312-85 Questions and Answers

In this scenario, Jacob has copied the entire contents of a legitimate website to his local system to create a replica or duplicate version that looks exactly like the original. This process of duplicating a website by copying its structure, design, content, and files is known as website mirroring.

Website mirroring is a technique used to create an identical copy (mirror) of a real website for different purposes. In ethical use cases, organizations create mirror sites to ensure high availability, load balancing, or offline backup of web content. However, in malicious or unethical scenarios, attackers use website mirroring to replicate legitimate sites for phishing or social engineering attacks, tricking users into entering credentials, financial data, or other sensitive information.

By creating a mirrored version of an authentic site, an attacker can redirect unsuspecting victims to the fake version, which appears genuine. Victims then provide information that is captured by the attacker for malicious use. This method is commonly employed in phishing campaigns and credential harvesting operations.

Why the Other Options Are Incorrect:

A. Data sampling:Data sampling refers to selecting a subset of data from a larger dataset for analysis or testing. It does not involve copying or cloning websites.

C. Tailgating:Tailgating is a physical security breach technique, where an unauthorized individual follows an authorized person into a secured area without proper authentication. It is unrelated to website replication.

D. Social engineering:Social engineering is a broader psychological manipulation technique that exploits human trust to gain confidential information. While Jacob’s goal is to perform a social engineering attack using the cloned website, the method he used to create the replica is website mirroring, not social engineering itself.

Conclusion:

Jacob used website mirroring to clone the online shopping website. The mirrored site will later serve as a platform to perform social engineering attacks by deceiving employees or customers into interacting with the fake site.

Final Answer: B. Website mirroring

Explanation Reference (Based on CTIA Study Concepts):

This explanation is based on EC-Council’s Certified Threat Intelligence Analyst (CTIA) study concepts under the topics of Adversary Tactics, Techniques, and Procedures (TTPs) and Threat Modeling of Infrastructure Attacks, which describe how attackers create cloned or mirrored websites to perform phishing and social engineering campaigns.

The question specifies that the vulnerabilities are application threats.

SQL injection and buffer overflow are both classic examples of application-layer attacks that target flaws in code and software design.

SQL Injection: Exploits improper input validation in database queries, allowing attackers to execute malicious SQL statements.

Buffer Overflow: Occurs when a program writes more data into a buffer than it can handle, leading to memory corruption and potential remote code execution.

Why the Other Options Are Incorrect:

B. Man-in-the-middle and physical security attack: MITM is a network attack, and physical attacks are not application-based.

C. DNS and ARP poisoning: These are network-level attacks, not application-level.

D. Footprinting and spoofing: Both are reconnaissance or identity-deception techniques, not application-layer threats.

Conclusion:

Bob identified application threats, namely SQL Injection and Buffer Overflow attacks.

Final Answer: A. SQL injection and buffer overflow attack

Explanation Reference (Based on CTIA Study Concepts):

CTIA categorizes SQL injection and buffer overflow as application-level vulnerabilities exploited through improper input handling and insecure coding.

Tracy, as a Chief Information Security Officer (CISO), requires intelligence that aids in understanding broader business and cybersecurity trends, making informed decisions regarding new technologies, security budgets, process improvements, and staffing. This need aligns with the role of a strategic user of threat intelligence. Strategic users leverage intelligence to guide long-term planning and decision-making, focusing on minimizing business risks and safeguarding against emerging threats to new technology and business initiatives. This type of intelligence is less about the technical specifics of individual threats and more about understanding the overall threat landscape, regulatory environment, and industry trends to inform high-level strategy and policy.

In the Analysis of Competing Hypotheses (ACH) process, the stage where Mr. Bob is applying analysis to reject hypotheses and select the most likely one based on listed evidence, followed by preparing a matrix with screened hypotheses and evidence, is known as the 'Refinement' stage. This stage involves refining the list of hypotheses by systematically evaluating the evidence against each hypothesis, leading to the rejection of inconsistent hypotheses and the strengthening of the most plausible ones. The preparation of a matrix helps visualize the relationship between each hypothesis and the available evidence, facilitating a more objective and structured analysis.

The attack described, where multiple connection requests from different geo-locations are received by a server within a short time span leading to stress and reduced performance, is indicative of a Distributed Denial-of-Service (DDoS) attack. In a DDoS attack, the attacker floods the target's resources (such as a server) with excessive requests from multiple sources, making it difficult for the server to handle legitimate traffic, leading to degradation or outright unavailability of service. The use of multiple geo-locations for the attack sources is a common characteristic of DDoS attacks, making them harder to mitigate.

The description focuses on contextual information about events and incidents, including attacker methodologies, risks, and historical malicious activity. This aligns with Operational Threat Intelligence.

Operational Threat Intelligence provides actionable insights about current or recent attacks, giving context that supports incident response and security operations. It connects individual technical indicators with the larger picture of attacker campaigns and motives.

Why the Other Options Are Incorrect:

B. Strategic threat intelligence: Focuses on long-term, high-level planning for executives.

C. Technical threat intelligence: Deals with raw indicators such as hashes, IPs, and URLs.

D. Tactical threat intelligence: Focuses on adversary TTPs for defense operations, not contextual event analysis.

Conclusion:

John is performing Operational Threat Intelligence, which enriches event data with contextual information for investigation and response.

Final Answer: A. Operational threat intelligence

Explanation Reference (Based on CTIA Study Concepts):

CTIA defines operational threat intelligence as intelligence that provides context for incidents and ongoing attacks, helping organizations understand threats at a campaign or activity level.

The method described involves analyzing activities, timeframes, dependencies, and milestones to understand project flow and relationships. This is known as Critical Path Analysis (CPA).

Critical Path Analysis helps identify the sequence of crucial tasks that determine the overall project duration. In the context of threat intelligence, it assists analysts in mapping adversary activities or operational timelines to determine key steps and dependencies in attack campaigns.

Why the Other Options Are Incorrect:

B. Timeline analysis: Focuses on chronological sequencing of events, not dependency or duration analysis.

C. Cone of plausibility: Used for scenario modeling and forecasting possible outcomes.

D. Analogy analysis: Compares new situations to historical cases, not time-dependent task mapping.

Conclusion:

Steve applied Critical Path Analysis to determine activity dependencies and durations.

Final Answer: A. Critical path analysis

Explanation Reference (Based on CTIA Study Concepts):

CTIA defines CPA as a structured approach for mapping and analyzing sequences of dependent activities or events.

Incorporating a scoring feature in a Threat Intelligence (TI) platform allows SecurityTech Inc. to evaluate and prioritize intelligence sources, threat actors, specific types of attacks, and the organization's digital assets based on their relevance and threat level to the organization. This prioritization helps in allocating resources more effectively, focusing on protecting critical assets and countering the most significant threats. A scoring system can be based on various criteria such as the severity of threats, the value of assets, the reliability of intelligence sources, and the potential impact of threat actors or attack vectors. By quantifying these elements, SecurityTech Inc. can make informed decisions on where to invest its limited funds to enhance its security posture most effectively.

The information Sarah is gathering, which includes collections of validated and prioritized threat indicators along with detailed technical analysis of malware samples, botnets, DDoS methods, and other malicious tools, indicates that she is obtaining this intelligence from providers of comprehensive cyber-threat intelligence. These providers offer a holistic view of the threat landscape, combining tactical and operational threat data with in-depth analysis and context, enabling security teams to make informed decisions and strategically enhance their defenses.

In the trust model described, where trust between two organizations depends on the degree and quality of evidence provided by the first organization, the model in use is 'Validated Trust.' This model relies on the validation of evidence or credentials presented by one party to another to establish trust. The validation process assesses the credibility, reliability, and relevance of the information shared, forming the basis of the trust relationship between the sharing partners. This approach is common in threat intelligence sharing where the accuracy and reliability of shared information are critical.

The methodology described—iterative and incremental prioritization of requirements based on importance—perfectly aligns with the MoSCoW method.

MoSCoW stands for:

M – Must have (critical requirements that are mandatory),

S – Should have (important but not essential),

C – Could have (desirable but optional),

W – Won’t have (this time) (deferred or out of scope).

It is widely used in security, risk management, and software development to determine the priority of tasks or requirements that should be implemented first.

By applying MoSCoW, Marry ensures that critical security requirements (such as protecting core assets) are addressed first before moving on to less critical ones.

Why the Other Options Are Incorrect:

A. Data sampling: Refers to statistical analysis methods, not prioritization.

C. Data visualization: Used to represent data graphically, not for setting priorities.

D. Fusion analysis: Used to integrate multiple data sources for intelligence analysis, not requirement prioritization.

Conclusion:

Marry should use the MoSCoW prioritization methodology to structure and prioritize her organization’s security requirements.

Final Answer: B. MoSCoW

Explanation Reference (Based on CTIA Study Concepts):

In CTIA’s requirement prioritization and planning stages, MoSCoW is used to assign importance levels to intelligence and security requirements for efficient implementation.

The phase described involves defining and setting up what intelligence needs to be collected before the actual collection process begins. This aligns with the Intelligence Requirements phase of the threat intelligence lifecycle.

Intelligence Requirements define what information is needed and why it is needed to support decision-making or intelligence production. These requirements guide the collection and analysis processes by specifying the goals and priorities of intelligence gathering.

Kira’s focus should be on determining the exact intelligence needs that will later drive the production of actionable insights.

Why the Other Options Are Incorrect:

A. Production requirements: Concerned with how intelligence reports and outputs will be formatted and disseminated after analysis, not what data should be collected.

C. Business requirements: Focus on organizational goals or project objectives, not specific intelligence needs.

D. Collection requirements: Define how and from where to gather data, but are based on intelligence requirements, which come first.

Conclusion:

Kira should define Intelligence Requirements, which determine what must be collected to fulfill intelligence production needs.

Final Answer: B. Intelligence requirements

Explanation Reference (Based on CTIA Study Concepts):

In the CTIA threat intelligence lifecycle, defining intelligence requirements is the first stage and establishes the foundation for effective intelligence collection and production.

The scenario describes a situation where Philip gathers intelligence through direct personal relationships or covert human contact with the target individual. This aligns with the intelligence source known as CHIS (Covert Human Intelligence Source).

CHIS refers to intelligence collected from a human source who provides information about individuals, groups, or organizations, often through personal relationships or covert interaction. This type of intelligence is gathered directly from people rather than technical or electronic means.

In the context of threat intelligence and security analysis, CHIS is part of Human Intelligence (HUMINT), which involves acquiring information through human interaction. Such sources can include insiders, informants, or individuals with access to sensitive details about the target organization.

Attackers or intelligence professionals use this method to gather sensitive or non-public information that cannot be obtained from open or technical sources. Philip’s method of maintaining a personal relationship with the target person to collect information fits perfectly into this category.

Why the Other Options Are Incorrect:

B. MASINT (Measurement and Signature Intelligence):This intelligence source collects and analyzes data obtained from sensors, measuring electromagnetic, acoustic, or nuclear signatures. It is a technical intelligence method and does not involve human relationships.

C. SOCMINT (Social Media Intelligence):SOCMINT involves collecting intelligence from social media platforms such as Facebook, LinkedIn, Twitter, or Instagram. It uses publicly available data rather than personal interaction.

D. FISINT (Foreign Instrumentation Signals Intelligence):This refers to intelligence derived from intercepted foreign instrument signals, such as telemetry or weapon system emissions. It is related to technical and signals intelligence, not human sources.

Conclusion:

Philip used a Covert Human Intelligence Source (CHIS) approach, which involves collecting intelligence through human interaction or relationships to gain insider knowledge about the target organization.

Final Answer: A. CHIS

Explanation Reference (Based on CTIA Study Concepts):

Based on the CTIA study guide section on “Sources of Threat Intelligence,” CHIS is recognized as a human intelligence source derived from interpersonal contact, covert sources, or informants that provide insider-level information about an organization or target individual.

For gathering strategic threat intelligence that provides a high-level overview of the current cybersecurity posture, potential financial impacts of cyber activities, and overarching threats, sources such as Open Source Intelligence (OSINT), Cyber Threat Intelligence (CTI) vendors, and Information Sharing and Analysis Organizations (ISAOs)/Information Sharing and Analysis Centers (ISACs) are invaluable. OSINT involves collecting data from publicly available sources, CTI vendors specialize in providing detailed threat intelligence services, and ISAOs/ISACs facilitate the sharing of threat data within specific industries or communities. These sources can provide broad insights into threat landscapes, helping organizations understand how to align their cybersecurity strategies with current trends and threats.

Passive DNS monitoring involves collecting data about DNS queries and responses without actively querying DNS servers, thereby not altering or interfering with DNS traffic. This technique allows analysts to track changes in DNS records and observe patterns that may indicate malicious activity. In the scenario described, Enrique is employing passive DNS monitoring by using a recursive DNS server to log the responses received from name servers, storing these logs in a central database for analysis. This approach is effective for identifying malicious domains, mapping malware campaigns, and understanding threat actors' infrastructure without alerting them to the fact that they are being monitored. This method is distinct from active techniques such as DNS interrogation or zone transfers, which involve sending queries to DNS servers, and dynamic DNS, which refers to the automatic updating of DNS records.

The focus of John’s testing is understanding the motives, methods, and identity of potential attackers. This type of approach aligns with Intelligence-Led Security Testing.

Intelligence-Led Security Testing uses real-world threat intelligence to simulate realistic cyberattack scenarios. It provides insight into adversary behavior, motivations, and techniques, helping organizations assess their resilience against targeted threats.

Such testing answers the why, how, and who questions of potential attacks and is used to validate security controls based on threat actor profiles and campaigns.

Why the Other Options Are Incorrect:

A. White box testing: The tester has full knowledge of systems and configurations; it focuses on internal vulnerabilities, not adversary motives.

C. Black box testing: The tester has no prior knowledge of the system; it focuses on external attacks, not on intelligence-driven insights about attackers.

Conclusion:

John is performing Intelligence-Led Security Testing, which combines threat intelligence with security assessment to evaluate real-world risks.

Final Answer: B. Intelligence-led security testing

Explanation Reference (Based on CTIA Study Concepts):

In CTIA, intelligence-led testing integrates threat intelligence with penetration testing to replicate realistic adversary scenarios.

Incorporating a data management requirement in the threat knowledge repository is essential to provide the ability to modify or delete past or irrelevant threat data. Effective data management practices ensure that the repository remains accurate, relevant, and up-to-date by allowing for the adjustment and curation of stored information. This includes removing outdated intelligence, correcting inaccuracies, and updating information as new insights become available. A well-managed repository supports the ongoing relevance and utility of the threat intelligence, aiding in informed decision-making and threat mitigation strategies.

The scenario describes a trust establishment process where one organization bases its trust in another on the degree and quality of evidence that the second organization provides. This concept is known as Validated Trust.

Validated Trust is built through the verification and assessment of presented evidence such as certifications, security audits, compliance documentation, or past performance. The higher the credibility and quality of the evidence, the greater the level of trust established.

This type of trust is evidence-based, meaning it does not rely solely on previous interactions or third-party mediation but on verifiable proof provided directly between the entities involved.

Why the Other Options Are Incorrect:

A. Mandated Trust:This is imposed by regulation, policy, or authority. It is not based on evidence but on obligation or requirement.

B. Direct Historical Trust:This trust is formed from prior experiences and a consistent history of interactions between the entities. It does not depend on new evidence or documentation.

D. Mediated Trust:This form of trust is established through an intermediary (such as a trusted third party or certificate authority) who vouches for the credibility of one organization to another.

Conclusion:

The process where trust is established based on the degree and quality of evidence provided by one party is known as Validated Trust.

Final Answer: C. Validated Trust

Explanation Reference (Based on CTIA Study Concepts):

According to the CTIA study topics under “Information Sharing and Trust Establishment,” validated trust is the level of confidence gained through verification of tangible evidence, certifications, or attestations demonstrating security assurance and reliability.

Advanced Persistent Threats (APTs) are characterized by their 'Multiphased' nature, referring to the various stages or phases the attacker undertakes to breach a network, remain undetected, and achieve their objectives. This characteristic includes numerous attempts to gain entry to the target's network, often starting with reconnaissance, followed by initial compromise, and progressing through stages such as establishment of a backdoor, expansion, data exfiltration, and maintaining persistence. This multiphased approach allows attackers to adapt and pursue their objectives despite potential disruptions or initial failures in their campaign.

The exchange of attack techniques, compromised systems, and immediate defensive actions represents Tactical Threat Intelligence sharing.

Tactical Threat Intelligence focuses on adversary Tactics, Techniques, and Procedures (TTPs) and helps defenders understand and counter ongoing attacks in real time.

Why the Other Options Are Incorrect:

B. Operational: Focuses on broader attack campaigns and contextual analysis.

C. Strategic: Provides high-level, long-term insights for executives.

D. Technical: Concerns low-level indicators like IPs and file hashes, not methodologies or immediate actions.

Conclusion:

The collaboration involves Tactical Threat Intelligence, which centers on sharing actionable TTPs and response techniques.

Final Answer: A. Sharing tactical threat intelligence

Explanation Reference (Based on CTIA Study Concepts):

CTIA defines tactical threat intelligence as intelligence describing attacker behaviors and techniques that can be acted upon immediately by defenders.

In the scenario described, where attackers have penetrated the network and are staging data for exfiltration, Jim should focus on monitoring network traffic for signs of malicious file transfers, implement file integrity monitoring, and scrutinize event logs. This approach is crucial for detecting unusual activity that could indicate data staging, such as large volumes of data being moved to uncommon locations, sudden changes in file integrity, or suspicious entries in event logs. Early detection of these indicators can help in identifying the staging activity before the data is exfiltrated from the network.