What is anchoring?
Overvaluing one piece of information so that the analyst fails to
seek new information or to weigh competing information
What is confirmation bias?
Including or rejecting evidence based on its alignment to a
preferred hypothesis
How can you avoid confirmation bias?
Fairly considering all hypotheses regardless of their implications
What is congruence bias?
The failure to present and test alternative competing hypotheses,
instead finding different ways to present data that test an
existing hypothesis
What is hindsight bias?
The tendency to see an unpredictable event as an obvious result
of a set of conditions or parameters
What is illusory correlation?
The perception of a relationship where none exists
What is cum hoc ergo propter hoc?
Correlation is not causation - inexperienced analysts often
confuse correlation of 2 events with a causal relationship.
What is temporal data analysis?
Viewing datasets along a timeline to reveal patterns in the data
What might be included in a style guide?
Team Structure
Accepted Lexicon
Words, actions, phrases not to do/say
Sample structured analytical techniques
Sample intel requirements
Key processes
Name some do's when it comes to naming campaigns.
Do Use names inspired by incidents
Do Obscure name inspiration
Do Use humour
Name some don'ts when it comes to naming campaigns.
Don't name a campaign after a tool/TTP
Don't use enumerated names
Don't use an attribution scheme
Don't name a campaign after an incident
Why might naming a campaign after a national animal be an
issue?
If you are wrong on your attribution you will find it difficult to
change names
What is a Rosetta stone in terms of APT groups?
A document which allows you to track a group and the various
names they have been given by different vendors.
Give a downside to external reports.
They may be incorrect
Why might external reports be useful?
They can fill in gaps in your analysis
Why should you avoid using the same APT names as vendors?
You can lose control of the narrative
What 3 classifications should you give to clusters?
Active - last seen in last 6 months
Inactive - no linked intrusion for more than 6 months
Dormant - no linked intrusion in a year
An analyst is reviewing 2 suspicious domains registered to the
same email, what analysis is this?
Link analysis
A CTI analyst comes to an early conclusion based on a single
piece of evidence and rejects any evidence that does not support
the initial hypothesis, what cognitive bias is this?
Confirmation bias
When prioritizing hypotheses, Heuer recommends starting out
with what step?
Look for pieces of evidence that reduce the likelihood of certain
hypotheses.
What do crits, Threat_NOTE, and MISP have in common?
Allow you to store threat intelligence and information
Give 2 main features of MISP
Open source and high emphasis on automation
When refining the matrix of evidence to hypotheses,
non-diagnostic evidence is removed and overlooked hypotheses are
added, what additional action is performed during this step?
The excluded evidence is documented
How can new insights be revealed in data analysis?
Through new techniques, models, and correlations between data
sets