Nervous Nat often sends emails with screenshots of what he thinks are serious incidents, but they always turn out to be false positives. Today, he sends another screenshot, suspecting a nation-state attack. As usual, you go through your list of questions, check your resources for information to determine whether the screenshot shows a real attack, and determine the condition of your network. Which step of IR did you just perform?
Correct Answer: D
When you receive a screenshot from Nervous Nat and go through a list of questions, check resources for information to determine the nature of the screenshot, and assess the condition of your network, you are engaging in the Detection and Analysis (or Identification) phase of Incident Response (IR). This phase is about identifying potential security incidents based on reported concerns, anomalies detected by security tools, or through the analysis of security alerts. In this scenario, despite the historical context of false positives, each report is treated seriously, requiring you to collect and analyze information to determine whether a real attack is happening. This involves verifying the validity of the incident, assessing its nature, scope, and impact, and deciding on the appropriate next steps. The detection and analysis phase is critical for determining the course of the IR process, including whether escalation is needed and what response measures should be initiated. References: The ECIH v3 certification materials outline the Incident Response process, detailing steps from preparation, detection and analysis, containment, eradication, and recovery, to post-incident activities, highlighting the importance of thorough detection and analysis as the foundation for effective incident management.
212-89 Exam Question 12
A malicious, security-breaking program is disguised as a useful program. Such executable programs, which are installed when a file is opened, allow others to control a user's system. What is this type of program called?
Correct Answer: A
A Trojan, short for Trojan horse, is a type of malicious software that misleads users of its true intent. It disguises itself as a legitimate and useful program, but once executed, it allows unauthorized access to the user's system. Unlike viruses and worms, Trojans do not replicate themselves but can be just as destructive. They are often used to create a backdoor to a computer system, allowing an attacker to gain access to the system or to deliver other malware. Trojans can be used for a variety of purposes, including stealing information, downloading or uploading files, monitoring the user's screen and keyboard, and more. The term "Trojan" comes from the Greek story of the wooden horse that was used to sneak soldiers into the city of Troy, which is analogous to the deceptive nature of this type of malware in cyber security. References: The EC-Council's Certified Incident Handler (ECIH v3) program covers various types of malware, including Trojans, in detail, explaining their mechanisms, how they can be identified, and the steps to take in response to such threats.
212-89 Exam Question 13
Daniel, a system administrator, was discovered accessing encrypted project files that had no relevance to his job responsibilities. A security audit revealed that his account had unrestricted access to all file servers, and there were no alerts or enforcement mechanisms in place to block or flag such access. Which countermeasure should have been in place to prevent this abuse?
Correct Answer: D
The EC-Council Incident Handler (ECIH) curriculum identifies excessive privileges as a major contributor to insider threats. In this scenario, Daniel had unrestricted access to all file servers, violating the Principle of Least Privilege (PoLP). The absence of enforcement mechanisms or alerts further indicates a lack of access governance. Zero Trust architecture operates on the principle of "never trust, always verify." It enforces strict identity verification, continuous authentication, micro-segmentation, and role-based access control. Under Zero Trust, users are granted access only to specific resources required for their job role, and all access attempts are logged and monitored. User segmentation ensures that even administrators are restricted to only authorized systems and datasets. ECIH stresses the importance of monitoring privileged accounts, implementing least privilege, enabling access auditing, and enforcing real-time alerting for unauthorized data access attempts. Option A (manual surveillance) is impractical and ineffective at scale. Option B (personal firewall rules) protects network traffic but does not restrict file server permissions. Option C (disabling removable media) addresses data exfiltration via USB devices, not unauthorized file access. Therefore, user segmentation through Zero Trust access would have prevented Daniel from accessing irrelevant encrypted project files and aligns directly with ECIH insider threat mitigation strategies.
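The controls the explanation says were missing (least-privilege grants, deny-by-default enforcement, access auditing and real-time alerting) can be sketched in a few lines. The following is an added example written for this page, not code from the ECIH curriculum or from any Zero Trust product; the roles, users, resources and alert threshold are constructed for illustration.

```python
"""Deny-by-default authorization with audit logging and alerting.

Added example (not from the ECIH materials). It models the control that
was absent in Daniel's scenario: a sysadmin role that does NOT imply
access to every file share, every decision written to an audit trail, and
an alert when one account accumulates repeated denials.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed role-to-resource grants: each role sees only what the job needs.
# Note that "sysadmin" is deliberately not granted "project-files".
ROLE_GRANTS = {
    "sysadmin": {"fileserver-os-logs", "backup-console"},
    "research-analyst": {"project-files"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "daniel": {"sysadmin"},
    "erin": {"research-analyst"},
}

# Assumed tuning value: denied attempts per user before an alert is raised.
ALERT_THRESHOLD = 3


@dataclass
class AccessMonitor:
    """Authorization decision point plus the audit/alert side of it."""
    audit_log: list = field(default_factory=list)
    denials: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)

    def is_authorized(self, user: str, resource: str) -> bool:
        """Least privilege: allow only if some role of the user grants the resource."""
        roles = USER_ROLES.get(user, set())
        return any(resource in ROLE_GRANTS.get(role, set()) for role in roles)

    def request(self, user: str, resource: str) -> bool:
        """Evaluate a request, record it, and alert on repeated denials."""
        allowed = self.is_authorized(user, resource)
        # Every access decision, allowed or not, is recorded for auditing.
        self.audit_log.append({"user": user, "resource": resource, "allowed": allowed})
        if not allowed:
            self.denials[user] += 1
            if self.denials[user] >= ALERT_THRESHOLD:
                self.alerts.append(
                    f"{user}: {self.denials[user]} denied accesses, review account"
                )
        return allowed


if __name__ == "__main__":
    monitor = AccessMonitor()
    print(monitor.request("erin", "project-files"))    # True: analyst role grants it
    print(monitor.request("daniel", "project-files"))  # False: admin role does not
    for _ in range(2):
        monitor.request("daniel", "project-files")
    print(monitor.alerts)
```

The decision is made against explicit grants rather than against an "administrator can read anything" default, and the audit list is what an analyst would later pull to reconstruct who touched which share; in a real deployment the log and alert lists would be replaced by a SIEM sink.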
212-89 Exam Question 14
NovoMed discovers encrypted data transfers of drug research and participant data to an unknown location and receives an extortion-like message implying the formula may be released. What is the most prudent course of action?
Correct Answer: D
Explanation (incident response governance): This scenario combines data theft and extortion involving highly sensitive IP and regulated participant data. The prudent course is to trigger formal legal/incident governance: engage law enforcement and appropriate cybercrime agencies (D), preserve evidence, and coordinate with legal counsel, regulators (if required), and cyber-insurance response processes. Law enforcement engagement can support intelligence sharing, preservation orders, and broader investigation into the infrastructure receiving the exfiltrated data. (A) Recalling the drug is not directly tied to the incident's immediate technical or legal response; it is a business decision that may be unnecessary and harmful without evidence of counterfeit risk. (B) An immediate public announcement may be legally required in some jurisdictions, but it must be accurate and coordinated; doing it prematurely can worsen harm. (C) Negotiation is risky and typically handled only through controlled legal and executive channels; it does not ensure data return and can incentivize further extortion. Thus, (D) reflects best-practice escalation: treat it as a serious crime, preserve chain of custody, and coordinate response through legal and investigative authorities while technical teams contain and scope.
212-89 Exam Question 15
Francis received a spoof email asking for his bank information. He decided to use a tool to analyze the email headers. Which of the following should he use?
Correct Answer: B
MxToolbox is a comprehensive tool designed for analyzing email headers and diagnosing various email delivery issues. When Francis received a spoofed email asking for his bank information, using MxToolbox to analyze the email headers would be appropriate. This tool helps in examining the source of the email, tracking the email's path across the internet from the sender to the receiver, and identifying any signs of email spoofing or malicious activity. It provides detailed information about the email servers encountered along the way and can help in verifying the authenticity of the email sender. Other options like EventLog Analyzer, Email Checker, and PoliteMail are tools used for different purposes such as analyzing system event logs, checking email address validity, and managing email communications, respectively, and do not specifically focus on analyzing email headers to the extent required for investigating a spoofed email incident. References: The use of MxToolbox in incident handling and email security analysis is commonly recommended in Incident Handler (ECIH v3) study materials as a practical tool for email header analysis and spoofing investigation.
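To make concrete what a header analyzer actually looks at, here is an added example written for this page (it is not MxToolbox code and not from the ECIH materials). It parses a constructed spoof message with Python's standard `email` module, rebuilds the Received chain in chronological order, compares the visible From domain with the Return-Path domain, and reads the SPF/DKIM verdicts from the receiving server's Authentication-Results header. All hostnames, addresses and IPs in the sample are constructed.

```python
"""Minimal email-header triage for a suspected spoof.

Added example (not MxToolbox's code). The checks mirror what a header
analyzer surfaces: hop chain, sender-domain mismatch, SPF/DKIM results.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From claims the bank, but the envelope sender
# (Return-Path) is a different domain and the receiving MTA recorded an SPF fail.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer-example.test>
Received: from mx.bank-example.test (unknown [203.0.113.5])
\tby inbound.example.org with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [198.51.100.7] (helo=bulk.mailer-example.test)
\tby mx.bank-example.test with ESMTP; Mon, 01 Jan 2024 09:59:00 +0000
Authentication-Results: inbound.example.org; spf=fail smtp.mailfrom=mailer-example.test; dkim=none
From: "Bank Security" <alerts@bank-example.test>
To: francis@example.org
Subject: Verify your account now

Please confirm your bank details.
"""


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value: str) -> dict:
    """Extract method=result pairs (spf=fail, dkim=none, ...) from Authentication-Results."""
    results = {}
    # First ';'-separated field is the authserv-id; the rest are method results.
    for part in (value or "").split(";")[1:]:
        tokens = part.strip().split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def hop_origin(received_value: str) -> str:
    """Pull the 'from <host>' token out of one Received header."""
    match = re.match(r"from\s+(\S+)", received_value.strip())
    return match.group(1) if match else "?"


def triage(raw_message: str) -> dict:
    """Run the spoof checks and return structured findings."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append(
            f"From domain {from_domain} differs from Return-Path domain {return_path_domain}"
        )

    auth = parse_auth_results(msg["Authentication-Results"])
    if auth.get("spf") in ("fail", "softfail"):
        findings.append(f"SPF {auth['spf']} for envelope sender")
    if auth.get("dkim", "none") != "pass":
        findings.append(f"DKIM {auth.get('dkim', 'none')}")

    # Each MTA prepends its Received header, so reversing the list gives
    # the path in the order the message actually travelled.
    hops = [hop_origin(h) for h in (msg.get_all("Received") or [])][::-1]

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "hops": hops,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MESSAGE)
    print("Path:", " -> ".join(report["hops"]))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

The Received chain is only as trustworthy as the servers that wrote it (anything below your own MTA's header could have been forged by the sender), which is why the Authentication-Results verdict from your own inbound server carries more weight than the hop list itself.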