212-89 Exam Dumps - EC Council Certified Incident Handler (ECIH v3)

Comprehensive and Detailed Explanation (ECIH-aligned):

Advanced persistent threats require coordinated, intelligence-driven response. ECIH emphasizes that APT investigations generate massive volumes of telemetry across endpoints, networks, and cloud platforms.

Option D is correct because Incident Response Automation and Orchestration (IRAO) tools correlate disparate data sources, automate enrichment, and accelerate threat hunting. This enables responders to identify hidden persistence mechanisms and attacker TTPs efficiently.

Options A, B, and C are important but not immediate investigative actions.

ECIH explicitly recommends orchestration platforms for complex, multi-vector incidents such as APTs.

Comprehensive and Detailed Explanation (ECIH-aligned):

The described symptoms—numerous incomplete TCP connections consuming server resources—are characteristic of a SYN flood attack, a denial-of-service technique targeting the transport layer. In such attacks, attackers send SYN packets without completing the TCP handshake, leaving servers overwhelmed with half-open connections.

ECIH network incident handling guidance emphasizes rapid identification and containment of DoS conditions to preserve service availability. By configuring the router to validate connection requests (for example, using SYN cookies or proxy validation), illegitimate handshake attempts are filtered before reaching the server.

Option A involves payload inspection, which is irrelevant here. Option B relates to authentication attacks, which require completed connections. Option D is a detection activity, not mitigation.

Therefore, the purpose of Sophia’s action was to block SYN flood attempts, making Option C correct.

Comprehensive and Detailed Explanation (ECIH-aligned):

This scenario exemplifies a classic malicious insider threat, where a trusted employee with legitimate access abuses their privileges. According to the EC-Council ECIH curriculum, traditional perimeter controls and static access restrictions are often ineffective against insiders because the actions appear legitimate at a surface level. Therefore, the primary emphasis must be on behavior-based detection.

Option D is correct because behavioral analytics enables organizations to establish baselines of normal employee behavior and identify deviations such as unusual access times, excessive data downloads, atypical system usage, or abnormal data transfer patterns. ECIH highlights behavioral monitoring as a critical control for detecting insider threats early, especially when access credentials are valid and authorized.

Option A may limit productivity and does not detect malicious intent. Option B is an administrative practice with limited security value. Option C improves awareness but does not detect deliberate malicious behavior.

By implementing behavioral analytics, ClobalTech can identify subtle indicators of insider misuse, respond earlier, and reduce the impact of long-term data exfiltration, aligning with ECIH best practices for insider threat mitigation.

Obfuscation is a technique used to make data or code difficult to understand. It is often employed by attackers to conceal the true intent of their code or communications, making it harder for security professionals, automated tools, and others to analyze or detect malicious activity. Obfuscation can involve the use of ambiguous or misleading language, as well as more technical methods such as encoding, encryption, or the use of nonsensical variable names in source code to hide its true functionality.

Comprehensive and Detailed Explanation (ECIH-aligned):

The primary indicator here is suspicious outbound connections, a key detection category in ECIH network incident analysis. Unexpected communications to known high-risk domains often indicate malware, misconfiguration, or compromise.

Option C is correct because outbound traffic patterns revealed the issue. ECIH highlights that IoT devices frequently lack visibility and controls, making outbound monitoring critical.

Options A, B, and D do not reflect the described behavior.

Monitoring outbound traffic is therefore essential for early detection of compromised or misconfigured devices.

Comprehensive and Detailed Explanation (ECIH-aligned):

The primary objective of endpoint incident handling, as outlined in the ECIH curriculum, is rapid containment and eradication of threats to preserve business operations. Advanced malware that bypasses traditional defenses requires coordinated response capabilities to prevent widespread compromise.

Option D is correct because endpoint IH&R enables organizations to quickly isolate infected systems, remove malicious components, and restore trusted states, thereby maintaining operational continuity. ECIH emphasizes speed and coordination as critical success factors in endpoint response.

Option A is secondary. Option B is a compliance outcome, not a response objective. Option C is a consequence, not the primary driver.

Therefore, the most critical reason is to ensure rapid containment and eradication, making Option D correct.

Comprehensive and Detailed Explanation (ECIH-aligned):

Persistent mobile malware that survives antivirus scans indicates deep system compromise. The ECIH Endpoint and Mobile Incident Handling guidance states that when malware cannot be reliably removed, reimaging or OS reinstallation is the safest remediation.

Option C is correct because performing a factory reset or reinstalling the OS ensures complete removal of malicious components and restores device integrity. ECIH cautions that partial containment actions may stop symptoms but not eradicate threats.

Options A and B are temporary containment steps. Option D is ineffective against malware.

Therefore, full OS reinstallation is the correct next action.