations center (NOC) staff for protecting the organizational resources against various threats. Information shared by Alice was highly technical and include threat actor TTPs, malware campaigns, tools used by threat actors, and so on. Which of the following types of threat intelligence was shared by Alice? (Page 26) A. Technical Threat Intelligence B. Tactical Threat Intelligence C. Strategic Threat Intelligence D. Operational Threat Intelligence

Alison, an analyst in an XYZ organization, wants to retrieve information about a company's website from the time of its inception as well as the removed information from the target website. What should Alison do to get the information she needs? (Page 302) A. Alison should run the Web Data Extractor tool to extract the required website information. B. Alison should use https://archive.org to extract the required website information. C. Alison should recover cached pages of the website from the Google search engine to cache to extract the required website information. D. Alison should use SmartWhois to extract the required website information.

An analyst is conducting threat intelligence analysis in a client organization, and during the information gathering process, he gathered information from the publicly available sources and analyzed to obtain a rich useful form of intelligence. The information source that he used is primarily used for national security, law enforcement, and for collecting intelligence required for business or strategic decision making. Which of the following sources of intelligence did the analyst use to collect information? (Page 267) A. ISAC B. OSINT C. OPSEC D. SIGINT

Andrews and Sons Corp. has decided to share threat information among sharing partners. Garry, a threat analyst, working in Andrews and Sons Corp., was asked to follow a trust model necessary to establish trust between sharing partners. In the trust model used by him, the first organization makes use of a body of evidence in a second organization, and the level of trust between the two organizations depends on the degree and quality of evidence provided by the first organization. Which of the following types of trust model is used by Garry to establish the trust? (Page 566) A. Mandated trust B. Validated trust C. Direct historical trust D. Mediated trust

Before sharing threat intelligence internally, an analyst should _____. A. None of the listed choices are correct. B. Verify that the intelligence being shared meets the needs of the consumers. C. Scrub all analyst names from the reports to ensure confidentiality. D. Finalize the reports and have them signed off by the team leader.

Cognitive-based Threat Analysis requires that an analyst first ___________. A. collect large enough amounts of threat data for the cognitive engine to process. B. organize collected threat information into a specific structure format. C. understand how the cognitive application performs data analysis. D. teach the cognitive computing tool to recognize threats and attacks.

Correlation of reports from multiple sources will _____. A. Increase the value of the information. B. All listed choices are correct. C. Provide greater insight into similarities between indicators. D. Result in knowledge maturation.

H&P, Inc. is a small-scale organization that has decided to outsource the network security monitoring due to lack of resources in the organization. They are looking for the options where they can directly incorporate threat intelligence into their existing network defense solutions. Which of the following is the most cost-effective methods the organization can employ? (Page 210) A. Look for an individual within the organization B. Recruit managed security service providers (MSSP) C. Recruit the right talent D. Recruit data management solution provider

How to determine domain and IP address reputation? A. Test accessible servers for signs of compromise and malicious activities B. All of these C. Extract URLs from web pages and investigate to see if the source domains and websites appear to be under the control of threat actors, or have been compromised by malware. D. Analyze emails to see if they contain indicators of spam, phishing attacks, or fraud

Identify the threat modeling technique which is more for an application to meet the security properties of confidentiality, integrity, and availability, along the experts of construct the data flow diagram based on the threat model A. Trike threat modeling B. STRIDE threat modeling C. P.A.S.T.A. threat modeling

Jim works as a security analyst in a large multinational company. Recently, a group of hackers penetrated into their organizational network and used a data staging technique to collect sensitive data. They collected all sorts of sensitive data about the employees and customers, business tactics of the organization, financial information, network infrastructure information, and so on. What should Jim do to detect the data staging before the hackers exfiltrate from the network? (Page 116) A. Jim should analyze malicious DNS requests, DNS payload, unspecified domains, and destination of DNS requests. B. Jim should identify the web shell running in the network by analyzing server access, error logs, suspicious strings indicating encoding, user agent strings, and so on. C. Jim should monitor network traffic for malicious file transfers, file integrity monitoring, and event logs. D. Jim should identify the attack at an initial stage by checking the content of the user agent field.

Karry, a threat analyst at an XYZ organization, is performing threat intelligence analysis. During the data collection phase, he used a data collection method that involves no participants and is purely based on analysis and observation of activities and processes going on within the local boundaries of the organization. Identify the type data collection method used by the Karry. A. Active data collection B. Passive data collection C. Exploited data collection D. Raw data collection

Right content, right presentation, and right time refer to what part of the threat intelligence management process? A. Strategic intelligence management B. Intelligence dissemination C. Tactical intelligence management D. Intelligence collection

The goal of most APT attacks is A. Use advanced exploits of zero-day vulnerabilities B. To maintain ongoing access to the targeted network C. Use spear phishing and other social engineering techniques D. To get in and out as quickly as possible

Tim is working as an analyst in an ABC organization. His organization had been facing many challenges in converting the raw threat intelligence data into meaningful contextual information. After inspection, he found that it was due to noise obtained from misrepresentation of data from huge data collections. Hence, it is important to clean the data before performing data analysis using techniques such as data reduction. He needs to choose an appropriate threat intelligence framework that automatically performs data collection, filtering, and analysis for his organization. Which of the following threat intelligence frameworks should he choose to perform such tasks? (Page 74) A. SIGVERIF B. TC complete C. Threat grid D. HighCharts

Tracy works as a CISO in a large multinational company. She consumes threat intelligence to understand the changing trends of cyber security. She requires intelligence to understand the current business trends and make appropriate decisions regarding new technologies, security budget, improvement of processes, and staff. The intelligence helps her in minimizing business risks and protecting the new technology and business initiatives. Identify the type of threat intelligence consumer is Tracy. A. Tactical users B. Strategic users C. Operational users D. Technical users

Which of the following cognitive biases can adversely impact how an analyst applies personal beliefs about theories to the threat analysis process? A. Correspondence Bias B. Belief Bias C. Self-serving Bias D. Confirmation Bias

Which of the following companies provide threat intelligence tools? A. Scumblr B. All listed choices are correct. C. McAfee D. Fireeye

Which of the following components refers to a node in the network that routes the traffic from a workstation to external command and control server and helps in identification of installed malware in the network? A. Repeater B. Gateway C. Hub D. Network interface card (NIC)

Which of the following cybersecurity teams is likely to be aconsumer of threat intelligence reports? A. forensics team B. All listed choices are correct. C. incident response team D. anti-fraud team

Which of the following types of threat attribution deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target? A. Nation-state attribution B. True attribution C. Campaign attribution D. Intrusion-set attribution

11 Which of the following data analysis techniques refers to the standard data analysis process employed by the analysts to efficiently narrow down the required information from the collected data and can be used on any type of data? A. Structured analysis of competing hypotheses (SACH) B. Opportunity analysis C. Statistical data analysis D. Analysis of competing hypotheses (ACH)

12 Which category of information exchange would include data from IDS system logfiles? A. Strategic Reports B. Detection Indicators C. Low-level Data D. Advisories

13 What is the most effective way to identify valuable assets and data? A. Brainstorming B. Obtain cost estimates from business managers C. Conduct an inventory D. Survey subject matter experts

13 Which of the following types of threat intelligence provides high-level information regarding cyber-security posture, threats, details about the financial impact of various cyber activities, attack trends, and the impact of high-level business decisions? A. Operational threat intelligence B. Technical threat intelligence C. Strategic threat intelligence D. Tactical threat intelligence

14 What is the first step in building an efficient threat intelligence program? A. Establishing rules of engagement B. Training the team C. Requirements gathering D. Identifying threats

15 The collection and analysis of information about threats is referred to as ____. A. None of the listed choices is correct. B. Data Analytics C. Cyber Threat Intelligence D. Risk Assessment

15 Which of the following points should be considered while preparing a nondisclosure agreement? A. It should include agreed-upon rules on what type of intelligence is needed by different consumers. B. Intelligence team can overcome legal, federal, and policy-related restrictions to use different tactics, systems, and personnel in the threat intelligence program. C. It should clearly identify all parties to the agreement; it should specifically include the starting date and length of the nondisclosure period. D. It should dictate the rules to be followed while implementing the threat intelligence program.

16 How can analysts detect adversarial behaviors involving data staging? A. Writing firewall rules to detect large file transfers B. None of the listed choices are correct. C. Monitoring network traffic D. Monitoring logfiles for excessive memory use

16 Which of the following is a business benefit of cyber threat intelligence? A. Reduction in costs of defending against attacks B. Loss prevention C. Insight into probability of risks and their impacts on the business D. None of the listed choices are correct

17 An intelligence consumer has asked for threat reporting that can be fed directly into its firewalls, SIEM systems, and endpoint protection systems. What type of report format is needed? A. YARA B. Python and Power Shell scripts C. Automation of Security Feeds and Application Program Interfaces D. OWASP and SOA

17 In the cleanup phase, an APT may change data on the targeted systems. Why? A. To hide the target of the attack. B. To evade detection C. All listed choices are correct. D. To mislead security analysts

18 (Choose the BEST answer.) Why should analysts perform continuous monitoring of Indicators of Compromise? A. To identify when attackers stop using a particular attack B. Continuous monitoring is less expensive than static monitoring. C. To detect and prevent security breaches D. To ensure executives are kept aware of attacker evolution

18 An analyst determines that Impersonation would be a good tool to use to collect information about an organization. This is an example of _____. A. Eavesdropping B. Dumpster Diving C. Social Engineering D. War Dialing

18 Which of the following terms refers to determining security designation and handling requirements by reviewing indicator metadata? A. Prioritization B. Decompression C. Categorization D. Content extraction

19 Which of the following Threat Intelligence Exchange Architectures uses a member-to-member exchange modality and, because of this, is less susceptible to attacks or single point of failure outages? A. First-in-First-Out B. Centralized C. Peer-to-Peer D. Hardened

19 What is the primary purpose of the Intelligence and Collection Planning process? A. to prevent intelligence failures B. None of the listed choices are correct. C. to develop a well planned approach to prevent poor results D. to ensure resources are properly allocated

19 Which of the following components of threat intelligence enabled risk management process generates detailed information about various sources and techniques used to gather threat information that is fed as input to risk assessment? A. Assess B. Respond C. Frame D. Monitor

2 Which of the following steps must be taken before implementing an organization's threat intelligence program? A. None of the listed choices are correct. B. Review incident reports for the past 18 months C. Assess existing capabilities D. Conduct an audit of existing security controls

2 Which of the following triads is used by cyber threat analysts to profile attacks? A. People, Processes, Technologies B. Means + Methods + Motivations C. Motives (Goal) + Method + Vulnerability D. Intent, Capability, Opportunity

20 Which of the following is a benefit of intelligence collaboration? A. increased compliance with legal and regulatory requirements B. None of the listed choices are correct. C. organizations can learn from each other's mistakes. D. reduction in errors and omissions

20 Clark, a professional hacker, is trying to perform an APT attack on a target organization's network. He is trying to obtain the administrative login credentials of the compromised system to gain further access to the systems in the network. What phase of the APT lifecycle is Clark currently in? A. Cleanup B. Preparation C. Expansion D. Persistence

21 What is the benefit of applying a strategic lens to the threat intelligence program? A. communicate the benefits of the program to management B. None of the listed choices are correct. C. help align the threat intelligence program with business operations D. keep planning and programming at the strategic level

21 Which of the following laws restricts the sharing of sensitive information about threats and indicators of compromise affecting businesses and their financial records? A. Gramm-Leach-Bliley Act B. Health Insurance Portability and Accountability Act C. Sarbanes-Oxley Act D. All listed choices are correct.

22 A threat intelligence analyst can study attacker's ____ to build a profile for threat actors. A. past history B. None of the listed choices are correct. C. techniques D. procedures

22 Why is metadata from web pages useful to attackers? A. Metadata contains hidden information that a company doesn t want revealed. B. Page level meta data is not useful to attackers. C. Page level meta data contains information about the web server and the organization. D. Metadata contains scripts and programs.

23 Which of the following talent acquisition strategies should be pursued first when setting up a threat intelligence team? A. Borrow experienced threat analysts from business partners B. Advertise for certified threat intelligence analysts C. Identify appropriate internal candidates D. Hire an experienced threat intelligence research consultancy

23 Why does a business need to audit information being sent over its networks? A. to provide required services to customers B. to identify illicit information and track its source C. to meet strict compliance requirements D. to assist in reaching customers easily

24 Choose the best description for "security pressure posture." A. None of the listed choices are correct. B. a measure of an organization's resilience C. elements or drivers which put pressure on an organization's security program D. the degree to which an organization can withstand external attacks

24 Which of the following report sections will contain details of how the intelligence was processed? A. Indicators of Compromise B. None of the listed choices are correct. C. Analysis Methodology D. Test Details

25 What type of tool allows an analyst to collect information about an Internet domain? A. ICANN Whois Query B. IANA Registry Lookup C. All listed choices are correct. D. ARIN WhoWas Query

25 An organization, namely, Highlander, Inc., decided to integrate threat intelligence into the incident response process for rapid detection and recovery from various security incidents. In which of the following phases of the incident response management does the organization utilize operational and tactical threat intelligence to provide context to the alerts generated by various security mechanisms? A. Phase 1: preplanning B. Phase 2: event C. Phase 3: incident D. Phase 4: breach

26 What blacklisting or whitelisting tools can a threat intelligence analyst use to obtain information to prepare custom IOCs for threat detection? A. Alexa Top 1 Million sites B. Apility.io C. All listed choices are correct. D. Statvoo.com

27 An analyst is investigating DNS poisoning attacks. Which of the following record types could have been used to change a DNS server to direct traffic to the attacker's servers? A. B Records and PTR Records B. PTX Record C. A Records and MX Records D. A Records and DNAME Records

27 Which of the following is not part of a scope statement for a threat intelligence program? A. Timescale schedule B. Objectives of the program C. Communications methods D. Identified business risks

27 Which of the following will maximize the return on investment for intelligence reports? A. Focus intelligence collection upon attackers who are known to be active and interested in the organization. B. None of the listed choices are correct. C. Broad sharing of intelligence reports within the organization. D. Focus intelligence collection and reporting upon the high value assets.

27 Cyber Threat Intelligence can help identify which of the following? A. Attacker techniques B. Adversary tactics C. All listed choices are correct. D. Procedures for possible attacks

28 In the context of this certification, what are Rules of Engagement? A. contractual obligations of threat intelligence providers B. rules for conducting penetration testing C. formal permission to implement a threat intelligence program D. None of the listed choices are correct.

28 Which of the following layers enables an adversary to navigate anonymously without being traced to perform illegal activities and cybercrimes? A. Surface web B. Search engine C. Dark net D. Hacking forum

29 Which of the following goals is met by the Traffic Light Protocol? A. indicate the classification of a threat report B. differentiate between in progress and completed investigations C. provide data handling guidance D. signal the trust level for the intelligence sources

3 Which of the following components refers to a node in the network that routes the traffic from a workstation to external command and control server and helps in identification of installed malware in the network? A. Repeater B. Hub C. Gateway D. Network interface card (NIC)

30 Which of the following acts authorizes cybersecurity information sharing between and among the private sector; state, local, tribal, and territorial governments; and the Federal Government? A. Health Insurance Portability and Accountability Act (HIPAA) B. Federal Information Security Management Act (FISMA) C. Cybersecurity Information Sharing Act (CISA) D. Cyber Intelligence Sharing and Protection Act (CISPA)

31 A senior manager of the firm has forwarded several email warnings (alerts) about cyber threats to the threat intelligence team. What is the first thing the team should do before acting upon these warnings? A. Assign a threat priority to the warnings. B. Enter the warnings into the threats database. C. Verify the trustworthiness of the originator of the warnings. D. Email the manager acknowledging receipt of the warnings.

31 An organization is having an offsite meeting with senior leadership to inform them about the planned implementation of a Threat Intelligence Program. Which of the following goals is MOST important as an outcome for that meeting? A. None of the listed choices are correct. B. Inform senior leadership and other stakeholders of the risks and potential costs to the organization if the threat intelligence program is not approved. C. Attain a common understanding of responsibilities, scope, and boundaries for the threat intelligence program. D. Establish the budget for the threat intelligence program so that the team can be hired and begin their work.

32 A cyber threat analyst is preparing a briefing for the company's executives which explaints the cyber threat intelligence process and the work of the intelligence analysts. Which of the following triads should be used to describe the existence of threats? A. Knowns, Unknowns, Unknown Unknowns B. Cyber Kill Chain C. Intent, capability, opportunity D. Means, methods, motives

32 An executive has requested that the cyber threat intelligence team provide information on tactics, techniques, and procedures (TTPs) that attackers could use against a company's new network management product line. What type of threat intelligence is being requested? A. Operational B. Technical C. Tactical D. Strategic

33 Harry, a threat analyst, wants to conduct a threat intelligence analysis on the organization that has experienced attacks and other setbacks due to lack of appropriate intelligence capabilities. Therefore, to convince the management, he must present the information that is useful and enables the threat analyst to build up the case. Which of the following key features must Harry focus on to obtain the essential information to convince the management and start the threat intelligence program? A. Scoring, workflow B. Brand protection, identification of attacker networks C. Drivers, obstacles, benefits D. Encounter rate, false positive rate, threat classification

34 Flora, a threat intelligence analyst at PanTech Cyber Solutions, is working on a threat intelligence program. She is trying to collect the company's crucial information through online job sites. Which of the following information will Flora obtain through job sites? A. Open ports and services B. Employee details and social security numbers C. Hardware and software information, network-related information, and technologies used by the company D. Top-level domains and subdomains of the company

34 Which of the following threat intelligence stages would an analyst be most likely to start with when assessing risks associated with an emerging technology? A. Risk assessment B. Known Knowns C. Unknown Unknowns D. Known Unknowns

35 Which of the following terms is used to describe an artifact that is found on a network or an operating system of an organization that with high confidence indicates an intrusion attempt? A. SOPs B. Incident C. IOCs D. Breach

36 Which of the following indicators of compromise (IoCs) adversary can easily change by appending any insignificant bit making their discovery insignificant? A. Host artifacts B. IP addresses C. Hash values D. Network artifacts

4 In which phase of the Cyber Kill Chain does an attack download additional software to take up residence on target systems? A. Weaponization B. Exploitation C. Installation D. Delivery

43 Sean works as a threat intelligence analyst. He is assigned a project for information gathering on a client's network to find a potential He started analysis and was trying to find out the company's internal URLs, looking for any information about the different departments and business units. He was unable to find any information. What should Sean do to get the information he needs? A. Sean should use WayBackMachine in Archive.org to find the company's internal URLs. B. Sean should use website mirroring tools such as HTTrack Web Site Copier to find the company's internal URLs C. Sean should use online services such as netcraft.com to find the company's internal URLs. D. Sean should use e-mail tracking tools such as eMailTrackerPro to find the company's internal URLs.

48 Which of the following cognitive bias describes a person's inclination to overemphasize personality-centered reasons for actions performed by others? A. Hindsight bias B. Confirmation bias C. Correspondence bias D. Belief bias

5 How can an organization avoid blaming threat intelligence analysts for programmatic failures? A. Look with Hindsight B. Openness C. Focus on the Future D. Focus on Both Positives and Negatives

5 Which of the following can be used to gain insight into future threats and exploits? A. Advanced Persistent Threat Lifecycle B. Intent, Capability, Opportunity Triad C. Adversary Behavioral Identification D. Cyber Kill Chain

5 Which of the following types of data analysis deals with analyzing the real-time data of the current activities and enables the analyst to identify what is currently happening in the organization based on the acquired real-time data? A. Predictive B. Diagnostic C. Descriptive D. Prescriptive

50 A threat analyst wants to incorporate a requirement in the threat knowledge repository that provides an ability to modify or delete past or irrelevant threat data. Which of the following requirement must he include in the threat knowledge repository to fulfil his needs? A. Evaluating performance B. Protection ranking C. Data management D. Searchable functionality

54. Which type of threat intelligence uses humans, social media, and chat rooms as major sources for extracting and providing information about organizational threats? A. Strategic Threat Intelligence B. Tactical Threat Intelligence C. Operational Threat Intelligence D. Technical Threat Intelligence

56. Among the following cyber security threats, identify the one that falls under Host threat category: A. Spoofing B. ARP Poisoning C. Profiling D. Phishing

59. Which of the following security control acts as a node in the network and routes the traffic from a workstation to external command and control server. A. SIEM B. NGFW C. Gateway D. IDS/IPS

68. Which of the following Data Correlation Technique is a correlation statistic for measuring the ordinal relationship between two measured variables. A. Pearson's r Correlation Coefficient B. Spearman's Rank Correlation Coefficient C. Kendall's Rank Correlation Coefficient D. Intraclass Correlation Coefficient

70. Identify the correct formula that is used for ranking the threats during the threat modeling process. A. Risk = Probability + Damage Potential B. Risk = Probability - Damage Potential C. Risk = Probability * Damage Potential D. Risk = Probability / Damage Potential

71. According to threat intelligence information sharing model, the tier that includes a small number of communities such as critical infrastructure industry sectors and focuses on specific needs and security requirements for sharing information is represented as: A. Public Tier B. Private Tier C. Targeted Tier D. Strategic Tier

73. Which of the following MITRE Standard is an application-layer protocol that is used for the communication of CTI in a simple and scalable manner? A. CybOX B. STIX C. TAXII D. MAEC

8 What is the purpose of the reconnaissance phase of the Cyber Kill Chain? A. to scan the Internet for vulnerable networks B. to sneak into a target's systems C. to collect information and to probe a target for vulnerabilities D. to determine if an attack can evade detection

A team of threat intelligence analysts is performing threat analysis on malware, and each of them has come up with their own theory and evidence to support their theory on a given malware. Now, to identify the most consistent theory out of all the theories, which of the following analytic processes must threat intelligence manager use? A. Threat modelling B. Application decomposition and analysis (ADA) C. Analysis of competing hypotheses (ACH) D. Automated technical analysis

Alice, a threat intelligence analyst at HiTech Cyber Solutions, wants to gather information for identifying emerging threats to the organization and implement essential techniques to prevent their systems and networks from such attacks. Alice is searching for online sources to obtain information such as the method used to launch an attack, and techniques and tools used to perform an attack and the procedures followed for covering the tracks after an attack. Which of the following online sources should Alice use to gather such information? A. Financial services B. Social network settings C. Hacking forums D. Job sites

Cybersol Technologies initiated a cyber-threat intelligence program with a team of threat intelligence analysts. During the process, the analysts started converting the raw data into useful information by applying various techniques, such as machine-based techniques, and statistical methods. In which of the following phases of the threat intelligence lifecycle is the threat intelligence team currently working? (Page 49) A. Planning and direction B. Dissemination and integration C. Processing and exploitation D. Analysis and production

Daniel is a professional hacker whose aim is to attack a system to steal data and money for profit. He performs hacking to obtain confidential data such as social security numbers, personally identifiable information (PII) of an employee, and credit card information. After obtaining confidential data, he further sells the information on the black market to make money. Daniel comes under which of the following types of threat actor? (Page 91) A. State-sponsored hackers B. Industrial spies C. Organized hackers D. Insider threat

Evaluated threat intelligence can be used by management to _____. (Choose the BEST answer.) A. hold subordinates accountable for vulnerabilities exploited by adversaries. B. plan, program, and implement cybersecurity budgets. C. take actions to avoid further attacks against an organization. D. differentiate between strategic and tactical defenses.

Henry. a threat intelligence analyst at ABC Inc., is working on a threat intelligence program. He was assigned to work on establishing criteria for prioritization of intelligence needs and requirements. Which of the following considerations must be employed by Henry to prioritize intelligence requirements? A. Understand frequency and impact of a threat B. Understand data reliability C. Develop a collection plan D. Produce actionable data

In which of the following attacks does the attacker exploit vulnerabilities in a computer application before the software developer can release a patch for them? (Page 6) A. Advanced persistent attack B. Distributed network attack C. Zero-day attack D. Active online attack

In which of the following storage architecture is the data stored in a localized system, server, or storage hardware and capable of storing a limited amount of data in its database and locally available for data usage? A. Distributed storage B. Object-based storage C. Centralized storage D. Cloud storage

In which of the following storage architecture is the data stored in a localized system, server, or storage hardware and capable of storing a limited amount of data in its database and locally available for data usage? (Page 393) A. Object-based storage B. Cloud storage C. Centralized storage D. Distributed storage

Integrating threat intelligence into an existing security infrastructure will _______. (Choose the best answer.) A. thwart zero day attacks. B. None of the listed choices are correct. C. reduce risk and decrease response times for incidents. D. flatten the organization and save money on personnel costs.

James, a professional hacker, is trying to hack the confidential information of a target organization. He identified the vulnerabilities in the target system and created a tailored deliverable malicious payload using an exploit and a backdoor to send it to the victim. Which of the following phases of cyber kill chain methodology is Jame executing? (Page 105) A. Installation B. Reconnaissance C. Weaponization D. Exploitation

John, a professional hacker, is trying to perform APT attack on the target organization network. He gains access to a single system of a target organization and tries to obtain administrative login credentials to gain further access to the systems in the network using various techniques. What phase of the advanced persistent threat lifecycle is John currently in? A. Initial intrusion B. Search and exfiltration C. Expansion D. Persistence

John, a professional hacker, is trying to perform APT attack on the target organization network. He gains access to a single system of a target organization and tries to obtain administrative login credentials to gain further access to the systems in the network using various techniques. What phase of the advanced persistent threat lifecycle is John currently in? (Page 102) A. Initial intrusion B. Search and exfiltration C. Expansion D. Persistence

Kim, an analyst, is looking for an intelligence-sharing platform to gather and share threat information from a variety of sources. He wants to use this information to develop security policies to enhance the overall security posture of his organization. Which of the following sharing platforms should be used by Kim? (Page 596) A. PortDroid network analysis B. OmniPeek C. Blueliv threat exchange network D. Cuckoo sandbox

Lizzy, an analyst, wants to recognize the level of risks to the organization so as to plan countermeasures against cyber attacks. She used a threat modeling methodology where she performed the following stages: Stage 1: Build asset-based threat profiles Stage 2: Identify infrastructure vulnerabilities Stage 3: Develop security strategy and plans Which of the following threat modeling methodologies was used by Lizzy in the aforementioned scenario? (Page 460) A. DREAD B. TRIKE C. OCTAVE D. VAST

Miley, an analyst, wants to reduce the amount of collected data and make the storing and sharing process easy. She uses filtering, tagging, and queuing technique to sort out the relevant and structured data from the large amounts of unstructured data. Which of the following technique was employed by Miley? (Page 388) A. Data visualization B. Convenience sampling C. Normalization D. Sandboxing

Sarah is a security operations center (SOC) analyst working at JW Williams and Sons organization based in Chicago. As a part of security operations, she contacts information providers (sharing partners) for gathering information such as collections of validated and prioritized threat indicators along with a detailed technical analysis of malware samples, botnets, DDoS attack methods, and various other malicious tools. She further used the collected information at the tactical and operational levels. Sarah obtained the required information from which of the following types of sharing partner? A. Providers of comprehensive cyber-threat intelligence B. Providers of threat indicators C. Providers of threat data feeds D. Providers of threat actors

SecurityTech Inc. is developing a Tl plan where it can drive more advantages in less funds. In the process of selecting a TI platform, it wants to incorporate a feature that ranks elements such as intelligence sources, threat actors, attacks, and digital assets of the organization, so that it can put in more funds toward the resources which are critical for the organization's security. Which of the following key features should SecurityTech Inc. consider in their Tl plan for selecting the Tl platform? (Page 190) A. Search B. Workflow C. Scoring D. Open

Select the standard protocol used for interfacing external application software with a web server. A. IP B. TCP C. CGI D. None of these E. DHCP

Steve works as an analyst in a UK-based firm. He was asked to perform network monitoring to find any evidence of compromise. During the network monitoring, he came to know that there are multiple logins from different locations in a short time span. Moreover, he also observed certain irregular log in patterns from locations where the organization does not have business relations. This resembles that somebody is trying to steal confidential information. Which of the following key indicators of compromise does this scenario present? (Page 126) A. Unusual outbound network traffic B. Unusual activity through privileged user account C. Geographical anomalies D. Unexpected patching of systems

What is actionable intelligence? A. intelligence that details actions taken by adversaries. B. intelligence that details actions taken to defend an enterprise. C. processed intelligence that can be used by decision makers. D. a structured data element used to store intelligence in a database.

What is not an emerging threat landscape areas A. Internet of things B. Cloud computing C. Wireless network D. Social media

What is the benefit of integrating the cyber kill chain methodology with threat analysis? (Choose the BEST answer.) A. None of the listed choices are correct. B. the cyber kill chain is a well known framework that can be easily explained to senior managers and executives. C. threat analysis can help identify a kill chain stage which can be mitigated to prevent the threat from occurring. D. the threat analyst can use the kill chain to identify weaponized threats.

Which of the following goals is achieved by using threat modeling? A. Understanding threat actor profiles, behaviors, and methods B. Identification, analysis, and ranking of threats C. All listed choices are correct. D. Describing complete security architecture

Which of the following is a fundamental characteristic of machine learning as applied to threat intelligence tools? A. generating new hypotheses about data B. applying human thought processes faster than a human can think C. learning from patterns in the data set D. All listed choices are correct.

Which of the following is an MS Office application that can be used to perform statistical analysis for threat data? A. MS Word B. SAS/STAT C. MS Excel D. IBM SPSS

Which of the following organizations publish standards and formats for sharing Threat Intelligence Information? A. US-Cert B. Mitre C. All listed choices are correct. D. IETF

Which type of threat intelligence analysis is most likely to use information from chat room conversations? A. Strategic B. None of the listed choices are correct. C. Operational D. Tactical

Why must a threat intelligence analyst understand statistics and statistical testing of hypotheses? A. To prevent misuse of statistics generated by automated tools B. To ensure that the proper statistical tests are being applied to data C. All listed choices are correct. D. To guide selection of statistics which will enable sorting of data to find patterns

13 What types of employee information can be gathered from online groups, forums, and blogs? A. lists of future goals B. full name, addresses, home phone numers, email addresses C. pictures of employees and workplace D. All listed choices are correct.

32 An organization is budgeting funds to send trained cyber threat analysts to conferences such as SchmooCon, B'Sides, and DEFCON. The budget committee has asked the team to identify the types of intelligence they expect to collect from this meeting and explain why that intelligence cannot be obtained through Internet sources. Which of the following is the BEST explanation to include in the business case for this expenditure? A. SIGINT collection will be performed at the conferences. The intelligence personnel will use rogue access points to siphon off cellular signals from phones in locations where attackers are likely to congregate. B. Social Media Intelligence will be performed at the conferences. The intelligence personnel will monitor known Social Media platforms and attendee postings to the conference websites to collect information about hacker activities during the events. C. Imagery intelligence collection will be performed at the conferences. The intelligence personnel will obtain surveillance videos and use facial recognition to identify known hackers so that team members can eavesdrop on their conversations in hallways. D. HUMINT collection will be performed at the conferences. The types of attackers who will be targeted are those whose online activities are hidden in the dark web and difficult to obtain from online sources.

32 Which of the following should be used to protect sensitive data contained in a published threat indicator? A. Apply authentication and authorization mechanisms B. Use an encrypted network C. Harden the storage repository against attacks D. All listed choices are correct.

33 Many network attacks are very noisy, that is, there is a substantial amount of abnormal traffic which is easily detected using firewalls and intrusion detection systems. Other network attacks are very stealthy and send packets over an extended period of time to avoid detection. Which of the following types of attacks are more likely to be quiet than not? A. Botnets B. Phishing C. Denial of Service D. Advanced Persistent Threats

35 After successfully collecting a large variety of data and extracting threat intelligence from it, the threat analyst needs to prepare the data for dissemination to the organization's managers and executives. Which type of reporting tool(s) should be used to prepare the intelligence data for consumption by these stakeholders? A. Database reports from MS Access, MySQL, and Tableau. B. Spreadsheets listing sources, frequency of events, and types of events. C. Power Point Presentations D. Data Visualization Tools (histograms, maps, charts)

35 Which of the following is NOT an enterprise objective for a Threat Intelligence Program? A. Improved incident detection. B. Enhanced and automated incident prevention. C. Improved risk management. D. Identifying known unknowns.

37 Which of the following is not a responsibility of an intelligence analyst? A. Support organizational strategic decision-making process. B. Research and develop imminent threats reports to inform higher-level executives about the current and evolving threat landscape. C. Develop a broad view of the organization's threat landscape by regular monitoring of IoCs and TTPs. D. Based on the identified threats, enhance detection methods and provide previously unknown related indicators.

38 An analyst is performing threat intelligence analysis in a client organization. He wants to check if the web server information of an organization's website is publicly available or not. Which of the following tools will help the analyst to do this? A. Pulsedive B. Malstrom C. NetSim D. Netcraft

4 When establishing a business case, what is a "driver?" A. an element of a needs assessment B. None of the listed choices are correct. C. approved requirements for intelligence as set by stakeholders D. difficulties and setbacks caused by a lack of a threat intelligence capability

4 Which type of threat intelligence data collection would include IP addresses, operating systems, and behavior of malware? A. Tactical B. Attack Signatures C. SIGINT D. Technical

45 In which of the following storage architecture is the data stored in a localized system, server, or storage hardware and capable of storing a limited amount of data in its database and locally available for data usage? A. Cloud storage B. Distributed storage C. Object-based storage D. Centralized storage

46 Which of the following terms is used to define the process of structuring the unstructured data to make it sorted and usable by the humans as well as by automated machine tools for intelligence consumption? A. File fingerprinting B. Data visualization C. System baselining D. Normalization

51. Identify the attack that exploits computer application vulnerabilities before the software developer releases a patch for the vulnerability? A. Smurf attack B. Teardrop attack C. Ping of death attack D. Zero-Day Attack

52. Which of the following is NOT a stage of Cyber Threat Intelligence? A. Known Knowns B. Known Unknowns C. Unknown Unknowns D. Unknown Knowns

6 Which of the following criteria is used to rate intelligence that is delivered to the stakeholder that helps in improving the defense strategies to detect the reported threats and decrease reoccurrences? A. Informative B. Awareness C. Richness D. Actionable

65. Identify the form of intelligence that is collected from an adversary's equipment or captured enemy material (CEM). A. Open-Source Intelligence (OSINT) B. Human Intelligence (HUMINT) C. Signals Intelligence (SIGINT) D. Technical Intelligence (TECHINT)

7 A ____ is a technical method used by an attacker. A. tactic B. policy C. procedure D. technique

7 Which of the following terms describes an interpreted information providing broader in-depth knowledge of the subject that supports decision making and response actions to resolve complex problems? A. Data B. Knowledge C. Information D. Intelligence

8 Which of the following will help define the scope of the threat intelligence program? A. None of the listed choices are correct. B. Number of business units to be included C. Size of the Threat Intelligence Program's budget D. Identify Intelligence Needs and Requirements

9 Which of the following factors can be used to convince management to fund a threat intelligence program? A. Drivers B. Obstacles C. Benefits D. All listed choices are correct.

An XYZ organization hired Mr. Andrews, a threat analyst. In order to identify the threats and mitigate the effect of such threats, Mr. Andrews was asked to perform threat modeling. During the process of threat modeling, he collected important information about the threat actor and characterized the analytic behavior of the adversary that includes technological details, goals, and motives that can be useful in building a strong countermeasure. What stage of the threat modeling is Mr. Andrews currently in? (Page 445) A. Threat ranking B. Threat determination and identification C. System modeling D. Threat profiling and attribution

An attacker instructs bots to use camouflage mechanism to hide his phishing and malware delivery locations in the rapidly changing network of compromised bots. In this particular technique, a single domain name consists of multiple IP addresses. Which of the following technique is used by the attacker? A. DNS zone transfer B. Dynamic DNS C. DNS interrogation D. Fast-Flux DNS

An attacker instructs bots to use camouflage mechanisms to hide his phishing and malware delivery locations in the rapidly changing network of compromised bots. In this particular technique, a single domain name consists of multiple IP addresses. Which of the following technique is used by the attacker? (Page 314) A. DNS interrogation B. Dynamic DNS C. DNS zone transfer D. Fast-Flux DNS

An intelligence information sharing and analysis center (ISAC) can provide benefits to individual organizations and threat analysis teams. Which of the following benefits can be used to enhance incident response processes? A. Sharing of Best Practices Information B. None of the listed choices are correct. C. Sharing of Threat Attributions D. Collaboration on Threat Indicators, Tactics, and Procedures.

Bob, a threat analyst, works in an organization named TechTop. He was asked to collect intelligence to fulfill the needs and requirements of the Red Team present within the organization. Which of the following are the needs of a Red Team? (Page 516) A. Intelligence related to increased attacks targeting a particular software or operating system vulnerability B. Intelligence that reveals risks related to various strategic business decisions C. Intelligence on latest vulnerabilities, threat actors, and their tactics, techniques, and procedures (TTPs) D. Intelligence extracted latest attacks analysis on similar organizations, which includes details about latest threats and TTPs

Guiana & Co. is a well-established cyber-security company in the United States. The organization implemented the automation of tasks such as data enrichment and indicator aggregation. They also joined various communities to increase their knowledge about the emerging threats. However, the security teams can only detect and prevent identified threats in a reactive approach. Based on threat intelligence maturity model, identify the level of Guiana & Co. to know the stage at which the organization stands with its security and vulnerabilities. (Page 65) A. Level 1: preparing for CTI B. Level 0: vague where to start C. Level 3: CTI program in place D. Level 2: increasing CTI capabilities

In system modeling, what is a "Trust Boundary?" A. A line between DMZs and internal networks B. None of the listed choices are correct. C. Boundary between internal and external systems D. Boundary between systems of differing trust levels or privileges

In the context of data analysis, which of the following statements best describes the term "hypothesis?" A. A test case which uses statistical verification. B. A belief about a phenomenon. C. A research question. D. A statement about data which can be tested.

In which of the following forms of bulk data collection are large amounts of data first collected from multiple sources in multiple formats and then processed to achieve threat intelligence? A. Structured form B. Hybrid form C. Production form D. Unstructured form

Jian is a member of the security team at Trinity, Inc. He was conducting a real-time assessment of system activities in order to acquire threat intelligence feeds. He acquired feeds from sources like honeynets, P2P monitoring, infrastructure, and application logs. Which of the following categories of threat intelligence feed was acquired by Jian? (Page 265) A. Internal intelligence feeds B. CSV data feeds C. External intelligence feeds D. Proactive surveillance feeds

Jian is a member of the security team at Trinity, Inc. He was conducting a real-time assessment of system activities in order to acquire threat intelligence feeds. He acquired feeds from sources like honeynets, P2P monitoring. infrastructure, and application logs. Which of the following categories of threat intelligence feed was acquired by Jian? A. Internal intelligence feeds B. External intelligence feeds C. CSV data feeds D. Proactive surveillance feeds

Kathy wants to ensure that she shares threat intelligence containing sensitive information with the appropriate audience. Hence, she used traffic light protocol (TLP). Which TLP color would you signify that information should be shared only within a particular community? A. Red B. White C. Green D. Amber

Moses, a threat intelligence analyst at InfoTech Inc., wants to find crucial information about the potential threats the organization is facing by using advanced Google search operators. He wants to identify whether any fake websites are hosted that are similar to the organization's URL. Which of the following Google search queries should Moses use? (Page 282) A. link: www.infotech.org B. cache: www.infotech.org C. info: www.infotech.org D. related: www.infotech.org

Q. 1 Which of the following terms refers to the existence of a weakness, design flaw, or implementation error, which can lead to an unexpected event compromising the security of the system? A. Hacking B. Zero-day attack C. Exploit D. Vulnerability

SecurityTech Inc. is developing a TI plan where it can drive more advantages in less funds. In the process of selecting a TI platform, it wants to incorporate a feature that ranks elements such as intelligence sources, threat actors, attacks, and digital assets of the organization, so that it can put in more funds toward the resources which are critical for the organization's security. Which of the following key features should SecurityTech Inc. consider in their TI plan for selecting the TI platform? A. Search B. Open C. Workflow D. Scoring

Tim is working as an analyst in an ABC organization. His organization had been facing many challenges in converting the raw threat intelligence data into meaningful contextual information. After inspection, he found that it was due to noise obtained from misrepresentation of data from huge data collections. Hence, it is important to clean the data before performing data analysis using techniques such as data reduction. He needs to choose an appropriate threat intelligence framework that automatically performs data collection, filtering, and analysis for his organization. Which of the following threat intelligence frameworks should he choose to perform such task? A. HighCharts B. SIGVERIF C. Threat grid D. TC complete

Tracy works as a CISO in a large multinational company. She consumes threat intelligence to understand the changing trends of cyber security. She requires intelligence to understand the current business trends and make appropriate decisions regarding new technologies, security budget, improvement of processes, and staff. This intelligence helps her in minimizing business risks and protecting the new technology and business initiatives. Identify the type of threat intelligence consumer is Tracy. (Page 23) A. Tactical users B. Technical users C. Operational users D. Strategic users

Tyrion, a professional hacker, is targeting an organization to steal confidential information. He wants to perform website footprinting to obtain the following information, which is hidden in the web page header. Connection status and content type Accept-ranges and last-modified information X-powered-by information Web server in use and its version Which of the following tools should Tyrion use to view header content? (Page 298) A. Hydra B. Vangaurd enforcer C. AutoShun D. Burp suite

What characterizes threat Modeling A. Is a process for capturing, organizing, and analyzing all of this information B. This also helps make informed decision making about how secure the application security risk is C. Is a structured representation of all the information that affects the security of an application. D. All of these

What is an example of Priority Intelligence Requirements (PIRs) A. Identify notable threats to the organization B. Describe threat reconnaissance activity that occurred today C. Identify cyber threats targeting related industries D. Identify the person, group, entity or asset in the organization that is being targeted

What is at the bottom level of Pyramid of Pain A. TTP B. IP address C. Domain Names D. Hash values

Which of the following advanced threat analysis techniques can be used by an analyst to fine-tune and enhance the analysis process? A. Automation B. Statistical Decision Making C. Artificial Intelligence D. Machine Learning

Which of the following components refers to a node in the network that routes the traffic from a workstation to external command and control server and helps in identification of installed malware in the network? (Page 144) A. Hub B. Network interface card (NIC) C. Repeater D. Gateway

Which of the following modifications will assist the analyst in identifying and removing noise from the data set? A. Reducing Data Overload (by reducing the amount of data in the data set). B. Identifying and Removing Logical Fallacies (e.g. by removing irrelevant data feeds) C. Identifying and Removing Cognitive Biases (e.g. avoiding common psychological traps in the analyst's thought processes) D. Prioritization of Threats (e.g. classify based on cost vs impact)

Which of the following types of data analysis uses nonnumeric techniques such as Delphi technique, brainstorming, and SWOT analysis? A. Exploratory B. Quantitative C. Predictive D. Qualitative

Which of the following types of threat attribution deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target? (Page 489) A. Campaign attribution B. Nation-state attribution C. Intrusion-set attribution D. True attribution

_______________ takes the forensic backups of systems that are the focus of an incident, in the incident response team. A. None of these B. Information security representative C. Legal representative D. Lead investigator E. Technical representative

2 HUMINT is collected from _____. A. People B. Telephone Calls C. Magazines and Newspapers D. Social Media

Which of the following is not part of the data analysis process? A. Transforming and/or Modeling Data B. Collecting bulk data. C. Examining bulk data. D. Filtering bulk data.

In which of the following forms of bulk data collection are large amounts of data first collected from multiple sources in multiple formats and then processed to achieve threat intelligence? (Page 382) A. Structured form B. Unstructured form C. Hybrid form D. Production form

9 OSINT can be obtained from _____. A. RF Signals and Telemetry Transmissions B. Encrypted wireless networks C. Websites, Magazines, and Newspapers D. Telephone Calls both Landline and Cellular

11 Which of the following are included in the Indicators of Compromise section of an intelligence report? A. names of vulnerabilities B. URLs, email addresses, and filenames C. timelines of attacks D. tests used to find a compromise

12 Which of the following web tools is used to access and collect data from the deep web? A. Opera B. Tor Browser C. Vivaldi D. Duck, Duck, Go

21 A/an _____ is a potential occurrence of a/an ___ event which can eventually cause harm or loss. A. None of the listed choices are correct. B. vulnerability ... unpredictable C. attack ... risk D. threat ... undesired

22 What is the purpose of a gap analysis when reviewing a threat intelligence program? A. to identify unmet requirements B. to identify people, processes, and technologies which need improvement C. All listed choices are correct. D. to evaluate how closely results match original objectives

23 An analyst has been tasked to examine computer process lists to identify use of the Command Line Interface by attackers. What specific characteristic is indicative of attackers? A. process ID's below 1000 or above 10,000 B. blank parent process ID field C. inactive processes D. process names or ID's consisting of arbitrary letters and numbers

23 The board of directors is reviewing the latest budget for the company and disagrees with the CIO's prioritization of cybersecurity threat intelligence over new servers for an overloaded and underpowered e-commerce system. What type of threat intelligence reports could be used to best defend the budget prioritization? A. Tactical Intelligence Reports B. Operational Intelligence Reports C. Incident Intelligence Reports D. Strategic Intelligence Reports

23 Why would a threat analyst perform website footprinting on the company's own websites? A. To inventory the websites so that they can be included in a risk assessment report. B. None of the listed sources is appropriate for this task. C. To gain experience using the tools that attackers use. D. To gain an understanding of what information an attacker could find and exploit.

23 During the process of threat intelligence analysis, John, a threat analyst, successfully extracted an indication of adversary's information, such as Modus operandi, tools, communication channels, and forensics evasion strategies used by the adversaries. Identify the type of threat intelligence analysis is performed by John A. Operational threat intelligence analysis B. Technical threat intelligence analysis C. Strategic threat intelligence analysis D. Tactical threat intelligence analysis

24 A government agency has discovered that it was penetrated by an Advanced Persistent Threat. What type information was LEAST likely to have been targeted by the attackers? A. Credit card information B. Classified documents C. User credentials D. Web pages for public websites

24 Kim, an analyst, is looking for an intelligence-sharing platform to gather and share threat information from a variety of sources. He wants to use this information to develop security policies to enhance the overall security posture of his organization. Which of the following sharing platforms should be used by Kim? A. PortDroid network analysis B. OmniPeek C. Cuckoo sandbox D. Blueliv threat exchange network

25 Which Threat Intelligence Strategy can be used to estimate and plan for the future? A. Intelligence Buy-in B. Threat Reports C. Threat Intelligence Requirement Analysis D. Threat Trending

Which step in CTI cinvolves prioritizing your objectives in adherence to your organization's core values. A. Processing B. Collection C. Analysis D. Planning and Direction

27 Which one of the following performance metric measures the number of relevant IoCs received and prepares the organization to efficiently and effectively defend against various evolving threats? A. Feedback and remarks B. Threat classification C. Time taken to detect incidents D. Encounter rate

28 Why is strategic threat intelligence generally not shared externally? A. To reduce the cost of production and dissemination. B. None of the listed choices are correct. C. Strategic Intelligence is generally not applicable to or not actionable by other organizations. D. To reduce the likelihood of exposing strategic business plans.

29 How can an organization make sure that its threat intelligence program focuses on the most likely threats? A. By evaluating the impacts on data and assets B. By prioritizing risks collected from subject matter experts C. By identifying the most active threat actors D. By considering the needs and requirements of all business units

29 In the context of the Cyber Kill Chain, what is meant by "weaponization?" A. Creating a logic bomb for delivery to the target systems or networks B. Building malware that targets a nation's critical infrastructures. C. None of the listed choices are correct. D. Tailoring of an exploit using information previously gathered by reconnaissance of a target

3 What is a gateway? A. A virtual private network server B. None of the listed choices are correct. C. A network interface controller (NIC) D. A network node that routes traffic to external networks

3 What is the defining characteristic of a risk? A. loss or harm B. impact on assets C. None of the listed choices is correct. D. uncertainty of an adverse event

3 Which of the following are application threat vectors? A. Footprinting and Profiling B. Arbitrary Code Execution and Password Attacks C. Privilege Escalation and Backdoor Attacks D. Hidden-field Manipulation and SQL injection.

30 What is the benefit to searching for an attacker's Command and Control (C&C) Servers ? A. Geographic location information can help identify which group(s) are responsible for the APT. B. Identifying C&C servers can help analysts identify and collect forensic data about an attack C. Monitoring traffic to the attacker's C&C server can help analysts identify compromised assets and data. D. All listed choices are correct.

31 Choose the best description of the differences between data, information, and intelligence. A. Intelligence is developed by human analysts using the results of automated collection processes. B. When data are processed completely and put into a context, they become intelligence. C. Data and information, combined together, become the intelligence required to plan a course of action or response. D. Intelligence supports decision making and is developed from processing data and interpreting / analyzing information.

Data Clustering is the process of ____. A. Graphing data by sources and destinations. B. Grouping data by ranges. C. Graphing data by indicators. D. Grouping data by similarities.

A threat analyst obtains an intelligence related to a threat, where the data is sent in the form of a connection request from a remote host to the server. From this data, he obtains only the IP address of the source and destination but no contextual information. While processing this data, he obtains contextual information stating that multiple connection requests from different geo-locations are received by the server within a short time span, and as a result, the server is stressed and gradually its performance has reduced. He further performed analysis on the information based on the past and present experience and concludes the attack experienced by the client organization. Which of the following attacks is performed on the client organization? (Page 128) A. DHCP attacks B. Bandwidth attack C. MAC spoofing attack D. Distributed Denial-of-Service (DDoS) attack

11 Which of the following factors affect data reliability? A. None of the listed choices are correct. B. accountability and auditability C. confidentiality, integrity, and availability D. relevance, credibility,and availability

14 Which of the following teams can benefit from having access to Cyber Threat Intelligence? A. SIEM Management Team B. Forensics Team C. Incident Response Teams D. All listed choices are correct.

17 After an organization has identified threats, what should be the next step? A. Assess the costs or impacts of each threat. B. Identify network access points which threats could exploit. C. Calculate the probability of the threats. D. Identify risks associated with each threat.

18 Which of the following characteristics of a Threat Intelligence Solution will assist in the management of SIEM capabilities? A. Automate Data Collection Process B. Enhance Patch Management C. Provide Informed Analysis and Prediction D. Integrate with Security Controls

20 How does the Cyber Kill Chain Methodology benefit a threat intelligence analyst? A. the kill chain identifies technologies that analysts can take to prevent an attack B. None of the listed choices are correct. C. when attackers follow the methodology, killing their attacks is easier D. it helps analysts identify steps that adversaries take to accomplish their goals

20 A/an ____ is a breach of a system which takes advantage of a ____. A. vulnerability ... exploit B. None of the listed choices are correct. C. threat ... Loophole D. exploit ... vulnerability

__________ is an analytic process that rejects hypotheses that contain too many inconsistent data points. A. Abductive Reasoning B. Hypothesis Testing C. Analysis of Prescient Intelligence D. Analysis of Competing Hypotheses

CTIA

Ensembles d'études connexes

A&P chapter 10 blood

Life Insurance Exam

Philosophy final (Test 1 and Test 2 Questions)

Finance 320 Final Quiz Questions First 2 chapters

Bio 101 Exam 1 Marshell

Microbiology Week 1

BIO microevolution LOs

PHILIPPINE ELECTRICAL CODE (PEC 2017)

Earth 101 mid term ch.1-6

AUDIT Chapter 3 - Audit Reports (Textbook Questions)

Digestive System

Adult Health 1 PrepU Quizzes

Biz Law Chapter 11

MBA 630

MEYERS UNIT 3 Practice test questions (robb)

MUSC 205

ATI - Bowel Elimination (17)

Chem Lab Final Weeks 1-7

Chapter 2 Prep U (Study Guide for Health Promotion Exam 1)

PrepU PEDS