
Free GCTI Practice Questions

10 free, exam-style GIAC Cyber Threat Intelligence (GCTI) practice questions with answers and explanations. No signup required. Work through them below, then take the full free GCTI practice test to study every exam domain.

Question 1

A threat feed providing 10,000 malicious IP addresses per day without context, confidence scores, or analytical commentary is BEST described as providing:

  A. Data or information, not intelligence
  B. Raw threat intelligence
  C. Tactical threat intelligence
  D. Operational threat intelligence

Correct answer: A - Data or information, not intelligence

Question 2

An analyst receives an alert about a suspicious email with a malicious attachment. Using the integrated framework approach (Kill Chain + Diamond Model + COA Matrix), they should:

  A. Map to Reconnaissance phase and create IOC signatures
  B. Map to Weaponization phase and update threat intelligence feeds
  C. Map to Delivery phase and identify Diamond Model elements
  D. Map to Installation phase and implement network segmentation controls

Correct answer: C - Map to Delivery phase and identify Diamond Model elements

Question 3

An ACH matrix shows that Evidence Item 3 is marked 'Consistent' with all five hypotheses. What is the diagnostic value of this evidence?

  A. Very high - it strongly supports the primary hypothesis
  B. No diagnostic value - it doesn't differentiate between hypotheses
  C. Moderate - it provides partial confirmation of key hypotheses
  D. Low - it offers minimal analytical insight for decision-making

Correct answer: B - No diagnostic value - it doesn't differentiate between hypotheses

Question 4

An analyst believes an intrusion was conducted by APT28. When reviewing evidence, the analyst highlights every indicator consistent with APT28 while dismissing evidence pointing to other groups as 'likely coincidental.' This is an example of:

  A. Structured analytical technique
  B. Attribution anchoring bias
  C. Availability heuristic bias
  D. Confirmation bias

Correct answer: D - Confirmation bias

Question 5

The Olympic Destroyer malware (targeting the 2018 Winter Olympics) contained code fragments and artifacts deliberately designed to resemble malware from multiple different threat groups. This is an example of:

  A. A false flag operation to confuse attribution
  B. Coincidental code similarity between groups
  C. Shared tooling and resources between groups
  D. Poor operational security practices

Correct answer: A - A false flag operation to confuse attribution

Question 6

An analyst attributes an intrusion based solely on the use of X-Agent malware (historically associated with APT28). The PRIMARY weakness of this attribution is:

  A. This is a strong attribution
  B. Malware-based attribution is always accurate
  C. X-Agent is not associated with APT28
  D. Single-indicator attribution is unreliable

Correct answer: D - Single-indicator attribution is unreliable

Question 7

An analyst examining a memory image wants to identify potential code injection in running processes. The MOST appropriate Volatility plugin is:

  A. pslist
  B. netscan
  C. malfind
  D. dlllist

Correct answer: C - malfind

Question 8

An analyst runs the Volatility 'cmdline' plugin on a memory image and sees: powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBj... The '-enc' flag followed by a long Base64 string indicates:

  A. A legitimate PowerShell script execution for system administration tasks
  B. An encoded PowerShell command used to obfuscate malicious commands
  C. A corrupted memory image artifact causing Base64 encoding errors
  D. A standard PowerShell configuration parameter for remote execution

Correct answer: B - An encoded PowerShell command used to obfuscate malicious commands

Question 9

A pivot chain reveals that three adversary domains share the same hosting provider. This hosting provider serves millions of customers. The analyst should:

  A. Recognize that the shared hosting provider is NOT diagnostically significant alone
  B. Document this as moderate evidence requiring additional correlation with other indicators
  C. Prioritize investigation of other domains hosted by the same provider for potential threats
  D. Report the hosting provider as a potential threat actor infrastructure enabler

Correct answer: A - Recognize that the shared hosting provider is NOT diagnostically significant alone

Question 10

A YARA rule with the condition uint16(0) == 0x5A4D and ($string1 or $hex1) and filesize < 1MB will match files that:

  A. Are not PE files
  B. Contain no strings
  C. Are larger than 1MB
  D. Are PE files under 1MB with patterns

Correct answer: D - Are PE files under 1MB with patterns
