SANS FOR578 / GIAC GCTI CERTIFICATION EXAM PREP
LATEST EXAM QUESTIONS AND VERIFIED ANSWERS
GRADED A+ | WITH RATIONALES
1. What is counterintelligence?
a) The process of gathering intelligence on competitors
b) The identification, assessment, and neutralisation of adversary intelligence activities
c) The analysis of internal organizational threats
d) The development of cybersecurity tools
Answer: b) The identification, assessment, and neutralisation of adversary intelligence activities
Rationale: Counterintelligence focuses on identifying and mitigating adversarial intelligence efforts that threaten an organization.
2. Which type of memory is the most critical in intelligence analysis and why?
a) Long-term memory, as it stores historical data
b) Working memory, as it processes inputs and determines storage
c) Sensory memory, as it captures immediate inputs
d) Short-term memory, as it retains recent information
Answer: b) Working memory, as it processes inputs and determines storage
Rationale: Working memory is critical because it processes incoming data and decides whether to store it in long-term or short-term memory.
3. What is template matching?
a) A theory that objects are stored as templates in long-term memory
b) A method for comparing malware signatures
c) A technique for identifying network anomalies
d) A process for mapping threat actors
Answer: a) A theory that objects are stored as templates in long-term memory
Rationale: Template matching suggests that the brain processes and stores objects as templates for future recognition.
4. Compare System 1 and System 2 thinking.
a) System 1 - analytical, slow; System 2 - intuitive, fast
b) System 1 - intuitive, fast; System 2 - analytical, slow
c) System 1 - methodical, slow; System 2 - creative, fast
d) System 1 - logical, fast; System 2 - emotional, slow
Answer: b) System 1 - intuitive, fast; System 2 - analytical, slow
Rationale: System 1 is fast and intuitive, while System 2 is slow and analytical, requiring deliberate effort.
5. Which system of thinking requires mental models?
a) System 1
b) System 2
c) Both System 1 and System 2
d) Neither System 1 nor System 2
Answer: a) System 1
Rationale: System 1 relies on mental models for quick, intuitive decision-making.
6. What is an activity group?
a) A single intrusion event
b) A clustering of intrusions covering two or more phases in the Diamond Model
c) A group of unrelated cyber incidents
d) A collection of malware samples
Answer: b) A clustering of intrusions covering two or more phases in the Diamond Model
Rationale: An activity group represents a series of related intrusions across multiple phases of an attack.
7. What is a key indicator?
a) An indicator that changes frequently
b) An indicator that remains constant across multiple intrusions and uniquely distinguishes a campaign
c) An indicator used only for internal analysis
d) An indicator that is irrelevant to threat detection
Answer: b) An indicator that remains constant across multiple intrusions and uniquely distinguishes a campaign
Rationale: Key indicators are consistent across intrusions and help identify specific campaigns.
8. What is a Collection Management Framework (CMF)?
a) A plan for how, where, and what type of data is collected
b) A tool for analyzing malware
c) A method for sharing intelligence
d) A framework for threat modeling
Answer: a) A plan for how, where, and what type of data is collected
Rationale: A CMF outlines the strategy for data collection to support intelligence requirements.
9. What three aspects make up a threat?
a) Intent, Capability, Opportunity
b) Risk, Vulnerability, Impact
c) Detection, Prevention, Response
d) Planning, Execution, Review
Answer: a) Intent, Capability, Opportunity
Rationale: A threat is defined by the adversary’s intent, capability, and opportunity to act.
10. Which level of effort is required to change a domain name according to the Pyramid of Pain?
a) Simple
b) Moderate
c) Difficult
d) Impossible
Answer: a) Simple
Rationale: Changing a domain name is relatively easy for adversaries, making it a low-effort task.
11. What is the importance of understanding intelligence collection on a technical level?
a) It ensures analysts understand the limitations of their data sources
b) It eliminates the need for human analysis
c) It focuses only on high-level strategic intelligence
d) It reduces the need for collaboration
Answer: a) It ensures analysts understand the limitations of their data sources
Rationale: Technical understanding helps analysts assess the reliability and scope of collected data.
12. What is counterintelligence?
a) The identification, assessment, neutralisation, and exploitation of adversarial entities
b) The process of gathering competitor data
c) The analysis of internal threats
d) The development of cybersecurity tools
Answer: a) The identification, assessment, neutralisation, and exploitation of adversarial entities
Rationale: Counterintelligence involves identifying and mitigating adversarial threats while exploiting their activities.
13. Understanding your organization’s vulnerabilities using models and configuration analysis is what type of threat detection?
a) Environmental
b) Behavioral
c) Signature-based
d) Anomaly-based
Answer: a) Environmental
Rationale: Environmental threat detection focuses on understanding vulnerabilities specific to an organization’s infrastructure.
14. Which TLP level allows intelligence to be shared online?
a) TLP: Red
b) TLP: Amber
c) TLP: Green
d) TLP: White
Answer: d) TLP: White
Rationale: TLP: White allows information to be shared publicly, including online.
15. On the sliding scale of cybersecurity, what category involves analysts responding to and learning from adversaries on their network?
a) Passive Defense
b) Active Defense
c) Intelligence Gathering
d) Threat Hunting
Answer: b) Active Defense
Rationale: Active Defense involves real-time interaction with adversaries to mitigate threats.
16. Before satisfying an intelligence requirement, what must an analyst do to determine if it is achievable?
a) Determine whether they have enough data to satisfy the requirement
b) Ignore the requirement if it is too complex
c) Share the requirement with external partners
d) Focus only on high-priority threats
Answer: a) Determine whether they have enough data to satisfy the requirement
Rationale: Analysts must assess data availability to determine if the requirement can be met.
17. What TLP level allows you to share intelligence within your community?
a) TLP: Red
b) TLP: Amber
c) TLP: Green
d) TLP: White
Answer: c) TLP: Green
Rationale: TLP: Green permits sharing within a specific community or group.
18. IOCs are used to improve signatures of an organization’s NIDS. What category on the sliding scale of security does this fall under?
a) Passive Defense
b) Active Defense
c) Intelligence Gathering
d) Threat Hunting
Answer: a) Passive Defense
Rationale: Improving NIDS signatures using IOCs is a passive defense measure.
19. How can intelligence teams prevent bias?
a) Use of Structured Analytic Techniques (SATs)
b) Rely solely on automated tools
c) Ignore conflicting data
d) Focus only on high-confidence intelligence