Practice Free 312-85 Certified Threat Intelligence Analyst (CTIA) Exam Questions Answers With Explanation

The phase described where John, after gaining initial access, is attempting to obtain administrative credentials to further access systems within the network, is known as the 'Expansion' phase of an Advanced Persistent Threat (APT) lifecycle. This phase involves the attacker expanding their foothold within the target's environment, often by escalating privileges, compromising additional systems, and moving laterally through the network. The goal is to increase control over the network and maintain persistence for ongoing access. This phase follows the initial intrusion and sets the stage for establishing long-term presence and eventual data exfiltration or other malicious objectives.

FININT (Financial Intelligence) refers to the collection, processing, and analysis of financial transaction data to identify suspicious or illicit activities such as fraud, money laundering, terrorist financing, or financial crimes.

In this scenario, the analyst is investigating unusual financial transaction patterns, which is exactly the purpose of financial intelligence.

Key Features of FININT:

Focuses on financial data sources, including transaction records, wire transfers, and account statements.

Helps detect illicit financial flows or abnormal transaction behaviors.

Used by banks, financial institutions, and government agencies to identify and prevent financial crimes.

Often shared with intelligence agencies and regulatory bodies to support counter-fraud and anti-money laundering operations.

Why the Other Options Are Incorrect:

A. OSINT:Refers to publicly available information such as websites, news, or social media. It is not specific to financial transaction data.

B. CHIS:Refers to human intelligence sources obtained through personal or covert interaction, not financial data analysis.

C. TECHINT:Refers to intelligence gathered from technical sources such as sensors or electronic systems, not financial records.

Conclusion:

The correct intelligence type used to analyze suspicious financial transactions is FININT (Financial Intelligence).

Final Answer: D. FININT

Explanation Reference (Based on CTIA Study Concepts):

As per CTIA threat intelligence classifications, FININT involves collecting and analyzing financial data to detect and mitigate fraudulent or criminal activities.

The phase described involves defining and setting up what intelligence needs to be collected before the actual collection process begins. This aligns with the Intelligence Requirements phase of the threat intelligence lifecycle.

Intelligence Requirements define what information is needed and why it is needed to support decision-making or intelligence production. These requirements guide the collection and analysis processes by specifying the goals and priorities of intelligence gathering.

Kira’s focus should be on determining the exact intelligence needs that will later drive the production of actionable insights.

Why the Other Options Are Incorrect:

A. Production requirements: Concerned with how intelligence reports and outputs will be formatted and disseminated after analysis, not what data should be collected.

C. Business requirements: Focus on organizational goals or project objectives, not specific intelligence needs.

D. Collection requirements: Define how and from where to gather data, but are based on intelligence requirements, which come first.

Conclusion:

Kira should define Intelligence Requirements, which determine what must be collected to fulfill intelligence production needs.

Final Answer: B. Intelligence requirements

Explanation Reference (Based on CTIA Study Concepts):

In the CTIA threat intelligence lifecycle, defining intelligence requirements is the first stage and establishes the foundation for effective intelligence collection and production.

Burp Suite is a comprehensive tool used for web application security testing, which includes functionality for viewing and manipulating the HTTP/HTTPS headers of web page requests and responses. This makes it an ideal tool for someone like Tyrion, who is looking to perform website footprinting to gather information hidden in the web page header, such as connection status, content type, server information, and other metadata that can reveal details about the web server and its configuration. Burp Suite allows users to intercept, analyze, and modify traffic between the browser and the web server, which is crucial for uncovering such hidden information.

Strategic Threat Intelligence provides high-level insights into the overall threat landscape, long-term trends, and the potential impact of emerging cyber threats on business operations and strategy. It is primarily designed for executives, policymakers, and senior management to make informed decisions that align with organizational goals and risk tolerance.

This intelligence type translates complex technical data into business-relevant language, helping leadership understand:

The motives and objectives of threat actors.

The geopolitical or industry trends affecting cybersecurity risk.

The overall security posture and areas requiring investment.

How to allocate resources for long-term resilience and compliance.

Why the Other Options Are Incorrect:

A. Operational Threat Intelligence:Focuses on ongoing campaigns and immediate threats relevant to security operations and incident response teams.

B. Tactical Threat Intelligence:Deals with adversary Tactics, Techniques, and Procedures (TTPs) and is used by SOC and defense analysts for short-term defensive actions.

D. Technical Threat Intelligence:Focuses on technical indicators such as IP addresses, hashes, and URLs, used for detection and blocking within security tools.

Conclusion:

For a CEO focusing on long-term strategic decisions and organizational resilience, the most valuable form of threat intelligence is Strategic Threat Intelligence.

Final Answer: C. Strategic Threat Intelligence

Explanation Reference (Based on CTIA Study Concepts):

As outlined in CTIA’s section on Types of Threat Intelligence, strategic threat intelligence provides executive-level insights for planning and governance, supporting risk management and long-term decision-making.

The methodology described—iterative and incremental prioritization of requirements based on importance—perfectly aligns with the MoSCoW method.

MoSCoW stands for:

M – Must have (critical requirements that are mandatory),

S – Should have (important but not essential),

C – Could have (desirable but optional),

W – Won’t have (this time) (deferred or out of scope).

It is widely used in security, risk management, and software development to determine the priority of tasks or requirements that should be implemented first.

By applying MoSCoW, Marry ensures that critical security requirements (such as protecting core assets) are addressed first before moving on to less critical ones.

Why the Other Options Are Incorrect:

A. Data sampling: Refers to statistical analysis methods, not prioritization.

C. Data visualization: Used to represent data graphically, not for setting priorities.

D. Fusion analysis: Used to integrate multiple data sources for intelligence analysis, not requirement prioritization.

Conclusion:

Marry should use the MoSCoW prioritization methodology to structure and prioritize her organization’s security requirements.

Final Answer: B. MoSCoW

Explanation Reference (Based on CTIA Study Concepts):

In CTIA’s requirement prioritization and planning stages, MoSCoW is used to assign importance levels to intelligence and security requirements for efficient implementation.

In the Threat Intelligence Sharing Model, the Public Tier is used when information is of low sensitivity and can be shared widely across communities, industry groups, or the public domain.

This tier is ideal for sharing generalized threat data, advisories, or non-sensitive indicators that do not pose risks to the organization if disclosed.

Why the Other Options Are Incorrect:

Private tier: Used for highly sensitive intelligence shared only within a small internal group or trusted partners.

Targeted tier: Shared with specific, predefined organizations or partners with a need-to-know basis.

Multitier: Involves multiple sharing levels but is not a standard individual tier type.

Conclusion:

Henry should use the Public Tier, suitable for broader sharing of low-sensitivity information.

Final Answer: B. Public tier

Explanation Reference (Based on CTIA Study Concepts):

As per CTIA’s “Threat Intelligence Sharing Framework,” the public tier enables dissemination of low-sensitivity threat intelligence to trusted communities for collaborative defense.

Passive DNS monitoring involves collecting data about DNS queries and responses without actively querying DNS servers, thereby not altering or interfering with DNS traffic. This technique allows analysts to track changes in DNS records and observe patterns that may indicate malicious activity. In the scenario described, Enrique is employing passive DNS monitoring by using a recursive DNS server to log the responses received from name servers, storing these logs in a central database for analysis. This approach is effective for identifying malicious domains, mapping malware campaigns, and understanding threat actors' infrastructure without alerting them to the fact that they are being monitored. This method is distinct from active techniques such as DNS interrogation or zone transfers, which involve sending queries to DNS servers, and dynamic DNS, which refers to the automatic updating of DNS records.

Information Sharing and Analysis Centers (ISACs) are nonprofit organizations established to facilitate secure sharing of threat intelligence among companies within a specific industry sector.

ISACs provide:

A trusted platform for sharing cyber threat indicators.

Secure mechanisms for communication and collaboration.

Analytical services that enhance shared threat data for participating members.

Each ISAC is industry-specific (for example, Financial Services ISAC, Energy ISAC) and provides members with reports, advisories, and data analytics to strengthen collective defense.

Why the Other Options Are Incorrect:

Trading partners: Share intelligence directly between organizations with established business relationships.

Informal contacts: Represent ad hoc, trust-based sharing without a formal structure.

Commercial vendors: Offer paid threat intelligence feeds or services, not nonprofit community-based sharing.

Conclusion:

Tech Knights Inc. should use an Information Sharing and Analysis Center (ISAC) to share intelligence securely and collaboratively.

Final Answer: B. Information Sharing and Analysis Centers (ISACs)

Explanation Reference (Based on CTIA Study Concepts):

According to CTIA’s section on “Information Sharing Models,” ISACs are nonprofit entities that promote collaboration and data exchange for cyber threat intelligence within industry sectors.

The described activity involves pretending to be a legitimate or authorized person in order to gather sensitive information. This social engineering technique is known as Impersonation.

Impersonation is a form of deception in which the attacker pretends to be someone else — such as an employee, contractor, or service technician — to gain access to restricted information or areas. In this method, the attacker often relies on trust, authority, or familiarity to manipulate others into revealing confidential data.

In the scenario, the analyst obtained information by observing terminals, searching desks, and examining bins while pretending to be a trusted individual. This fits the definition of impersonation rather than other social engineering methods.

Why the Other Options Are Incorrect:

Shoulder surfing: Involves directly observing someone’s screen or keyboard to capture credentials or data, not pretending to be someone else.

Piggybacking: Refers to physically following an authorized person into a restricted area without proper authentication.

Dumpster diving: Involves searching discarded items, such as trash or recycle bins, to find confidential information, without human interaction or pretense.

Conclusion:

The analyst used Impersonation to pose as an authorized person and collect sensitive data.

Final Answer: A. Impersonation

Explanation Reference (Based on CTIA Study Concepts):

From the CTIA study materials under “Social Engineering and Threat Collection Techniques,” impersonation is identified as a key human-based technique for gathering information during reconnaissance.

Normalization in the context of data analysis refers to the process of organizing data to reduce redundancy and improve efficiency in storing and sharing. By filtering, tagging, and queuing, Miley is effectively normalizing the data—converting it from various unstructured formats into a structured, more accessible format. This makes the data easier to analyze, store, and share. Normalization is crucial in cybersecurity and threat intelligence to manage the vast amounts of data collected and ensure that only relevant data is retained and analyzed. This technique contrasts with sandboxing, which is used for isolating and analyzing suspicious code; data visualization, which involves representing data graphically; and convenience sampling, which is a method of sampling where samples are taken from a group that is conveniently accessible.

ABC cyber-security company, which has implemented automation for tasks such as data enrichment and indicator aggregation and has joined various communities to increase knowledge about emerging threats, is demonstrating characteristics of a Level 3 maturity in the threat intelligence maturity model. At this level, organizations have a formal Cyber Threat Intelligence (CTI) program in place, with processes and tools implemented to collect, analyze, and integrate threat intelligence into their security operations. Although they may still be reactive in detecting and preventing threats, the existence of structured CTI capabilities indicates a more developed stage of threat intelligence maturity.

In the trust model described, where trust between two organizations depends on the degree and quality of evidence provided by the first organization, the model in use is 'Validated Trust.' This model relies on the validation of evidence or credentials presented by one party to another to establish trust. The validation process assesses the credibility, reliability, and relevance of the information shared, forming the basis of the trust relationship between the sharing partners. This approach is common in threat intelligence sharing where the accuracy and reliability of shared information are critical.

For intelligence to be effectively disseminated and utilized by consumers, it must be presented in a manner that is concise, accurate, easily understandable, and engaging. This involves a careful balance of narrative, numerical data, tables, graphics, and potentially multimedia elements to convey the information clearly and compellingly. The right presentation takes into account the preferences and needs of the intelligence consumers, as well as the context and urgency of the information. By focusing on how the intelligence is presented, the analyst ensures that the content is not only consumed but also actionable, facilitating informed decision-making.

The description focuses on contextual information about events and incidents, including attacker methodologies, risks, and historical malicious activity. This aligns with Operational Threat Intelligence.

Operational Threat Intelligence provides actionable insights about current or recent attacks, giving context that supports incident response and security operations. It connects individual technical indicators with the larger picture of attacker campaigns and motives.

Why the Other Options Are Incorrect:

B. Strategic threat intelligence: Focuses on long-term, high-level planning for executives.

C. Technical threat intelligence: Deals with raw indicators such as hashes, IPs, and URLs.

D. Tactical threat intelligence: Focuses on adversary TTPs for defense operations, not contextual event analysis.

Conclusion:

John is performing Operational Threat Intelligence, which enriches event data with contextual information for investigation and response.

Final Answer: A. Operational threat intelligence

Explanation Reference (Based on CTIA Study Concepts):

CTIA defines operational threat intelligence as intelligence that provides context for incidents and ongoing attacks, helping organizations understand threats at a campaign or activity level.

The scenario describes a trust establishment process where one organization bases its trust in another on the degree and quality of evidence that the second organization provides. This concept is known as Validated Trust.

Validated Trust is built through the verification and assessment of presented evidence such as certifications, security audits, compliance documentation, or past performance. The higher the credibility and quality of the evidence, the greater the level of trust established.

This type of trust is evidence-based, meaning it does not rely solely on previous interactions or third-party mediation but on verifiable proof provided directly between the entities involved.

Why the Other Options Are Incorrect:

A. Mandated Trust:This is imposed by regulation, policy, or authority. It is not based on evidence but on obligation or requirement.

B. Direct Historical Trust:This trust is formed from prior experiences and a consistent history of interactions between the entities. It does not depend on new evidence or documentation.

D. Mediated Trust:This form of trust is established through an intermediary (such as a trusted third party or certificate authority) who vouches for the credibility of one organization to another.

Conclusion:

The process where trust is established based on the degree and quality of evidence provided by one party is known as Validated Trust.

Final Answer: C. Validated Trust

Explanation Reference (Based on CTIA Study Concepts):

According to the CTIA study topics under “Information Sharing and Trust Establishment,” validated trust is the level of confidence gained through verification of tangible evidence, certifications, or attestations demonstrating security assurance and reliability.

The attack described, where multiple connection requests from different geo-locations are received by a server within a short time span leading to stress and reduced performance, is indicative of a Distributed Denial-of-Service (DDoS) attack. In a DDoS attack, the attacker floods the target's resources (such as a server) with excessive requests from multiple sources, making it difficult for the server to handle legitimate traffic, leading to degradation or outright unavailability of service. The use of multiple geo-locations for the attack sources is a common characteristic of DDoS attacks, making them harder to mitigate.

For Alice to perform qualitative data analysis, techniques such as brainstorming, interviewing, SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis, and the Delphi technique are suitable. Unlike quantitative analysis, which involves numerical calculations and statistical modeling, qualitative analysis focuses on understanding patterns, themes, and narratives within the data. These techniques enable the analyst to explore the data's deeper meanings and insights, which are essential for strategic decision-making and developing a nuanced understanding of cybersecurity threats and vulnerabilities.

To retrieve historical information about a company's website, including content that may have been removed or altered, Alison should use the Internet Archive's Wayback Machine, accessible at https://archive.org . The Wayback Machine is a digital archive of the World Wide Web and other information on the Internet, providing free access to snapshots of websites at various points in time. This tool is invaluable for researchers and analysts looking to understand the evolution of a website or recover lost information.

The scenario described by Steve's observations, where multiple logins are occurring from different locations in a short time span, especially from locations where the organization has no business relations, points to 'Geographical anomalies' as a key indicator of compromise (IoC). Geographical anomalies in logins suggest unauthorized access attempts potentially made by attackers using compromised credentials. This is particularly suspicious when the locations of these logins do not align with the normal geographical footprint of the organization's operations or employee locations. Monitoring for such anomalies can help in the early detection of unauthorized access and potential data breaches.

In the scenario described, where attackers have penetrated the network and are staging data for exfiltration, Jim should focus on monitoring network traffic for signs of malicious file transfers, implement file integrity monitoring, and scrutinize event logs. This approach is crucial for detecting unusual activity that could indicate data staging, such as large volumes of data being moved to uncommon locations, sudden changes in file integrity, or suspicious entries in event logs. Early detection of these indicators can help in identifying the staging activity before the data is exfiltrated from the network.