Free ECCouncil 212-89 Practice Exam with Questions & Answers | Set: 8

Thenetstat -ancommand is used to display network connections, routing tables, and a number of network interface statistics. It is particularly useful for identifying unusual volumes of traffic to and from a system, which can be indicative of a DoS/DDoS attack. The option-ashows all active connections and the TCP and UDP ports on which the computer is listening, and-ndisplays addresses and port numbers in numerical form. This can help the incident handling and response (IH&R) team to identify suspicious patterns, such as a large number of connections from a single source or to a specific port, which are common during DoS/DDoS attacks.

Email-bombing refers to the attack where the attacker sends a massive volume of emails to a specific email address or mail server in order to overflow the mailbox or overwhelm the server, potentially causing it to fail or deny service to legitimate users. This attack can disrupt communications and, in some cases, lead to the targeted email account being disabled. Masquerading involves pretending to be another legitimate user, spoofing is the creation of emails (or other communications) with a forged sender address, and a smurf attack is a specific type of Distributed Denial of Service (DDoS) attack that exploits Internet Protocol (IP) and Internet Control Message Protocol (ICMP) to flood a target with traffic. Email-bombing specifically targets email services with the goal of causing disruption by overflowing inboxes.

In Wireshark, to identify ICMP ping sweep attempts, the filtericmp.type == 8 or icmp.type ==0is used. This filter captures ICMP echo requests and echo replies, which are indicative of ping commands. Type 8 represents an echo request used when a source sends a ping, and type 0 represents an echo reply, which is the response from the target. By filtering for these ICMP types, Miko can detect a surge in ping requests across the network, which could indicate a ping sweep attempt—an exploratory activity often used by attackers to discover active hosts on a network by sending ping requests to multiple addresses.

SSRF vulnerabilities allow attackers to coerce a server into making unauthorized internal or external requests. The ECIH Web Application Security module states that controlling outbound traffic is the most effective mitigation against SSRF.

Option D is correct because restricting outbound traffic ensures that even if an SSRF flaw exists, the server cannot access internal resources or attacker-controlled endpoints. ECIH emphasizes network-level egress filtering as a primary defensive control for SSRF.

Option A reduces attack surface but does not stop exploitation. Option B addresses client-side risks, not server-side requests. Option C improves detection but does not prevent exploitation.

Thus, outbound traffic restriction is the priority mitigation measure.

The indicators described align closely with a Distributed Denial-of-Service (DDoS) attack, a major topic in the ECIH Network Security Incidents module. DDoS attacks overwhelm network and system resources using traffic from multiple sources, often distributed across geographic regions.

Excessive ARP traffic, NAT table exhaustion, elevated CPU usage on routers, and simultaneous connection attempts are classic symptoms of volumetric and protocol-based DDoS attacks. The involvement of multiple geolocations, as reported by the ISP, further confirms the distributed nature of the attack.

Option B is correct because no single-host misconfiguration or reconnaissance activity would generate this volume and diversity of traffic. Option A would cause IP conflicts, not global traffic floods. Option C focuses on stealthy outbound activity, not inbound saturation. Option D is low-volume and targeted.

ECIH emphasizes early identification of DDoS conditions to enable rapid containment using rate limiting, blackholing, or ISP coordination. Recognizing these indicators is critical to protecting service availability.

The Microsoft Baseline Security Analyzer (MBSA) is a tool designed to assess a computer or network's security state by checking for missing security updates and common security misconfigurations. In the scenario with Finn, who is working in the eradication phase of an incident response process, the use of MBSA makes sense. The tool's ability to detect missing security patches and recommend the installation of the latest patches is crucial for eliminating vulnerabilities in the Windows operating system that could be the root cause of the incident.

MBSA scans the system for missing security updates, misconfigurations, and other vulnerabilities and provides detailed reports and recommendations for remediation. This step is vital in the eradication phase, where the goal is to remove the root causes of the incident and secure the system against future attacks. By ensuring that all necessary patches are applied, Finn is addressing any security gaps that could be exploited by attackers.

This scenario demonstrates preservation of volatile evidence, a critical first-response principle in the ECIH forensic readiness module. Volatile evidence includes data that exists only while a system is powered on, such as active sessions, running processes, open files, and on-screen information.

Option B is correct because David documents the live system state without interacting in a way that would alter evidence. Photographing the screen, recording visible activity, and documenting connections are all recommended ECIH practices when dealing with powered-on systems.

Option A is unrelated. Option C alters system state. Option D applies only to inactive devices.

ECIH stresses that mishandling active systems can destroy crucial evidence. David’s actions align precisely with first responder best practices, making Option B correct.

In IoT and OT environments, the ECIH curriculum emphasizes that containment is the highest first-response priority, especially when public safety and critical services are involved. The abnormal data transmission strongly suggests compromise, and allowing the device to remain connected risks lateral movement, data exfiltration, and operational disruption.

Option C is correct because immediate isolation of the affected IoT device prevents further unauthorized communication while preserving the system’s current state for forensic analysis. Isolation limits the blast radius without unnecessarily disrupting the entire infrastructure.

Option A introduces risk by changing system states during an active incident. Option B is preventive and not an incident response action. Option D is appropriate after containment but not before.

Thus, isolating the compromised device aligns with ECIH endpoint and IoT incident handling principles.

A rogue-access point attack occurs when attackers or insiders install an unsecured access point within a trusted network, typically behind a firewall, to create a backdoor. This allows them to bypass network security measures and perform various malicious activities undetected. The use of any software or hardware access point to gain unauthorized access and conduct an attack characterizes a rogue-access point attack. This contrasts with password-based attacks, malware attacks, and email infections, which involve different methodologies and objectives, such as stealing credentials, distributing malicious software, or propagating through email systems, respectively.