The CREST Practitioner Intrusion Analyst (CPIA) is an entry-level exam that tests a candidate’s knowledge in assessing fundamental aspects of Incident Response. This includes administration and incident management, the core technical skills required to deal with an incident, Information Gathering, Network and Host Intrusion knowledge and Malware Analysis to a basic level.
CPIA validates a practitioner’s knowledge of Incident Response beyond terminology. Successful CPIA candidates will be able to demonstrate that they are qualified for hands-on Incident Response roles (indicative of 2 years’ experience) with respect to:
– Soft Skills and Incident Handling
– Core Technical Skills
– Background Information Gathering and Open Source
– Network Intrusion Analysis
– Analysing Host Intrusions
– Malware Analysis/Reverse Engineering
Exam Certification Objectives & Outcome Statements
The candidate will understand the Engagement Lifecycle, Incident Chronology, Record Keeping, Interim Reporting and Results and Threat Assessment.
The candidate will demonstrate an understanding of IP protocols, Network Architectures, Common Classes of Tools, OS Fingerprinting, Application Fingerprinting, Network Access Control Analysis, Cryptography, Applications of Cryptography, File System Permissions, Host Analysis Techniques and Understanding Common Data Formats.
The candidate will demonstrate an understanding of Registration Records, DNS, Open-Source Investigation and Web Enumeration, Extraction of Document Metadata and Community Knowledge.
The candidate will understand Network Traffic Capture, Data Sources and Network Log Sources, Network Configuration Security Issues, Unusual Protocol Behaviour, Beaconing, Encryption, Command and Control Channels, Exfiltration of Data, Incoming Attacks, Reconnaissance, Internal Spread and Privilege Escalation, Web Based Attacks and False Positive Acknowledgement.
The candidate will demonstrate an understanding of Host-based Data Acquisition, Windows File System Essentials, Windows File Structures, Application File Structures, Windows Registry Essentials, Identifying Suspect Files, Storage Media, Memory Analysis, Infection Vectors, Malware Behaviours and Anti-Forensics, Rootkit Identification, Live Malware Analysis and Linux OS File Structures.
The candidate will have a high-level understanding of Functionality Identification, Cryptographic Techniques, Windows Executable File Formats, Hiding Techniques and Behavioural Analysis.
A full version of the CPIA syllabus is available here.
CREST Practitioner Intrusion Analyst (CPIA) – Notes for Candidates
The Notes for Candidates gather essential information about the CPIA exam and are intended to support CREST candidates in their preparation, increasing their chances of success.
1. Exam overview
The CPIA exam is an entry-level exam that tests a candidate’s knowledge in assessing fundamental aspects of Incident Response below that of the CRIA qualification. This includes administration and incident management, the core technical skills required to deal with an incident, Information Gathering, Network and Host Intrusion knowledge and Malware Analysis to a basic level.
2. Exam structure
The exam covers a common set of core skills and knowledge. The candidate must demonstrate that they have the knowledge to perform basic Network and Host Intrusion and Malware Analysis.
Exam duration
The CPIA Examination comprises one hundred and twenty (120) multiple-choice questions to be completed over a 2-hour period, with a result of 60% or more required to achieve a pass. Details of the areas covered can be found in the Syllabus document. Note that your permitted maximum session time at Pearson VUE is 2.5 hours in total.
Pre-requisites
The CPIA has no prerequisite exam but is the prerequisite to the CRIA exam.
Exam notes
The CPIA is a closed book exam. Therefore, no books, written notes, internet access or other electronic devices will be allowed.
3. Exam preparation and practice
In order to aid in the preparation for your exam, we have compiled a list of recommended reading materials, found below:
We have also partnered with a Training Provider to supplement your knowledge on the topic areas detailed in the syllabus. This training course can be found below:
Websites: OverAPI.com
Sample questions
These example questions help candidates understand what to expect from the examination environment. You’ll find our sample questions here.
4. Exam content
CPIA validates a practitioner’s knowledge of Incident Response beyond terminology. Successful CPIA candidates will be able to demonstrate that they are qualified for hands-on Incident Response roles (indicative of 2 years experience) with respect to:
– Soft Skills and Assessment Management
– Core Technical Skills
– Background Information Gathering and Open Source
– Network Intrusion Analysis
– Analysing Host Intrusions
– Malware Analysis/Reverse Engineering
– Exam Certification Objectives & Outcome Statements
For further information on the skills being assessed, consult the CPIA exam Syllabus.
5. Exam grading
Each multiple-choice answer is worth one (1) mark. No points are deducted for incorrect answers. The marking scheme is given in the table below:
Component | Total Marks
---|---
Total marks written (multiple choice) | 120
Pass mark
Successful candidates must score 60% of the available marks. That is:
Feedback
Unsuccessful candidates will be told their final scores where they haven’t reached the required standard. The score will not be disclosed where candidates have achieved 60% or more.
6. Exam booking and logistics
Exam location
The CPIA exam is delivered at a Pearson VUE centre of your choice. Please visit the Pearson VUE website and follow the on-screen instructions to register and schedule your chosen examination.
Retake policy
Unsuccessful candidates may retake the CPIA exam 7 days after the original exam date.
Invigilation
A test centre administrator/invigilator will be present throughout the examination to answer any procedural questions that candidates may have and assist in troubleshooting. The invigilator will not provide any support or advice related to the exam content.
If an issue does occur, a case will be filed. Every effort will be made to accommodate the continuation of your exam and all cases will be investigated and resolved within 3-5 business days. Pearson VUE should provide you with a case ID number. Please ensure you retain this information as this may be required at a later date.
Communication of results
Examination results from the automated process are provided by Pearson VUE to the candidate at the end of the exam session and electronically sent from CREST within 5 working days. Digitally signed certificates, where appropriate, will be emailed to candidates.
Special accommodations
Candidates must contact the CREST Support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam until the accommodation request has been processed. For more information, please contact [email protected].
The CREST Practitioner Intrusion Analyst (CPIA) exam is a 120-mark, 2 hour long exam that can be taken globally in Pearson VUE centres. The exam is made up of multiple sections, which can be viewed above in our ‘Syllabus’ section.
We recommend that candidates also read and understand both the Notes for Candidates and CPIA FAQs sections, as these both provide useful information for your exam.
Finally, we have compiled a list of sample questions that are designed to be similar to those you will see in the exam itself. Please take the time to go through these questions, found in the ‘Sample Questions’ section below.
Below are some official sample questions and answers that will help familiarise you with the exam structure and wording as well as some of the key terms and definitions.
Question 1 (1 mark)
When analysing a system compromised by an attacker, there are no off-network connections, but still the attacker is able to leverage the host. What LAN protocols are most likely to provide the attacker access to the system?
A. SMB
B. ICMP
C. RTP
D. ARP
E. XMPP
Answer
A. SMB
Question 2 (1 mark)
Which protocol can be used by malware to exfiltrate data over the Internet?
A. ICMP
B. DNS
C. HTTP
D. ARP
E. ICMP, DNS and HTTP
Answer
E. ICMP, DNS and HTTP
Question 3 (1 mark)
What is considered an indication of malware beaconing?
A. Anti Malware services stopping.
B. Systems crashing.
C. ICMP unreachable packets received from unknown hosts.
D. BITS Service restarts.
E. Regular SYN requests from unknown services.
Answer
E. Regular SYN requests from unknown services.
Question 4 (1 mark)
You have identified a suspicious process. What command will allow you to see the owner of the process?
A. Get-Process -User '<suspicious_process>'
B. Get-Process -Name '<suspicious_process>'
C. Get-Process -Name '<suspicious_process>' -IncludeUserName
D. Get-Process -ProcessOwner '<suspicious_process>'
E. Get-Process -Name '<suspicious_process>' | Get-Property -User
Answer
C. Get-Process -Name '<suspicious_process>' -IncludeUserName
Question 5 (1 mark)
What is an indication of DNS C2?
A. Large numbers of sub-domains.
B. Fewer ARP storms.
C. TCP Resets are no longer blocked.
D. The TTL for the record changes.
E. The whois record for the owner lacks personal information.
Answer
A. Large numbers of sub-domains.
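As an added illustration (not part of CREST's sample material), the two indicators from Questions 3 and 5, beacon-like regular timing and a large number of distinct sub-domains under one parent domain, applied to a constructed DNS query log. The log format, the thresholds and the two-label approximation of the parent domain are all assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS query log (not real traffic): "epoch_seconds client qname"
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com
1060 10.0.0.5 a1b2c3d4e5f6.bad-domain.test
1120 10.0.0.5 9f8e7d6c5b4a.bad-domain.test
1180 10.0.0.5 0011223344aa.bad-domain.test
1240 10.0.0.5 ffeeddccbbaa.bad-domain.test
1300 10.0.0.5 1234567890ab.bad-domain.test
1350 10.0.0.5 mail.example.com
1900 10.0.0.5 cdn.example.com
"""

def parse_log(text):
    """Parse the assumed three-column format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, client, qname = parts
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records

def base_domain(qname, depth=2):
    """Approximate the parent domain as the last `depth` labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-depth:])

def dns_c2_indicators(records, min_subdomains=5, min_queries=4, max_cv=0.2):
    """Flag parent domains showing either indicator: many distinct sub-domains
    (Question 5) or evenly spaced queries, i.e. beacon-like timing (Question 3).
    Regularity is measured as the coefficient of variation of inter-query gaps."""
    per_domain = defaultdict(lambda: {"subs": set(), "times": []})
    for ts, _client, qname in records:
        entry = per_domain[base_domain(qname)]
        entry["subs"].add(qname)
        entry["times"].append(ts)
    findings = {}
    for domain, info in per_domain.items():
        times = sorted(info["times"])
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        regular = False
        if len(times) >= min_queries:
            avg = mean(gaps)
            regular = avg > 0 and pstdev(gaps) / avg <= max_cv
        many_subs = len(info["subs"]) >= min_subdomains
        if many_subs or regular:
            findings[domain] = {"distinct_subdomains": len(info["subs"]), "regular_beacon": regular}
    return findings
```

Running `dns_c2_indicators(parse_log(SAMPLE_LOG))` flags only `bad-domain.test`, which trips both indicators, while the three ordinary `example.com` lookups are left alone.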
You can download a PDF version of these questions here.
The CREST Practitioner Intrusion Analyst (CPIA) exam is available in selected Pearson VUE Test Centres across the globe. You can book your CPIA exam now via the Pearson VUE website.
CREST Pearson VUE vouchers
Pearson VUE vouchers are available from CREST for companies and individuals who either have an account with CREST or need an alternative payment method. These vouchers will be sent on receipt of a paid invoice. For more information please contact [email protected].
How to cancel, postpone or reschedule
This is done through your own Pearson VUE registration and exam booking page and must be done at least 24hrs before your exam date.
Looking for more info on our CPIA exam? Check out our handy CPIA FAQs page.