Eccouncil 212-89 Exam Questions Instant Access

Question 1

A cybersecurity team at a financial services firm detects abnormal behavior on several endpoints, suggesting a possible breach. The anomalies include unexpected data transfers and processes running with unusual permissions. Given the potential impact, the team needs to quickly validate whether these are indicators of a security incident or benign anomalies. What method should the team prioritize to detect and validate the incident effectively?

AUtilize an advanced behavioral analysis tool to differentiate between legitimate and malicious activities.

BImplement strict access control measures to limit permissions on all endpoints immediately.

CDisconnect the affected endpoints from the network to prevent potential data exfiltration.

DEngage an external cybersecurity consultancy to conduct an independent assessment.

Answer : A

Explanation (aligned to IH&R lifecycle):

This question is about triage/validation---determining whether what you see is truly an incident and establishing priority. The most appropriate first move is to use endpoint telemetry and behavioral analytics (A) to validate maliciousness (e.g., suspicious parent/child process chains, token manipulation, credential dumping patterns, anomalous privilege escalation, and data transfer behaviors). This supports fast, evidence-based classification and reduces unnecessary disruption. Option (C) is containment and may be required after validation or for clearly high-confidence cases, but immediately disconnecting multiple endpoints can destroy volatile evidence, break business operations, and reduce your ability to trace lateral movement patterns across hosts. Option (B) is a broad preventive change that can create outage risk and is not a validation method. Option (D) can be helpful, but it is slower and not the primary ''detect and validate'' action for an internal team facing active anomalies.

A disciplined approach is: validate via behavioral tooling + logs, scope affected endpoints, determine severity, then execute containment proportional to confirmed risk. That sequencing mirrors standard incident handling flow (identify validate/triage contain eradicate recover lessons learned). When time matters, the highest-value action is the one that converts ambiguous signals into confident incident classification quickly---behavioral validation does that best.

Question 2

In the gaming industry, Playverse Ltd. noticed that their latest game had an unauthorized ''mod'' that allowed players unique abilities. However, this mod was malicious, altering in-game purchases and accessing players' financial details. Having tools like a real-time game environment scanner and a user-behavior monitor, what's the best initial approach?

AUse the environment scanner to detect and remove the unauthorized mod.

BPush an update to disable all mods for the game.

CAnnounce the mod's risks on official channels and urge players to uninstall it.

DMonitor player behaviors to identify those using the mod and restrict access.

Answer : B

This incident involves malware embedded within third-party modifications, affecting financial data and game integrity. The ECIH malware handling framework prioritizes rapid containment to prevent further exploitation before analysis or public communication.

Option B is correct because disabling all mods immediately stops the malicious mod from continuing to operate, preventing additional data theft and financial abuse. This action contains the threat across the entire user base quickly and uniformly.

Option A focuses on detection and removal but may miss distributed instances already in use. Option C is a communication step that should follow containment. Option D delays action and allows continued exploitation.

ECIH stresses that when malware is actively impacting users at scale, containment actions that reduce attack surface globally are preferred. Disabling all mods is the fastest and safest initial containment measure, making Option B correct.

Question 3

An insider threat response plan helps an organization minimize the damage caused by malicious insiders. One of the approaches to mitigate these threats is setting up controls from the human resources department. Which of the following guidelines can the human resources department use?

AAccess granted to users should be documented and vetted by a supervisor.

BDisable the default administrative account to ensure accountability.

CImplement a person-to-person rule to secure the backup process and physical media.

DMonitor and secure the organization's physical environment.

Answer : A

One of the key approaches to mitigating insider threats is ensuring that access control policies are strictly implemented and monitored. This includes the guideline that access granted to users should be thoroughly documented and vetted by a supervisor. This control helps ensure that users have only the access necessary to perform their job functions, reducing the risk of inappropriate access or misuse of information. Proper documentation and supervisor approval also ensure accountability and traceability of access decisions, which is crucial for detecting and responding to insider threats. The human resources department plays a vital role in this process, working closely with IT and security teams to enforce access control policies, conduct regular reviews of access rights, and manage the onboarding and offboarding process to ensure that access rights are appropriately updated.

Question 4

Which of the following risk management processes identifies the risks, estimates the impact, and determines sources to recommend proper mitigation measures?

ARisk assessment

BRisk assumption

CRisk mitigation

DRisk avoidance

Answer : A

Risk assessment is the risk management process that involves identifying risks, estimating their impact on the organization, and determining the sources of those risks to recommend appropriate mitigation measures. The goal of a risk assessment is to understand the nature of potential threats, vulnerabilities, and the consequences of those risks materializing, allowing an organization to make informed decisions about how to address them effectively. Risk assumption involves accepting the potential impact of a risk, risk mitigation focuses on reducing the likelihood or impact of risks, and risk avoidance involves taking actions to avoid the risk entirely.

Question 5

An organization notices unusual API activity in its AWS account, suggesting unauthorized access and potential data exfiltration. What is the most critical immediate action to take to mitigate this security incident?

AIncrease the security group's restrictions to limit access to the affected resources.

BEnable AWS CloudTrail logs for all regions to track future API activities.

CDeploy AWS Shield to protect against potential DDoS attacks as a precaution.

DRotate all AWS IAM access keys and review IAM policies for excessive permissions.

Answer : D

This scenario indicates identity compromise in a cloud environment, reflected by unusual API activity. The ECIH Cloud Security Incident Handling module emphasizes that in cloud platforms, identity and access management (IAM) is the primary security boundary. When API misuse is detected, the most urgent action is to invalidate potentially compromised credentials.

Option D is correct because rotating all IAM access keys immediately cuts off the attacker's ability to continue abusing API access. Reviewing IAM policies for excessive permissions further reduces the attack surface and prevents privilege misuse. ECIH explicitly states that compromised credentials must be revoked before implementing additional detective or preventive controls.

Option A may help limit access but does not address stolen credentials that could still be abused elsewhere. Option B improves future visibility but does not mitigate the active incident. Option C is unrelated, as there is no indication of a DDoS attack.

ECIH guidance prioritizes containment through credential revocation in cloud incidents involving unauthorized API usage. Therefore, rotating IAM keys and reviewing permissions is the most critical immediate mitigation step.

Question 6

Which of the following is NOT a network forensic tool?

ACapsa Network Analyzer

BTcpdurnp

CAdvancec NTFS Journaling Parser

DWireshark

Answer : C

Network forensic tools are designed to capture, record, and analyze network traffic. Tools like Capsa Network Analyzer, Tcpdump, and Wireshark are specifically designed for this purpose, providing capabilities to capture live traffic, analyze packets, and understand network activities. Capsa Network Analyzer is a comprehensive network monitoring tool, Tcpdump is a powerful command-line packet analyzer, and Wireshark is a widely used network protocol analyzer that provides detailed information about network traffic.

Advanced NTFS Journaling Parser, on the other hand, is not a network forensic tool but a tool used for forensic analysis of NTFS file systems. It parses the NTFS journal ($LogFile), which contains a log of changes made to files on an NTFS volume. This tool is valuable for forensic analysts who are investigating the file system activities on a Windows system, such as file creation, modification, and deletion times, rather than analyzing network traffic. Therefore, it does not fit the category of a network forensic tool.

Question 7

David, a certified digital first responder, arrives at the scene of a reported security breach in the HR department of a corporate office. The breach involves multiple digital endpoints, including desktop systems and mobile devices. Upon entering the scene, David observes that one desktop computer is still powered ON and logged in, showing a sensitive financial dashboard on the screen. Realizing the importance of preserving this evidence, David refrains from interacting directly with the keyboard or running applications. Instead, he takes high-resolution photographs of the screen to capture the current session details, including open applications and time-sensitive data. To avoid altering the system state, David gently moves the mouse without clicking, just enough to dismiss a screen saver without triggering any on-screen changes. He records the system's behavior, notes any visible alerts or programs running, and tags all connected cables and peripheral ports for proper documentation. What step in the evidence handling process is David demonstrating?

ASeizing off-site backups

BPreserving volatile evidence from an active system

CExecuting a shutdown script on Linux

DHandling a powered-off device

Answer : B

This scenario demonstrates preservation of volatile evidence, a critical first-response principle in the ECIH forensic readiness module. Volatile evidence includes data that exists only while a system is powered on, such as active sessions, running processes, open files, and on-screen information.

Option B is correct because David documents the live system state without interacting in a way that would alter evidence. Photographing the screen, recording visible activity, and documenting connections are all recommended ECIH practices when dealing with powered-on systems.

Option A is unrelated. Option C alters system state. Option D applies only to inactive devices.

ECIH stresses that mishandling active systems can destroy crucial evidence. David's actions align precisely with first responder best practices, making Option B correct.

Eccouncil EC-Council Certified Incident Handler v3 212-89 Exam Questions