Question 1

[Handling and Responding to Web Application Attacks]
Clark, a professional hacker, exploited the web application of a target organization by
tampering the form and parameter values. He successfully exploited the web
application and gained access to the information assets of the organization.
Identify the vulnerability in the web application exploited by the attacker.

Accepted Answer

C

Explanation: The vulnerability exploited by Clark through tampering with form and parameter values to gain unauthorized access to information assets is indicative of Broken Access Control. Broken Access Control vulnerabilities occur when a web application does not properly enforce restrictions on what authenticated users are allowed to do. Attackers can exploit these vulnerabilities to access unauthorized functionality or data, such as accessing other users' accounts, viewing sensitive files, and modifying other users’ data.

Question 2

[Introduction to Incident Handling and Response]
Johnson an incident handler is working on a recent web application attack faced by the
organization. As part of this process, he performed data preprocessing in order to
analyzing and detecting the watering hole attack. He preprocessed the outbound
network traffic data collected from firewalls and proxy servers and started analyzing
the user activities within a certain time period to create time-ordered domain sequences
to perform further analysis on sequential patterns.
Identify the data-preprocessing step performed by Johnson.

Accepted Answer

D

Explanation: The data preprocessing step performed by Johnson, where he analyzes user activities within a certain time period to create time-ordered domain sequences for further analysis on sequential patterns, is known as user-specific sessionization. This process involves aggregating all user activities and requests into discrete sessions based on the individual user, allowing for a coherent analysis of user behavior over time. This is critical for identifying patterns that may indicate a watering hole attack, where attackers compromise a site frequently visited by the target group to distribute malware. User-specific sessionization helps in isolating and examining sequences of actions taken by users, making it easier to detect anomalies or patterns indicative of such an attack. Reference:The ECIH v3 certification materials discuss various data preprocessing techniques used in the analysis of cyber attacks, including the concept of sessionization to better understand user behavior and detect threats.

Question 3

[Introduction to Incident Handling and Response] Investigator Ian gives you a drive image to investigate. What type of analysis are you performing?

Accepted Answer

B

Explanation: When Investigator Ian gives you a drive image to investigate, the type of analysis you are performing is static analysis. Static analysis involves examining the contents of a drive, file, or binary without executing the system or the application. It's about analyzing the data at rest. This type of analysis is crucial for forensics investigations because it allows for the examination of files, directories, and system information without altering any state or data, thereby preserving the integrity of the evidence. Static analysis is contrasted with dynamic analysis, which involves analyzing a system in operation (real-time or live) or executing the application to observe its behavior. Reference:Incident Handler (ECIH v3) courses and study guides highlight the importance of static analysis in digital forensics, detailing methods for examining disk images, files, and other digital artifacts to gather evidence without compromising its integrity.

Question 4

[Introduction to Incident Handling and Response]
Robert is an incident handler working for Xsecurity Inc. One day, his organization
faced a massive cyberattack and all the websites related to the organization went
offline. Robert was on duty during the incident and he was responsible to handle the
incident and maintain business continuity. He immediately restored the web application
service with the help of the existing backups.
According to the scenario, which of the following stages of incident handling and
response (IH&R) process does Robert performed?

Accepted Answer

D

Explanation: An active assessment involves using automated tools to scan and probe the network actively to identify hosts, services, and vulnerabilities. This type of assessment directly interacts with the network components to gather information about the existing security posture, unlike passive assessments, which analyze traffic without sending packets to the target systems. Dickson's approach, employing automated tools to identify the network's hosts, services, and vulnerabilities, fits the definition of an active assessment. This method provides a more immediate understanding of the network's vulnerabilities, allowing for timely remediation actions. Reference:The ECIH v3 program includes discussions on vulnerability assessment techniques, highlighting the differences between active and passive assessments and their applicability in identifying network security issues.

Question 5

[Risk Assessment and Incident Recovery]
Which of the following risk mitigation strategies involves execution of controls to
reduce the risk factor and brings it to an acceptable level or accepts the potential risk
and continues operating the IT system?

Accepted Answer

A

Explanation: Risk assumption involves accepting the potential risk and continuing to operate the IT system while implementing controls to reduce the risk to an acceptable level. This strategy acknowledges that some level of risk is inevitable and focuses on managing it through mitigation measures rather than eliminating it entirely. Risk avoidance would entail taking actions to avoid the risk entirely, risk planning involves preparing for potential risks, and risk transference shifts the risk to another party, typically through insurance or outsourcing. Risk assumption is a pragmatic approach that balances the need for operational continuity with the imperative of risk management. Reference:The ECIH v3 certification program covers various risk mitigation strategies, emphasizing the selection of the appropriate approach based on the organization's risk tolerance and the specific context of the threat.

Question 6

[Introduction to Incident Handling and Response]
Robert is an incident handler working for Xsecurity Inc. One day, his organization
faced a massive cyberattack and all the websites related to the organization went
offline. Robert was on duty during the incident and he was responsible to handle the
incident and maintain business continuity. He immediately restored the web application
service with the help of the existing backups.
According to the scenario, which of the following stages of incident handling and
response (IH&R) process does Robert performed?

Accepted Answer

D

Explanation: Restoring web application services with the help of existing backups, as performed by Robert, falls under the Recovery stage of the Incident Handling and Response (IH&R) process. The Recovery stage involves actions taken to return the organization to normal operations after an incident, which includes restoring systems to their operational state using backups, patching vulnerabilities, and ensuring that all systems are clean and secure before being brought back online. This step is crucial for resuming business operations and mitigating the impact of the incident.

Question 7

[Introduction to Incident Handling and Response]
Robert is an incident handler working for Xsecurity Inc. One day, his organization
faced a massive cyberattack and all the websites related to the organization went
offline. Robert was on duty during the incident and he was responsible to handle the
incident and maintain business continuity. He immediately restored the web application
service with the help of the existing backups.
According to the scenario, which of the following stages of incident handling and
response (IH&R) process does Robert performed?

Accepted Answer

D

Explanation: Bob is in the Investigation phase of the forensic investigation process. This phase involves the detailed examination and analysis of the collected evidence to identify the source of the crime and the perpetrator behind the incident. It is a crucial step that follows the acquisition and preservation of evidence, where the incident responder applies various techniques and methodologies to analyze the evidentiary data. This analysis aims to uncover how the cybercrime was committed, trace the activities of the culprit, and gather actionable intelligence to support legal actions and prevent future incidents. Reference:The ECIH v3 certification materials discuss the stages of a forensic investigation, emphasizing the investigation phase as the point at which the incident responder analyzes evidence to draw conclusions about the incident's specifics.

Question 8

[Handling and Responding to Malware Incidents]
Malicious Micky has moved from the delivery stage to the exploitation stage of the kill chain. This
malware wants to find and report to the command center any useful services on the system. Which
of the following recon attacks is the MOST LIKELY to provide this information?

Accepted Answer

D

Explanation: When malware moves from the delivery stage to the exploitation stage in the cyber kill chain, its objective often shifts to identifying exploitable vulnerabilities within the targeted system. A port scan is a technique used to discover services that are listening on ports within a system. By scanning the system's ports, the malware can identify open ports and the services running on them, providing valuable information about potential entry points for further exploitation. This type of reconnaissance attack is aimed at gathering intelligence on the target system's network services, which can then be reported back to a command and control center for further malicious activity planning. Port scanning is more relevant than IP range sweeps, packet sniffing, or session hijacking for identifying useful services on a system because it directly targets the discovery of accessible network services and their corresponding ports. While the other methods can also be part of the reconnaissance phase, they serve different purposes: IP range sweeps aim to identify active IP addresses, packet sniffing intercepts data packets to gather information, and session hijacking involves taking over a valid user session. In contrast, port scanning is specifically designed to enumerate services that could be exploited. Reference:The ECIH v3 certification materials discuss various reconnaissance techniques used by attackers, including port scanning, as part of the exploitation stage of the kill chain. Understanding these techniques is crucial for incident handlers in identifying how attackers gather information and plan their attacks.

Question 9

[Introduction to Incident Handling and Response]
Bob, an incident responder at CyberTech Solutions, is investigating a cybercrime attack occurred in
the client company. He acquired the evidence data, preserved it, and started
performing analysis on acquired evidentiary data to identify the source of the crime and the culprit
behind the incident.
Identify the forensic investigation phase in which Bob is currently in.

Accepted Answer

C

Explanation: In the context of incident handling and response (IH&R), the preparation phase is the initial step where teams and resources are organized to effectively respond to potential security incidents. This phase involves building the IH&R team, developing incident response plans and policies, setting up communication channels, and ensuring that the team has the necessary tools and authority to act. James, being assigned to build an IH&R plan and organize his team, is engaging in the preparation step of the incident response process. This foundational step is crucial for ensuring a coordinated and efficient response to incidents when they occur. Reference:The importance of the preparation phase in the incident response lifecycle is emphasized in various cybersecurity frameworks and guidelines, including those covered in ECIH v3 certification materials, which detail the roles, responsibilities, and planning necessary to establish an effective incident response capability.

Question 10

[Incident Handling and Response Process]
Which of the following terms refers to vulnerable account management functions, including account
update, recovery of forgotten or lost passwords, and password reset, that might weaken valid
authentication schemes?

Accepted Answer

B

Explanation: The term "broken account management" refers to vulnerabilities in the account management functions of web applications, which can weaken valid authentication schemes. This can include issues with how accounts are created, updated, managed, and deleted, as well as how users recover forgotten passwords or perform password resets. Poorly implemented account management functions can allow attackers to bypass authentication, elevate privileges, or assume the identity of another user. This weakness is a significant security concern because it directly impacts the ability of a system to safeguard user data and maintain operational integrity. Reference:In its training materials, the ECIH v3 program addresses various web application vulnerabilities, including broken account management, emphasizing the importance of secure development practices and regular security assessments to prevent such issues.

Question 11

[Introduction to Incident Handling and Response]
Bob, an incident responder at CyberTech Solutions, is investigating a cybercrime attack occurred in
the client company. He acquired the evidence data, preserved it, and started
performing analysis on acquired evidentiary data to identify the source of the crime and the culprit
behind the incident.
Identify the forensic investigation phase in which Bob is currently in.

Accepted Answer

C

Explanation: Threat correlation is a method used by incident responders to analyze and associate various indicators of compromise (IoCs) and alerts to identify genuine threats. By correlating data from multiple sources and applying intelligence to distinguish between unrelated events and coordinated attack patterns, responders can significantly reduce the rate of false-positive alerts. This enables teams to prioritize their efforts on the most critical and likely threats, thereby reducing potential risks and corporate liabilities. Effective threat correlation involves the use of sophisticated security information and event management (SIEM) systems, threat intelligence platforms, and analytical techniques to identify relationships between seemingly disparate security events and alerts. Reference:The role of threat correlation in improving the efficiency of incident response activities by reducing false positives and focusing on high-priority issues is outlined in various cybersecurity frameworks and incident response guides, including those related to the ECIH v3 certification. These resources emphasize the importance of applying context and intelligence to security alerts to accurately identify and respond to genuine threats.

Question 12

[Introduction to Incident Handling and Response]
Robert is an incident handler working for Xsecurity Inc. One day, his organization
faced a massive cyberattack and all the websites related to the organization went
offline. Robert was on duty during the incident and he was responsible to handle the
incident and maintain business continuity. He immediately restored the web application
service with the help of the existing backups.
According to the scenario, which of the following stages of incident handling and
response (IH&R) process does Robert performed?

Accepted Answer

B

Explanation: Espionage, in the context of information security incidents, refers to the unauthorized access and theft of proprietary information for competitive advantage. In the scenario described, where proprietary information was stolen from Delmont's enterprise network and passed onto their competitors, this directly aligns with the definition of espionage. The incident involves deliberate targeting and extraction of sensitive business information, which is then used by competitors to gain a market advantage. Such actions not only compromise the confidentiality of business-critical information but can also significantly impact the financial stability and competitive positioning of the victim organization. Reference:The Certified Incident Handler (ECIH v3) curriculum by EC-Council discusses various information security incidents, including espionage, highlighting the need for comprehensive security measures, incident detection capabilities, and effective response strategies to protect against and respond to such threats.

Question 13

[Introduction to Incident Handling and Response]
Bob, an incident responder at CyberTech Solutions, is investigating a cybercrime attack occurred in
the client company. He acquired the evidence data, preserved it, and started
performing analysis on acquired evidentiary data to identify the source of the crime and the culprit
behind the incident.
Identify the forensic investigation phase in which Bob is currently in.

Accepted Answer

C

Explanation: The GPG18 and Forensic readiness planning (SPF) principles outline various guidelines to enhance an organization's readiness for forensic investigation and response. Principle 5, which suggests that organizations should adopt a scenario-based Forensic Readiness Planning approach that learns from experience gained within the business, emphasizes the importance of being prepared for a wide range of potential incidents by leveraging lessons learned from past experiences. This approach helps in continuously improving forensic readiness and response capabilities by adapting to the evolving threat landscape and organizational changes. Reference:While specific documentation from GPG18 and SPF might detail these principles, the ECIH v3 program by EC-Council covers the concept of forensic readiness planning, including adopting scenario-based approaches and learning from past incidents as a fundamental aspect of enhancing an organization's incident response and forensic capabilities.

Question 14

[Handling and Responding to Malware Incidents]
An attacker traced out and found the kind of websites a target company/individual is
frequently surfing and tested those particular websites to identify any possible
vulnerabilities. When the attacker detected vulnerabilities in the website, the attacker
started injecting malicious script/code into the web application that can redirect the
webpage and download the malware onto the victim’s machine. After infecting the
vulnerable web application, the attacker waited for the victim to access the infected web
application.
Identify the type of attack performed by the attacker.

Accepted Answer

A

Explanation: The described attack is a "Watering hole" attack. This type of attack targets specific groups of users by infecting websites they are known to frequently visit. The attacker first identifies websites that are popular with the target group, then finds vulnerabilities in those websites to inject malicious code. When the victims visit the compromised site, the code redirects them to other sites or automatically downloads malware onto their machines. This attack leverages the trust users have in regularly visited sites to distribute malware. Unlike obfuscation application, directory traversal, or cookie/session poisoning attacks, watering hole attacks specifically aim to compromise a commonly used and trusted website to target its users. Reference:The ECIH v3 certification materials discuss various cyber attack strategies, including watering hole attacks, and provide insights into how attackers exploit trusted relationships between websites and their users.

Question 15

[Introduction to Incident Handling and Response]
Bob, an incident responder at CyberTech Solutions, is investigating a cybercrime attack occurred in
the client company. He acquired the evidence data, preserved it, and started
performing analysis on acquired evidentiary data to identify the source of the crime and the culprit
behind the incident.
Identify the forensic investigation phase in which Bob is currently in.

Accepted Answer

B

Explanation: When Joseph, the IH&R team lead, alerted service providers, developers, and manufacturers about the affected resources, he was engaged in the Containment stage of the Incident Handling and Response (IH&R) process. Containment involves taking steps to limit the spread or impact of an incident and to isolate affected systems to prevent further damage. Alerting relevant stakeholders, including service providers and developers, is part of containment efforts to ensure that the threat does not escalate and that measures are taken to protect unaffected resources. This stage precedes eradication and recovery, focusing on immediate response actions to secure the environment. Reference:The ECIH v3 certification program outlines the IH&R process stages, explaining the roles and actions involved in containment, including communication with external and internal stakeholders to manage and mitigate the incident's effects.

Free ECcouncil 212-89 Actual Exam Questions