Exam (elaborations)

SANS FOR578 | GIAC GCTI EXAM | QUESTIONS WITH VERIFIED ACCURATE ANSWERS | LATEST UPDATED

Pages
20
Grade
A+
Uploaded on
19-02-2026
Written in
2025/2026

Institution
SANS FOR578
Course
SANS FOR578

Content preview
What is counterintelligence? - Answers -The identification, assessment, and
neutralisation of adversary intelligence activities.

Which type of memory is the most critical in intel analysis and why? - Answers -
Working memory, as it processes inputs and determines whether to store them in long-
or short-term memory

What is template matching? - Answers -Theory that every object is processed by the
brain and stored as a template in long-term memory

Compare system 1 and 2 thinking - Answers -System 1 - intuitive, fast, effective

System 2 - analytical, slow, methodical

Which system of thinking requires mental models? - Answers -System 1

What is an activity group? - Answers -A clustering of intrusions which cover 2 or more
phases in the diamond model

What is a key indicator? - Answers -An indicator that remains constant across multiple
intrusions, uniquely distinguishes a campaign from other campaigns, and aligns to a
single category of adversary action.

What is a Collection Management Framework (CMF)? - Answers -A CMF is the plan for
how you collect data, where you collect it, and what type of data you collect.

What 3 aspects make up a threat? - Answers -Intent, Capability, Opportunity

Which level of effort is required to change a domain name according to the pyramid of
pain? - Answers -Simple

What is the importance of understanding intelligence collection on a technical level? -
Answers -Ensures analyst understands limitations of their data sources

What is counter intelligence? - Answers -The identification, assessment, neutralisation,
and exploitation of adversarial entities.

Understanding your organization's vulnerabilities using models and config analysis is
what type of threat detection? - Answers -Environmental

Which TLP level allows intel to be shared online? - Answers -TLP: White

On the sliding scale of cyber security, what category do analysts respond to and learn
from adversaries on their network? - Answers -Active Defence

Before satisfying an intel requirement, what must an analyst do to determine if it is
achievable? - Answers -Determine whether they have enough data to satisfy the
requirement. A Collection Management Framework (CMF) defines how you collect data.

What TLP level allows you to share intel within your community? - Answers -TLP:Green

IOCs are used to improve signatures of an organization's NIDS; what category on the
sliding scale of security does this fall under? - Answers -Passive Defence

How can intel teams prevent bias? - Answers -Use of Structured Analytic Techniques
(SATs)
Inclusion of diversity

Questioning the ROI and reduction of risk of security intel functions within an
organization is an example of what category of intelligence? - Answers -Strategic

What is synthesis in the CTI field? - Answers -Combination of various event data sources,
historical information, and digital forensics to form a theory or system

What is a priority intelligence requirement (PIR)? - Answers -Intelligence requirements
that are seen as critical to mission success.

Which non-linear approach to modelling was meant to eliminate stovepiping that occurs
in intel work? - Answers -Target-centric intelligence

What is bouncing malware? - Answers -User is passed between multiple sites and
numerous exploits used in convoluted combinations

Give 2 common examples of protocols used as delivery methods for malware -
Answers -SMTP
HTTP

Which part of the CoA matrix involves hacking back? - Answers -Destroy

What are the 3 stages of the indicator lifecycle? - Answers -Revealed
Mature
Utilized

When completing the kill chain, should the investigators go backwards or forwards? -
Answers -Investigators should always proceed from the point detection takes place to
the end of the kill chain to ensure the threat has been dealt with, then they can work
backwards after that.

What is temporal triangulation? - Answers -Looking for files that might have different
types of timestamps with the same value

What is temporal clustering? - Answers -Looking for clusters of EXE or DLL files being
created

Malware often maps to which part of the diamond model? - Answers -Capability

Name 3 common locations for human fingerprints in malware - Answers -Header
metadata
Code reuse
Config data

Name 4 places to get malware samples - Answers -First party data
Partners
Sharing groups
Commercial data sets - VirusTotal

Why might it be a bad thing to upload to VirusTotal? - Answers -Adversaries will find
out that their malware has been detected

What is DC3? - Answers -A framework for creating modules to parse malware config
data

Name 3 classes of C2 domains - Answers -Adversary registered (e.g. GoDaddy)
Dynamic DNS domains
Legitimate but compromised

What's the downside of an adversary-registered domain for an adversary? - Answers -
Potentially requires personal information of the attacker to sign up
May lead to a money trail

What is an ASN lookup? - Answers -Autonomous System Number (ASN) lookups
determine organizational ownership of IP addresses and can reveal the relationship
between 2 addresses.

Which high value/high cost security monitoring source allows you to reproduce actions
of an adversary on your network? - Answers -Full packet capture

Which part of a URL is variable? - Answers -The query portion

Which 2 categories can an adversary be broken into? - Answers -Adversary Operator - the
individual executing the action directly
