Chapter 83 · Quiz

Threat Intelligence — Quiz

10-question assessment covering OSINT sources, OSINT validation requirements, proprietary intelligence advantages, the CTA model, dark web access, dark web monitoring purposes, and intelligence source matching.

Question 1 of 6
A security analyst is building a threat profile of a suspected nation-state threat actor group. She reviews public congressional hearing transcripts, downloads reports from a national cybersecurity agency's website, and scans security researcher blogs for published analysis of the group's campaigns. All sources are freely accessible without payment or authorization. Which category of intelligence is she using?
Question 2 of 6
A financial services firm's security team subscribes to a threat intelligence service. The service notifies them on a Thursday that a ransomware campaign has been spreading through the banking sector since Tuesday — before any of the firm's systems were affected — and provides specific indicators of compromise, affected infrastructure, and detection rules. No government advisory has yet been published and no public forum post exists about the campaign. What capability of the threat intelligence service made this advance warning possible?
Question 3 of 6
An organization joins the Cyber Threat Alliance. After joining, they submit intelligence about a phishing campaign that targeted them. Another member questions the reliability of the submission. What process does the CTA use to address reliability concerns and ensure distributed intelligence is trustworthy?
Question 4 of 6
A security researcher wants to access a dark web forum used by a criminal hacking group to monitor for mentions of client organizations. She opens her standard web browser and types the forum's address. The page does not load. What is the most likely reason, and what does she actually need?
Question 5 of 6
A security analyst finds a post on a public security forum claiming that a specific IP address block is being used by a threat actor group targeting financial institutions. The post is detailed and includes what appear to be technical indicators. Before taking any blocking action, what is the correct next step, and why?
Question 6 of 6
A security operations team is deciding which threat intelligence sources to monitor for their organization's specific situation. They have been targeted by a financially motivated criminal group that is known to post proof-of-compromise screenshots on underground forums and list stolen credentials for sale before using them for further access. Which intelligence source most directly addresses the need for early warning about this specific threat behavior?

Matching

ndash;10. Match each threat intelligence scenario to the source type it best represents.

1. A security researcher uses national cybersecurity agency advisories, public congressional hearing transcripts, and security researcher blogs to build a profile of a threat actor group — all without paying for any service or accessing any restricted system.
2. A company subscribes to a service that aggregates threat data from thousands of global sensors, honeypots, and incident response engagements. When a new attack campaign targets one subscriber, the service analyzes it and automatically pushes indicators and blocking rules to all other subscribers within hours — before the campaign reaches them.
3. After responding to a zero-day exploit, a cybersecurity firm submits structured, standardized threat data to an industry collaboration group. The group validates the submission, scores it as Critical severity, and makes it available to all member organizations to integrate into their defenses within 24 hours of the original attack.
4. A monitoring service alerts a healthcare organization that 340 employee email addresses and passwords matching the organization's domain have appeared in a credential listing on an underground marketplace accessible only through specialized anonymizing software — and that the same marketplace includes a forum post referencing the organization's name as a planned target.
A. OSINT
B. Proprietary / commercial intelligence
C. Cyber Threat Alliance (CTA)
D. Dark web intelligence