212-89 Exam Dumps - EC Council Certified Incident Handler (ECIH v3)

Yesware is a tool primarily known for its email tracking capabilities, which can be useful for sales, marketing, and customer relationship management. However, in the context of investigating email attacks and analyzing incidents to extract details such as sender identity, mail server, sender’s IP address, and location, a more appropriate tool would be one that specializes in analyzing and extracting detailed header information from emails, providing insights into the path an email took across the internet. While Yesware can provide data related to email interactions, it might not offer the depth of forensic analysis required for incident investigation. Tools like email header analyzers, which are designed specifically for dissecting and interpreting email headers, would be more fitting. In the absence of a direct match from the given options, the description might imply a broader interpretation of tools like Yesware in context but traditionally, tools specifically designed for email forensics would be sought after for this task.

Threat correlation is a method used by incident responders to analyze and associate various indicators of compromise (IoCs) and alerts to identify genuine threats. By correlating data from multiple sources and applying intelligence to distinguish between unrelated events and coordinated attack patterns, responders can significantly reduce the rate of false-positive alerts. This enables teams to prioritize their efforts on the most critical and likely threats, thereby reducing potential risks and corporate liabilities. Effective threat correlation involves the use of sophisticated security information and event management (SIEM) systems, threat intelligence platforms, and analytical techniques to identify relationships between seemingly disparate security events and alerts.

The EC-Council Incident Handler (ECIH) curriculum describes Security Orchestration, Automation, and Response (SOAR) platforms as integrated systems that combine automated detection, case management, workflow execution, and coordinated response actions.

The scenario includes automated abnormal behavior detection, endpoint isolation, log correlation, automatic incident ticket creation, asset mapping, user activity analysis, and adaptive containment using predefined workflows with analyst oversight. These capabilities align directly with incident response automation and orchestration technologies.

ECIH emphasizes that modern IR programs integrate SIEM, endpoint detection and response (EDR), and orchestration platforms to streamline alert triage, automate containment steps, and reduce response time. Automation ensures rapid isolation of infected systems, while orchestration coordinates multiple tools and teams across departments.

Option A lacks automation. Option B (legacy antivirus) cannot perform coordinated isolation and workflow execution. Option C (backup system) supports recovery but not detection or containment.

Therefore, a coordinated system combining incident response automation with orchestration capabilities best supports the described workflow.

In the scenario where Dolphin Investment needs to implement a ticketing system for employees like Jacob to report IT-related issues, ManageEngine ServiceDesk Plus is the most suitable option among the choices provided. ManageEngine ServiceDesk Plus is a comprehensive IT help desk software that facilitates issue tracking, incident management, and efficient resolution of IT-related problems and requests. It enables users to submit tickets through various channels, including email, web portal, phone, or chat, and allows IT support teams to manage these tickets through a centralized platform. This system is designed to streamline the process of reporting, tracking, and resolving IT issues and incidents, making it an ideal solution for organizations looking to establish a formalized incident reporting and resolution process. Other options like IBM X-Force Exchange, ThreatConnect, and MISP focus more on threat intelligence sharing and security incident analysis rather than functioning as an IT help desk or ticketing system.

Turning off the infected machine is a common immediate response to contain a malware incident and prevent it from spreading to other systems on the network. This action halts any ongoing malicious activities by the malware, thereby limiting the potential for further damage or data exfiltration. However, it is essential to note that this step can lead to the loss of volatile data that might be useful for forensic analysis. Therefore, it is advisable only when it's critical to stop the malware immediately, and there's a strategy in place for forensic investigation that includes handling non-volatile data or when the preservation of volatile data is not possible.

Explanation (cloud IR reality):

In multi-vector cloud incidents, the defining challenge is coordination across layered services—identity (IAM), networking (WAF/CDN/LB), compute (VMs/containers/functions), email/collaboration, endpoints, and third-party SaaS integrations. Each vector often lands in a different plane: phishing compromises identities; malware persists on endpoints or workloads; DDoS stresses edge/network layers. Responding effectively requires aligning containment actions across these domains so one mitigation doesn’t leave another door open (e.g., stopping DDoS but leaving compromised identities active, or cleaning a workload while malicious OAuth tokens remain valid).

(B) is important but is a subset of coordination—CSP communication is one dependency in the broader multi-service response. (C) is a tactical DDoS problem and matters, but the incident includes phishing + malware, so focusing only on traffic classification is insufficient. (A) matters for regulated firms, but during active response, compliance is usually addressed through predefined procedures; it’s not the main operational obstacle in stopping a multi-vector campaign.

So (D) best captures the cloud-specific complexity: distributed ownership, shared responsibility boundaries, and the need for synchronized actions (revoking tokens, isolating workloads, adjusting security groups, WAF rules, email protections, and endpoint containment) to truly break the kill chain.

Network forensic tools are designed to capture, record, and analyze network traffic. Tools like Capsa Network Analyzer, Tcpdump, and Wireshark are specifically designed for this purpose, providing capabilities to capture live traffic, analyze packets, and understand network activities. Capsa Network Analyzer is a comprehensive network monitoring tool, Tcpdump is a powerful command-line packet analyzer, and Wireshark is a widely used network protocol analyzer that provides detailed information about network traffic.

Advanced NTFS Journaling Parser, on the other hand, is not a network forensic tool but a tool used for forensic analysis of NTFS file systems. It parses the NTFS journal ($LogFile), which contains a log of changes made to files on an NTFS volume. This tool is valuable for forensic analysts who are investigating the file system activities on a Windows system, such as file creation, modification, and deletion times, rather than analyzing network traffic. Therefore, it does not fit the category of a network forensic tool.

This scenario involves an active malware incident affecting content integrity, which directly impacts public trust and organizational credibility. According to the ECIH malware response lifecycle, the first priority is containment, not correction or recovery.

Option B is correct because network segregation and isolation prevent the malware from continuing to spread, communicating with command-and-control infrastructure, or further manipulating content. Containment stabilizes the environment and preserves evidence for forensic analysis.

Option C focuses on correction rather than stopping the attack and may allow malware persistence. Option D risks restoring infected components and destroying forensic artifacts. Option A is a communication decision that should follow containment and validation.

ECIH explicitly warns against performing remediation or rollback actions before containment, as doing so may worsen impact or obscure root cause analysis. Isolating compromised systems is therefore the correct immediate response.