Eccouncil 212-89 Exam Questions Instant Access

Question 1

Lara, a SOC analyst, investigates multiple alerts generated by an IDS showing repeated login failures from a specific workstation to an internal application. When reviewing Windows Event Viewer logs, she discovers a user repeatedly attempting logins outside of working hours. Further checks reveal the user had installed an unauthorized remote desktop tool. Which of the following best describes this situation?

APolicy-enforced remote work attempt

BUnauthorized access incident from a third party

CInappropriate usage due to policy violation and software installation

DDoS attack against an internal application

Answer : C

The EC-Council Incident Handler (ECIH) curriculum categorizes incidents such as unauthorized software installation and policy violations under inappropriate usage incidents. In this scenario, the activity originated from a legitimate internal workstation and user account, not an external third party.

The repeated login failures outside business hours combined with installation of an unauthorized remote desktop tool indicate a breach of acceptable use policy and potentially malicious intent. However, the key factor is that the actions were performed by an internal user using valid access credentials, making this an insider-related policy violation rather than an external unauthorized access attack.

Option A implies legitimate remote work within policy boundaries, which is contradicted by the unauthorized software installation. Option B suggests a third-party compromise, but logs indicate activity from an internal user account. Option D (DoS attack) involves service disruption via traffic flooding, which is not described here.

ECIH stresses enforcing acceptable use policies, monitoring user behavior, restricting unauthorized software installation, and applying least privilege controls to mitigate insider misuse. Therefore, this scenario best fits inappropriate usage due to policy violation and unauthorized software installation.

Question 2

Zoe, a security analyst, deploys a high-interaction honeypot in the DMZ that mimics critical systems and monitors logs for scans, exploit attempts, and lateral movement techniques. What is the main purpose of Zoe's activity?

ADeceiving attackers to study their behavior.

BPreventing malware execution using sandboxing.

CBlocking DDoS traffic through ACL rules.

DTesting the organization's backup and recovery systems.

Answer : A

Explanation (aligned to threat intelligence & detection):

A high-interaction honeypot is designed to attract and engage adversaries, providing realistic services so defenders can observe tactics, techniques, and procedures (TTPs) with higher fidelity than a low-interaction decoy. The goal is not to ''stop'' attacks directly, but to detect and learn: identify scanning patterns, credential stuffing attempts, exploit chains, payload delivery methods, and post-exploitation behaviors such as enumeration and lateral movement. That intelligence is then used to improve controls---signatures, detections, segmentation, and hardening priorities.

Sandboxing (B) is typically about detonating suspicious files/URLs to observe behavior in a controlled environment; it's not what a DMZ honeypot primarily does. ACL rules and DDoS blocking (C) are traffic filtering measures, not deception telemetry. Backup/recovery testing (D) is resilience planning, unrelated to studying attacker behavior in real-time.

In incident handling terms, honeypots support the ''preparation'' and ''detection'' posture---expanding visibility, generating early warning, and enriching threat intelligence. They can also reduce risk by luring opportunistic attackers away from production assets, but their primary value is behavioral observation and evidence collection.

Question 3

Which of the following is an attack that attempts to prevent the use of systems, networks, or applications by the intended users?

ADenial of service (DoS) attack

BFraud and theft

CUnauthorized access

DMalicious code or insider threat attack

Answer : A

A Denial of Service (DoS) attack aims to make a computer resource, network, or application unavailable to its intended users, thereby preventing legitimate users from using the service. This is achieved by overwhelming the target with a flood of internet traffic or sending information that triggers a crash. In contrast, fraud and theft involve the unauthorized acquisition of data or assets, unauthorized access refers to gaining entry into systems without permission, and malicious code or insider threat attacks relate to software designed to cause harm or unauthorized actions by trusted users within the organization. The specific intent of a DoS attack is to disrupt service, making it a distinct category focused on denial of availability.

Question 4

Following an internal audit at a mid-sized software development firm, it was discovered that several employees had been sharing system login credentials using personal messaging applications that were not approved by the organization. The audit further revealed that no structured guidance, awareness training, or acceptable usage policies had been provided regarding how and where confidential organizational information should be transmitted. Which of the following preparation steps would have most effectively prevented this situation?

AProvide awareness sessions on identifying unauthorized surveillance tools in secure areas.

BSchedule recurring data backups to secondary storage locations for disaster recovery.

CEstablish defined protocols for appropriate digital channels when handling sensitive internal content.

DDeploy deception systems that simulate internal resources to lure potential insider threats.

Answer : C

This scenario represents a failure in the Preparation phase of the Incident Handling and Response (IH&R) lifecycle as defined by the EC-Council ECIH curriculum. Preparation focuses on establishing policies, procedures, standards, and awareness programs that define how systems and data must be used and protected. In this case, employees were sharing credentials via unauthorized channels because the organization failed to provide explicit rules governing acceptable communication practices.

Option C is correct because establishing defined protocols for approved digital channels directly addresses the root cause. ECIH emphasizes that organizations must define acceptable use policies, secure communication standards, and data handling procedures before incidents occur. These controls reduce the likelihood of human error and insider misuse by setting clear expectations and enforceable boundaries.

Option A relates to physical surveillance risks, which are unrelated to credential sharing. Option B is a recovery-focused control and does not prevent misuse. Option D is a detection mechanism that cannot compensate for missing governance controls.

By defining approved channels and educating users on their proper use, organizations significantly reduce the probability of credential leakage and insider-driven incidents, fulfilling a core ECIH preparation requirement.

Question 5

A cybersecurity analyst at a technology firm discovers suspicious activity on a network segment dedicated to research and development. The initial indicators suggest a possible compromise of several endpoints with potential intellectual property theft. Given the sensitive nature of the data involved, what is the most effective method for the analyst to detect and validate the security incident?

AImmediately notify law enforcement and regulatory bodies.

BIsolate the affected network segment and manually inspect each endpoint.

CDeploy an endpoint detection and response (EDR) solution to identify and investigate suspicious activities.

DConduct a network-wide vulnerability scan.

Answer : C

The ECIH Endpoint Security module stresses that modern endpoint incidents require advanced detection capabilities beyond traditional antivirus or manual inspection. Intellectual property theft often involves stealthy techniques that evade basic controls.

Option C is correct because an Endpoint Detection and Response (EDR) solution provides deep visibility into endpoint behavior, including process execution, memory activity, file changes, and lateral movement. EDR enables analysts to detect, investigate, and validate incidents efficiently across multiple endpoints.

Option B is slow and error-prone. Option A is premature without validation. Option D identifies vulnerabilities, not active compromise.

ECIH highlights EDR as a cornerstone technology for endpoint incident detection and validation, especially in high-value environments such as R&D networks.

Question 6

Adam is an incident handler who intends to use DBCC LOG command to analyze a database and retrieve the active transaction log files for the specified database. The syntax of DBCC LOG command is DBCC LOG(, ), where the output parameter specifies the level of information an incident handler wants to retrieve. If Adam wants to retrieve the full information on each operation along with the hex dump of a current transaction row, which of the following output parameters should Adam use?

Answer : C

The DBCC LOG command is used in SQL Server environments to analyze the transaction log files of a database. It provides insights into the transactions that have occurred, which is crucial for forensic analysis in the event of an incident. The syntaxDBCC LOG(<database_name>, <output_level>)allows an incident handler to specify the level of detail they wish to retrieve from the log files. When an incident handler like Adam requires the full information on each operation along with the hex dump of the current transaction row, the output parameter should be set to 4. This level of output is the most verbose, providing comprehensive details about each transaction, including a hex dump which is essential for a deep forensic analysis. It helps in understanding the exact changes made by transactions, which can be pivotal in investigating incidents involving data manipulation or other unauthorized database activities.

Question 7

DigitalSoft, a major software development firm, recently discovered unauthorized access to its codebase. The culprit was a disgruntled employee who had been overlooked for a promotion. The company wants to prevent such insider threats in the future. What is the most effective measure it can implement?

AImplement mandatory password changes every 30 days.

BImplement a strict hierarchy where only senior employees have access to sensitive data.

CUse biometric authentication for accessing sensitive data.

DConduct regular audits of user access and use behavior analytics.

Answer : D

Explanation (aligned to IH&R best practice):

Insider threats are most effectively reduced by combining least privilege with continuous detection of abnormal behavior. Regular access reviews ensure that users only retain permissions needed for their roles (reducing ''privilege creep''), while behavior analytics help detect misuse that still occurs within ''legitimate'' access. Password rotation (A) is largely hygiene and does not prevent a determined insider who already has authorized access; frequent forced changes can also push unsafe behaviors (writing passwords down, predictable patterns). A strict hierarchy (B) is not practical and does not map to ''need-to-know''---seniority is not the right control boundary, job function is. Biometrics (C) strengthens authentication, but the scenario's problem is not identity uncertainty; it is misuse by a valid insider. The most effective approach is therefore governance + monitoring: (1) define data access baselines, (2) review permissions routinely, (3) alert on suspicious actions such as unusual repository cloning, bulk downloads, access outside normal hours, or atypical branches, and (4) investigate quickly with HR/legal processes. These measures directly address motive-driven misuse by enabling early detection and limiting the blast radius. This aligns with the broader incident handling emphasis on identifying affected systems/data, understanding scope, and improving controls post-incident to prevent recurrence.

Eccouncil EC-Council Certified Incident Handler v3 212-89 Exam Questions