Questions for the 312-85 were updated on: Dec 11, 2025
A threat analyst wants to incorporate a requirement in the threat knowledge repository that provides
an ability to modify or delete past or irrelevant threat data.
Which of the following requirements must he include in the threat knowledge repository to fulfil his
needs?
C
Explanation:
Incorporating a data management requirement in the threat knowledge repository is essential to
provide the ability to modify or delete past or irrelevant threat data. Effective data management
practices ensure that the repository remains accurate, relevant, and up-to-date by allowing for the
adjustment and curation of stored information. This includes removing outdated intelligence,
correcting inaccuracies, and updating information as new insights become available. A well-managed
repository supports the ongoing relevance and utility of the threat intelligence, aiding in informed
decision-making and threat mitigation strategies.
Reference:
"Building and Maintaining a Threat Intelligence Library," by Recorded Future
"Best Practices for Creating a Threat Intelligence Policy, and How to Use It," by SANS Institute
Tim is working as an analyst in an ABC organization. His organization has been facing many
challenges in converting the raw threat intelligence data into meaningful contextual information.
After inspection, he found that it was due to noise obtained from misrepresentation of data from
huge data collections. Hence, it is important to clean the data before performing data analysis using
techniques such as data reduction. He needs to choose an appropriate threat intelligence framework
that automatically performs data collection, filtering, and analysis for his organization.
Which of the following threat intelligence frameworks should he choose to perform such a task?
C
Explanation:
Threat Grid is a threat intelligence and analysis platform that offers advanced capabilities for
automatic data collection, filtering, and analysis. It is designed to help organizations convert raw
threat data into meaningful, actionable intelligence. By employing advanced analytics and machine
learning, Threat Grid can reduce noise from large data sets, helping to eliminate misrepresentations
and enhance the quality of the threat intelligence. This makes it an ideal choice for Tim, who is
looking to address the challenges of converting raw data into contextual information and managing
the noise from massive data collections.
Reference:
"Cisco Threat Grid: Unify Your Threat Defense," Cisco
"Integrating and Automating Threat Intelligence," by Threat Grid
Henry, a threat intelligence analyst at ABC Inc., is working on a threat intelligence program. He was
assigned to work on establishing criteria for prioritization of intelligence needs and requirements.
Which of the following considerations must be employed by Henry to prioritize intelligence
requirements?
A
Explanation:
When prioritizing intelligence requirements, it is crucial to understand the frequency and impact of
various threats. This approach helps in allocating resources effectively, focusing on threats that are
both likely to occur and that would have significant consequences if they did. By assessing threats
based on these criteria, Henry can ensure that the threat intelligence program addresses the most
pressing and potentially damaging threats first, thereby enhancing the organization's security
posture. This prioritization is essential for effective threat management and for ensuring that the
most critical threats are addressed promptly.
Reference:
"Cyber Threat Intelligence: Prioritizing and Using CTI Effectively," by SANS Institute
"Threat Intelligence: What It Is, and How to Use It Effectively," by Gartner
H&P, Inc. is a small-scale organization that has decided to outsource the network security monitoring
due to lack of resources in the organization. They are looking for the options where they can directly
incorporate threat intelligence into their existing network defense solutions.
Which of the following is the most cost-effective method the organization can employ?
D
Explanation:
For H&P, Inc., a small-scale organization looking to outsource network security monitoring and
incorporate threat intelligence into their network defenses cost-effectively, recruiting a Managed
Security Service Provider (MSSP) would be the most suitable option. MSSPs offer a range of services
including network security monitoring, threat intelligence, incident response, and compliance
management, often at a lower cost than maintaining an in-house security team. This allows
organizations to benefit from expert services and advanced security technologies without the need
for significant resource investment.
Reference:
"The Benefits of Managed Security Services," by Gartner
"How to Choose a Managed Security Service Provider (MSSP)," by CSO Online
In which of the following attacks does the attacker exploit vulnerabilities in a computer application
before the software developer can release a patch for them?
B
Explanation:
A zero-day attack exploits vulnerabilities in software or hardware that are unknown to the vendor or
for which a patch has not yet been released. These attacks are particularly dangerous because they
take advantage of the window of time between the vulnerability's discovery and the availability of a
fix, leaving systems exposed to potential exploitation. Zero-day attacks require a proactive and
comprehensive approach to security, including the use of advanced threat detection systems and
threat intelligence to identify and mitigate potential threats before they can be exploited.
Reference:
"Understanding Zero-Day Exploits," by MITRE
"Zero-Day Threats: What They Are and How to Protect Against Them," by Symantec
An analyst is conducting threat intelligence analysis in a client organization, and during the
information gathering process, he gathered information from publicly available sources and
analyzed it to obtain a rich, useful form of intelligence. The information source that he used is primarily
used for national security, law enforcement, and for collecting intelligence required for business or
strategic decision making.
Which of the following sources of intelligence did the analyst use to collect information?
C
Explanation:
The analyst used Open Source Intelligence (OSINT) to gather information from publicly available
sources. OSINT involves collecting and analyzing information from publicly accessible sources to
produce actionable intelligence. This can include media reports, public government data,
professional and academic publications, and information available on the internet. OSINT is widely
used for national security, law enforcement, and business intelligence purposes, providing a rich
source of information for making informed decisions and understanding the threat landscape.
Reference:
"Open Source Intelligence (OSINT) Tools and Techniques," by SANS Institute
"The Role of OSINT in Cybersecurity and Threat Intelligence," by Recorded Future
Walter and Sons Company has faced major cyber attacks and lost confidential data. The company has decided to concentrate more on security rather than other resources.
Therefore, they hired Alice, a threat analyst, to perform data analysis. Alice was asked to perform
qualitative data analysis to extract useful information from collected bulk data.
Which of the following techniques will help Alice to perform qualitative data analysis?
C
Explanation:
For Alice to perform qualitative data analysis, techniques such as brainstorming, interviewing, SWOT
(Strengths, Weaknesses, Opportunities, Threats) analysis, and the Delphi technique are suitable.
Unlike quantitative analysis, which involves numerical calculations and statistical modeling,
qualitative analysis focuses on understanding patterns, themes, and narratives within the data.
These techniques enable the analyst to explore the data's deeper meanings and insights, which are
essential for strategic decision-making and developing a nuanced understanding of cybersecurity
threats and vulnerabilities.
Reference:
"Qualitative Research Methods in Cybersecurity," SANS Institute Reading Room
"The Delphi Method for Cybersecurity Risk Assessment," by Cybersecurity and Infrastructure Security Agency (CISA)
Sarah is a security operations center (SOC) analyst working at JW Williams and Sons organization
based in Chicago. As a part of security operations, she contacts information providers (sharing
partners) to gather information such as collections of validated and prioritized threat indicators
along with a detailed technical analysis of malware samples, botnets, DDoS attack methods, and
various other malicious tools. She then uses the collected information at the tactical and
operational levels.
Sarah obtained the required information from which of the following types of sharing partner?
C
Explanation:
The information Sarah is gathering, which includes collections of validated and prioritized threat
indicators along with detailed technical analysis of malware samples, botnets, DDoS methods, and
other malicious tools, indicates that she is obtaining this intelligence from providers of
comprehensive cyber-threat intelligence. These providers offer a holistic view of the threat
landscape, combining tactical and operational threat data with in-depth analysis and context,
enabling security teams to make informed decisions and strategically enhance their defenses.
Reference:
"Cyber Threat Intelligence Providers: How to Choose the Right One for Your Organization," by CrowdStrike
"The Role of Comprehensive Cyber Threat Intelligence in Effective Cybersecurity Strategies," by FireEye
Karry, a threat analyst at an XYZ organization, is performing threat intelligence analysis. During the
data collection phase, he used a data collection method that involves no participants and is purely
based on analysis and observation of activities and processes going on within the local boundaries of
the organization.
Identify the type of data collection method used by Karry.
B
Explanation:
Karry's method of collecting data, which involves no active engagement with participants and is
purely based on analysis and observation of activities within the organization, is known as passive
data collection. This method is characterized by the non-intrusive monitoring of data and events,
allowing analysts to gather intelligence without alerting potential adversaries or disrupting ongoing
processes. Passive data collection is essential for maintaining operational security and obtaining an
unaltered view of system and network activities.
Reference:
"Passive Data Collection in Cybersecurity," by Cybersecurity Guide
"Understanding Passive and Active Data Collection for Cyber Threat Intelligence," by ThreatConnect
Alice, a threat intelligence analyst at HiTech Cyber Solutions, wants to gather information for
identifying emerging threats to the organization and implement essential techniques to protect its
systems and networks from such attacks. Alice is searching for online sources to obtain information
such as the method used to launch an attack, the techniques and tools used to perform an attack,
and the procedures followed for covering the tracks after an attack.
Which of the following online sources should Alice use to gather such information?
C
Explanation:
Alice, looking to gather information on emerging threats including attack methods, tools, and post-attack techniques, should turn to hacking forums. These online platforms are frequented by
cybercriminals and security researchers alike, where information on the latest exploits, malware, and
hacking techniques is shared and discussed. Hacking forums can provide real-time insights into the
tactics, techniques, and procedures (TTPs) used by threat actors, offering a valuable resource for
threat intelligence analysts aiming to enhance their organization's defenses.
Reference:
"Hacking Forums: A Ground for Cyber Threat Intelligence," by Digital Shadows
"The Value of Hacking Forums for Threat Intelligence," by Flashpoint
ABC is a well-established cyber-security company in the United States. The organization
implemented the automation of tasks such as data enrichment and indicator aggregation. They also
joined various communities to increase their knowledge about the emerging threats. However, the
security teams can only detect and prevent identified threats in a reactive approach.
Based on the threat intelligence maturity model, identify the level of ABC to know the stage at which the
organization stands with its security and vulnerabilities.
B
Explanation:
ABC cyber-security company, which has implemented automation for tasks such as data enrichment
and indicator aggregation and has joined various communities to increase knowledge about
emerging threats, is demonstrating characteristics of a Level 3 maturity in the threat intelligence
maturity model. At this level, organizations have a formal Cyber Threat Intelligence (CTI) program in
place, with processes and tools implemented to collect, analyze, and integrate threat intelligence
into their security operations. Although they may still be reactive in detecting and preventing
threats, the existence of structured CTI capabilities indicates a more developed stage of threat
intelligence maturity.
Reference:
"Building a Threat Intelligence Program," by Recorded Future
"The Threat Intelligence Handbook," by Chris Pace, Cybersecurity Evangelist at Recorded Future
In which of the following storage architectures is the data stored in a localized system, server, or
storage hardware, capable of storing a limited amount of data in its database and locally available
for data usage?
C
Explanation:
Centralized storage architecture refers to a system where data is stored in a localized system, server,
or storage hardware. This type of storage is capable of holding a limited amount of data in its
database and is locally available for data usage. Centralized storage is commonly used in smaller
organizations or specific departments within larger organizations where the volume of data is
manageable and does not require the scalability offered by distributed or cloud storage solutions.
Centralized storage systems simplify data management and access but might present challenges in
terms of scalability and data recovery.
Reference:
"Data Storage Solutions for Your Business: Centralized vs. Decentralized," Techopedia
"The Basics of Centralized Data Storage," by Margaret Rouse, SearchStorage
In which of the following forms of bulk data collection are large amounts of data first collected from
multiple sources in multiple formats and then processed to achieve threat intelligence?
D
Explanation:
In the context of bulk data collection for threat intelligence, data is often initially collected in an
unstructured form from multiple sources and in various formats. This unstructured data includes
information from blogs, news articles, threat reports, social media, and other sources that do not
follow a specific structure or format. The subsequent processing of this data involves organizing,
structuring, and analyzing it to extract actionable threat intelligence. This phase is crucial for turning
vast amounts of disparate data into coherent, useful insights for cybersecurity purposes.
Reference:
"The Role of Unstructured Data in Cyber Threat Intelligence," by Jason Trost, Anomali
"Turning Unstructured Data into Cyber Threat Intelligence," by Giorgio Mosca, IEEE Xplore
Alison, an analyst in an XYZ organization, wants to retrieve information about a company’s website
from the time of its inception as well as the removed information from the target website.
What should Alison do to get the information needed?
B
Explanation:
To retrieve historical information about a company's website, including content that may have been
removed or altered, Alison should use the Internet Archive's Wayback Machine, accessible at
https://archive.org. The Wayback Machine is a digital archive of the World Wide Web and other
information on the Internet, providing free access to snapshots of websites at various points in time.
This tool is invaluable for researchers and analysts looking to understand the evolution of a website
or recover lost information.
Reference:
"Using the Wayback Machine for Cybersecurity Research," Internet Archive Blogs
"Digital Forensics with the Archive's Wayback Machine," by Jeff Kaplan, Internet Archive
An XYZ organization hired Mr. Andrews, a threat analyst. In order to identify the threats and mitigate
the effect of such threats, Mr. Andrews was asked to perform threat modeling. During the process of
threat modeling, he collected important information about the threat actor and characterized the
analytic behavior of the adversary, including technological details, goals, and motives that can be
useful in building a strong countermeasure.
What stage of the threat modeling is Mr. Andrews currently in?
C
Explanation:
During the threat modeling process, Mr. Andrews is in the stage of threat profiling and attribution,
where he is collecting important information about the threat actor and characterizing the analytic
behavior of the adversary. This stage involves understanding the technological details, goals,
motives, and potential capabilities of the adversaries, which is essential for building effective
countermeasures. Threat profiling and attribution help in creating a detailed picture of the adversary,
contributing to a more focused and effective defense strategy.
Reference:
"The Art of Threat Profiling," by John Pirc, SANS Institute Reading Room
"Threat Modeling: Designing for Security," by Adam Shostack