
GCTI Practice Questions: Intrusion & Campaign Analysis Domain

Test your GCTI knowledge with 10 practice questions from the Intrusion & Campaign Analysis domain. Includes detailed explanations and answers.


Master the Intrusion & Campaign Analysis Domain

Test your knowledge in the Intrusion & Campaign Analysis domain with these 10 practice questions. Each question is designed to help you prepare for the GCTI certification exam with detailed explanations to reinforce your learning.

Question 1

A security operations center (SOC) receives alerts about unusual outbound traffic from several endpoints. Upon investigation, the traffic is traced back to a newly discovered malware variant. Which approach would best help the SOC determine if this malware is part of a larger campaign?

A) Malware behavior analysis

B) Threat feed analysis

C) DNS/WHOIS lookup

D) Intelligence product reporting


Correct Answer: A

Explanation: Malware behavior analysis involves examining the actions and patterns of the malware to identify similarities with known campaigns. By understanding the behavior of the new malware variant, the SOC can determine if it fits the profile of a larger campaign. Threat feed analysis provides information on known threats, DNS/WHOIS lookup identifies domain information, and intelligence product reporting focuses on communicating findings.

Question 2

A threat intelligence analyst is tasked with assessing the risk of a new ransomware variant discovered in the wild. The ransomware uses a unique encryption method and a new C2 protocol. To understand the potential impact and reach of this ransomware, which of the following should the analyst prioritize?

A) Reverse engineering the ransomware to extract the encryption keys

B) Mapping the ransomware's techniques to the MITRE ATT&CK framework

C) Cross-referencing the C2 protocol with known threat actor profiles

D) Identifying the initial infection vector used in the campaign


Correct Answer: D

Explanation: Identifying the initial infection vector used in the campaign (D) is crucial to understanding how the ransomware spreads and which systems are at risk, which directly affects the potential impact and reach. Reverse engineering (A) is important for mitigation but not for assessing spread. Mapping to MITRE ATT&CK (B) helps understand techniques but not impact. Cross-referencing the C2 protocol (C) can help attribute the campaign but not assess immediate risk.

Question 3

While analyzing a cyber espionage campaign, an analyst finds that the attackers frequently change their command and control (C2) infrastructure. What is the best approach to maintain visibility on the evolving C2 infrastructure?

A) Use DNS sinkholing to capture C2 domain requests.

B) Implement network intrusion detection systems (NIDS).

C) Monitor threat actor chatter on underground forums.

D) Leverage passive DNS data to track domain changes.


Correct Answer: D

Explanation: Leveraging passive DNS data allows analysts to track changes in domain resolution over time, maintaining visibility on evolving C2 infrastructure. DNS sinkholing (A) captures domain requests but requires control over DNS queries. NIDS (B) can detect known C2 traffic but not evolving infrastructure. Monitoring underground forums (C) provides intelligence but is indirect for tracking C2 changes.

Question 4

During a routine threat intelligence analysis, you come across a series of suspicious DNS queries originating from a compromised server in your network. The queries are directed towards a known command-and-control (C2) domain associated with the APT29 threat actor group. Which step should you prioritize to effectively analyze and correlate this activity with a potential ongoing campaign?

A) Immediately block the DNS queries to prevent further communication.

B) Look for additional indicators of compromise (IOCs) related to APT29 in your network logs.

C) Pivot on the C2 domain to identify other infrastructure potentially linked to APT29.

D) Notify the affected users and advise them to change their passwords.


Correct Answer: C

Explanation: Pivoting on the C2 domain is crucial for identifying other infrastructure that may be linked to APT29. This can help you understand the breadth of the campaign and potentially discover other compromised assets. While blocking the DNS queries (A) and searching for IOCs (B) are important actions, they come after understanding the full scope of the attack. Notifying users (D) is not directly relevant to understanding the campaign's infrastructure.

Question 5

During an analysis of a recent data breach, you discover that the attackers used a sophisticated spear-phishing email to gain initial access. The email contained a link to a fake login page designed to capture credentials. Which technique would help you determine if the infrastructure hosting the fake login page is part of a broader campaign?

A) Use WHOIS lookup to identify the domain registrant details.

B) Perform a reverse DNS lookup to find other domains hosted on the same server.

C) Check the SSL certificate of the fake login page for common attributes with other phishing sites.

D) Analyze the HTML source code of the fake login page for unique identifiers.


Correct Answer: B

Explanation: Performing a reverse DNS lookup can reveal other domains hosted on the same server, which may be part of a broader phishing campaign. This technique helps identify other potential targets or malicious sites linked to the same threat actor. While WHOIS lookup (A) and SSL certificate analysis (C) can provide useful information, they may not directly indicate a broader campaign. Analyzing HTML source code (D) is more useful for identifying specific techniques used in the phishing page itself.

Question 6

An organization is experiencing repeated intrusions that seem to target the same set of internal systems. The security team wants to determine if these attacks are part of a coordinated effort by a specific threat actor. Which analysis technique should the team prioritize?

A) Campaign linkage

B) TTP mapping

C) Source validation

D) OSINT collection


Correct Answer: A

Explanation: Campaign linkage involves connecting multiple intrusion events to determine if they are part of a coordinated effort by a specific threat actor. This technique helps the team identify patterns and relationships between the attacks. TTP mapping focuses on specific tactics and techniques, source validation ensures information reliability, and OSINT collection gathers publicly available information.

Question 7

A CTI analyst is examining a series of phishing attacks that use lookalike domains to impersonate a popular online service. To prevent future attacks, the analyst needs to identify potential lookalike domains that could be registered by the threat actor. Which method would be most effective for this task?

A) Use a domain generation algorithm (DGA) to predict future domain names.

B) Employ a tool that performs typosquatting analysis on the legitimate domain.

C) Set up alerts for new domain registrations containing the brand name.

D) Conduct a manual search for similar domains using search engines.


Correct Answer: B

Explanation: Using a tool that performs typosquatting analysis on the legitimate domain is the most effective method for identifying potential lookalike domains. This approach systematically checks for common typographical errors and variations that could be registered by attackers. DGAs (A) are not applicable for lookalike domains, alerts for new registrations (C) may not catch all variations, and manual searches (D) are inefficient.

Question 8

During a campaign analysis, a CTI analyst identifies a set of Indicators of Compromise (IOCs) that include IP addresses, domain names, and file hashes. To enhance the context of these IOCs, the analyst decides to use data enrichment techniques. Which of the following approaches would best help in understanding the threat landscape related to these IOCs?

A) Cross-reference the IOCs with threat intelligence feeds for additional context.

B) Use a malware sandbox to execute the files and observe behavior.

C) Perform a manual search for the IOCs on social media platforms.

D) Check the IOCs against internal logs to see if they have been seen before.


Correct Answer: A

Explanation: Cross-referencing the IOCs with threat intelligence feeds provides additional context by correlating them with known threat actors, campaigns, or attack patterns. This approach helps in understanding the broader threat landscape. While using a malware sandbox (B) can provide behavioral insights, it doesn't enrich the context of IPs or domains. Manual searches on social media (C) are unlikely to yield relevant intelligence, and checking internal logs (D) only shows past occurrences within the organization, not external context.

Question 9

An organization has been targeted by a threat actor known for using spear phishing and custom malware. The security team has collected several indicators of compromise (IOCs) including IP addresses, domain names, and file hashes. Which method would be most effective in determining if these IOCs are part of a larger coordinated campaign?

A) Cross-referencing the IOCs against threat intelligence feeds to check for known associations.

B) Using a link analysis tool to visualize and identify relationships between the IOCs.

C) Performing a reverse DNS lookup on the IP addresses to find related domains.

D) Submitting the file hashes to a malware analysis platform for behavioral analysis.


Correct Answer: B

Explanation: Using a link analysis tool to visualize and identify relationships between the IOCs is the most effective method to determine if they are part of a larger coordinated campaign. This approach allows analysts to see connections and patterns that might not be immediately obvious. Cross-referencing threat intelligence feeds (A) can provide context but may not reveal new relationships. Reverse DNS lookups (C) and malware analysis (D) are useful for gathering specific details but do not focus on the broader campaign context.

Question 10

A CTI analyst is tasked with profiling a new threat actor group that has been targeting financial institutions with spear-phishing campaigns. The group uses a specific set of IP addresses and domains that change frequently. Which technique should the analyst use to effectively track the infrastructure used by this threat actor?

A) Use WHOIS history to track domain ownership changes.

B) Leverage passive DNS data to monitor domain resolutions over time.

C) Employ geolocation tools to identify the physical location of IP addresses.

D) Analyze SSL certificate fingerprints to find related domains and IPs.


Correct Answer: B

Explanation: Leveraging passive DNS data allows the analyst to monitor domain resolutions over time, providing insights into how the threat actor's infrastructure changes. This is particularly useful for tracking frequently changing IP addresses and domains. WHOIS history (A) might provide ownership details but is less dynamic. Geolocation (C) and SSL certificate analysis (D) are not as directly useful for tracking infrastructure changes.
