Eccouncil 312-85 Exam Practice Test Instant Access

Question 1

Bob, a threat analyst, works in an organization named TechTop. He was asked to collect intelligence to fulfil the needs and requirements of the Red Tam present within the organization.

Which of the following are the needs of a RedTeam?

AIntelligence related to increased attacks targeting a particular software or operating system vulnerability

BIntelligence on latest vulnerabilities, threat actors, and their tactics, techniques, and procedures (TTPs)

CIntelligence extracted latest attacks analysis on similar organizations, which includes details about latest threats and TTPs

DIntelligence that reveals risks related to various strategic business decisions

Answer : B

Red Teams are tasked with emulating potential adversaries to test and improve the security posture of an organization. They require intelligence on the latest vulnerabilities, threat actors, and their TTPs to simulate realistic attack scenarios and identify potential weaknesses in the organization's defenses. This information helps Red Teams in crafting their attack strategies to be as realistic and relevant as possible, thereby providing valuable insights into how actual attackers might exploit the organization's systems. This need contrasts with the requirements of other teams or roles within an organization, such as strategic decision-makers, who might be more interested in intelligence related to strategic risks or Blue Teams, which focus on defending against and responding to attacks. Reference:

Red Team Field Manual (RTFM)

MITRE ATT&CK Framework for understanding threat actor TTPs

Question 2

Andrews and Sons Corp. has decided to share threat information among sharing partners. Garry, a threat analyst, working in Andrews and Sons Corp., has asked to follow a trust model necessary to establish trust between sharing partners. In the trust model used by him, the first organization makes use of a body of evidence in a second organization, and the level of trust between two organizations depends on the degree and quality of evidence provided by the first organization.

Which of the following types of trust model is used by Garry to establish the trust?

AMediated trust

BMandated trust

CDirect historical trust

DValidated trust

Answer : D

In the trust model described, where trust between two organizations depends on the degree and quality of evidence provided by the first organization, the model in use is 'Validated Trust.' This model relies on the validation of evidence or credentials presented by one party to another to establish trust. The validation process assesses the credibility, reliability, and relevance of the information shared, forming the basis of the trust relationship between the sharing partners. This approach is common in threat intelligence sharing where the accuracy and reliability of shared information are critical. Reference:

'Building a Cybersecurity Culture,' ISACA

'Trust Models in Information Security,' Journal of Internet Services and Applications

Question 3

Which of the following characteristics of APT refers to numerous attempts done by the attacker to gain entry to the target's network?

ARisk tolerance

BTimeliness

CAttack origination points

DMultiphased

Answer : D

Advanced Persistent Threats (APTs) are characterized by their 'Multiphased' nature, referring to the various stages or phases the attacker undertakes to breach a network, remain undetected, and achieve their objectives. This characteristic includes numerous attempts to gain entry to the target's network, often starting with reconnaissance, followed by initial compromise, and progressing through stages such as establishment of a backdoor, expansion, data exfiltration, and maintaining persistence. This multiphased approach allows attackers to adapt and pursue their objectives despite potential disruptions or initial failures in their campaign. Reference:

'Understanding Advanced Persistent Threats and Complex Malware,' by FireEye

MITRE ATT&CK Framework, detailing the multiphased nature of adversary tactics and techniques

Question 4

Kathy wants to ensure that she shares threat intelligence containing sensitive information with the appropriate audience. Hence, she used traffic light protocol (TLP).

Which TLP color would you signify that information should be shared only within a particular community?

ARed

BWhite

CGreen

DAmber

Answer : D

In the Traffic Light Protocol (TLP), the color amber signifies that the information should be limited to those who have a need-to-know within the specified community or organization, and not further disseminated without permission. TLP Red indicates information that should not be disclosed outside of the originating organization. TLP Green indicates information that is limited to the community but can be disseminated within the community without restriction. TLP White, or TLP Clear, indicates information that can be shared freely with no restrictions. Therefore, for information meant to be shared within a particular community with some restrictions on further dissemination, TLP Amber is the appropriate designation. Reference:

FIRST (Forum of Incident Response and Security Teams) Traffic Light Protocol (TLP) Guidelines

CISA (Cybersecurity and Infrastructure Security Agency) TLP Guidelines

Question 5

H&P, Inc. is a small-scale organization that has decided to outsource the network security monitoring due to lack of resources in the organization. They are looking for the options where they can directly incorporate threat intelligence into their existing network defense solutions.

Which of the following is the most cost-effective methods the organization can employ?

ARecruit the right talent

BLook for an individual within the organization

CRecruit data management solution provider

DRecruit managed security service providers (MSSP)

Answer : D

For H&P, Inc., a small-scale organization looking to outsource network security monitoring and incorporate threat intelligence into their network defenses cost-effectively, recruiting a Managed Security Service Provider (MSSP) would be the most suitable option. MSSPs offer a range of services including network security monitoring, threat intelligence, incident response, and compliance management, often at a lower cost than maintaining an in-house security team. This allows organizations to benefit from expert services and advanced security technologies without the need for significant resource investment. Reference:

'The Benefits of Managed Security Services,' by Gartner

'How to Choose a Managed Security Service Provider (MSSP),' by CSO Online

Question 6

Tyrion, a professional hacker, is targeting an organization to steal confidential information. He wants to perform website footprinting to obtain the following information, which is hidden in the web page header.

Connection status and content type

Accept-ranges and last-modified information

X-powered-by information

Web server in use and its version

Which of the following tools should the Tyrion use to view header content?

AHydra

BAutoShun

CVanguard enforcer

DBurp suite

Answer : D

Burp Suite is a comprehensive tool used for web application security testing, which includes functionality for viewing and manipulating the HTTP/HTTPS headers of web page requests and responses. This makes it an ideal tool for someone like Tyrion, who is looking to perform website footprinting to gather information hidden in the web page header, such as connection status, content type, server information, and other metadata that can reveal details about the web server and its configuration. Burp Suite allows users to intercept, analyze, and modify traffic between the browser and the web server, which is crucial for uncovering such hidden information. Reference:

'Burp Suite Essentials' by Akash Mahajan

Official Burp Suite Documentation

Question 7

An organization suffered many major attacks and lost critical information, such as employee records, and financial information. Therefore, the management decides to hire a threat analyst to extract the strategic threat intelligence that provides high-level information regarding current cyber-security posture, threats, details on the financial impact of various cyber-activities, and so on.

Which of the following sources will help the analyst to collect the required intelligence?

AActive campaigns, attacks on other organizations, data feeds from external third parties

BOSINT, CTI vendors, ISAO/ISACs

CCampaign reports, malware, incident reports, attack group reports, human intelligence

DHuman, social media, chat rooms

Answer : B

For gathering strategic threat intelligence that provides a high-level overview of the current cybersecurity posture, potential financial impacts of cyber activities, and overarching threats, sources such as Open Source Intelligence (OSINT), Cyber Threat Intelligence (CTI) vendors, and Information Sharing and Analysis Organizations (ISAOs)/Information Sharing and Analysis Centers (ISACs) are invaluable. OSINT involves collecting data from publicly available sources, CTI vendors specialize in providing detailed threat intelligence services, and ISAOs/ISACs facilitate the sharing of threat data within specific industries or communities. These sources can provide broad insights into threat landscapes, helping organizations understand how to align their cybersecurity strategies with current trends and threats. Reference:

'Cyber Threat Intelligence: Sources and Methods,' by Max Kilger, Ph.D., SANS Institute Reading Room

'Open Source Intelligence (OSINT): An Introduction to the Basic Concepts and the Potential Benefits for Information Security,' by Kevin Cardwell, IEEE Xplore

Eccouncil Certified Threat Intelligence Analyst 312-85 Exam Practice Test