Free ECCouncil 212-89 Practice Exam with Questions & Answers | Set: 8

Turning off the infected machine is a common immediate response to contain a malware incident and prevent it from spreading to other systems on the network. This action halts any ongoing malicious activities by the malware, thereby limiting the potential for further damage or data exfiltration. However, it is essential to note that this step can lead to the loss of volatile data that might be useful for forensic analysis. Therefore, it is advisable only when it's critical to stop the malware immediately, and there's a strategy in place for forensic investigation that includes handling non-volatile data or when the preservation of volatile data is not possible.

Comprehensive and Detailed Explanation (ECIH-aligned):

This scenario clearly aligns with the eradication phase of the ECIH malware incident handling lifecycle. After detection and containment, eradication focuses on completely removing malicious artifacts and ensuring the threat cannot re-emerge.

Option D is correct because Liam’s actions—malware removal, account disabling, system restoration, and IOC documentation—are all aimed at fully eliminating the malware and attacker footholds. ECIH emphasizes that eradication must address malware binaries, persistence mechanisms, compromised credentials, and residual indicators.

Option B (forensic preservation) would avoid system changes, which Liam does not do. Option A is a training activity unrelated to response. Option C is infrastructure improvement, not incident handling.

ECIH explicitly states that failure to eradicate all traces often leads to reinfection or continued attacker access. Liam’s comprehensive approach ensures the environment is returned to a trusted state and prepares detection systems for future prevention.

Comprehensive and Detailed Explanation (ECIH-aligned):

This scenario describes an active exploitation of a vulnerable application feature. The ECIH Web Application Incident Handling module emphasizes that when a specific feature is being abused, immediate containment requires removing or disabling that attack surface.

Option B is correct because disabling the vulnerable advanced search feature immediately stops further exploitation while allowing the team to analyze and remediate the flaw safely. ECIH warns against leaving known-vulnerable functionality active during investigation.

Options A and C improve authentication but do not stop exploitation of backend logic. Option D protects stored data but does not prevent further abuse.

Therefore, disabling the exploited feature is the best immediate action.

Incident response orchestration refers to the process and technologies used to coordinate and streamline the response to security incidents. This approach ensures that incident response teams have clear procedures and workflows to follow, enabling them to act swiftly and effectively when dealing with security incidents. By orchestrating the response, organizations can minimize the impact of incidents, ensure consistent and thorough investigation and remediation activities, and improve their overall security posture. Incident response orchestration involves integrating various security tools, automating response actions where possible, and providing a centralized platform for managing incidents.

An Intrusion Prevention System (IPS) device placed inline is best suited to block attacks on a network actively. Being inline allows the IPS to analyze and take action on the traffic as it passes through the device, effectively preventing malicious traffic from reaching its target. The IPS can detect and block a wide range of attacks in real-time by using various detection methods, such as signature-based detection, anomaly detection, and policy-based detection. Unlike Host-based Intrusion Prevention Systems (HIPS), web proxies, or load balancers, an inline IPS is specifically designed to inspect and act on incoming and outgoing network traffic to prevent attacks before they reach network devices or applications.

Comprehensive and Detailed Explanation (ECIH-aligned):

The described symptoms—numerous incomplete TCP connections consuming server resources—are characteristic of a SYN flood attack, a denial-of-service technique targeting the transport layer. In such attacks, attackers send SYN packets without completing the TCP handshake, leaving servers overwhelmed with half-open connections.

ECIH network incident handling guidance emphasizes rapid identification and containment of DoS conditions to preserve service availability. By configuring the router to validate connection requests (for example, using SYN cookies or proxy validation), illegitimate handshake attempts are filtered before reaching the server.

Option A involves payload inspection, which is irrelevant here. Option B relates to authentication attacks, which require completed connections. Option D is a detection activity, not mitigation.

Therefore, the purpose of Sophia’s action was to block SYN flood attempts, making Option C correct.

Comprehensive and Detailed Explanation (ECIH-aligned):

This scenario focuses on user-driven mitigation of phishing threats, a key element of the ECIH Email Security Incident Handling module. Aarav’s guidance directly reinforces one of the most important user best practices: never engage with suspicious emails.

Option D is correct because avoiding replies or forwarding suspicious emails prevents attackers from validating active accounts, spreading malware, or escalating social engineering attacks. ECIH emphasizes that user interaction often determines the success of phishing campaigns, making awareness and behavior critical controls.

Option A is unrelated to security. Option B is a sender-side control, not a user response. Option C may reduce accidental clicks but does not address the broader behavioral risk.

By instructing users to report, delete, and avoid engagement, Aarav strengthens the organization’s human firewall, which ECIH recognizes as essential in reducing phishing impact.

Comprehensive and Detailed Explanation (ECIH-aligned):

This incident represents an application-layer DoS attack, which targets specific functions rather than bandwidth. ECIH emphasizes function-level protection in such scenarios.

Option C is correct because rate limiting restricts abusive request frequency while allowing legitimate usage. It directly addresses the exploited feature without disrupting service availability.

Option D may block legitimate users behind shared IPs. Options A and B do not mitigate the attack vector.

Rate limiting aligns with ECIH guidance for preserving availability during Layer 7 attacks.

In the context of incident handling, the "point of contact" list is essential for ensuring that Sheila, the incident handler working at night, can quickly notify the responsible personnel within the organization about the cyberattack. This list typically includes the contact information of key stakeholders and decision-makers who need to be informed about security incidents, allowing for timely communication, decision-making, and response coordination.

Explanation (aligned to IH&R best practice):

Insider threats are most effectively reduced by combining least privilege with continuous detection of abnormal behavior. Regular access reviews ensure that users only retain permissions needed for their roles (reducing “privilege creep”), while behavior analytics help detect misuse that still occurs within “legitimate” access. Password rotation (A) is largely hygiene and does not prevent a determined insider who already has authorized access; frequent forced changes can also push unsafe behaviors (writing passwords down, predictable patterns). A strict hierarchy (B) is not practical and does not map to “need-to-know”—seniority is not the right control boundary, job function is. Biometrics (C) strengthens authentication, but the scenario’s problem is not identity uncertainty; it is misuse by a valid insider. The most effective approach is therefore governance + monitoring: (1) define data access baselines, (2) review permissions routinely, (3) alert on suspicious actions such as unusual repository cloning, bulk downloads, access outside normal hours, or atypical branches, and (4) investigate quickly with HR/legal processes. These measures directly address motive-driven misuse by enabling early detection and limiting the blast radius. This aligns with the broader incident handling emphasis on identifying affected systems/data, understanding scope, and improving controls post-incident to prevent recurrence.