AlphaTech recently discovered signs of an advanced persistent threat (APT) in its infrastructure. The incident response team is trying to gather more information about the threat to form a comprehensive response strategy. While leveraging threat intelligence platforms, which of the following approaches would be most effective in gathering detailed and actionable insights about the APT?
Correct Answer: B
ECIH emphasizes that advanced persistent threats require intelligence beyond static indicators. While IOCs are useful, they often change quickly and provide limited context. Option B is correct because collaboration with industry peers enables sharing of tactics, techniques, and procedures (TTPs), which are more stable and actionable than IOCs. ECIH strongly promotes information sharing communities, ISACs, and trusted peer collaboration to improve situational awareness against APTs. Options A, C, and D provide partial or outdated insights and lack operational depth. Therefore, peer collaboration focused on attacker behavior is the most effective approach.
212-89 Exam Question 47
A colleague wants to minimize their security responsibility because they are in a small organization. They are evaluating a new application that is offered in different forms. Which form would result in the least amount of responsibility for the colleague?
Correct Answer: B
Software as a Service (SaaS) offers the least amount of security responsibility for the end-user or organization, as the service provider manages the underlying infrastructure, software maintenance, security patching, and updates. Choosing a SaaS application means the colleague's organization would not be responsible for the physical servers, operating systems, or the application's security configurations, making it the best option for minimizing their security responsibilities. References: In the Certified Incident Handler (ECIH v3) course materials, the various cloud service models (IaaS, PaaS, SaaS) are discussed with a focus on their implications for security responsibilities and management.
212-89 Exam Question 48
Khai was tasked with examining the logs from a Linux email server. The server uses Sendmail to execute the command to send emails and Syslog to maintain logs. To validate the data within email headers, which of the following directories should Khai check for information such as source and destination IP addresses, dates, and timestamps?
Correct Answer: A
In a Linux environment, email servers such as Sendmail log events, including details about sent and received emails, in a specific log file. The correct directory and file for examining email logs, particularly for Sendmail using Syslog for logging, is /var/log/maillog. This file contains vital information for forensic and incident response purposes, including source and destination IP addresses, email addresses, timestamps, and other data relevant to the email traffic handled by the server. By analyzing this log, incident responders can gather evidence related to email-based incidents, trace the source of malicious emails, and understand the scope of an incident. It is crucial for individuals like Khai, who are tasked with examining logs, to know the correct log file locations and their contents to effectively validate and analyze email header information and other relevant data. References: Incident Handler (ECIH v3) study materials often cover the logging mechanisms of common services and applications on Linux systems, including email servers like Sendmail, and the importance of log files like /var/log/maillog in incident investigation and response activities.
212-89 Exam Question 49
After a recent cloud migration, AeroFlights, an airline company, spotted unauthorized data access. Preliminary checks hinted at malware that used cloud resources to spread, impacting flight schedules. Equipped with a cloud-specific security tool and a real-time scheduling monitor, what should be the primary action?
Correct Answer: B
This scenario involves an active cloud malware incident affecting operational systems. According to the ECIH cloud incident handling process, the priority after detection is containment and eradication using appropriate tooling. Cloud-specific security tools provide visibility into workloads, API activity, lateral movement, and malicious persistence mechanisms unique to cloud environments. Option B is correct because deploying the cloud security tool enables identification of infected resources, malicious processes, compromised identities, and abnormal API usage. This allows responders to contain spread, remove malware, and restore integrity without unnecessary disruption. Option A is an extreme business decision that could cause severe operational and financial damage and should only occur if safety is directly threatened. Option C is a communication step that must be based on verified impact. Option D is monitoring, not response. ECIH emphasizes that incident response actions must be proportional, evidence-based, and targeted. Leveraging cloud-native or cloud-aware security tools is the most effective primary response in such incidents, making Option B correct.
212-89 Exam Question 50
Lara, a SOC analyst, investigates multiple alerts generated by an IDS showing repeated login failures from a specific workstation to an internal application. When reviewing Windows Event Viewer logs, she discovers a user repeatedly attempting logins outside of working hours. Further checks reveal the user had installed an unauthorized remote desktop tool. Which of the following best describes this situation?
Correct Answer: C
The EC-Council Incident Handler (ECIH) curriculum categorizes incidents such as unauthorized software installation and policy violations under inappropriate usage incidents. In this scenario, the activity originated from a legitimate internal workstation and user account, not an external third party. The repeated login failures outside business hours combined with installation of an unauthorized remote desktop tool indicate a breach of acceptable use policy and potentially malicious intent. However, the key factor is that the actions were performed by an internal user using valid access credentials, making this an insider-related policy violation rather than an external unauthorized access attack. Option A implies legitimate remote work within policy boundaries, which is contradicted by the unauthorized software installation. Option B suggests a third-party compromise, but logs indicate activity from an internal user account. Option D (DoS attack) involves service disruption via traffic flooding, which is not described here. ECIH stresses enforcing acceptable use policies, monitoring user behavior, restricting unauthorized software installation, and applying least privilege controls to mitigate insider misuse. Therefore, this scenario best fits inappropriate usage due to policy violation and unauthorized software installation.