Exam (elaborations)


Rating: -
Sold: -
Pages: 30
Grade: A+
Uploaded on: 11-04-2026
Written in: 2025/2026

SANS FOR578 GIAC GCTI Certification Exam Prep LATEST EXAM QUESTIONS AND VERIFIED ANSWERS GRADED A+ ASSURED SUCCESS fully solved & updated 2026(latest version verified for accuracy) 2026 Latest!! LATEST VERSIONS 230 QUESTIONS AND CORRECT VERIFIED ANSWERS WITH RATIONALES (100% CORRECT) A+ GRADED ASSURED

Institution: SANS FOR578 GIAC GCTI Certification
Course: SANS FOR578 GIAC GCTI Certification

Preview of the content

SANS FOR578 GIAC GCTI Certification Exam Prep
LATEST EXAM QUESTIONS AND VERIFIED
ANSWERS GRADED A+ ASSURED SUCCESS fully
solved & updated 2026(latest version verified for
accuracy) 2026 Latest!! LATEST VERSIONS 230
QUESTIONS AND CORRECT VERIFIED
ANSWERS WITH RATIONALES (100%
CORRECT) A+ GRADED ASSURED


"Panama Paper-themed phishing emails will be used by opportunistic threats" is an example of
which type of hypothesis? - CORRECT ANSWER: Intelligence-driven hypothesis


A company is setting priorities for security spending. Which source will provide them the most
effective guidance in understanding their threats and where to spend their money?



Internally-identified key indicators

Analysis of Competing Hypotheses

Open source intelligence from malware analysis

Third party YARA rules

Feedback

Security product reviews - CORRECT ANSWER: Internally-identified key indicators


A company with limited budget and programming skills is looking for a threat feed, which would
be most suitable? - CORRECT ANSWER: AlienVault OTX - open source so keeps cost low and
can work with a number of tools such as Splunk.

A CTI analyst comes to an early conclusion based on a single piece of evidence and rejects any
evidence that does not support the initial hypothesis, what cognitive bias is this? - CORRECT
ANSWER: Confirmation bias



A CTI analyst is pivoting using IoC 151.113.255.250. What does this mean? - CORRECT
ANSWER: The analyst is looking for meaningful data that is linked to the IoC



A government agency has reported a system on your network is communicating with a C2 IP.
What should your first course of action be? - CORRECT ANSWER: Validate the claim -
determine whether your tools have discovered this indicator before (e.g. NetFlow, packet
captures)


A SOC intends to ingest a large number of IOCs through threat feeds, what should they be aware
of? - CORRECT ANSWER: IOCs require tailoring to avoid false positives


A team received information from their ISAC about the TTPs of a particular threat reported by a
few others in their industry. The team soon tracked several intrusion attempts matching the
warning, and over time they noticed a cluster of these attempts had infrastructure that used a
unique C2 encoding. How could the team use this information?



Create a Persona
Create an Attribution
Define an Activity Group

Identify a Campaign - CORRECT ANSWER: Define an Activity Group



A team wants to analyze their incidents to find areas where they are having difficulty uncovering
intelligence, what would provide the best answer? - CORRECT ANSWER: Count of diamond
vertices with incident information collected mapped against kill chain phases



A whistleblower leaking documents relates to what type of intelligence? - CORRECT ANSWER:
HUMINT

An adversary is targeting an organization using malicious email attachments for delivery. The
intelligence team decides to degrade the adversary's ability to deliver malware. Which of the
following CoAs aligns with their decision?



Deny all email from the adversary's known infrastructure

Use email filter to strip attachments from inbound email

Reroute all email identified as suspicious to permanent quarantine

Use email filter to quarantine inbound email with attachments - CORRECT ANSWER: Use
email filter to strip attachments from inbound email Reroute


An analyst is preparing data for collaboration with a NATO subcontractor in Europe that prefers
the use of the sharing platform that has heavy usage in Europe. What sharing platform will they
most likely be using? - CORRECT ANSWER: MISP



An analyst is reviewing 2 suspicious domains registered to the same email, what analysis is this?
- CORRECT ANSWER: Link analysis



An analyst is tasked with configuring a TAXII implementation where data can be pulled from
and pushed to a central location. But it is important for submitted data to be validated before it is
pushed back out from the central location. Which TAXII implementation should be used?



Hub and Spoke

Source and Subscriber

Peer to Peer - CORRECT ANSWER: Hub and Spoke


An analyst is tasked with querying internet space that does not get indexed by Google, what
OSINT tool can he use for the job? - CORRECT ANSWER: Recorded Future

Seller: Tutordiligent, Chamberlain College Of Nursing
Tutordiligent is a Medical Professional with a Bachelor of Medicine and Bachelor of Surgery (MBBS) from Chamberlain College of Nursing of Health Sciences. His academic journey included internships in Radiology, Cardiology, and Neurosurgery. His contributions to medical research extend to two publications in medical journals, solidifying his position as a promising addition to the field.