212-89 Exam Dumps - ECCouncil ECIH Questions and Answers

Incident triage is the stage in the incident response process where the incident handler, like Mike, performs an initial assessment of the reported incident to determine its validity, severity, and potential impact. This includes analyzing the incident to verify if it is a genuine threat or a false positive. The purpose of incident triage is to prioritize incidents based on their criticality and ensure that resources are allocated effectively to address the most serious threats first. This stage is crucial for efficient incident management, as it helps in filtering out false alarms and focusing on real security incidents that require immediate attention.

Anti-forensics techniques are designed to prevent, mislead, or interfere with the incident handling process, affecting the collection, preservation, and identification phases of the forensic investigation process. These techniques include methods to erase, encrypt, or alter information, make data recovery difficult, hide data (e.g., steganography), or otherwise obstruct forensic analysis and investigation efforts. Anti-forensics can significantly challenge the efforts of incident responders and forensic investigators in establishing the facts of a security incident or crime.

Comprehensive and Detailed Explanation (ECIH-aligned):

This scenario demonstrates a preventive containment action during an email security incident. The ECIH Email Security Incident Handling module emphasizes that once phishing is identified, responders should immediately prevent further delivery to reduce organizational exposure.

Option A is correct because Lena removes malicious emails from the mail server’s delivery queue before users receive them. This action directly reduces risk by preventing additional users from clicking malicious links or submitting credentials. ECIH identifies email purging as a critical containment technique during active phishing campaigns.

Option B is an investigative action, not containment. Option C applies after delivery and compromise. Option D addresses already compromised accounts rather than preventing exposure.

By stopping malicious emails before delivery, Lena aligns with ECIH best practices for rapid containment of email-based threats.

Comprehensive and Detailed Explanation (ECIH-aligned):

This scenario demonstrates manual phishing email verification, which is a foundational detection technique taught in the ECIH Email Security module. Manual verification involves human inspection of email characteristics such as sender address anomalies, mismatched URLs, unusual tone, urgency, and contextual inconsistencies.

Option D is correct because Ethan manually inspects the email by hovering over links, reviewing sender formatting, and evaluating message tone. These actions are key indicators used to identify phishing without relying on automated tools.

Option A relates to encoding analysis, which is not described. Option B involves automated network-based detection. Option C focuses on shortened URLs, which are not present here.

ECIH emphasizes that while automated defenses are important, human verification remains critical, especially for targeted phishing attacks that bypass technical controls. Therefore, Option D correctly identifies the detection approach used.

Comprehensive and Detailed Explanation (ECIH-aligned):

This incident involves adaptive malware embedded within an AI system, actively evolving its behavior. The ECIH malware incident handling methodology prioritizes containment and eradication of the threat before recovery actions. Restoring data without removing the malware risks immediate reinfection and continued manipulation.

Option B is correct because deploying the AI-security module directly targets the malware’s adaptive mechanisms, allowing responders to detect, contain, and eradicate the malicious logic within the AI environment. ECIH emphasizes using appropriate, context-aware security controls that match the technology stack involved in the incident. For AI-driven environments, specialized tools are necessary to counter threats that traditional controls may not detect.

Option A is premature and unsafe prior to eradication. Option C disrupts business operations without resolving the threat. Option D is a communication step that should follow containment and validation.

Therefore, neutralizing the evolved malware using the AI-security module is the correct primary step.

The correct flow of stages in an Incident Handling and Response (IH&R) process as outlined in the Incident Handler (ECIH v3) by EC-Council begins with Preparation. This phase involves getting ready for potential incidents by developing plans, policies, and procedures, and ensuring that tools and team training are up to date. Incident Recording is the next stage, where incidents are documented and reported. Incident Triage follows, prioritizing incidents based on their impact and urgency. Containment is next, aiming to limit the damage of the incident and prevent further spread. Eradication comes after containment, where the root cause of the incident is removed. Recovery is the stage where affected systems are restored to their operational status. Post-Incident Activities conclude the process, reviewing and learning from the incident to improve future response efforts.

A Denial of Service (DoS) attack aims to make a computer resource, network, or application unavailable to its intended users, thereby preventing legitimate users from using the service. This is achieved by overwhelming the target with a flood of internet traffic or sending information that triggers a crash. In contrast, fraud and theft involve the unauthorized acquisition of data or assets, unauthorized access refers to gaining entry into systems without permission, and malicious code or insider threat attacks relate to software designed to cause harm or unauthorized actions by trusted users within the organization. The specific intent of a DoS attack is to disrupt service, making it a distinct category focused on denial of availability.

In this scenario, the inability to access the file server via Remote Desktop Protocol (RDP), despite the server being pingable and other services functioning normally, suggests a service-specific disruption rather than a complete system shutdown or broader network issue. This pattern is indicative of a denial-of-service (DoS) attack targeted at the file server's RDP service or network congestion that specifically affects RDP connectivity. A DoS attack aims to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. The fact that other services (like email) are operational rules out broader system or admin account issues, pointing towards a specific problem with accessing the file server, most likely due to a denial-of-service condition.

By classifying and encrypting customer Personally Identifiable Information (PHI), you are specifically guarding against the risk of Sensitive Data Exposure. This OWASP security risk involves the accidental or unlawful exposure of protected data to unauthorized individuals. Encryption serves as a critical defense mechanism by ensuring that, even if data is accessed without authorization, it remains unintelligible and useless to the attacker without the decryption keys. Data classification further supports this by identifying which data is sensitive and requires such protections, ensuring that appropriate security controls are applied to prevent exposure.

Logging User IDs (D) can pose privacy concerns and may conflict with regulations such as the General Data Protection Regulation (GDPR), which emphasizes the protection of personal data and privacy. Therefore, while logging details such as Timestamps, Session IDs, and Source IP addresses are essential for security auditing to track when events occur, who is initiating sessions, and from where, care must be taken with User IDs. The handling of personally identifiable information (PII) must comply with privacy laws and organizational policies to safeguard individual privacy rights.