CREST Practitioner Intrusion Analyst (CPIA)

The CREST Practitioner Intrusion Analyst (CPIA) is an entry-level exam that tests a candidate’s knowledge in assessing fundamental aspects of Incident Response. This includes administration and incident management, the core technical skills required to deal with an incident, Information gathering, Network and Host Intrusion knowledge and Malware Analysis to a basic level.

CPIA validates a practitioner’s knowledge of Incident Response beyond terminology.  Successful CPIA candidates will be able to demonstrate that they are qualified for hands-on Incident Response roles (indicative of 2 years experience) with respect to:

– Soft Skills and Incident Handling

– Core Technical Skills

– Background Information Gathering and Open Source

– Network Intrusion Analysis

– Analysing Host Intrusions

– Malware Analysis/Reverse Engineering

Exam Certification Objectives & Outcome Statements

• Soft Skills and Incident Handling 

The candidate will understand the Engagement Lifecycle, Incident Chronology, Record Keeping, Interim Reporting and Results and Threat Assessment.

• Core Technical Skills

The candidate will demonstrate an understanding of IP protocols, Network Architectures, Commons Classes of Tools, OS Fingerprinting, Application Fingerprinting, Network Access Control Analysis, Cryptography, Applications of Cryptography, File System Permissions, Host Analysis Techniques and Understanding Common Data Formats.

• Background Information Gathering and Open Source

The candidate will demonstrate an understanding of Registration Records, DNS, Open-Source Investigation and Web Enumeration, Extraction of Document Meta Date and Community Knowledge.

• Network Intrusion Analysis

The candidate will understand the Network Traffic Capture, Data Sources and Network Log Sources, Network Configuration Security Issues, Unusual Protocol Behaviour, Beaconing, Encryption, Command and Control Channels, Exfiltration of Data, Incoming Attacks, Reconnaissance, Internal Spread and Privilege Escalation, Web Based Attacks and False Positive Acknowledgement.

• Analysing Host Intrusions

The candidate will demonstrate an understanding of Host-based Data Acquisition, Windows File System Essentials, Windows File Structures, Application File Structures, Windows Registry Essentials, Identifying Suspect Files, Storage Media, Memory Analysis, Infection Vectors, Malware Behaviours and Anti-Forensics, Rootkit Identification, Live Malware Analysis and Linux OS File Structures.

• Malware Analysis/Reverse Engineering

The candidate will have a high-level understanding of Functionality Identification, Cryptographic Techniques, Windows Executable File Formats, Hiding Techniques and Behavioural Analysis.

A full version of the CPIA syllabus is available here.

CREST Practitioner Intrusion Analyst (CPIA) – Notes for Candidates

The Notes for Candidates gathers essential information about the CPIA exam and intends to support CREST candidates on their preparation, increasing their chances of success.

1. Exam overview

The CPIA exam is an entry-level exam that tests a candidate’s knowledge in assessing fundamental aspects of Incident Response below that of the CRIA qualification. This includes administration and incident management, the core technical skills required to deal with an incident, Information Gathering, Network and Host Intrusion knowledge and Malware Analysis to a basic level.

2. Exam structure

The exam covers a common set of core skills and knowledge. The candidate must demonstrate that they have the knowledge to perform basic Network and Host Intrusion and Malware Analysis.

Exam duration

The CPIA Examination is comprised of one hundred and twenty (120) multiple choice questions to be completed over a 2-hour period with a result of 60% or more required to achieve a pass. Details of the areas covered can be found in the Syllabus document. Note that your permitted maximum session time at Pearson VUE is 2.5 hours in total.

Pre-requisites

The CPIA has no prerequisite exam but is the prerequisite to the CRIA exam.

Exam notes

The CPIA is a closed book exam. Therefore, no books, written notes, internet access or other electronic devices will be allowed.

3. Exam preparation and practice

In order to aid in the preparation for your exam, we have compiled a list of recommended reading materials, found below:

• Hacking Exposed – Scanning and Enumeration
• The ART of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory (by Michael Hale Ligh/Andrew Case/Jamie Levy/Aaron Walters)
• Malware Forensic Field Guide for Windows Systems (by Syngress)
• Practical Malware Analysis
• Network Fundamentals: CCNA Exploration Companion Guide
• Real Digital Forensics (particularly Chapter 1, Windows Live Response)
• TCP/IP Illustrated

We have also partnered with a Training Provider to supplement your knowledge on the topic areas detailed in the syllabus.  This training course can be found below:

• PGI Cyber Academy – CREST Approved Training Provider

Websites: OverAPI.com

Sample questions

Examples of questions that help candidates to understand what to expect from the examination environment. You’ll find our sample questions here.

4. Exam content

CPIA validates a practitioner’s knowledge of Incident Response beyond terminology. Successful CPIA candidates will be able to demonstrate that they are qualified for hands-on Incident Response roles (indicative of 2 years experience) with respect to:

– Soft Skills and Assessment Management

– Core Technical Skills

– Background Information Gathering and Open Source

– Network Intrusion Analysis

– Analysing Host Intrusions

– Malware Analysis/Reverse Engineering

– Exam Certification Objectives & Outcome Statements

For further information on the skills being assessed, consult the CPIA exam Syllabus.

5. Exam grading

Each multiple-choice answer is worth one (1) mark. No points are deducted for incorrect answers. The marking scheme is given in the table below:

Pass mark

Successful candidates must score 60% of the available marks. That is:

• at least 72 marks from the written component (possible total: 120 marks).

Feedback

Unsuccessful candidates will be told their final scores where they haven’t reached the required standard. The score will not be disclosed where candidates have achieved 60% or more.

6. Exam booking and logistics

Exam location

The CPIA exam is delivered at a Pearson VUE centre of your choice. Please visit the Pearson VUE website and follow the on-screen instructions to register and schedule your chosen examination.

Retake policy

Unsuccessful candidates may retake the CPIA exam 7 days after the original exam date.

Invigilation

A test centre administrator/invigilator will be present throughout the examination to answer any procedural questions that candidates may have and assist in troubleshooting. The invigilator will not provide any support or advice related to the exam content.

If an issue does occur, a case will be filed. Every effort will be made to accommodate the continuation of your exam and all cases will be investigated and resolved within 3-5 business days. Pearson VUE should provide you with a case ID number. Please ensure you retain this information as this may be required at a later date.

Communication of results

Examination results from the automated process are provided by Pearson VUE to the candidate at the end of the exam session and electronically sent from CREST within 5 working days. Digitally signed certificates, where appropriate, will be emailed to candidates.

Special accommodations

Candidates must contact the CREST Support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam until the accommodation request has been processed. For more information, please contact [email protected].

The CREST Practitioner Intrusion Analyst (CPIA) exam is a 120-mark, 2 hour long exam that can be taken globally in Pearson VUE centres. The exam is made up of multiple sections, which can be viewed above in our ‘Syllabus’ section.

We recommend that candidates also read and understand both the Notes for Candidates and CPIA FAQs sections, as these both provide useful information for your exam.

In order to aid in the preparation for your exam, we have compiled a list of recommended reading materials, found below:

• Hacking Exposed – Scanning and Enumeration
• The ART of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory (by Michael Hale Ligh/Andrew Case/Jamie Levy/Aaron Walters)
• Malware Forensic Field Guide for Windows Systems (by Syngress)
• Practical Malware Analysis
• Network Fundamentals: CCNA Exploration Companion Guide
• Real Digital Forensics (particularly Chapter 1, Windows Live Response)
• TCP/IP Illustrated

Websites: OverAPI.com

Finally, we have compiled a list of sample questions that are designed to be similar to those you will see in the exam itself. Please take the time to go through these questions, found in the ‘Sample Questions’ section below.

Below are some official sample questions and answers that will help familiarise you with the exam structure and wording as well as some of the key terms and definitions. 

Question 1 (1 mark)

When analysing a system compromised by an attacker, there are no off-network connections, but still the attacker is able to leverage the host.  What LAN protocols are most likely to provide the attacker access to the system?

A. SMB
B. ICMP
C. RTP
D. ARP
E. XMPP

Answer

A. SMB

Question 2 (1 mark)

Which protocol can be used by malware to exfiltrate data over the Internet?

A. ICMP
B. DNS
C. HTTP
D. ARP
E. ICMP, DNS and HTTP

Answer

E. ICMP, DNS and HTTP

Question 3 (1 mark)

What is considered an indication of malware beaconing?

A. Anti Malware services stopping.
B. Systems crashing.
C. ICMP unreachable packets received from unknown hosts.
D. BITS Service restarts.
E. Regular SYN requests from unknown services.

Answer

E. Regular SYN requests from unknown services.

Question 4 (1 mark)

You have identified a suspicious process.  What command will allow you to see the owner of the process?

A. Get-Process -User ‘<suspicious_process>’
B. Get-Process -Name ‘<suspicious_process>’
C. Get-Process -Name ‘<suspicious_process>’ -IncludeUserName
D. Get-Process -ProcessOwner ‘<suspicious_process>’
E. Get-Process -Name ‘<suspicious_process>’ | Get-Property -User

Answer

C. Get-Process -Name ‘<suspicious_process>’ -IncludeUserName

Question 5 (1 mark)

What is an indication of DNS C2?

A. Large numbers of sub-domains.
B. Fewer ARP storms.
C. TCP Resets are no longer blocked.
D. The TTL for the record changes.
E. The who is record for the owner lacks personal information.

Answer

A. Large numbers of sub-domains.

You can download a PDF version of these questions here.

The CREST Practitioner Intrusion Analyst (CPIA) exam is available in selected Pearson VUE Test Centres across the globe.  You can book your CPIA exam now via the Pearson VUE website.

CREST Pearson VUE vouchers

Pearson VUE vouchers are available from CREST for companies and individuals who either have an account with CREST or need an alternative payment method. These vouchers will be sent on receipt of a paid invoice. For more information please contact [email protected].

Special accommodations

Candidates must contact the CREST Support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam until the accommodation request has been processed. For more information, please contact [email protected].

How to cancel, postpone or reschedule

This is done through your own Pearson VUE registration and exam booking page and must be done at least 24hrs before your exam date.

Looking for more info on our CPIA exam? Check out our handy CPIA FAQs page.