212-89 Exam Dumps - EC Council Certified Incident Handler (ECIH v3)

This scenario demonstrates manual phishing email verification, which is a foundational detection technique taught in the ECIH Email Security module. Manual verification involves human inspection of email characteristics such as sender address anomalies, mismatched URLs, unusual tone, urgency, and contextual inconsistencies.

Option D is correct because Ethan manually inspects the email by hovering over links, reviewing sender formatting, and evaluating message tone. These actions are key indicators used to identify phishing without relying on automated tools.

Option A relates to encoding analysis, which is not described. Option B involves automated network-based detection. Option C focuses on shortened URLs, which are not present here.

ECIH emphasizes that while automated defenses are important, human verification remains critical, especially for targeted phishing attacks that bypass technical controls. Therefore, Option D correctly identifies the detection approach used.

A TCP Xmas scan is a type of network scanning technique used by attackers to identify open ports on a target machine. The name "Xmas" comes from the set of flags that are turned on within the packet, making it 'lit up like a Christmas tree'. Specifically, the FIN, PSH, and URG flags are set, which corresponds to the hexadecimal value 0X029 in the TCP header's flags field. Wireshark, a popular network protocol analyzer, allows users to create custom filters to detect specific types of network traffic, including malicious scanning attempts. By using the filtertcp.flags==0X029, Rose can detect packets that have these specific flags set, indicating a potential TCP Xmas scan attempt.

Persistent mobile malware that survives antivirus scans indicates deep system compromise. The ECIH Endpoint and Mobile Incident Handling guidance states that when malware cannot be reliably removed, reimaging or OS reinstallation is the safest remediation.

Option C is correct because performing a factory reset or reinstalling the OS ensures complete removal of malicious components and restores device integrity. ECIH cautions that partial containment actions may stop symptoms but not eradicate threats.

Options A and B are temporary containment steps. Option D is ineffective against malware.

Therefore, full OS reinstallation is the correct next action.

Unauthorized access to backend services in a cloud environment most commonly results from overly permissive identity and access management (IAM) configurations. The ECIH cloud incident handling guidance emphasizes that identity controls are the primary security boundary in cloud platforms.

Option A is correct because reviewing and tightening IAM roles immediately reduces the attack surface and revokes excessive privileges that may be exploited. This action directly addresses the root cause of unauthorized access.

Option D is a strong additional control but should be applied after correcting IAM misconfigurations. Option B improves future detection but does not contain the current incident. Option C is disruptive and unnecessary as a first response.

Therefore, IAM review and privilege tightening is the correct first measure, consistent with ECIH best practices.

According to the EC-Council Incident Handler (ECIH) curriculum, the first responder’s primary responsibility upon discovering a potential cybercrime is to preserve and protect the crime scene. This includes isolating affected systems, preventing further network communication, restricting physical and logical access, and ensuring no evidence is altered or destroyed.

Sophia’s actions—isolating the system, restricting access, preventing tampering, and escalating to the IR team—align precisely with crime scene protection principles. ECIH emphasizes that improper handling during the early stages of an incident can contaminate evidence and compromise forensic investigations.

Option A (chain of custody documentation) occurs once evidence is formally collected. Option B (evidence log collection) is part of forensic acquisition. Option C (advanced forensic analysis) is performed by specialized investigators later in the response lifecycle.

Therefore, Sophia is performing the role of protecting the integrity of the crime scene as a first responder.

This scenario indicates identity compromise in a cloud environment, reflected by unusual API activity. The ECIH Cloud Security Incident Handling module emphasizes that in cloud platforms, identity and access management (IAM) is the primary security boundary. When API misuse is detected, the most urgent action is to invalidate potentially compromised credentials.

Option D is correct because rotating all IAM access keys immediately cuts off the attacker’s ability to continue abusing API access. Reviewing IAM policies for excessive permissions further reduces the attack surface and prevents privilege misuse. ECIH explicitly states that compromised credentials must be revoked before implementing additional detective or preventive controls.

Option A may help limit access but does not address stolen credentials that could still be abused elsewhere. Option B improves future visibility but does not mitigate the active incident. Option C is unrelated, as there is no indication of a DDoS attack.

ECIH guidance prioritizes containment through credential revocation in cloud incidents involving unauthorized API usage. Therefore, rotating IAM keys and reviewing permissions is the most critical immediate mitigation step.

Cross-site request forgery (CSRF or XSRF) is an attack that tricks the victim's browser into executing unauthorized actions on a website where they are currently authenticated. In this scenario, the attacker exploits the trust that a site has in the user's browser, effectively forcing the browser to perform actions without the user's knowledge or consent. For example, if the user is logged into their bank's website, an attacker could craft a malicious request to transfer funds without the user's direct interaction. CSRF attacks rely on authenticated sessions and typically target state-changing requests to compromise user or application data.

In incident response protocols, incidents are categorized based on their severity, impact, and the urgency of the response required. The categorization helps in prioritizing incident response activities and allocating resources accordingly. A CAT 1 (Category 1) incident is typically considered the highest priority, involving significant threats that require immediate response. Given the scenario where a malware incident in one of the largest social network companies must be reported within 1 hour of discovery/detection, this indicates a high-priority incident due to the potential widespread impact and the need for a rapid response to contain and mitigate the malware's spread. The urgency of the reporting timeframe suggests that the incident is considered critical, aligning with the characteristics of a CAT 1 incident, which necessitates immediate action to prevent significant damage or disruption to the company's operations and services.