212-89 EC Council Certified Incident Handler (ECIH v3) Questions and Answers

Volatile data refers to information that is stored temporarily and is lost when a computer is turned off or restarted, such as RAM contents, including open sockets and open ports, the date and time of the system, and the state of the network interface. The creation dates of files, however, are considered non-volatile data because they are preserved on the hard drive and remain available after the system is restarted or turned off. Non-volatile data is stored on persistent storage mediums like hard drives, SSDs, and magnetic tapes, where it remains until it is deleted or overwritten.

System characterization is the process of defining the boundaries of an IT system, which includes identifying the resources, information, and functionality that constitute the system. This process is crucial for understanding the scope of the system, the data it processes, and the technology it employs. By characterizing a system, incident handlers can better understand the system's normal operations and behaviors, which is essential for identifying anomalies that may indicate a security incident. System characterization involves documenting the hardware, software, network configuration, data flows, and other critical elements of the IT environment. This foundational knowledge supports effective incident handling by providing a baseline against which suspicious activities can be compared.

Explanation (OT/IoT incident handling):

For smart grid and IoT/OT environments, the first step is to activate the dedicated incident response process that prioritizes safety and continuity while isolating affected components. Immediate shutdown (A) can create operational and safety consequences and should be reserved for clear safety threats. Firmware updates (B) are risky during an active incident; updating can brick devices, change system states, and destroy evidence while not guaranteeing removal of compromise. Third-party engagement (D) can help, but it’s not the first operational step—your internal playbook must begin containment now.

(C) correctly focuses on isolating affected devices/segments, limiting lateral movement, and preserving operational stability. In practice, this can include network segmentation, blocking suspicious outbound communications, switching to manual controls where necessary, and capturing logs/telemetry before making changes. This aligns with common containment strategy: stop spread first, then analyze/eradicate, then recover with validated clean states.

When you receive a screenshot from Nervous Nat and go through a list of questions, check resources for information to determine the nature of the screenshot, and assess the condition of your network, you are engaging in the Detection and Analysis (or Identification) phase of Incident Response (IR). This phase is about identifying potential security incidents based on reported concerns, anomalies detected by security tools, or through the analysis of security alerts. In this scenario, despite the historical context of false positives, each report is treated seriously, requiring you to collect and analyze information to determine whether a real attack is happening. This involves verifying the validity of the incident, assessing its nature, scope, and impact, and deciding on the appropriate next steps. The detection and analysis phase is critical for determining the course of the IR process, including whether escalation is needed and what response measures should be initiated.

The described activity—ICMP echo requests sent sequentially across many IP addresses—is a classic ping sweep, a reconnaissance technique used to identify live hosts on a network. ECIH network incident handling identifies reconnaissance as an early-stage attack activity that often precedes exploitation.

Option B is correct because ping sweeps use ICMP echo requests to determine which hosts respond, allowing attackers to map the network. This aligns exactly with the observed traffic.

Option A involves DNS manipulation. Option C involves probing TCP/UDP ports rather than ICMP. Option D describes a denial-of-service technique, not reconnaissance.

Recognizing reconnaissance activity early allows defenders to implement controls before exploitation occurs, aligning with ECIH detection and prevention guidance.

The EC-Council Incident Handler (ECIH) curriculum identifies email spoofing as a common technique in business email compromise (BEC) attacks. Attackers exploit weak or misconfigured DNS-based email authentication controls to forge sender identities.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are DNS-based mechanisms that validate legitimate email senders and prevent spoofing. Proper configuration ensures that receiving mail servers can verify message authenticity and reject forged communications.

In this scenario, unsecured DNS entries enabled identity relay spoofing. Strengthening SPF, DKIM, and DMARC directly addresses the root cause and prevents recurring forged message injections. This is a clear eradication measure aimed at eliminating the exploitation pathway.

Options A and B relate to review and analysis phases. Option C supports threat intelligence sharing but does not remediate the internal DNS weakness.

Therefore, strengthening SPF, DKIM, and DMARC configurations is the appropriate eradication strategy.

This scenario describes a SYN flood attack, a classic protocol-level Denial-of-Service technique covered in the ECIH Network Security Incidents module. In a SYN flood, attackers send a large volume of TCP SYN packets but never complete the three-way handshake, leaving the server waiting for responses and exhausting connection resources.

Option D is correct because incomplete TCP handshakes, half-open connections, and resource exhaustion are defining characteristics of SYN flood attacks. The presence of multiple source IPs further suggests a distributed attack.

Option A involves taking over an existing session, not exhausting resources. Option B applies to UDP-based amplification attacks. Option C affects DNS resolution, not TCP handshakes.

ECIH stresses that early identification of SYN floods allows defenders to deploy SYN cookies, rate limiting, and upstream filtering. Recognizing handshake anomalies is therefore critical in protecting service availability.

When an attacker installs a fake AP (Access Point) within a company's network, especially behind a firewall, this constitutes the deployment of a Rogue Access Point. Rogue APs are unauthorized wireless access points installed within a network without the network administrator's knowledge or consent. They pose a significant security risk because they can be used to intercept sensitive information, bypass network security configurations, and provide a gateway for attackers to enter the network undetected. This type of attack circumvents the security measures put in place by a company, including firewalls, by creating an illicit entry point into the network that is under the control of the attacker.

MxToolbox is a comprehensive tool designed for analyzing email headers and diagnosing various email delivery issues. When Francis received a spoofed email asking for his bank information, using MxToolbox to analyze the email headers would be appropriate. This tool helps in examining the source of the email, tracking the email's path across the internet from the sender to the receiver, and identifying any signs of email spoofing or malicious activity. It provides detailed information about the email servers encountered along the way and can help in verifying the authenticity of the email sender. Other options like EventLog Analyzer, Email Checker, and PoliteMail are tools used for different purposes such as analyzing system event logs, checking email address validity, and managing email communications, respectively, and do not specifically focus on analyzing email headers to the extent required for investigating a spoofed email incident.

This scenario directly reflects crime scene documentation and physical reconstruction, a core principle in the Forensic Readiness and First Response module of the ECIH curriculum. First responders must assume that every physical detail may later become relevant in court proceedings or advanced forensic reconstruction.

Option A is correct because Tara’s actions—photographing cable connections, labeling ports, documenting power states, and noting spatial orientation—are explicitly designed to allow investigators to recreate the original physical environment. ECIH emphasizes that improper documentation of physical layout can invalidate conclusions about device usage, peripheral connections, or data paths.

Option B is incorrect because uptime continuity is not her objective. Option C refers to live system analysis, which she is not performing. Option D applies to digital evidence integrity after acquisition, not scene documentation.

ECIH stresses that physical reconstruction references are especially important in insider threat investigations, where proving who had access, which devices were connected, and how data could have been transferred is critical. Tara’s approach ensures forensic soundness, minimizes contamination risk, and preserves contextual evidence.

The Microsoft Baseline Security Analyzer (MBSA) is a tool designed to assess a computer or network's security state by checking for missing security updates and common security misconfigurations. In the scenario with Finn, who is working in the eradication phase of an incident response process, the use of MBSA makes sense. The tool's ability to detect missing security patches and recommend the installation of the latest patches is crucial for eliminating vulnerabilities in the Windows operating system that could be the root cause of the incident.

MBSA scans the system for missing security updates, misconfigurations, and other vulnerabilities and provides detailed reports and recommendations for remediation. This step is vital in the eradication phase, where the goal is to remove the root causes of the incident and secure the system against future attacks. By ensuring that all necessary patches are applied, Finn is addressing any security gaps that could be exploited by attackers.

The Volatility framework is a widely used tool for analyzing volatile memory (RAM) dumps. It is especially useful in digital forensics and malware analysis. One of the fundamental tasks in memory analysis is to list the processes that were running on the system at the time the memory dump was taken. Thepslistcommand in the Volatility framework serves this purpose by listing all processes from the process list in memory, which can provide valuable insights into what was happening on the system, including the presence of any malicious processes.

The syntax provided in the answer option corresponds to the usage of thepslistcommand with the Volatility tool, specifying the memory dump file to be analyzed (-f /root/Desktop/memdump.mem) and the profile of the system from which the dump was taken (--profile=Win2008SP1x86). This information is crucial for accurate analysis, as the profile helps Volatility interpret the memory structures correctly.

This scenario demonstrates a preventive containment action during an email security incident. The ECIH Email Security Incident Handling module emphasizes that once phishing is identified, responders should immediately prevent further delivery to reduce organizational exposure.

Option A is correct because Lena removes malicious emails from the mail server’s delivery queue before users receive them. This action directly reduces risk by preventing additional users from clicking malicious links or submitting credentials. ECIH identifies email purging as a critical containment technique during active phishing campaigns.

Option B is an investigative action, not containment. Option C applies after delivery and compromise. Option D addresses already compromised accounts rather than preventing exposure.

By stopping malicious emails before delivery, Lena aligns with ECIH best practices for rapid containment of email-based threats.

The correct sequence to examine the originating IP address of emails involves first accessing the email's header to locate the IP address, then using external resources to investigate that address further. The steps are as follows:

Step 2:Open the email to trace and find its header. This is the initial step because the header contains valuable information about the email's journey across the internet, including the originating IP address.

Step 3:Collect the IP address of the sender from the header of the received mail. This detail is crucial for the next steps in the investigation.

Step 1:Search for the IP in the WHOIS database. This database can provide information about the owner of the IP address, including the ISP and sometimes the geographic location.

Step 4:Look for the geographic address of the sender in the WHOIS database. With the IP address information obtained from the WHOIS search, the geographic location or the originating country of the email can often be deduced, contributing to the analysis of the email's legitimacy.

The correct sequence of steps performed by incident responders during the vulnerability assessment phase is as follows:

Perform OSINT information gathering to validate the vulnerabilities (4):Initially, Open Source Intelligence (OSINT) is used to gather information about the organization’s digital footprint and potential vulnerabilities.

Run vulnerability scans using tools (1):Next, specialized tools are employed to scan the organization's networks and systems for vulnerabilities.

Identify and prioritize vulnerabilities (2):The identified vulnerabilities are then analyzed and prioritized based on their severity and potential impact on the organization.

Examine and evaluate physical security (3):Physical security assessments are also crucial as they can impact the overall security posture and protection of digital assets.

Check for misconfigurations and human errors (6):This step involves looking for misconfigurations in systems and networks, as well as potential human errors that could lead to vulnerabilities.

Apply business and technology context to scanner results (5):The results from the scans are evaluated within the context of the business and its technology environment to accurately assess risks.

Create a vulnerability scan report (7):Finally, a comprehensive report is created, detailing the vulnerabilities, their severity, and recommended mitigation strategies.

This sequence ensures a thorough assessment, prioritizing vulnerabilities that pose the greatest risk and providing actionable insights for mitigation.

The EC-Council Incident Handler (ECIH) curriculum stresses the importance of maintaining evidence integrity during recovery operations. Documenting the chain of custody ensures that evidence remains admissible in legal proceedings and maintains forensic validity.

Chain of custody documentation tracks who handled the evidence, when it was accessed, how it was stored, and what actions were performed. This aligns directly with forensic compliance principles, which require proper evidence preservation, documentation, and controlled handling procedures.

While restoring systems, responders must ensure that backup media and affected systems are handled in a way that does not compromise evidence. ECIH emphasizes that recovery should not destroy or contaminate forensic artifacts that may be required for legal, regulatory, or disciplinary action.

Option B (Network segmentation) relates to containment strategies. Option C (Immutable infrastructure) refers to architectural resilience models. Option D (Enhanced authentication) concerns access control, not evidence handling.

Therefore, Logan is adhering to forensic compliance principles during recovery.

The EC-Council Incident Handler (ECIH) curriculum defines drive-by download attacks as web-based attacks where malicious code is automatically executed when a user visits a compromised website. These attacks often exploit browser or rendering engine vulnerabilities without requiring user interaction or explicit file downloads.

In this scenario, trusted informational websites were covertly modified to include obfuscated scripts that executed upon page rendering. The exploit chains targeted unpatched vulnerabilities and injected payloads directly into memory, avoiding file creation and traditional detection mechanisms. This behavior is characteristic of drive-by download attacks leveraging exploit kits.

Option A involves email-based delivery, which is not described. Option B relates to manipulating search engine rankings but does not inherently describe memory-based exploit execution. Option D involves malicious advertisements; however, the scenario specifically references compromised websites rather than third-party ad platforms.

ECIH emphasizes patch management, browser hardening, memory analysis, and exploit mitigation technologies to defend against drive-by downloads. Therefore, the most consistent technique is a drive-by download attack exploiting vulnerabilities.

A negligent insider is an individual within an organization who, due to a lack of knowledge on security threats or in an attempt to increase workplace efficiency, inadvertently bypasses security procedures or makes errors that compromise security. This type of insider threat is not malicious in intent; rather, it stems from carelessness, oversight, or a lack of proper security training. Such insiders might click on phishing links, mishandle sensitive information, or use unsecured networks for work-related tasks, thereby exposing the organization to potential security breaches. This contrasts with compromised insiders (who are manipulated by external parties), professional insiders (who misuse their access for personal gain), and malicious insiders (who intentionally aim to harm the organization).

Explanation (first response priorities):

First responders prioritize containment and preservation: stop ongoing harm while protecting evidence. The scenario suggests active misuse (dormant accounts modifying data) and possible exfiltration (encrypted transmissions). The quickest way to prevent further manipulation/leakage is isolating affected services/segments—reducing attacker access paths and limiting spread. This also prevents additional data corruption while investigators capture logs, account activity, and network traces.

(A) decrypting traffic is not a first responder priority; it may be impossible (TLS/unknown keys) and consumes time while damage continues. (B) external notification can be necessary later, but premature partner notification can create panic and doesn’t stop the incident. (C) rollback is a recovery step and can destroy forensic context or reintroduce compromised states if you haven’t validated backup integrity; it also doesn’t address how access happened or stop current attacker sessions unless paired with containment.

Therefore, (D) best matches initial response doctrine: contain first, preserve evidence, then analyze and recover.

Email-bombing refers to the attack where the attacker sends a massive volume of emails to a specific email address or mail server in order to overflow the mailbox or overwhelm the server, potentially causing it to fail or deny service to legitimate users. This attack can disrupt communications and, in some cases, lead to the targeted email account being disabled. Masquerading involves pretending to be another legitimate user, spoofing is the creation of emails (or other communications) with a forged sender address, and a smurf attack is a specific type of Distributed Denial of Service (DDoS) attack that exploits Internet Protocol (IP) and Internet Control Message Protocol (ICMP) to flood a target with traffic. Email-bombing specifically targets email services with the goal of causing disruption by overflowing inboxes.

Evidence assessment is a critical step in the investigation phase of the computer forensics process. This step involves evaluating the evidence collected to determine its relevance and significance to the case at hand. It includes analyzing the secured data to identify what information can be used as evidence, its integrity, and how it can be related to the security incident. This phase is pivotal as it helps in building a coherent understanding of the incident and in establishing facts that can be presented in management reports or legal proceedings.

ECIH emphasizes that advanced persistent threats require intelligence beyond static indicators. While IOCs are useful, they often change quickly and provide limited context.

Option B is correct because collaboration with industry peers enables sharing of tactics, techniques, and procedures (TTPs), which are more stable and actionable than IOCs. ECIH strongly promotes information sharing communities, ISACs, and trusted peer collaboration to improve situational awareness against APTs.

Options A, C, and D provide partial or outdated insights and lack operational depth.

Therefore, peer collaboration focused on attacker behavior is the most effective approach.

This incident is a classic spear phishing attack, where a targeted individual is deceived into entering credentials on a fraudulent login page. The ECIH Email Security module describes spear phishing as highly targeted and often tailored to specific roles, such as executives.

Option D is correct because the CFO was targeted with a convincing fake Microsoft 365 login prompt, leading to credential theft. The use of valid credentials afterward confirms successful social engineering rather than technical exploitation.

Option A involves email flooding. Option B redirects traffic via DNS manipulation. Option C targets mobile messaging platforms.

Recognizing spear phishing is critical because it informs remediation steps such as credential resets, MFA enforcement, and executive awareness training, all emphasized in ECIH guidance.

In the ECIH email incident response framework, eradication extends beyond internal cleanup and includes threat intelligence sharing. Option B is correct because sharing phishing indicators with trusted security communities helps disrupt attacker infrastructure and prevents reuse of the same campaign against other organizations.

Option A is unrelated. Option C is ineffective against phishing. Option D is overly destructive and unnecessary.

ECIH promotes collaborative defense as part of post-detection eradication and prevention.

The EC-Council Incident Handler (ECIH) curriculum explains that dictionary attacks are a form of brute-force authentication attack where an attacker systematically attempts multiple username-password combinations until valid credentials are found.

In web server logs, repeated HTTP POST requests targeting login endpoints with consistent status codes indicate automated credential attempts. The repeated failed attempts followed by a 302 redirect (commonly used after successful authentication to redirect users to a dashboard or landing page) strongly suggests that valid credentials were eventually discovered.

Option B (session hijacking) involves stealing session tokens rather than repeated login attempts. Option C (SQL injection) typically includes abnormal query strings or database errors in logs. Option D (CSRF) involves unauthorized actions triggered via authenticated sessions, not repetitive login attempts.

ECIH emphasizes monitoring authentication logs, implementing account lockout policies, enforcing strong password policies, and deploying multi-factor authentication to mitigate dictionary and brute-force attacks.

Therefore, the observed log pattern is indicative of a dictionary attack.

This scenario involves a suspected malicious insider threat with potential external collusion, which significantly elevates legal, regulatory, and evidentiary requirements. The ECIH curriculum emphasizes that when insider activity is suspected—especially involving terminated employees and possible corporate espionage—organizations must prioritize forensic integrity, confidentiality, and lawful investigation.

Option B is correct because collaborating with external forensic experts and law enforcement ensures a neutral, legally defensible investigation. ECIH stresses that insider cases often require specialized forensic capabilities, evidence preservation, and legal authority that internal teams alone may not possess. Maintaining confidentiality protects the organization from reputational damage and legal exposure while facts are being established.

Option A ignores the insider dimension and risks repeat incidents. Option C bypasses legal safeguards and could be interpreted as obstruction or collusion. Option D is premature and exposes the organization to defamation and legal risk without substantiated evidence.

ECIH guidance is clear that complex insider incidents should be escalated appropriately with legal and forensic rigor. Therefore, Option B aligns best with recommended practice.

A Trojan, or Trojan horse, is a type of malware that disguises itself as a legitimate, harmless program or file to trick users into downloading and installing it. Once activated, a Trojan can perform a range of malicious activities, including giving attackers unauthorized access to the infected system. This can lead to the theft of sensitive information, such as credit card numbers and passwords, and can also allow the attacker to install additional malware, potentially leading to further damage, such as the erasure of data. Unlike viruses and worms, Trojans do not replicate themselves but rely on the deception of users to spread.

This scenario reflects inappropriate resource usage, a category of network and system misuse defined in the ECIH Network Security Incident module. Excessive outbound traffic during non-business hours combined with high CPU and memory utilization indicates unauthorized or improper use of system resources.

Option A is correct because the behavior suggests activities such as cryptomining, data exfiltration, or unauthorized processing. These activities strain system resources and often occur outside normal working hours to avoid detection.

Option B would not necessarily cause sustained resource strain. Option C focuses on physical changes. Option D relates to permission enforcement, not usage behavior.

ECIH categorizes inappropriate usage as a security incident when system resources are misused in ways that violate policy or threaten availability, making Option A correct.

The ECIH Endpoint Security module identifies EDR systems as the cornerstone of modern endpoint incident response. Advanced attacks targeting intellectual property often bypass traditional antivirus controls.

Option C is correct because EDR provides continuous monitoring, behavioral detection, rapid containment, and automated response across endpoints. This capability is critical during high-risk periods such as product launches.

Options A, B, and D are important but insufficient alone for real-time detection and response.

Therefore, deploying a robust EDR system is essential.

Fragmentation is a technique used by attackers to evade detection by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). By breaking down packets into smaller fragments, attackers can make it more difficult for these security systems to detect malicious payloads or signature-based patterns associated with known attacks. This method exploits the fact that some IDS/IPS solutions may not properly reassemble packet fragments for analysis, thereby allowing malicious fragments to pass through undetected.

Incident triage is the stage in the incident response process where the incident handler, like Mike, performs an initial assessment of the reported incident to determine its validity, severity, and potential impact. This includes analyzing the incident to verify if it is a genuine threat or a false positive. The purpose of incident triage is to prioritize incidents based on their criticality and ensure that resources are allocated effectively to address the most serious threats first. This stage is crucial for efficient incident management, as it helps in filtering out false alarms and focusing on real security incidents that require immediate attention.

According to the EC-Council Incident Handler (ECIH) curriculum, proper handling of digital evidence is a critical responsibility of first responders. This includes photographing the scene, labeling devices, packaging them in anti-static or static-resistant bags, and documenting detailed information such as time, location, and device identifiers.

These steps are part of evidence preservation and packaging procedures designed to prevent contamination, electrostatic damage, or loss of evidentiary integrity. ECIH emphasizes maintaining a clear chain of custody and ensuring that all digital evidence is properly documented before transportation to a forensic laboratory.

Option B relates to policy review, not field evidence handling. Option C involves technical log analysis performed later during investigation. Option D concerns witness interviews, which are separate from physical evidence handling.

Rachel’s actions clearly describe the packaging and transporting of electronic evidence while maintaining forensic standards and documentation integrity.

Reducing the success rate of SQL injection attacks is focused on minimizing vulnerabilities within the application's database interactions, rather than the broader server or network services. SQL injection prevention techniques typically involve input validation, parameterized queries, and the use of stored procedures, rather than changes to the network or server configuration.

A) Closing unnecessary application services and ports on the server is a general security best practice to reduce the attack surface but does not directly impact the success rate of SQL injection attacks. This action limits access to potential vulnerabilities across the network and server but doesn't address the specific ways SQL injection exploits input handling within web applications.

B) Automatically locking a user account after a predefined number of invalid login attempts within a predefined interval can help mitigate brute force attacks but has no direct effect on preventing SQL injection, which exploits code vulnerabilities to manipulate database queries.

C) Constraining legitimate characters to exclude special characters and D) Limiting the length of the input field are both direct methods to reduce the risk of SQL injection. They focus on controlling user input, which is the vector through which SQL injection attacks are launched. By restricting special characters that could be used in SQL commands and limiting input lengths, an application can reduce the potential for malicious input to form a part of SQL queries executed by the backend database.

The ECIH Incident Handling lifecycle prioritizes containment during first response when active compromise threatens data integrity and operational continuity. In this scenario, the risk extends beyond data theft to potential manipulation of examination materials.

Option C is correct because isolating the affected academic systems immediately prevents further unauthorized access and preserves the integrity of examination content. Containment ensures that attackers cannot alter or leak sensitive academic materials while investigations proceed.

Option A supports investigation but does not stop ongoing risk. Option B is a contingency plan, not a response action. Option D is premature and does not address system compromise.

According to ECIH, first responders must act decisively to prevent further damage before moving into analysis and recovery, making Option C correct.

This question is based on the shared responsibility model, a fundamental concept in ECIH cloud incident handling. While customers manage applications, configurations, and data, the cloud service provider (CSP) controls the underlying infrastructure, including orchestration engines, schedulers, and runtime environments.

System-level telemetry such as hypervisor activity and orchestration logs cannot be accessed by customers. Only the CSP can provide this visibility. Therefore, Option C is correct.

The other options manage higher-level responsibilities but lack authority over infrastructure-layer components.

A Permanent Denial-of-Service (PDoS) attack, also known as "phlashing," is a form of attack that targets hardware, causing irreversible damage to the hardware components, thereby making the device unusable without a replacement or significant hardware intervention. In the scenario described with Zaimasoft, the attackers' actions leading to the damage of hardware components align with the characteristics of a PDoS attack. Unlike Distributed Denial-of-Service (DDoS) or Denial-of-Service (DoS) attacks, which generally aim to overwhelm a system's resources temporarily, or DRDoS (Distributed Reflection Denial of Service), which involves amplification techniques using third-party servers, a PDoS attack directly damages the physical hardware, necessitating its replacement or reinstallation. This makes PDoS particularly severe due to its permanent impact on the targeted organization's hardware infrastructure.

Unauthorized access to backend services in a cloud environment most commonly results from overly permissive identity and access management (IAM) configurations. The ECIH cloud incident handling guidance emphasizes that identity controls are the primary security boundary in cloud platforms.

Option A is correct because reviewing and tightening IAM roles immediately reduces the attack surface and revokes excessive privileges that may be exploited. This action directly addresses the root cause of unauthorized access.

Option D is a strong additional control but should be applied after correcting IAM misconfigurations. Option B improves future detection but does not contain the current incident. Option C is disruptive and unnecessary as a first response.

Therefore, IAM review and privilege tightening is the correct first measure, consistent with ECIH best practices.

Restoring web application services with the help of existing backups, as performed by Robert, falls under the Recovery stage of the Incident Handling and Response (IH&R) process. The Recovery stage involves actions taken to return the organization to normal operations after an incident, which includes restoring systems to their operational state using backups, patching vulnerabilities, and ensuring that all systems are clean and secure before being brought back online. This step is crucial for resuming business operations and mitigating the impact of the incident.

Explanation (aligned to IH&R best practice):

Insider threats are most effectively reduced by combining least privilege with continuous detection of abnormal behavior. Regular access reviews ensure that users only retain permissions needed for their roles (reducing “privilege creep”), while behavior analytics help detect misuse that still occurs within “legitimate” access. Password rotation (A) is largely hygiene and does not prevent a determined insider who already has authorized access; frequent forced changes can also push unsafe behaviors (writing passwords down, predictable patterns). A strict hierarchy (B) is not practical and does not map to “need-to-know”—seniority is not the right control boundary, job function is. Biometrics (C) strengthens authentication, but the scenario’s problem is not identity uncertainty; it is misuse by a valid insider. The most effective approach is therefore governance + monitoring: (1) define data access baselines, (2) review permissions routinely, (3) alert on suspicious actions such as unusual repository cloning, bulk downloads, access outside normal hours, or atypical branches, and (4) investigate quickly with HR/legal processes. These measures directly address motive-driven misuse by enabling early detection and limiting the blast radius. This aligns with the broader incident handling emphasis on identifying affected systems/data, understanding scope, and improving controls post-incident to prevent recurrence.

The vulnerability exploited by Clark through tampering with form and parameter values to gain unauthorized access to information assets is indicative of Broken Access Control. Broken Access Control vulnerabilities occur when a web application does not properly enforce restrictions on what authenticated users are allowed to do. Attackers can exploit these vulnerabilities to access unauthorized functionality or data, such as accessing other users' accounts, viewing sensitive files, and modifying other users’ data.

Process memory (RAM) is a type of digital evidence that is temporarily stored and requires a constant power supply to retain information. If the power supply is interrupted, the information stored in process memory is lost. This type of evidence can include data about running programs, user actions, system events, and more, making it crucial for forensic analysis, especially in identifying actions taken by both users and malware. Collecting data from process memory helps incident responders understand the state of the system at the time of an incident and can reveal valuable information that is not persisted elsewhere on the device.

Incident triage is the phase in the incident handling and response process where identified security incidents are analyzed, validated, categorized, and prioritized. This step is critical for determining the severity of incidents and deciding on the allocation of resources for effective response. It involves initial analysis to understand the nature of the incident, its impact, and urgency, which guides the subsequent response actions.

The statement "Do not download or execute applications from trusted sources" is incorrect and not considered a good practice for maintaining information security and eradicating malware incidents. In contrast, downloading or executing applications from trusted sources is a fundamental security best practice. Trusted sources are vetted and are generally considered safe for downloading software, updates, and applications. This practice helps to minimize the risk of introducing malware into the organizational environment. The other options (A, B, C) represent good practices that help in reducing the likelihood of malware infections by avoiding potentially harmful actions.

Farheen's activity of using the DD tool to create a sector-by-sector mirror image of the original disk is an example of system preservation. This process is crucial in digital forensics for creating an exact copy of a storage device to ensure that the original data remains unchanged during the investigation. By making a forensic duplication, or image, of the disk, Farheen ensures that the static data on the disk is preserved in its current state for thorough analysis, without altering the original evidence. This step allows investigators to work with a precise replica of the data, protecting the integrity of the original evidence.

The ECIH Endpoint Security module stresses that modern endpoint incidents require advanced detection capabilities beyond traditional antivirus or manual inspection. Intellectual property theft often involves stealthy techniques that evade basic controls.

Option C is correct because an Endpoint Detection and Response (EDR) solution provides deep visibility into endpoint behavior, including process execution, memory activity, file changes, and lateral movement. EDR enables analysts to detect, investigate, and validate incidents efficiently across multiple endpoints.

Option B is slow and error-prone. Option A is premature without validation. Option D identifies vulnerabilities, not active compromise.

ECIH highlights EDR as a cornerstone technology for endpoint incident detection and validation, especially in high-value environments such as R&D networks.

The EC-Council Incident Handler (ECIH) curriculum explains that email account compromise often involves attackers creating persistent mechanisms such as auto-forwarding rules, mailbox delegation changes, or hidden inbox rules to exfiltrate data even after password resets.

In this scenario, unauthorized message redirection continued despite credential resets and session termination. This strongly indicates the presence of malicious mailbox configuration changes, specifically auto-forwarding rules sending copies of emails to external attacker-controlled addresses.

ECIH emphasizes that eradication requires removal of persistence mechanisms—not just resetting credentials. During email security incident eradication, responders must review mailbox rules, forwarding settings, API tokens, and delegated access permissions. Attackers frequently create hidden rules to maintain access to sensitive communications.

Option A (auditing logs) supports investigation but does not eliminate persistence. Option B (credential resets) is a containment measure already performed but insufficient alone. Option C (client advisory messages) is part of communication management, not technical eradication.

Deleting malicious auto-forwarding rules directly neutralizes the attacker’s ongoing access channel and aligns with ECIH’s guidance on removing unauthorized configurations, validating account integrity, enforcing MFA, and auditing cloud email security settings.

Therefore, deleting malicious auto-forwarding rules is the most appropriate eradication step in this scenario.

MxToolbox is an online tool that provides various network diagnostics and email security checks, including looking up DNS and MX records, SPF records, and more. It can be used by incident handlers to prevent the organization against evolving email threats by analyzing domain health, checking blacklists, verifying email delivery issues, and more. While Email Header Analyzer is useful for analyzing specific emails for traces of phishing or spoofing, G Suite Toolbox might be specific to Google's services, and Gpg4win is more focused on email encryption. MxToolbox provides a broader set of functionalities for monitoring and troubleshooting email delivery issues and security threats, making it a versatile tool for incident handlers.

Risk assessment is the risk management process that involves identifying risks, estimating their impact on the organization, and determining the sources of those risks to recommend appropriate mitigation measures. The goal of a risk assessment is to understand the nature of potential threats, vulnerabilities, and the consequences of those risks materializing, allowing an organization to make informed decisions about how to address them effectively. Risk assumption involves accepting the potential impact of a risk, risk mitigation focuses on reducing the likelihood or impact of risks, and risk avoidance involves taking actions to avoid the risk entirely.

An inappropriate usage incident involves misuse of the organization's resources or violations of its acceptable use policies. Sam's actions, where he sends emails to third-party organizations with a spoofed email address of his employer, constitute misuse of the organization's email system and misrepresentation of the organization. This behavior can harm the organization's reputation, violate policy, and potentially lead to legal consequences. Inappropriate usage incidents can range from unauthorized use of systems for personal gain to the dissemination of unapproved content.

A Denial of Service (DoS) attack aims to make a computer resource, network, or application unavailable to its intended users, thereby preventing legitimate users from using the service. This is achieved by overwhelming the target with a flood of internet traffic or sending information that triggers a crash. In contrast, fraud and theft involve the unauthorized acquisition of data or assets, unauthorized access refers to gaining entry into systems without permission, and malicious code or insider threat attacks relate to software designed to cause harm or unauthorized actions by trusted users within the organization. The specific intent of a DoS attack is to disrupt service, making it a distinct category focused on denial of availability.

In the scenario described, Stanley's effort to present evidence in a clear and comprehensible manner to the members of a jury, with the intention of clarifying facts and aiding in obtaining expert opinion, aligns with the characteristic of admissibility. The admissibility of digital evidence pertains to its acceptability in a court of law, which hinges on the evidence being collected, handled, and presented in a manner that complies with legal standards and procedures. This includes ensuring the evidence is relevant, reliable, and not overly prejudicial. By preparing to present the evidence in a way that the jury can understand and use to confirm the investigation process, Stanley is focusing on ensuring that the evidence meets the criteria for admissibility in the legal proceedings. Completeness, believability, and authenticity are also important characteristics of digital evidence, but the context provided indicates that Stanley's primary focus is on meeting the legal requirements for the evidence to be considered valid in court.

Disabling security options such as two-factor authentication (2FA) and CAPTCHA is not a countermeasure to eradicate cloud security incidents. In fact, it is contrary to best security practices. 2FA adds an additional layer of security by requiring two forms of verification before granting access to an account or system. CAPTCHA helps prevent automated attacks by ensuring that the entity accessing the service is human. Both are important security measures that protect against unauthorized access and automated attacks, thereby enhancing cloud security.

Thenetstat -abcommand is useful in Windows operating systems for displaying all connections and listening ports, along with the executable involved in creating each connection or listening port. This can be particularly valuable for an incident responder like James when attempting to determine which processes are running on a system and how they are communicating over the network. This information can help identify malicious processes, unauthorized connections, or other signs of compromise on the system. Whilenetstat -abdoes not exclusively list executable files for running processes, it ties processes to network activity, which is a critical part of collecting volatile information during a cybersecurity incident investigation.

Software as a Service (SaaS) offers the least amount of security responsibility for the end-user or organization, as the service provider manages the underlying infrastructure, software maintenance, security patching, and updates. Choosing a SaaS application means the colleague's organization would not be responsible for the physical servers, operating systems, or the application's security configurations, making it the best option for minimizing their security responsibilities.

The regular expression/exec(\s|\+)+(s|x)p\w+/ixis designed to match patterns that resemble SQL injection attempts, specifically targeting MS SQL Server. This expression looks for the use of theexeccommand followed by one or more spaces or plus signs, and then patterns that start withsporxp, which are prefixes commonly used in SQL Server stored procedures and extended stored procedures. These are often targeted in SQL injection attacks to execute malicious SQL statements. The regular expression provided is a tool used by incident responders like Tibson to identify and analyze potential SQL injection attempts by looking for suspicious patterns in SQL queries.

The correct flow of stages in an Incident Handling and Response (IH&R) process as outlined in the Incident Handler (ECIH v3) by EC-Council begins with Preparation. This phase involves getting ready for potential incidents by developing plans, policies, and procedures, and ensuring that tools and team training are up to date. Incident Recording is the next stage, where incidents are documented and reported. Incident Triage follows, prioritizing incidents based on their impact and urgency. Containment is next, aiming to limit the damage of the incident and prevent further spread. Eradication comes after containment, where the root cause of the incident is removed. Recovery is the stage where affected systems are restored to their operational status. Post-Incident Activities conclude the process, reviewing and learning from the incident to improve future response efforts.

Yesware is a tool primarily known for its email tracking capabilities, which can be useful for sales, marketing, and customer relationship management. However, in the context of investigating email attacks and analyzing incidents to extract details such as sender identity, mail server, sender’s IP address, and location, a more appropriate tool would be one that specializes in analyzing and extracting detailed header information from emails, providing insights into the path an email took across the internet. While Yesware can provide data related to email interactions, it might not offer the depth of forensic analysis required for incident investigation. Tools like email header analyzers, which are designed specifically for dissecting and interpreting email headers, would be more fitting. In the absence of a direct match from the given options, the description might imply a broader interpretation of tools like Yesware in context but traditionally, tools specifically designed for email forensics would be sought after for this task.

James is working on the post-incident activities stage of the Incident Handling and Response (IH&R) process. After containing the spread of the infection and removing the malware, the focus shifts to assessing the impact of the incident on the organization and preparing a detailed report. This phase involves analyzing the extent of the damage, determining the cost of the attack, evaluating how well the incident was managed, and identifying lessons learned to improve future response efforts. The objective is to restore systems to normal operation, ensure no remnants of the threat remain, and implement measures to prevent recurrence.

Logging User IDs (D) can pose privacy concerns and may conflict with regulations such as the General Data Protection Regulation (GDPR), which emphasizes the protection of personal data and privacy. Therefore, while logging details such as Timestamps, Session IDs, and Source IP addresses are essential for security auditing to track when events occur, who is initiating sessions, and from where, care must be taken with User IDs. The handling of personally identifiable information (PII) must comply with privacy laws and organizational policies to safeguard individual privacy rights.

Rachel is applying the forensic principle of preserving volatile and screen-based digital evidence, which is a core concept in the ECIH First Response and Digital Forensics modules. When a mobile device is powered on and unlocked, the data visible on the screen—such as messages, timestamps, sender details, and session states—constitutes volatile evidence that may be lost permanently if the device locks, reboots, or powers off.

ECIH guidance instructs first responders to document the live state of a device before any interaction that could alter its condition. Photographing the screen captures evidence that may not be recoverable later due to encryption or session expiration. Maintaining power ensures the device does not enter a locked or encrypted state during transport.

Option A refers to forensic analysis, not first response. Option C would destroy evidence and violates forensic principles. Option D risks loss of volatile data.

Preserving screen-based evidence ensures integrity, admissibility, and continuity of evidence, making Option B correct.

Centralized logging and monitoring is a core best practice in cloud incident detection and response under ECIH. Cloud environments are distributed and dynamic, making visibility a major challenge.

Option C is correct because aggregating logs from multiple cloud platforms enables correlation, faster detection, and effective incident triage. ECIH emphasizes centralized visibility as essential for identifying cross-platform threats.

Options A and D are limited in scope. Option B does not address cloud-specific risks.

Alert Logic is a cloud-based security tool that provides Security-as-a-Service solutions including threat management, vulnerability assessment, and improved security outcomes. It is designed specifically to secure cloud resources and services, making it an ideal choice for organizations like Sam Morison Inc. that are moving their operations to the cloud and are concerned about the security of their data. Tools like Nmap, Burp Suite, and Wireshark, while valuable in certain contexts, do not offer the same cloud-focused security capabilities as Alert Logic.

User Behavior Analytics (UBA) is a cybersecurity process or tool that utilizes machine learning, algorithms, and statistical analyses to detect potentially harmful activities within an organization's network by comparing them against established patterns of users' behavior. It is particularly effective in identifying malicious internal actors or compromised users who may be conducting activities that deviate from their normal behavior patterns, such as accessing unauthorized data or systems, excessive file downloads, or unusual login times. UBA tools can flag these activities for further investigation, often before traditional security tools detect a breach. In contrast, SOC2 compliance reports, log forwarding, and syslog configuration are important for maintaining and auditing security standards and for infrastructure monitoring, but they are not primarily focused on detecting malicious behavior based on deviations from established user behavior patterns.

Obfuscation is a technique used to make data or code difficult to understand. It is often employed by attackers to conceal the true intent of their code or communications, making it harder for security professionals, automated tools, and others to analyze or detect malicious activity. Obfuscation can involve the use of ambiguous or misleading language, as well as more technical methods such as encoding, encryption, or the use of nonsensical variable names in source code to hide its true functionality.

In incident response protocols, incidents are categorized based on their severity, impact, and the urgency of the response required. The categorization helps in prioritizing incident response activities and allocating resources accordingly. A CAT 1 (Category 1) incident is typically considered the highest priority, involving significant threats that require immediate response. Given the scenario where a malware incident in one of the largest social network companies must be reported within 1 hour of discovery/detection, this indicates a high-priority incident due to the potential widespread impact and the need for a rapid response to contain and mitigate the malware's spread. The urgency of the reporting timeframe suggests that the incident is considered critical, aligning with the characteristics of a CAT 1 incident, which necessitates immediate action to prevent significant damage or disruption to the company's operations and services.

By classifying and encrypting customer Personally Identifiable Information (PHI), you are specifically guarding against the risk of Sensitive Data Exposure. This OWASP security risk involves the accidental or unlawful exposure of protected data to unauthorized individuals. Encryption serves as a critical defense mechanism by ensuring that, even if data is accessed without authorization, it remains unintelligible and useless to the attacker without the decryption keys. Data classification further supports this by identifying which data is sensitive and requires such protections, ensuring that appropriate security controls are applied to prevent exposure.

Incident response orchestration refers to the process and technologies used to coordinate and streamline the response to security incidents. This approach ensures that incident response teams have clear procedures and workflows to follow, enabling them to act swiftly and effectively when dealing with security incidents. By orchestrating the response, organizations can minimize the impact of incidents, ensure consistent and thorough investigation and remediation activities, and improve their overall security posture. Incident response orchestration involves integrating various security tools, automating response actions where possible, and providing a centralized platform for managing incidents.

The EC-Council Incident Handler (ECIH) curriculum explains that insider data exfiltration frequently occurs through legitimate channels such as HTTPS to bypass traditional firewall rules. When encrypted traffic is not inspected, sensitive data can be transmitted without detection.

Data Loss Prevention (DLP) tools monitor, detect, and block unauthorized transmission of sensitive information across endpoints, networks, and cloud services. DLP solutions can inspect encrypted traffic (when integrated with SSL/TLS inspection mechanisms) and enforce policies that prevent confidential data from leaving the organization.

The absence of deep packet inspection allowed encrypted HTTPS traffic to evade detection. Implementing DLP would provide content-aware monitoring and policy-based enforcement, reducing insider exfiltration risk.

Option A (biometric authentication) controls access, not outbound data flows. Option C (secure coding) relates to software development security. Option D (USB blocking) addresses removable media exfiltration, not encrypted network traffic.

Therefore, implementing Data Loss Prevention (DLP) tools is the appropriate eradication control.

This incident represents an application-layer DoS attack, which targets specific functions rather than bandwidth. ECIH emphasizes function-level protection in such scenarios.

Option C is correct because rate limiting restricts abusive request frequency while allowing legitimate usage. It directly addresses the exploited feature without disrupting service availability.

Option D may block legitimate users behind shared IPs. Options A and B do not mitigate the attack vector.

Rate limiting aligns with ECIH guidance for preserving availability during Layer 7 attacks.

When a browser does not expire a session after the user fails to logout properly, it is indicative of a vulnerability related to broken authentication. Broken authentication is a security issue where attackers can exploit flaws in the authentication mechanism to impersonate other users or take over their sessions. Failure to properly manage session lifetimes, such as not expiring sessions on logout, can allow an attacker to reuse old sessions or session IDs, potentially gaining unauthorized access to user accounts. This vulnerability is classified under A2: Broken Authentication in the OWASP Top 10, which lists the most critical web application security risks. The OWASP Top 10 serves as a guideline for developers and web application providers to understand and mitigate common security risks.

In the context of information security, the Incident Manager (IM) plays a crucial role in handling incidents from both a management and technical perspective. The Incident Manager is responsible for overseeing the entire incident response process, coordinating with relevant stakeholders, ensuring that incidents are analyzed, contained, and eradicated efficiently, and that recovery processes are initiated promptly. They are pivotal in ensuring communication flows smoothly between technical teams and upper management and that all actions taken are aligned with the organization's broader security policies and objectives. Unlike network administrators, threat researchers, or forensic investigators who may play more specialized roles within the incident response process, the Incident Manager has a broad oversight role that encompasses both technical and managerial aspects to ensure a comprehensive and coordinated response to security incidents.

Eradication is the step in the incident handling and response process where the root cause of an incident is removed, and measures are taken to close all attack vectors to prevent similar incidents in the future. After an incident has been properly contained to stop it from spreading or causing further damage, the eradication phase focuses on eliminating the source of the incident. This could involve removing malware, closing vulnerabilities, or implementing stronger security measures to address the exploitation paths used by the attacker.

In the scenario with Raven, notifying service providers and developers of affected resources is part of the actions taken to address the root cause of the incident. This ensures that any vulnerabilities or issues that contributed to the incident are fixed. By working to remove the root cause and secure the system against similar attacks, Raven is effectively implementing the eradication step of the incident handling process.

The EC-Council Incident Handler (ECIH) curriculum explains that insider threat investigations frequently depend on endpoint monitoring and user behavior analytics (UBA/UEBA). In this case, the Nuix Adaptive Security tool captured screenshots, file metadata, and keystroke logs—forms of host-level monitoring that directly observe user activity on the endpoint.

User behavior analytics focuses on detecting deviations from normal patterns, such as sending attachments to unknown external addresses during non-business hours. ECIH identifies this as anomalous insider behavior indicative of potential data exfiltration. Endpoint monitoring tools provide detailed artifacts including screen captures, application usage logs, keystroke records, and file transfer metadata, which are critical for forensic analysis and evidence preservation.

Option B (SIEM event correlation) aggregates logs from multiple systems but does not typically capture screenshots or keystroke-level data. Option C (network forensics) focuses on packet captures and traffic analysis rather than user-level interaction evidence. Option D (host-based intrusion prevention systems) primarily block or detect malicious activity but do not provide comprehensive behavioral monitoring data like screenshots and keystroke logs.

ECIH emphasizes that insider threat cases rely heavily on behavioral indicators, digital activity reconstruction, and endpoint telemetry to determine intent and scope. Lina’s reliance on user activity reconstruction and endpoint-level artifacts clearly aligns with user behavior analytics and endpoint monitoring.

Therefore, the correct answer is User behavior analytics and endpoint monitoring.

During the incident handling and response (IH&R) process, the stage of "Evidence gathering and forensics analysis" involves the collection of evidence, forensic analysis, and detailed investigation to uncover the root cause of the incident. This stage is crucial for understanding how the incident occurred, identifying the threat actors involved, the methods they used (threat vectors), and the extent of the impact. By analyzing evidence, incident responders can reconstruct the sequence of events, identify the vulnerabilities exploited, and determine the scope of the incident. This information is vital for resolving the incident effectively and taking steps to prevent future occurrences.

Auditing the system and network log files is a crucial step in the incident triage phase of the incident response and handling process. During incident triage, incident handlers assess and prioritize incidents based on their severity, impact, and the urgency of the response required. Part of this assessment involves reviewing log files to understand the nature of the incident, its scope, and the systems or networks affected. This information helps in categorizing the incident and deciding on the appropriate response actions. Unlike containment, which aims to limit the damage, incident disclosure, which involves communicating about the incident, or incident eradication, which focuses on removing the threat, incident triage is about evaluating and prioritizing the incident based on detailed log analysis among other factors.

ISO/IEC 27001 Annex A.16 focuses on information security incident management, including reporting, assessment, response, and learning. The ECIH curriculum aligns closely with these requirements, emphasizing structured procedures and continuous improvement.

Option C is correct because it directly addresses the identified gaps: clear escalation channels, consistent outcome tracking, and incorporation of lessons learned. ECIH stresses that post-incident activities—often overlooked—are essential for improving readiness and preventing recurrence.

Option A supports preparedness but does not address systemic process gaps. Option B improves visibility but not governance. Option D is a technical control unrelated to incident learning and escalation.

Thus, implementing structured incident escalation and post-incident knowledge integration is the priority action for compliance and resilience.

According to the EC-Council Incident Handler (ECIH) curriculum, an unauthorized access incident occurs when an attacker gains access to a system without proper authorization, often through credential compromise, brute-force attacks, or exploitation of weak authentication controls.

The scenario describes repeated failed login attempts followed by successful access and subsequent data exfiltration. This sequence—brute-force attempts leading to compromise and data transmission—clearly indicates unauthorized system access. The large outbound traffic spike to an unfamiliar IP further confirms potential data exfiltration following successful authentication bypass.

Option A is unrelated to wireless-specific attacks. Option C refers to policy misuse by authorized users. Option D (denial-of-service) focuses on service disruption rather than data theft or credential compromise.

ECIH recommends immediate isolation of affected systems, log preservation, credential resets, forensic analysis, and review of access controls following unauthorized access incidents. Maria’s actions align with these best practices.

Therefore, this incident is classified as an unauthorized access incident.

The described attack is a "Watering hole" attack. This type of attack targets specific groups of users by infecting websites they are known to frequently visit. The attacker first identifies websites that are popular with the target group, then finds vulnerabilities in those websites to inject malicious code. When the victims visit the compromised site, the code redirects them to other sites or automatically downloads malware onto their machines. This attack leverages the trust users have in regularly visited sites to distribute malware. Unlike obfuscation application, directory traversal, or cookie/session poisoning attacks, watering hole attacks specifically aim to compromise a commonly used and trusted website to target its users.

The root cause of this incident is unvalidated input poisoning the AI training process, resulting in malicious output. ECIH web application security principles emphasize that input validation is the primary control against injection and manipulation attacks.

Option B is correct because strict validation ensures that malicious or untrusted data cannot influence training or response generation. This addresses the vulnerability at its source.

Option A adds friction but does not stop poisoning. Option C is disruptive and not efficient. Option D limits functionality without fixing the underlying issue.

ECIH stresses fixing vulnerabilities at the root rather than applying superficial controls, making Option B correct.

Threat correlation is a method used by incident responders to analyze and associate various indicators of compromise (IoCs) and alerts to identify genuine threats. By correlating data from multiple sources and applying intelligence to distinguish between unrelated events and coordinated attack patterns, responders can significantly reduce the rate of false-positive alerts. This enables teams to prioritize their efforts on the most critical and likely threats, thereby reducing potential risks and corporate liabilities. Effective threat correlation involves the use of sophisticated security information and event management (SIEM) systems, threat intelligence platforms, and analytical techniques to identify relationships between seemingly disparate security events and alerts.

This scenario highlights a preparation phase improvement. ECIH strongly emphasizes the importance of out-of-band communication during incidents, especially when primary systems are compromised.

Option D is correct because VOIP and SMS reporting channels allow incident reporting even when email systems are unavailable or under attack. ECIH identifies out-of-band communication as critical for maintaining coordination and timely escalation during incidents.

Options A–C do not address the reporting failure described.

Establishing alternate communication channels strengthens incident readiness and response resilience, aligning directly with ECIH best practices.

Ping sweeping is a technique used in network reconnaissance to identify which IP addresses in a range are active or live. By sending ICMP echo requests ("ping") to multiple hosts and observing which ones respond, an attacker or, in this case, a red team member like Allan, can determine which systems are up and potentially vulnerable to further exploration or attack. This method is foundational for mapping the network before deploying more targeted exploits or scans.

This scenario indicates identity compromise in a cloud environment, reflected by unusual API activity. The ECIH Cloud Security Incident Handling module emphasizes that in cloud platforms, identity and access management (IAM) is the primary security boundary. When API misuse is detected, the most urgent action is to invalidate potentially compromised credentials.

Option D is correct because rotating all IAM access keys immediately cuts off the attacker’s ability to continue abusing API access. Reviewing IAM policies for excessive permissions further reduces the attack surface and prevents privilege misuse. ECIH explicitly states that compromised credentials must be revoked before implementing additional detective or preventive controls.

Option A may help limit access but does not address stolen credentials that could still be abused elsewhere. Option B improves future visibility but does not mitigate the active incident. Option C is unrelated, as there is no indication of a DDoS attack.

ECIH guidance prioritizes containment through credential revocation in cloud incidents involving unauthorized API usage. Therefore, rotating IAM keys and reviewing permissions is the most critical immediate mitigation step.

The indicators described align closely with a Distributed Denial-of-Service (DDoS) attack, a major topic in the ECIH Network Security Incidents module. DDoS attacks overwhelm network and system resources using traffic from multiple sources, often distributed across geographic regions.

Excessive ARP traffic, NAT table exhaustion, elevated CPU usage on routers, and simultaneous connection attempts are classic symptoms of volumetric and protocol-based DDoS attacks. The involvement of multiple geolocations, as reported by the ISP, further confirms the distributed nature of the attack.

Option B is correct because no single-host misconfiguration or reconnaissance activity would generate this volume and diversity of traffic. Option A would cause IP conflicts, not global traffic floods. Option C focuses on stealthy outbound activity, not inbound saturation. Option D is low-volume and targeted.

ECIH emphasizes early identification of DDoS conditions to enable rapid containment using rate limiting, blackholing, or ISP coordination. Recognizing these indicators is critical to protecting service availability.

Not enabling default administrative accounts is crucial to ensuring accountability and minimizing the risk of insider attacks by privileged users. By disabling or renaming default accounts, organizations can better track the actions performed by individual administrators, reducing the risk of unauthorized or malicious activities going unnoticed. This practice is part of a broader approach to privilege management that includes limiting permissions to the minimum necessary and monitoring the use of administrative privileges.

The Sarbanes–Oxley Act (SOX) Title V, titled "Analyst Conflicts of Interest," contains measures specifically designed to restore investor confidence in the reporting of securities analysts. It addresses the issue of potential conflicts of interest for securities analysts who recommend stocks and other securities by requiring disclosure of certain relationships and financial interests between analysts and the companies they cover. This part of the SOX Act aims to ensure that investors receive unbiased and accurate information from analysts, thereby helping to restore trust in financial markets. Title V consists of only one section, making it unique compared to other titles within the Act that may encompass multiple sections or provisions.

This scenario requires stealthy containment, a technique emphasized in ECIH when dealing with advanced threats, particularly in OT environments.

Option A is correct because disabling selective services while maintaining passive monitoring restricts attacker movement without tipping them off. ECIH stresses that premature disruption can cause attackers to destroy evidence or accelerate damage.

Options B, C, and D are noisy actions that alert the adversary and risk operational disruption.

ECIH recommends low-profile containment for advanced and persistent threats, especially in critical infrastructure, making Option A the correct response.