Free ECCouncil 212-89 Practice Exam with Questions & Answers | Set: 3

The EC-Council Incident Handler (ECIH) curriculum explains that insider threat investigations frequently depend on endpoint monitoring and user behavior analytics (UBA/UEBA). In this case, the Nuix Adaptive Security tool captured screenshots, file metadata, and keystroke logs—forms of host-level monitoring that directly observe user activity on the endpoint.

User behavior analytics focuses on detecting deviations from normal patterns, such as sending attachments to unknown external addresses during non-business hours. ECIH identifies this as anomalous insider behavior indicative of potential data exfiltration. Endpoint monitoring tools provide detailed artifacts including screen captures, application usage logs, keystroke records, and file transfer metadata, which are critical for forensic analysis and evidence preservation.

Option B (SIEM event correlation) aggregates logs from multiple systems but does not typically capture screenshots or keystroke-level data. Option C (network forensics) focuses on packet captures and traffic analysis rather than user-level interaction evidence. Option D (host-based intrusion prevention systems) primarily block or detect malicious activity but do not provide comprehensive behavioral monitoring data like screenshots and keystroke logs.

ECIH emphasizes that insider threat cases rely heavily on behavioral indicators, digital activity reconstruction, and endpoint telemetry to determine intent and scope. Lina’s reliance on user activity reconstruction and endpoint-level artifacts clearly aligns with user behavior analytics and endpoint monitoring.

Therefore, the correct answer is User behavior analytics and endpoint monitoring.

The described attack is a "Watering hole" attack. This type of attack targets specific groups of users by infecting websites they are known to frequently visit. The attacker first identifies websites that are popular with the target group, then finds vulnerabilities in those websites to inject malicious code. When the victims visit the compromised site, the code redirects them to other sites or automatically downloads malware onto their machines. This attack leverages the trust users have in regularly visited sites to distribute malware. Unlike obfuscation application, directory traversal, or cookie/session poisoning attacks, watering hole attacks specifically aim to compromise a commonly used and trusted website to target its users.

In the static data collection process, which is part of digital forensics and incident handling, the focus is on acquiring and examining digital evidence without altering the system or the data itself. This process includes evidence examination, where the data is analyzed; system preservation, where the current state of a system or data is maintained to ensure no alteration occurs; and evidence acquisition, which involves creating an exact binary copy of the digital evidence. Password protection, however, is not a part of the static data collection process. Instead, it relates to securing access to data or systems but does not directly involve the collection or preservation of static data for forensic purposes.

A negligent insider is an individual within an organization who, due to a lack of knowledge on security threats or in an attempt to increase workplace efficiency, inadvertently bypasses security procedures or makes errors that compromise security. This type of insider threat is not malicious in intent; rather, it stems from carelessness, oversight, or a lack of proper security training. Such insiders might click on phishing links, mishandle sensitive information, or use unsecured networks for work-related tasks, thereby exposing the organization to potential security breaches. This contrasts with compromised insiders (who are manipulated by external parties), professional insiders (who misuse their access for personal gain), and malicious insiders (who intentionally aim to harm the organization).

Persistent mobile malware that survives antivirus scans indicates deep system compromise. The ECIH Endpoint and Mobile Incident Handling guidance states that when malware cannot be reliably removed, reimaging or OS reinstallation is the safest remediation.

Option C is correct because performing a factory reset or reinstalling the OS ensures complete removal of malicious components and restores device integrity. ECIH cautions that partial containment actions may stop symptoms but not eradicate threats.

Options A and B are temporary containment steps. Option D is ineffective against malware.

Therefore, full OS reinstallation is the correct next action.

This scenario describes a persistent phishing campaign leveraging spoofed domains and variant-based delivery mechanisms. According to the EC-Council Incident Handler (ECIH) curriculum under Email Security Incident Handling and Eradication, once detection and containment measures (such as blocking malicious IP addresses and purging emails) have been implemented, the eradication phase must focus on eliminating root causes and recurring technical vectors.

The key phrase in the question is “eliminate recurring delivery mechanisms and close technical loopholes.” ECIH emphasizes that phishing campaigns frequently evolve by modifying URLs, sender domains, encoding techniques, and payload structures to bypass simple IP blocking controls. Therefore, security teams must analyze decoded message components, extract malicious URLs, and generate URL-based deny-lists at the secure email gateway, web proxy, and firewall layers.

Creating email-specific URL deny-lists directly disrupts the attack infrastructure and prevents repeated access to malicious domains—even when attackers use variant IP addresses or modified content. This is a technical eradication control aligned with eliminating delivery vectors.

Options B and C (training and simulations) are preventive awareness measures and fall under the preparation or post-incident improvement phase—not eradication. Option A (WHOIS masking) is unrelated to preventing phishing delivery.

ECIH guidance stresses strengthening email filtering rules, updating domain and URL blacklists, implementing SPF/DKIM/DMARC validation, and hardening secure email gateways as core eradication techniques. Therefore, option D best aligns with the eradication objective.

When Investigator Ian gives you a drive image to investigate, the type of analysis you are performing is static analysis. Static analysis involves examining the contents of a drive, file, or binary without executing the system or the application. It's about analyzing the data at rest. This type of analysis is crucial for forensics investigations because it allows for the examination of files, directories, and system information without altering any state or data, thereby preserving the integrity of the evidence. Static analysis is contrasted with dynamic analysis, which involves analyzing a system in operation (real-time or live) or executing the application to observe its behavior.

ECIH emphasizes that advanced persistent threats require intelligence beyond static indicators. While IOCs are useful, they often change quickly and provide limited context.

Option B is correct because collaboration with industry peers enables sharing of tactics, techniques, and procedures (TTPs), which are more stable and actionable than IOCs. ECIH strongly promotes information sharing communities, ISACs, and trusted peer collaboration to improve situational awareness against APTs.

Options A, C, and D provide partial or outdated insights and lack operational depth.

Therefore, peer collaboration focused on attacker behavior is the most effective approach.

The primary indicator here is suspicious outbound connections, a key detection category in ECIH network incident analysis. Unexpected communications to known high-risk domains often indicate malware, misconfiguration, or compromise.

Option C is correct because outbound traffic patterns revealed the issue. ECIH highlights that IoT devices frequently lack visibility and controls, making outbound monitoring critical.

Options A, B, and D do not reflect the described behavior.

Monitoring outbound traffic is therefore essential for early detection of compromised or misconfigured devices.

Ping sweeping is a technique used in network reconnaissance to identify which IP addresses in a range are active or live. By sending ICMP echo requests ("ping") to multiple hosts and observing which ones respond, an attacker or, in this case, a red team member like Allan, can determine which systems are up and potentially vulnerable to further exploration or attack. This method is foundational for mapping the network before deploying more targeted exploits or scans.