Download PrepIQ BSESTRESS BSE Stress Echo Ultimate Exam and more Exams Technology in PDF only on Docsity!
Ultimate Exam
Question 1. Which of the following best defines “threat intelligence” (TI)? A) The process of patching vulnerable systems B) Information that helps understand adversaries, their capabilities, and intent C) A list of all known malware signatures D) A tool for encrypting network traffic Answer: B Explanation: Threat intelligence is collected, processed, and analyzed information that provides insight into adversaries, their motives, capabilities, and potential targets, enabling proactive defense. Question 2. In the context of TI, what is the primary difference between a “vulnerability” and a “risk”? A) Vulnerability is a weakness; risk is the probability and impact of exploitation B) Vulnerability is a type of malware; risk is a firewall rule C) Vulnerability is a legal term; risk is a technical term D) Vulnerability and risk are interchangeable terms Answer: A Explanation: A vulnerability is a flaw in a system, while risk quantifies the likelihood and consequence of that flaw being exploited. Question 3. Which intelligence level is most concerned with strategic decision-making by senior leadership? A) Tactical B) Operational C) Strategic
Ultimate Exam
D) Technical Answer: C Explanation: Strategic intelligence informs long-term policy, budget, and resource allocation decisions made by senior executives. Question 4. A nation-state actor is most likely to pursue which primary motivation? A) Personal fame B) Financial gain through ransomware C) Political influence or espionage D) Random mischief Answer: C Explanation: Nation-state actors typically aim to advance political objectives, gather intelligence, or disrupt adversaries for strategic advantage. Question 5. Which of the following best describes a “script kiddie”? A) An insider with privileged access B) A well-funded cybercriminal group C) An inexperienced individual using pre-written tools D) A government-sponsored hacker unit Answer: C Explanation: Script kiddies lack deep technical skill and rely on existing exploit kits or scripts created by others. Question 6. In the intelligence cycle, which stage directly follows “Collection”? A) Dissemination
Ultimate Exam
Question 9. In MITRE ATT&CK, “T1059” corresponds to which tactic? A) Credential Access B) Lateral Movement C) Execution D) Persistence Answer: C Explanation: T1059 denotes “Command-Line Interface,” a technique under the Execution tactic. Question 10. Which method is most appropriate for prioritizing intelligence requirements using MoSCoW? A) Ranking by alphabetical order B) Categorizing as Must, Should, Could, Won’t have C) Scoring on a 1-10 scale D) Random selection Answer: B Explanation: MoSCoW categorizes requirements into Must have, Should have, Could have, and Won’t have to clarify priorities. Question 11. A “Terms of Reference” (ToR) document primarily defines: A) The budget for a TI project B) The technical tools to be used C) The scope, objectives, and deliverables of the intelligence effort D) The legal jurisdiction of the analysts Answer: C Explanation: The ToR outlines what the intelligence project will cover, its goals, and expected outputs.
Ultimate Exam
Question 12. Which quality criterion assesses whether intelligence was delivered in time to influence decision-making? A) Accuracy B) Timeliness C) Completeness D) Relevance Answer: B Explanation: Timeliness measures if the intelligence arrived early enough to be actionable. Question 13. An “intelligence gap” refers to: A) A missing piece of hardware in a network B) A period when no threats are observed C) A lack of needed information that hampers analysis D) A firewall rule that blocks data flow Answer: C Explanation: Gaps are deficiencies in knowledge that prevent a full understanding of a threat or situation. Question 14. Which of the following is a primary source of OSINT? A) Encrypted traffic captures B) Social media posts C) Internal log files D) Malware binaries Answer: B
Ultimate Exam
Answer: B Explanation: A collection plan defines what information is needed, where to get it, and by when. Question 18. Which Boolean operator narrows a search to results containing both terms? A) OR B) NOT C) AND D) XOR Answer: C Explanation: “AND” requires both terms to appear in the returned documents, refining the search. Question 19. In the UK 5x5x5 source reliability model, a source graded “A” indicates: A) Unreliable, unverified information B) Highly reliable, trustworthy source C) Information likely fabricated D) Neutral, unknown reliability Answer: B Explanation: Grade “A” denotes a source that is completely reliable and trustworthy. Question 20. OPSEC risk during collection is heightened when: A) Using a corporate VPN that logs activity B) Encrypting all communications C. Conducting searches from a personal device on a public Wi-Fi network
Ultimate Exam
D. Storing data in an offline archive Answer: A Explanation: Corporate VPN logs can expose collection activities, increasing attribution risk. Question 21. Which tool is commonly used to achieve anonymity when conducting open-source research? A. Wireshark B. Tor Browser C. PowerShell D. Snort Answer: B Explanation: Tor routes traffic through multiple relays, masking the researcher’s IP address. Question 22. If an OPSEC breach occurs, the first immediate action should be: A. Publish a public apology B. Shut down all collection activities until the breach is assessed C. Increase the budget for new tools D. Conduct a phishing test on the team Answer: B Explanation: Stopping collection prevents further exposure while the breach is investigated. Question 23. Which of the following is a fact, not an assumption? A. “The attacker probably used a phishing email.” B. “The server’s IP address is 192.168.1.10.”
Ultimate Exam
B. Displaying frequency distribution of a single variable C. Mapping geographic locations of attacks D. Plotting a time-series trend Answer: B Explanation: Histograms illustrate how often values fall within specific ranges, revealing distribution patterns. Question 27. “Pattern of Life” (PoL) analysis is used to: A. Identify the software version of an exploit B. Determine normal behavior of a target to spot anomalies C. Encrypt communications between analysts D. Generate random passwords Answer: B Explanation: PoL establishes baseline activities, making deviations easier to detect. Question 28. Which term from the “Words of Estimative Probability” indicates a high level of certainty? A. “Possible” B. “Likely” C. “Almost certain” D. “Unlikely” Answer: C Explanation: “Almost certain” conveys a probability near 100%, indicating strong confidence. Question 29. STIX is primarily used for:
Ultimate Exam
A. Encrypting threat data in transit B. Structuring threat information in a machine-readable format C. Scanning networks for open ports D. Managing user identities Answer: B Explanation: STIX defines a standardized schema for sharing cyber threat intelligence programmatically. Question 30. TAXII facilitates: A. Real-time video conferencing between analysts B. Automated exchange of STIX data over HTTP/S C. Generation of cryptographic hashes for files D. Password management for SOC staff Answer: B Explanation: TAXII (Trusted Automated eXchange of Indicator Information) transports STIX content between systems. Question 31. Which limitation is associated with automated threat sharing platforms? A. They guarantee zero false positives B. They cannot convey nuanced context or intent C. They replace the need for human analysts entirely D. They are immune to data corruption Answer: B Explanation: Automated formats often lack narrative context, making interpretation harder without human input.
Ultimate Exam
Question 35. “Need to Know” versus “Need to Share” primarily addresses: A. Hardware procurement processes B. Balancing confidentiality with collaborative intelligence exchange C. Software licensing agreements D. Physical office layout design Answer: B Explanation: It determines when information should be restricted to essential personnel versus when broader sharing is advantageous. Question 36. The Computer Misuse Act 1990 in the UK criminalises: A. Unauthorized access to computer material B. Use of open-source software C. Sharing of public domain data D. Installation of antivirus software Answer: A Explanation: The Act makes illegal the unauthorised access, modification, or impairment of computer systems. Question 37. GDPR’s principle of “data minimisation” requires: A. Collecting as much personal data as possible B. Retaining data indefinitely for forensic purposes C. Limiting collection to what is necessary for the intended purpose D. Sharing all data with third-party vendors Answer: C Explanation: Data minimisation obliges organisations to gather only the data needed for a specific purpose.
Ultimate Exam
Question 38. The Regulation of Investigatory Powers Act (RIPA) primarily governs: A. Export of cryptographic hardware B. Lawful interception and surveillance by public authorities C. Corporate tax filings D. Employee vacation policies Answer: B Explanation: RIPA provides the legal framework for covert investigations and communications interception. Question 39. Which classification level in the UK Government Security Classifications is the highest? A. Official B. Secret C. Top Secret D. Public Answer: C Explanation: “Top Secret” protects information whose unauthorised disclosure would cause exceptionally grave damage. Question 40. The CREST Code of Ethics requires analysts to: A. Disclose all sources publicly B. Maintain integrity, confidentiality, and professional competence C. Share all findings on social media instantly D. Avoid any form of documentation Answer: B
Ultimate Exam
D. Initial Access Answer: D Explanation: Using stolen or legitimate credentials is an Initial Access technique. Question 44. The “Reconnaissance” phase of the Kill Chain typically involves: A. Deploying ransomware on a target system B. Gathering information about the target’s network, personnel, and technologies C. Executing a data exfiltration script D. Installing a rootkit on the victim machine Answer: B Explanation: Reconnaissance is the information-gathering stage before any direct attack. Question 45. Which of the following best illustrates “anchoring bias” in threat analysis? A. Over-relying on the first piece of information when forming an assessment B. Assuming all attackers follow the same TTPs C. Ignoring evidence that contradicts a hypothesis D. Believing that a threat is more likely because it was recently publicised Answer: A Explanation: Anchoring bias occurs when initial data unduly influences subsequent judgments. Question 46. A Boolean search string for finding recent ransomware incidents in the UK could be:
Ultimate Exam
A. “ransomware AND UK AND 2024” B. “ransomware OR UK OR 2024” C. “ransomware NOT UK” D. “ransomware * UK * 2024” Answer: A Explanation: Using AND forces all three terms to appear, narrowing results to relevant recent incidents. Question 47. Which source reliability grade indicates “unreliable, unverified” according to the Admiralty Code? A. A B. B C. D D. E Answer: D Explanation: Grade “E” denotes unreliable sources; the numeric suffix reflects the confidence in the information. Question 48. In a collection plan, “frequency of collection” refers to: A. How many analysts are assigned to a task B. How often data should be gathered (e.g., hourly, daily) C. The budget allocated for tools D. The number of pages in the final report Answer: B Explanation: Frequency determines the collection cadence to maintain up-to-date intelligence.
Ultimate Exam
Question 52. CybOX is primarily used for: A. Defining observable cyber-security events in a structured format B. Encrypting email communications C. Managing user permissions in Active Directory D. Scheduling automated backups Answer: A Explanation: CybOX (Cyber Observable eXpression) captures details of cyber-observables (files, processes, network traffic) in a machine-readable way. Question 53. Which of the following best describes a “strategic report” in TI dissemination? A. A one-page summary of daily alerts B. A detailed analysis of long-term threat trends and policy implications C. A list of IP addresses blocked yesterday D. A technical manual for firewall configuration Answer: B Explanation: Strategic reports synthesize intelligence to guide high-level decision-making. Question 54. Under the Traffic Light Protocol, which color would you assign to intelligence that is only for internal use within a specific organization? A. TLP:RED B. TLP:AMBER C. TLP:GREEN D. TLP:CLEAR
Ultimate Exam
Answer: B Explanation: TLP:AMBER restricts sharing to the organization and trusted partners on a need-to-know basis. Question 55. The Data Protection Act 2018 aligns with which broader regulation? A. HIPAA B. PCI-DSS C. GDPR D. SOX Answer: C Explanation: The Act implements the EU General Data Protection Regulation (GDPR) into UK law. Question 56. Which of the following is a “technical indicator” commonly shared via STIX? A. A narrative describing attacker motives B. An IP address of a known C2 server C. A policy recommendation for password length D. A legal disclaimer Answer: B Explanation: STIX indicators include technical data such as IPs, hashes, or domain names. Question 57. In the intelligence cycle, “Production” most closely refers to: A. Writing the final intelligence product (report, alert) B. Collecting raw data from sensors C. Conducting a penetration test
