SANS FOR578 / GIAC GCTI Certification Exam Prep Questions & Verified
Answers (Graded A+ | Assured Success)
Q: What is counterintelligence?
A: The identification, assessment, and neutralisation of adversary intelligence activities.

Q: Which type of memory is the most critical in intel analysis, and why?
A: Working memory, as it processes inputs and determines whether to store them in long-term or short-term memory.

Q: What is template matching?
A: The theory that every object is processed by the brain and stored as a template in long-term memory.

Q: Compare System 1 and System 2 thinking.
A: System 1: intuitive, fast, effective. System 2: analytical, slow, methodical.

Q: Which system of thinking requires mental models?
A: System 1

Q: What is an activity group?
A: A clustering of intrusions which cover 2 or more phases in the Diamond Model.

Q: What is a key indicator?
A: An indicator that remains constant across multiple intrusions, uniquely distinguishes a campaign from other campaigns, and aligns to a single category of adversary action.

Q: What is a Collection Management Framework (CMF)?
A: A CMF is the plan for how you collect data, where you collect it, and what type of data you collect.

Q: What 3 aspects make up a threat?
A: Intent, Capability, Opportunity

Q: Which level of effort is required to change a domain name according to the Pyramid of Pain?
A: Simple

Q: What is the importance of understanding intelligence collection on a technical level?
A: It ensures the analyst understands the limitations of their data sources.

Q: What is counter intelligence?
A: The identification, assessment, neutralisation, and exploitation of adversarial entities.

Q: Understanding your organization's vulnerabilities using models and config analysis is what type of threat detection?
A: Environmental

Q: Which TLP level allows intel to be shared online?
A: TLP: White

Q: On the sliding scale of cyber security, in what category do analysts respond to and learn from adversaries on their network?
A: Active Defence

Q: Before satisfying an intel requirement, what must an analyst do to determine if it is achievable?
A: Determine whether they have enough data to satisfy the requirement. A Collection Management Framework (CMF) defines how you collect data.

Q: What TLP level allows you to share intel within your community?
A: TLP:Green

Q: IOCs are used to improve the signatures of an organization's NIDS; what category on the sliding scale of security does this fall under?
A: Passive Defence

Q: How can intel teams prevent bias?
A: Use of Structured Analytic Techniques (SATs); inclusion of diversity.

Q: Questioning the ROI and the reduction of risk of security intel functions within an organization is an example of what category of intelligence?
A: Strategic

Q: What is synthesis in the CTI field?
A: The combination of various event data sources, historical information, and digital forensics to form a theory or system.

Q: What is a priority intelligence requirement (PIR)?
A: An intelligence requirement that is seen as critical to mission success.

Q: Which non-linear approach to modelling was meant to eliminate the stovepiping that occurs in intel work?
A: Target-centric intelligence

Q: What is bouncing malware?
A: The user is passed between multiple sites, and numerous exploits are used in convoluted combinations.