Released ECCouncil 312-85 Updated Questions PDF [Q18-Q42]

Released ECCouncil 312-85 Updated Questions PDF

312-85 Dumps and Practice Test (52 Exam Questions)

The CTIA certification is ideal for cybersecurity professionals who are responsible for identifying and mitigating threats within their organizations. It is especially relevant for security analysts, threat intelligence analysts, security engineers, security consultants, and security managers. The CTIA certification can help professionals enhance their skills and knowledge in the field of threat intelligence and improve their career prospects.

The CTIA certification exam is known as the ECCouncil 312-85 exam. 312-85 exam is a comprehensive assessment of a candidate's knowledge and understanding of threat intelligence. 312-85 exam consists of 100 multiple-choice questions that must be answered within a time limit of four hours. 312-85 exam covers a wide range of topics, including threat intelligence fundamentals, threat modeling, data collection, analysis, and dissemination.

 

NEW QUESTION # 18
Enrage Tech Company hired Enrique, a security analyst, for performing threat intelligence analysis. While performing data collection process, he used a counterintelligence mechanism where a recursive DNS server is employed to perform interserver DNS communication and when a request is generated from any name server to the recursive DNS server, the recursive DNS servers log the responses that are received. Then it replicates the logged data and stores the data in the central database. Using these logs, he analyzed the malicious attempts that took place over DNS infrastructure.
Which of the following cyber counterintelligence (CCI) gathering technique has Enrique used for data collection?

• A. Data collection through passive DNS monitoring
• B. Data collection through DNS zone transfer
• C. Data collection through DNS interrogation
• D. Data collection through dynamic DNS (DDNS)

Answer: A

Explanation:
Passive DNS monitoring involves collecting data about DNS queries and responses without actively querying DNS servers, thereby not altering or interfering with DNS traffic. This technique allows analysts to track changes in DNS records and observe patterns that may indicate malicious activity. In the scenario described, Enrique is employing passive DNS monitoring by using a recursive DNS server to log the responses received from name servers, storing these logs in a central database for analysis. This approach is effective for identifying malicious domains, mapping malware campaigns, and understanding threat actors' infrastructure without alerting them to the fact that they are being monitored. This method is distinct from active techniques such as DNS interrogation or zone transfers, which involve sending queries to DNS servers, and dynamic DNS, which refers to the automatic updating of DNS records.References:
* SANS Institute InfoSec Reading Room, "Using Passive DNS to Enhance Cyber Threat Intelligence"
* "Passive DNS Replication," by Florian Weimer, FIRST Conference Presentation

NEW QUESTION # 19
A network administrator working in an ABC organization collected log files generated by a traffic monitoring system, which may not seem to have useful information, but afterperforming proper analysis by him, the same information can be used to detect an attack in the network.
Which of the following categories of threat information has he collected?

• A. Low-level data
• B. Strategic reports
• C. Detection indicators
• D. Advisories

Answer: A

Explanation:
The network administrator collected log files generated by a traffic monitoring system, which falls under the category of low-level data. This type of data might not appear useful at first glance but can reveal significant insights about network activity and potential threats upon thorough analysis. Low-level data includes raw logs, packet captures, and other granular details that, when analyzed properly, can help detect anomalous behaviors or indicators of compromise within the network. This type of information is essential for detection and response efforts, allowing security teams to identify and mitigate threats in real-time.References:
* "Network Forensics: Tracking Hackers through Cyberspace," by Sherri Davidoff and Jonathan Ham, Prentice Hall
* "Real-Time Detection of Anomalous Activity in Dynamic, Heterogeneous Information Systems," IEEE Transactions on Information Forensics and Security

NEW QUESTION # 20
An analyst is conducting threat intelligence analysis in a client organization, and during the information gathering process, he gathered information from the publicly available sources and analyzed to obtain a rich useful form of intelligence. The information source that he used is primarily used for national security, law enforcement, and for collecting intelligence required for business or strategic decision making.
Which of the following sources of intelligence did the analyst use to collect information?

• A. OSINT
• B. ISAC
• C. OPSEC
• D. SIGINT

Answer: A

Explanation:
The analyst used Open Source Intelligence (OSINT) to gather information from publicly available sources.
OSINT involves collecting and analyzing information from publicly accessible sources to produce actionable intelligence. This can include media reports, public government data, professional and academic publications, and information available on the internet. OSINT is widely used for national security, law enforcement, and business intelligence purposes, providing a rich source of information for making informed decisions and understanding the threat landscape.References:
* "Open Source Intelligence (OSINT) Tools and Techniques," by SANS Institute
* "The Role of OSINT in Cybersecurity and Threat Intelligence," by Recorded Future

NEW QUESTION # 21
Which of the following characteristics of APT refers to numerous attempts done by the attacker to gain entry to the target's network?

• A. Risk tolerance
• B. Timeliness
• C. Attack origination points
• D. Multiphased

Answer: C

NEW QUESTION # 22
John, a professional hacker, is trying to perform APT attack on the target organization network. He gains access to a single system of a target organization and tries to obtain administrative login credentials to gain further access to the systems in the network using various techniques.
What phase of the advanced persistent threat lifecycle is John currently in?

• A. Expansion
• B. Persistence
• C. Initial intrusion
• D. Search and exfiltration

Answer: A

NEW QUESTION # 23
In a team of threat analysts, two individuals were competing over projecting their own hypotheses on a given malware. However, to find logical proofs to confirm their hypotheses, the threat intelligence manager used a de-biasing strategy that involves learning strategic decision making in the circumstances comprising multistep interactions with numerous representatives, either having or without any perfect relevant information.
Which of the following de-biasing strategies the threat intelligence manager used to confirm their hypotheses?

• A. Cognitive psychology
• B. Game theory
• C. Decision theory
• D. Machine learning

Answer: B

NEW QUESTION # 24
Bob, a threat analyst, works in an organization named TechTop. He was asked to collect intelligence to fulfil the needs and requirements of the Red Tam present within the organization.
Which of the following are the needs of a RedTeam?

• A. Intelligence related to increased attacks targeting a particular software or operating system vulnerability
• B. Intelligence that reveals risks related to various strategic business decisions
• C. Intelligence extracted latest attacks analysis on similar organizations, which includes details about latest threats and TTPs
• D. Intelligence on latest vulnerabilities, threat actors, and their tactics, techniques, and procedures (TTPs)

Answer: D

Explanation:
Red Teams are tasked with emulating potential adversaries to test and improve the security posture of an organization. They require intelligence on the latest vulnerabilities, threat actors, and their TTPs to simulate realistic attack scenarios and identify potential weaknesses in the organization's defenses. This information helps Red Teams in crafting their attack strategies to be as realistic and relevant as possible, thereby providing valuable insights into how actual attackers might exploit the organization's systems. This need contrasts with the requirements of other teams or roles within an organization, such as strategic decision-makers, who might be more interested in intelligence relatedto strategic risks or Blue Teams, which focus on defending against and responding to attacks.References:
* Red Team Field Manual (RTFM)
* MITRE ATT&CK Framework for understanding threat actor TTPs

NEW QUESTION # 25
Walter and Sons Company has faced major cyber attacks and lost confidential data. The company has decided to concentrate more on the security rather than other resources. Therefore, they hired Alice, a threat analyst, to perform data analysis. Alice was asked to perform qualitative data analysis to extract useful information from collected bulk data.
Which of the following techniques will help Alice to perform qualitative data analysis?

• A. Numerical calculations, statistical modeling, measurement, research, and so on.
• B. Regression analysis, variance analysis, and so on
• C. Brainstorming, interviewing, SWOT analysis, Delphi technique, and so on
• D. Finding links between data and discover threat-related information

Answer: C

Explanation:
For Alice to perform qualitative data analysis, techniques such as brainstorming, interviewing, SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis, and the Delphi technique are suitable. Unlike quantitative analysis, which involves numerical calculations and statistical modeling, qualitative analysis focuses on understanding patterns, themes, and narratives within the data. These techniques enable the analyst to explore the data's deeper meanings and insights, which are essential for strategic decision-making and developing a nuanced understanding of cybersecurity threats and vulnerabilities.References:
* "Qualitative Research Methods in Cybersecurity," SANS Institute Reading Room
* "The Delphi Method for Cybersecurity Risk Assessment," by Cybersecurity and Infrastructure Security Agency (CISA)

NEW QUESTION # 26
Andrews and Sons Corp. has decided to share threat information among sharing partners. Garry, a threat analyst, working in Andrews and Sons Corp., has asked to follow a trust model necessary to establish trust between sharing partners. In the trust model used by him, the first organization makes use of a body of evidence in a second organization, and the level of trust between two organizations depends on the degree and quality of evidence provided by the first organization.
Which of the following types of trust model is used by Garry to establish the trust?

• A. Mediated trust
• B. Direct historical trust
• C. Mandated trust
• D. Validated trust

Answer: D

Explanation:
In the trust model described, where trust between two organizations depends on the degree and quality of evidence provided by the first organization, the model in use is 'Validated Trust.' This model relies on the validation of evidence or credentials presented by one party to another to establish trust. The validation process assesses the credibility, reliability, and relevance of the information shared, forming the basis of the trust relationship between the sharing partners. This approach is common in threat intelligence sharing where the accuracy and reliability of shared information are critical.References:
* "Building a Cybersecurity Culture," ISACA
* "Trust Models in Information Security," Journal of Internet Services and Applications

NEW QUESTION # 27
Which of the following types of threat attribution deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target?

• A. Nation-state attribution
• B. Campaign attribution
• C. True attribution
• D. Intrusion-set attribution

Answer: C

NEW QUESTION # 28
In which of the following forms of bulk data collection are large amounts of data first collected from multiple sources in multiple formats and then processed to achieve threat intelligence?

• A. Unstructured form
• B. Hybrid form
• C. Structured form
• D. Production form

Answer: A

Explanation:
In the context of bulk data collection for threat intelligence, data is often initially collected in an unstructured form from multiple sources and in various formats. This unstructured data includes information from blogs, news articles, threat reports, social media, and other sources that do not follow a specific structure or format.
The subsequent processing of this data involves organizing, structuring, and analyzing it to extract actionable threat intelligence. This phase is crucial for turning vast amounts of disparate data into coherent, useful insights for cybersecurity purposes.References:
* "The Role of Unstructured Data in Cyber Threat Intelligence," by Jason Trost, Anomali
* "Turning Unstructured Data into Cyber Threat Intelligence," by Giorgio Mosca, IEEE Xplore

NEW QUESTION # 29
Moses, a threat intelligence analyst at InfoTec Inc., wants to find crucial information about the potential threats the organization is facing by using advanced Google searchoperators. He wants to identify whether any fake websites are hosted at the similar to the organization's URL.
Which of the following Google search queries should Moses use?

• A. related: www.infothech.org
• B. cache: www.infothech.org
• C. info: www.infothech.org
• D. link: www.infothech.org

Answer: A

Explanation:
The "related:" Google search operator is used to find websites that are similar or related to a specified URL. In the context provided, Moses wants to identify fake websites that may be posing as or are similar to his organization's official site. By using the "related:" operator followed by his organization's URL, Google will return a list of websites that Google considers to be similar to the specified site. This can help Moses identify potential impersonating websites that could be used for phishing or other malicious activities. The "info:",
"link:", and "cache:" operators serve different purposes; "info:" provides information about the specified webpage, "link:" used to be used to find pages linking to a specific URL (but is now deprecated), and "cache:" shows the cached version of the specified webpage.References:
* Google Search Operators Guide by Moz
* Google Advanced Search Help Documentation

NEW QUESTION # 30
What is the correct sequence of steps involved in scheduling a threat intelligence program?
1. Review the project charter
2. Identify all deliverables
3. Identify the sequence of activities
4. Identify task dependencies
5. Develop the final schedule
6. Estimate duration of each activity
7. Identify and estimate resources for all activities
8. Define all activities
9. Build a work breakdown structure (WBS)

• A. 1-->2-->3-->4-->5-->6-->7-->8-->9
• B. 3-->4-->5-->2-->1-->9-->8-->7-->6
• C. 1-->2-->3-->4-->5-->6-->9-->8-->7
• D. 1-->9-->2-->8-->3-->7-->4-->6-->5

Answer: D

NEW QUESTION # 31
Steve works as an analyst in a UK-based firm. He was asked to perform network monitoring to find any evidence of compromise. During the network monitoring, he came to know that there are multiple logins from different locations in a short time span. Moreover, he also observed certain irregular log in patterns from locations where the organization does not have business relations. This resembles that somebody is trying to steal confidential information.
Which of the following key indicators of compromise does this scenario present?

• A. Geographical anomalies
• B. Unusual outbound network traffic
• C. Unusual activity through privileged user account
• D. Unexpected patching of systems

Answer: A

Explanation:
The scenario described by Steve's observations, where multiple logins are occurring from different locations in a short time span, especially from locations where the organization has no business relations, points to
'Geographical anomalies' as a key indicator of compromise (IoC). Geographical anomalies in logins suggest unauthorized access attempts potentially made by attackers using compromised credentials. This is particularly suspicious when the locations of these logins do not align with the normal geographical footprint of the organization's operations or employee locations. Monitoring for such anomalies can help in the early detection of unauthorized access and potential data breaches.References:
* SANS Institute Reading Room, "Indicators of Compromise: Reality's Version of the Minority Report"
* "Identifying Indicators of Compromise" by CERT-UK

NEW QUESTION # 32
An organization suffered many major attacks and lost critical information, such as employee records, and financial information. Therefore, the management decides to hire a threat analyst to extract the strategic threat intelligence that provides high-level information regarding current cyber-security posture, threats, details on the financial impact of various cyber-activities, and so on.
Which of the following sources will help the analyst to collect the required intelligence?

• A. Human, social media, chat rooms
• B. OSINT, CTI vendors, ISAO/ISACs
• C. Active campaigns, attacks on other organizations, data feeds from external third parties
• D. Campaign reports, malware, incident reports, attack group reports, human intelligence

Answer: B

Explanation:
For gathering strategic threat intelligence that provides a high-level overview of the current cybersecurity posture, potential financial impacts of cyber activities, and overarching threats, sources such as Open Source Intelligence (OSINT), Cyber Threat Intelligence (CTI) vendors, and Information Sharing and Analysis Organizations (ISAOs)/Information Sharing and Analysis Centers (ISACs) are invaluable. OSINT involves collecting data from publicly available sources, CTI vendors specialize in providing detailed threat intelligence services, and ISAOs/ISACs facilitate the sharing of threat data within specific industries or communities.
These sources can provide broad insights into threat landscapes, helping organizations understand how to align their cybersecurity strategies with current trends and threats.References:
* "Cyber Threat Intelligence: Sources and Methods," by Max Kilger, Ph.D., SANS Institute Reading Room
* "Open Source Intelligence (OSINT): An Introduction to the Basic Concepts and the Potential Benefits for Information Security," by Kevin Cardwell, IEEE Xplore

NEW QUESTION # 33
An organization suffered many major attacks and lost critical information, such as employee records, and financial information. Therefore, the management decides to hire a threat analyst to extract the strategic threat intelligence that provides high-level information regarding current cyber-security posture, threats, details on the financial impact of various cyber-activities, and so on.
Which of the following sources will help the analyst to collect the required intelligence?

• A. Human, social media, chat rooms
• B. OSINT, CTI vendors, ISAO/ISACs
• C. Active campaigns, attacks on other organizations, data feeds from external third parties
• D. Campaign reports, malware, incident reports, attack group reports, human intelligence

Answer: B

NEW QUESTION # 34
A threat analyst wants to incorporate a requirement in the threat knowledge repository that provides an ability to modify or delete past or irrelevant threat data.
Which of the following requirement must he include in the threat knowledge repository to fulfil his needs?

• A. Data management
• B. Searchable functionality
• C. Protection ranking
• D. Evaluating performance

Answer: A

Explanation:
Incorporating a data management requirement in the threat knowledge repository is essential to provide the ability to modify or delete past or irrelevant threat data. Effective data management practices ensure that the repository remains accurate, relevant, and up-to-date by allowing for the adjustment and curation of stored information. This includes removing outdated intelligence, correcting inaccuracies, and updating information as new insights become available. A well-managed repository supports the ongoing relevance and utility of the threat intelligence, aiding in informed decision-making and threat mitigation strategies.References:
* "Building and Maintaining a Threat Intelligence Library," by Recorded Future
* "Best Practices for Creating a Threat Intelligence Policy, and How to Use It," by SANS Institute

NEW QUESTION # 35
What is the correct sequence of steps involved in scheduling a threat intelligence program?
1. Review the project charter
2. Identify all deliverables
3. Identify the sequence of activities
4. Identify task dependencies
5. Develop the final schedule
6. Estimate duration of each activity
7. Identify and estimate resources for all activities
8. Define all activities
9. Build a work breakdown structure (WBS)

• A. 1-->2-->3-->4-->5-->6-->7-->8-->9
• B. 3-->4-->5-->2-->1-->9-->8-->7-->6
• C. 1-->2-->3-->4-->5-->6-->9-->8-->7
• D. 1-->9-->2-->8-->3-->7-->4-->6-->5

Answer: D

Explanation:
The correct sequence for scheduling a threat intelligence program involves starting with the foundational steps of defining the project scope and objectives, followed by detailed planning and scheduling of tasks. The sequence starts with reviewing the project charter (1) to understand the project's scope, objectives, and constraints. Next, building a Work Breakdown Structure (WBS) (9) helps in organizing the team's work into manageable sections. Identifying all deliverables (2) clarifies the project's outcomes. Defining all activities (8) involves listing the tasks required to produce the deliverables. Identifying the sequence of activities (3) and estimating resources (7) and task dependencies (4) sets the groundwork for scheduling. Estimating the duration of each activity (6) is critical before developing the final schedule (5), which combines all these elements into a comprehensive plan. This approach ensures a structured and methodical progression from project initiation to execution.References:
* "A Guide to the Project Management Body of Knowledge (PMBOK Guide)," Project Management Institute
* "Cyber Intelligence-Driven Risk," by Intel471

NEW QUESTION # 36
A threat analyst obtains an intelligence related to a threat, where the data is sent in the form of a connection request from a remote host to the server. From this data, he obtains only the IP address of the source and destination but no contextual information. While processing this data, he obtains contextual information stating that multiple connection requests from different geo-locations are received by the server within a short time span, and as a result, the server is stressed and gradually its performance has reduced. He further performed analysis on the information based on the past and present experience and concludes the attack experienced by the client organization.
Which of the following attacks is performed on the client organization?

• A. Distributed Denial-of-Service (DDoS) attack
• B. DHCP attacks
• C. MAC spoofing attack
• D. Bandwidth attack

Answer: A

Explanation:
The attack described, where multiple connection requests from different geo-locations are received by a server within a short time span leading to stress and reduced performance, is indicative of a Distributed Denial-of-Service (DDoS) attack. In a DDoS attack, the attacker floods the target's resources (such as a server) with excessive requests from multiple sources, making it difficult for the server to handle legitimate traffic, leading to degradation or outright unavailability of service. The use of multiple geo-locations for the attack sources is a common characteristic of DDoS attacks, making them harder to mitigate.References:
* "Understanding Denial-of-Service Attacks," US-CERT
* "DDoS Quick Guide," DHS/NCCIC

NEW QUESTION # 37
Tracy works as a CISO in a large multinational company. She consumes threat intelligence to understand the changing trends of cyber security. She requires intelligence to understand the current business trends and make appropriate decisions regarding new technologies, security budget, improvement of processes, and staff. The intelligence helps her in minimizing business risks and protecting the new technology and business initiatives.
Identify the type of threat intelligence consumer is Tracy.

• A. Strategic users
• B. Technical users
• C. Operational users
• D. Tactical users

Answer: A

Explanation:
Tracy, as a Chief Information Security Officer (CISO), requires intelligence that aids in understanding broader business and cybersecurity trends, making informed decisions regarding new technologies, security budgets, process improvements, and staffing. This need aligns with the role of a strategic user of threat intelligence.
Strategic users leverage intelligence to guide long-term planning and decision-making, focusing on minimizing business risks and safeguarding against emerging threats to new technology and business initiatives. This type of intelligence is less about the technical specifics of individual threats and more about understanding the overall threat landscape, regulatory environment, and industry trends to inform high-level strategy and policy.References:
* "The Role of Strategic Intelligence in Cybersecurity," Journal of Cybersecurity Education, Research and Practice
* "Cyber Threat Intelligence and the Lessons from Law Enforcement," by Robert M. Lee and David Bianco, SANS Institute Reading Room

NEW QUESTION # 38
Sarah is a security operations center (SOC) analyst working at JW Williams and Sons organization based in Chicago. As a part of security operations, she contacts information providers (sharing partners) for gathering information such as collections of validated and prioritized threat indicators along with a detailed technical analysis of malware samples, botnets, DDoS attack methods, and various other malicious tools. She further used the collected information at the tactical and operational levels.
Sarah obtained the required information from which of the following types of sharing partner?

• A. Providers of threat indicators
• B. Providers of comprehensive cyber-threat intelligence
• C. Providers of threat actors
• D. Providers of threat data feeds

Answer: B

NEW QUESTION # 39
Miley, an analyst, wants to reduce the amount of collected data and make the storing and sharing process easy. She uses filtering, tagging, and queuing technique to sort out the relevant and structured data from the large amounts of unstructured data.
Which of the following techniques was employed by Miley?

• A. Data visualization
• B. Convenience sampling
• C. Normalization
• D. Sandboxing

Answer: C

NEW QUESTION # 40
In which of the following storage architecture is the data stored in a localized system, server, or storage hardware and capable of storing a limited amount of data in its database and locally available for data usage?

• A. Cloud storage
• B. Distributed storage
• C. Object-based storage
• D. Centralized storage

Answer: D

Explanation:
Centralized storage architecture refers to a system where data is stored in a localized system, server, or storage hardware. This type of storage is capable of holding a limited amount of data in its database and is locally available for data usage. Centralized storage is commonly used in smaller organizations or specific departments within larger organizations where the volume of data is manageable and does not require the scalability offered by distributed or cloud storage solutions. Centralized storage systems simplify data management and access but might present challenges in terms of scalabilityand data recovery.References:
* "Data Storage Solutions for Your Business: Centralized vs. Decentralized," Techopedia
* "The Basics of Centralized Data Storage," by Margaret Rouse, SearchStorage

NEW QUESTION # 41
Jame, a professional hacker, is trying to hack the confidential information of a target organization. He identified the vulnerabilities in the target system and created a tailored deliverable malicious payload using an exploit and a backdoor to send it to the victim.
Which of the following phases of cyber kill chain methodology is Jame executing?

• A. Exploitation
• B. Installation
• C. Reconnaissance
• D. Weaponization

Answer: D

NEW QUESTION # 42
......

312-85 Exam Dumps Pass with Updated 2024 Certified Exam Questions: https://www.validbraindumps.com/312-85-exam-prep.html

Guide (New 2024) Actual ECCouncil 312-85 Exam Questions: https://drive.google.com/open?id=1-ogr-iYujQibRRtJIPTB8YxUtfTEG3yL