Web: www.solution2pass.com Email: support@solution2pass.com
Version: Demo [Total Questions: 10]

ECCouncil 212-89
EC Council Certified Incident Handler (ECIH v3)

IMPORTANT NOTICE

Feedback
We have developed a quality product and state-of-the-art service to protect our customers' interests. If you have any suggestions, please feel free to contact us at feedback@solution2pass.com.

Support
If you have any questions about our product, please provide the following items:
- exam code
- screenshot of the question
- login id/email
Contact us at support@solution2pass.com and our technical experts will provide support within 24 hours.

Copyright
The product of each order has its own encryption code, so you should use it independently. Any unauthorized changes will be subject to legal penalties. We reserve the right of final interpretation of this statement.

ECCouncil - 212-89 Pass Guaranteed 1 of 8 Only Solution2Pass for Any Exam

Category Breakdown

Category                                                Number of Questions
Introduction to Incident Handling and Response          7
Handling and Responding to Network Security Incidents   2
Incident Handling and Response Process                  1
TOTAL                                                   10

Question #:1 - [Introduction to Incident Handling and Response]

The following steps describe the key activities in forensic readiness planning:
1. Train the staff to handle the incident and preserve the evidence
2. Create a special process for documenting the procedure
3. Identify the potential evidence required for an incident
4. Determine the source of the evidence
5. Establish a legal advisory board to guide the investigation process
6. Identify if the incident requires a full or formal investigation
7. Establish a policy for securely handling and storing the collected evidence
8. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption

Identify the correct sequence of steps involved in forensic readiness planning.

A. 2-->3-->1-->4-->6-->5-->7-->8
B. 3-->4-->8-->7-->6-->1-->2-->5
C. 3-->1-->4-->5-->8-->2-->6-->7
D. 1-->2-->3-->4-->5-->6-->7-->8

Answer: B

Explanation
The correct sequence of steps involved in forensic readiness planning, based on the activities described, is as follows:
1. (Step 3) Identify the potential evidence required for an incident.
2. (Step 4) Determine the source of the evidence.
3. (Step 8) Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption.
4. (Step 7) Establish a policy for securely handling and storing the collected evidence.
5. (Step 6) Identify if the incident requires a full or formal investigation.
6. (Step 1) Train the staff to handle the incident and preserve the evidence.
7. (Step 2) Create a special process for documenting the procedure.
8. (Step 5) Establish a legal advisory board to guide the investigation process.

References: Incident Handler (ECIH v3) courses and study guides include discussions on forensic readiness planning, highlighting the importance of preparing organizations for effective legal and technical handling of incidents.

Question #:2 - [Handling and Responding to Network Security Incidents]

Which of the following has been used to evade IDS and IPS?

A. Fragmentation
B. TNP
C. HTTP
D. SNMP

Answer: A

Explanation
Fragmentation is a technique used by attackers to evade detection by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). By breaking packets into smaller fragments, attackers make it harder for these systems to detect malicious payloads or the signature-based patterns associated with known attacks. The technique exploits the fact that some IDS/IPS solutions do not properly reassemble packet fragments before analysis, allowing malicious fragments to pass through undetected.

References: In its coverage of network security mechanisms and evasion techniques, the ECIH v3 certification details how attackers exploit weaknesses in the implementation of IDS and IPS systems, including the use of packet fragmentation.

Question #:3 - [Handling and Responding to Network Security Incidents]

An attack on a network is BEST blocked using which of the following?

A. IPS device inline
B. HIPS
C. Web proxy
D. Load balancer

Answer: A

Explanation
An Intrusion Prevention System (IPS) device placed inline is best suited to actively block attacks on a network. Being inline allows the IPS to analyze and act on traffic as it passes through the device, preventing malicious traffic from reaching its target. The IPS can detect and block a wide range of attacks in real time using various detection methods, such as signature-based detection, anomaly detection, and policy-based detection. Unlike Host-based Intrusion Prevention Systems (HIPS), web proxies, or load balancers, an inline IPS is specifically designed to inspect and act on incoming and outgoing network traffic to stop attacks before they reach network devices or applications.

References: The Incident Handler (ECIH v3) certification materials discuss network security controls and emphasize the role of intrusion prevention systems in protecting networks against threats.

Question #:4 - [Introduction to Incident Handling and Response]

A US Federal Agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency's reporting timeframe guidelines, this incident should be reported within 2 hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which US Federal Agency incident category does this incident belong to?

A. CAT 6
B. CAT 2
C. CAT 1
D. CAT 5

Answer: B

Explanation
In the context of US Federal Agencies, incidents are categorized based on their impact on operations, assets, or individuals. A DoS attack that prevents or impairs the authorized functionality of networks and is still ongoing without successful mitigation falls under Category 2 (CAT 2). This category is designated for incidents with significant impact that require immediate reporting and response. The reporting timeframe of 2 hours mentioned in the question matches the urgency associated with CAT 2 incidents, emphasizing the need for swift action to address the attack and restore normal operations.

References: US Federal incident response guidelines and the Incident Handler (ECIH v3) courses outline the categorization of cybersecurity incidents, detailing the response protocols for each category, including the reporting timeframes.

Question #:5 - [Incident Handling and Response Process]

Chandler is a professional hacker who is targeting the Technote organization. He wants to obtain important organizational information that is being transmitted between different hierarchies. In the process, he is sniffing the data packets transmitted through the network and then analyzing them to gather packet details such as network, ports, protocols, devices, issues in network transmission, and other network specifications. Which of the following tools must Chandler employ to perform packet analysis?

A. BeEf
B. IDAPro
C. Omnipeek
D. shARP

Answer: C

Explanation
Omnipeek is a network analyzer that captures and analyzes data packets transmitted across a network. It is designed to provide deep insight into network traffic, enabling users to examine various aspects of the data packets, including network protocols, ports, devices, and potential issues in network transmission. This tool would be the one Chandler uses, since he is targeting the Technote organization with the intent of intercepting and analyzing network traffic to obtain sensitive organizational information. Omnipeek's packet analysis capabilities make it suitable for such activities, offering detailed visibility into the network's operation and data flows.

References: The ECIH v3 certification program includes discussions on network monitoring and analysis tools, including packet sniffers like Omnipeek, and their role in both cybersecurity defense and offensive activities like hacking.

Question #:6 - [Introduction to Incident Handling and Response]

Shiela is working at night as an incident handler. During a shift, servers were affected by a massive cyberattack. After she classified and prioritized the incident, she must report the incident, obtain the necessary permissions, and perform other incident response functions. What list should she check to notify other responsible personnel?

A. HR log book
B. Point of contact
C. Email list
D. Phone number list

Answer: B

Explanation
In the context of incident handling, the "point of contact" list is essential for ensuring that Shiela, the incident handler working at night, can quickly notify the responsible personnel within the organization about the cyberattack. This list typically includes the contact information of the key stakeholders and decision-makers who need to be informed about security incidents, allowing for timely communication, decision-making, and response coordination.

References: Incident Handler (ECIH v3) courses and study guides stress the importance of having a well-maintained point of contact list as part of an organization's incident response plan to facilitate efficient and effective communication during and after cybersecurity incidents.

Question #:7 - [Introduction to Incident Handling and Response]

A user downloaded what appears to be genuine software. Unknown to her, when she installed the application, it executed code that provided an unauthorized remote attacker access to her computer. What type of malicious threat displays this characteristic?

A. Backdoor
B. Trojan
C. Spyware
D. Virus

Answer: B

Explanation
The scenario described is characteristic of a Trojan. A Trojan is a type of malware that disguises itself as legitimate software but performs malicious actions once installed. Unlike viruses, which can replicate themselves, or worms, which spread across networks on their own, Trojans rely on the guise of legitimacy to trick users into initiating their execution. In this case, the user believed she was downloading and installing genuine software, but the application contained a Trojan. The malicious code executed upon installation provided unauthorized remote access to the user's computer, which an attacker could use to control the system, steal data, install additional malware, or carry out other malicious activities. Trojans come in many forms and are used to achieve a wide range of malicious objectives, making them a versatile and dangerous type of cyber threat. The deceptive nature of Trojans, exploiting the trust users place in what appears to be legitimate software, is what makes them particularly effective and widespread.

References: The ECIH v3 curriculum from EC-Council thoroughly covers different types of malware, including Trojans, and emphasizes understanding their behavior, methods of infection, and strategies for prevention and response.

Question #:8 - [Introduction to Incident Handling and Response]

Ren is assigned to handle a security incident of an organization. He is tasked with a forensics investigation to find the evidence needed by the management. Which of the following steps falls under the investigation phase of the computer forensics investigation process?

A. Secure the evidence
B. Risk assessment
C. Set up a computer forensics lab
D. Evidence assessment

Answer: D

Explanation
Evidence assessment is a critical step in the investigation phase of the computer forensics process. This step involves evaluating the evidence collected to determine its relevance and significance to the case at hand. It includes analyzing the secured data to identify what information can be used as evidence, verifying its integrity, and relating it to the security incident. This phase is pivotal because it builds a coherent understanding of the incident and establishes facts that can be presented in management reports or legal proceedings.

References: The Certified Incident Handler (ECIH v3) by EC-Council includes a comprehensive discussion of the computer forensics investigation process, detailing steps from securing evidence to analyzing and assessing it within the context of an investigation.

Question #:9 - [Introduction to Incident Handling and Response]

Otis is an incident handler working in an organization called Delmont. Recently, the organization has faced several business setbacks and its revenues are decreasing. Otis was asked to take charge and look into the matter. While auditing the enterprise security, he found traces of an attack through which proprietary information was stolen from the enterprise network and passed on to their competitors. Which of the following information security incidents did Delmont face?

A. Network and resource abuses
B. Espionage
C. Email-based abuse
D. Unauthorized access

Answer: B

Explanation
Espionage, in the context of information security incidents, refers to the unauthorized access to and theft of proprietary information for competitive advantage. In the scenario described, proprietary information was stolen from Delmont's enterprise network and passed on to its competitors, which directly matches the definition of espionage. The incident involves the deliberate targeting and extraction of sensitive business information, which is then used by competitors to gain a market advantage. Such actions not only compromise the confidentiality of business-critical information but can also significantly affect the financial stability and competitive position of the victim organization.

References: The Certified Incident Handler (ECIH v3) curriculum by EC-Council discusses various information security incidents, including espionage, highlighting the need for comprehensive security measures, incident detection capabilities, and effective response strategies to protect against and respond to such threats.

Question #:10 - [Introduction to Incident Handling and Response]

Miko was hired as an incident handler at XYZ company. His first task was to identify PING sweep attempts inside the network. For this purpose, he used Wireshark to analyze the traffic. What filter did he use to identify ICMP ping sweep attempts?

A. tcp.type == icmp
B. icmp.type == icmp
C. icmp.type == 8 or icmp.type == 0
D. udp.type == 7

Answer: C

Explanation
In Wireshark, the filter icmp.type == 8 or icmp.type == 0 is used to identify ICMP ping sweep attempts. This filter captures ICMP echo requests and echo replies, which are the packets generated by ping. Type 8 is an echo request, sent by the source when it pings a host, and type 0 is an echo reply, the response from the target. By filtering on these ICMP types, Miko can detect a surge in ping requests across the network, which could indicate a ping sweep attempt: an exploratory activity often used by attackers to discover active hosts on a network by sending ping requests to many addresses.

References: Incident Handler (ECIH v3) courses and study guides often incorporate training on network analysis tools like Wireshark, including how to use filters to detect specific types of network activity and potential threats.

About solution2pass.com

solution2pass.com was founded in 2007. We provide the latest, high-quality IT / Business Certification Training Exam Questions, Study Guides, and Practice Tests. We help you pass any IT / Business Certification Exam with a 100% Pass Guarantee or Full Refund, especially Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN, and others. We prepare state-of-the-art practice tests for certification exams. You can reach us at any of the email addresses listed below.

Sales: sales@solution2pass.com
Feedback: feedback@solution2pass.com
Support: support@solution2pass.com

For any problems with IT certification or our products, write to us and we will get back to you within 24 hours.