CREST Registered Threat Intelligence Analyst (CRTIA) Practice Exam (100 Questions)
QUESTIONS AND CORRECT ANSWERS GRADE A
1. What is the primary objective of the Diamond Model of Intrusion Analysis?
A) To classify malware families
B) To map adversary infrastructure
C) To analyze intrusion activity through four core features: adversary, capability,
infrastructure, victim
D) To calculate risk scores for vulnerabilities
**ANSWER: C**
**EXPLANATION:** The Diamond Model provides a structured approach for analyzing
intrusions by examining relationships between adversaries, their capabilities,
infrastructure used, and victims targeted.
2. Which of the following BEST describes the difference between Indicators of Compromise
(IOCs) and Indicators of Attack (IOAs)?
A) IOCs are technical artifacts, IOAs are behavioral patterns
B) IOCs are reactive, IOAs are proactive
C) IOCs are always hash-based, IOAs are always network-based
D) IOCs focus on what happened, IOAs focus on what is happening
**ANSWER: B**
**EXPLANATION:** IOCs are forensic artifacts used for detection after compromise, while
IOAs are behavioral indicators used to detect attacks in progress before damage occurs.
3. According to the MITRE ATT&CK framework, which tactic involves "developing and
acquiring capabilities that can be used for targeting"?
A) Resource Development
B) Initial Access
C) Persistence
D) Privilege Escalation
**ANSWER: A**
**EXPLANATION:** Resource Development (TA0042) involves adversaries building
capabilities before conducting operations, including developing malware, acquiring
infrastructure, or establishing accounts.
4. What is the PRIMARY purpose of the Cyber Kill Chain framework?
A) To classify malware persistence mechanisms
B) To describe stages of a targeted cyber attack from reconnaissance to data exfiltration
C) To calculate the financial impact of breaches
D) To map network vulnerabilities
**ANSWER: B**
**EXPLANATION:** Developed by Lockheed Martin, the Cyber Kill Chain describes seven
stages of a cyber attack: Reconnaissance, Weaponization, Delivery, Exploitation,
Installation, Command & Control, and Actions on Objectives.
5. Which intelligence collection discipline involves gathering information from publicly
available sources?
A) OSINT
B) HUMINT
C) SIGINT
D) GEOINT
**ANSWER: A**
**EXPLANATION:** Open Source Intelligence (OSINT) involves collecting and analyzing
information from publicly available sources such as websites, social media, forums, and
public databases.
6. In the context of threat intelligence, what does TTP stand for?
A) Tactics, Techniques, and Procedures
B) Threat Tracking Protocol
C) Technical Threat Profile
D) Targeted Threat Pattern
**ANSWER: A**
**EXPLANATION:** TTPs refer to the patterns of activities or methods associated with
specific threat actors, describing how they operate across the attack lifecycle.
7. Which of the following is a key characteristic of Strategic Threat Intelligence?
A) Focused on specific indicators like IP addresses and hashes
B) Used by SOC analysts for immediate incident response
C) Provides high-level insights for executive decision-making
D) Contains technical details about malware behavior
**ANSWER: C**
**EXPLANATION:** Strategic intelligence is broad, long-term intelligence used by
executives and decision-makers to understand the threat landscape, risk posture, and
inform security strategy.
8. What is the PRIMARY purpose of the STIX (Structured Threat Information Expression)
framework?
A) To automate malware analysis
B) To standardize the representation of cyber threat information
C) To encrypt threat intelligence feeds
D) To classify threat actor motivations
**ANSWER: B**
**EXPLANATION:** STIX is a standardized language for describing cyber threat information
in a consistent and machine-readable format, facilitating sharing and analysis.
9. According to the Intelligence Cycle, which phase involves transforming collected
information into usable intelligence?
A) Collection
B) Processing
C) Analysis
D) Dissemination
**ANSWER: B**
**EXPLANATION:** The Processing phase involves converting raw collected data into a
form suitable for analysis, including translation, decryption, and data reduction.
10. What is the difference between a Threat Actor and an Advanced Persistent Threat
(APT)?
A) APTs are always state-sponsored, threat actors can be anyone
B) APTs refer to sophisticated, organized groups with sustained operations; threat actor is
a broader term
C) Threat actors only target financial gain, APTs target intellectual property
D) APTs are always detected within 24 hours, threat actors may operate undetected for
years
**ANSWER: B**
**EXPLANATION:** APT refers specifically to sophisticated, often state-sponsored groups
conducting prolonged, targeted campaigns. Threat actor is a broader term encompassing
all individuals or groups conducting cyber attacks.
11. Which of the following BEST describes the purpose of the CybOX (Cyber Observable
Expression) language?
A) To describe network security policies