212-89 Exam Dumps - ECCouncil ECIH Questions and Answers

According to the EC-Council Incident Handler (ECIH) curriculum, first responders are responsible for gathering preliminary information to understand the nature and scope of an incident. Conducting interviews and collecting contextual evidence are essential components of information collection.

Jack’s targeted questioning and note-taking are part of collecting incident-related information to reconstruct timelines and identify potential attack vectors. While documentation (Option A) is occurring, the primary function described is information gathering.

Identifying the scope (Option B) typically involves system and asset evaluation. Protecting the crime scene (Option D) involves preserving digital evidence and preventing contamination. Although these may occur later, the scenario emphasizes interview-based data collection.

Therefore, Jack’s primary responsibility here is collecting information about the incident.

In this scenario, the inability to access the file server via Remote Desktop Protocol (RDP), despite the server being pingable and other services functioning normally, suggests a service-specific disruption rather than a complete system shutdown or broader network issue. This pattern is indicative of a denial-of-service (DoS) attack targeted at the file server's RDP service or network congestion that specifically affects RDP connectivity. A DoS attack aims to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. The fact that other services (like email) are operational rules out broader system or admin account issues, pointing towards a specific problem with accessing the file server, most likely due to a denial-of-service condition.

Thenetstat -ancommand is used to display network connections, routing tables, and a number of network interface statistics. It is particularly useful for identifying unusual volumes of traffic to and from a system, which can be indicative of a DoS/DDoS attack. The option-ashows all active connections and the TCP and UDP ports on which the computer is listening, and-ndisplays addresses and port numbers in numerical form. This can help the incident handling and response (IH&R) team to identify suspicious patterns, such as a large number of connections from a single source or to a specific port, which are common during DoS/DDoS attacks.

The EC-Council Incident Handler (ECIH) curriculum emphasizes that recovery must not only restore functionality but also eliminate residual security weaknesses that could enable reinfection or continued compromise. In operational technology (OT) and industrial environments, identity validation, certificate trust, and strict access control between interconnected systems are critical.

The scenario highlights two major issues: excessive permissions between authentication servers and automation modules, and anomalies in authentication tokens with unidentified fingerprints. These findings indicate compromised trust relationships and over-privileged system communications.

ECIH recovery guidance stresses revalidating authentication mechanisms, enforcing the Principle of Least Privilege, reviewing trust relationships, and ensuring certificate integrity before declaring systems fully restored. Implementing granular role-based access controls (RBAC) and validating trusted device certificates directly addresses both excessive permissions and authentication anomalies.

Option A improves detection but does not correct trust misconfigurations. Option B (red-team simulation) is useful but secondary to securing authentication controls. Option C (system reboot) does not resolve permission or certificate validation issues.

Therefore, enforcing granular role-based access policies and validating trusted device certificates is the most critical secure restoration action.

The correct sequence of steps performed by incident responders during the vulnerability assessment phase is as follows:

Perform OSINT information gathering to validate the vulnerabilities (4):Initially, Open Source Intelligence (OSINT) is used to gather information about the organization’s digital footprint and potential vulnerabilities.

Run vulnerability scans using tools (1):Next, specialized tools are employed to scan the organization's networks and systems for vulnerabilities.

Identify and prioritize vulnerabilities (2):The identified vulnerabilities are then analyzed and prioritized based on their severity and potential impact on the organization.

Examine and evaluate physical security (3):Physical security assessments are also crucial as they can impact the overall security posture and protection of digital assets.

Check for misconfigurations and human errors (6):This step involves looking for misconfigurations in systems and networks, as well as potential human errors that could lead to vulnerabilities.

Apply business and technology context to scanner results (5):The results from the scans are evaluated within the context of the business and its technology environment to accurately assess risks.

Create a vulnerability scan report (7):Finally, a comprehensive report is created, detailing the vulnerabilities, their severity, and recommended mitigation strategies.

This sequence ensures a thorough assessment, prioritizing vulnerabilities that pose the greatest risk and providing actionable insights for mitigation.

A negligent insider is an individual within an organization who, due to a lack of knowledge on security threats or in an attempt to increase workplace efficiency, inadvertently bypasses security procedures or makes errors that compromise security. This type of insider threat is not malicious in intent; rather, it stems from carelessness, oversight, or a lack of proper security training. Such insiders might click on phishing links, mishandle sensitive information, or use unsecured networks for work-related tasks, thereby exposing the organization to potential security breaches. This contrasts with compromised insiders (who are manipulated by external parties), professional insiders (who misuse their access for personal gain), and malicious insiders (who intentionally aim to harm the organization).

Process memory (RAM) is a type of digital evidence that is temporarily stored and requires a constant power supply to retain information. If the power supply is interrupted, the information stored in process memory is lost. This type of evidence can include data about running programs, user actions, system events, and more, making it crucial for forensic analysis, especially in identifying actions taken by both users and malware. Collecting data from process memory helps incident responders understand the state of the system at the time of an incident and can reveal valuable information that is not persisted elsewhere on the device.

A side channel attack, as described in the scenario, involves an attacker using indirect methods to gather information from a system. In this case, Alice is exploiting the shared physical resources, specifically the processor cache, of a virtual machine host to steal data from another virtual machine on the same host. This type of attack does not directly breach the system through conventional means like breaking encryption but instead takes advantage of the information leaked by the physical implementation of the system, such as timing information, power consumption, electromagnetic leaks, or, as in this case, shared resource utilization, to infer the secret data.

This incident demonstrates a document-based web malware delivery mechanism, specifically leveraging remotely hosted Rich Text Format (RTF) injection, which is explicitly discussed in ECIH web and malware handling modules. RTF documents can reference external objects or templates, allowing malicious payloads to be fetched dynamically when the document is opened—without requiring macros or user interaction.

Option A is correct because the behavior described aligns precisely with remote template injection. The absence of macros, the silent external connections, and the use of structural document elements are classic indicators of RTF-based malware delivery. ECIH highlights this as a high-risk technique because it bypasses traditional macro-based detection and user warning mechanisms.

Option B is incorrect because the payload was delivered via downloaded documents, not email impersonation of social contacts. Option C references browser extensions and PDFs, which are not involved. Option D describes lateral spread, not initial delivery.

ECIH emphasizes that modern web-based attacks increasingly abuse trusted document formats and remote object references to evade controls. Understanding these techniques enables responders to improve document sanitization, outbound traffic monitoring, and content disarm and reconstruction (CDR) controls.

This scenario clearly aligns with the eradication phase of the ECIH malware incident handling lifecycle. After detection and containment, eradication focuses on completely removing malicious artifacts and ensuring the threat cannot re-emerge.

Option D is correct because Liam’s actions—malware removal, account disabling, system restoration, and IOC documentation—are all aimed at fully eliminating the malware and attacker footholds. ECIH emphasizes that eradication must address malware binaries, persistence mechanisms, compromised credentials, and residual indicators.

Option B (forensic preservation) would avoid system changes, which Liam does not do. Option A is a training activity unrelated to response. Option C is infrastructure improvement, not incident handling.

ECIH explicitly states that failure to eradicate all traces often leads to reinfection or continued attacker access. Liam’s comprehensive approach ensures the environment is returned to a trusted state and prepares detection systems for future prevention.