[Introduction to Incident Handling and Response]
ZYX company experienced a DoS/DDoS attack on their network. Upon investigating the incident, they
concluded that the attack is an application-layer attack. Which of the following attacks did the
attacker use?
A
Explanation:
The Slowloris attack is a type of application-layer attack that targets the web server by establishing
and maintaining many simultaneous HTTP connections to the target server. Unlike traditional
network-layer DoS/DDoS attacks such as UDP flood or SYN flood, Slowloris is designed to hold as
many connections to the target web server open for as long as possible. It does so by sending partial
requests, which are never completed, and periodically sending subsequent HTTP headers to keep the
connections open. This consumes the server's resources, leading to denial of service as legitimate
users cannot establish connections. The Slowloris attack is effective even against servers with a high
bandwidth because it targets the server's connection pool, not its network bandwidth.
Reference: Incident Handler (ECIH v3) courses and study guides particularly emphasize understanding
different types of attacks, including application-layer attacks like Slowloris, as part of the incident
handling and response process.
[Introduction to Incident Handling and Response]
Ross is an incident manager (IM) at an organization, and his team provides support to all users in the
organization who are affected by threats or attacks. David, who is the organization's internal auditor,
is also part of Ross's incident response team. Which of the following is David's responsibility?
B
Explanation:
In the context of an incident response team, the role of an internal auditor like David includes
identifying, evaluating, and reporting on information security risks and vulnerabilities within the
organization. His responsibility is to ensure that the organization's security controls are effective and
to identify any security loopholes that could be exploited by attackers. Once identified, he reports
these vulnerabilities to management so that they can take the necessary actions to mitigate the
risks. This role is critical in maintaining the organization's overall security posture and ensuring
compliance with relevant laws, regulations, and policies.
Reference: Incident Handler (ECIH v3) courses and study guides cover the roles and responsibilities of
incident response team members, highlighting the importance of internal auditors in identifying and
addressing security vulnerabilities.
[Forensic Readiness and First Response]
Dash wants to perform a DoS attack over 256 target URLs simultaneously.
Which of the following tools can Dash employ to achieve his objective?
A
Explanation:
High Orbit Ion Cannon (HOIC) is a tool designed to perform stress testing on networks or servers. It
can launch a Distributed Denial of Service (DDoS) attack by enabling an attacker to overwhelm a
target with HTTP POST and GET requests. HOIC's distinctive feature is its ability to attack multiple
targets (up to 256 URLs simultaneously) with configurable HTTP flood attacks. This capability makes it
a preferred choice for attackers aiming to disrupt services on a large scale. Unlike tools designed for
debugging or vulnerability scanning (e.g., IDA Pro, Ollydbg, OpenVAS), HOIC is specifically crafted for
launching DoS/DDoS attacks, making it the correct answer for Dash's objective.
Reference: The Incident Handler (ECIH v3) courses and study guides delve into various cyber attack
tools, including HOIC, explaining their functionalities and potential impact as part of the
comprehensive cybersecurity threat landscape education.
[Introduction to Incident Handling and Response]
Which of the following information security personnel handles incidents from both a management and a
technical point of view?
B
Explanation:
In the context of information security, the Incident Manager (IM) plays a crucial role in handling
incidents from both a management and technical perspective. The Incident Manager is responsible
for overseeing the entire incident response process, coordinating with relevant stakeholders,
ensuring that incidents are analyzed, contained, and eradicated efficiently, and that recovery
processes are initiated promptly. They are pivotal in ensuring communication flows smoothly
between technical teams and upper management and that all actions taken are aligned with the
organization's broader security policies and objectives. Unlike network administrators, threat
researchers, or forensic investigators who may play more specialized roles within the incident
response process, the Incident Manager has a broad oversight role that encompasses both technical
and managerial aspects to ensure a comprehensive and coordinated response to security incidents.
Reference: Incident Handler (ECIH v3) courses and study guides emphasize the role of the Incident
Manager as integral to the incident handling process, underscoring their importance in bridging the
gap between technical response actions and strategic management decisions.
[Handling and Responding to Email Security Incidents]
Francis received a spoof email asking for his bank information. He decided to use a tool to analyze
the email headers. Which of the following should he use?
B
Explanation:
MxToolbox is a comprehensive tool designed for analyzing email headers and diagnosing various
email delivery issues. When Francis received a spoofed email asking for his bank information, using
MxToolbox to analyze the email headers would be appropriate. This tool helps in examining the
source of the email, tracking the email's path across the internet from the sender to the receiver, and
identifying any signs of email spoofing or malicious activity. It provides detailed information about
the email servers encountered along the way and can help in verifying the authenticity of the email
sender. Other options like EventLog Analyzer, Email Checker, and PoliteMail are tools used for
different purposes such as analyzing system event logs, checking email address validity, and
managing email communications, respectively, and do not specifically focus on analyzing email
headers to the extent required for investigating a spoofed email incident.
Reference: The use of MxToolbox in incident handling and email security analysis is commonly
recommended in Incident Handler (ECIH v3) study materials as a practical tool for email header
analysis and spoofing investigation.
[Introduction to Incident Handling and Response]
Zaimasoft, a prominent IT organization, was attacked by perpetrators who directly targeted the
hardware and caused irreversible damage to the hardware. As a result, replacing or reinstalling the
hardware was the only solution.
Identify the type of denial-of-service attack performed on Zaimasoft.
C
Explanation:
A Permanent Denial-of-Service (PDoS) attack, also known as "phlashing," is a form of attack that
targets hardware, causing irreversible damage to the hardware components, thereby making the
device unusable without a replacement or significant hardware intervention. In the scenario
described with Zaimasoft, the attackers' actions leading to the damage of hardware components
align with the characteristics of a PDoS attack. Unlike Distributed Denial-of-Service (DDoS) or Denial-
of-Service (DoS) attacks, which generally aim to overwhelm a system's resources temporarily, or
DRDoS (Distributed Reflection Denial of Service), which involves amplification techniques using third-
party servers, a PDoS attack directly damages the physical hardware, necessitating its replacement or
reinstallation. This makes PDoS particularly severe due to its permanent impact on the targeted
organization's hardware infrastructure.
Reference: Incident Handler (ECIH v3) educational resources detail various types of denial-of-service
attacks, including PDoS, highlighting the distinct nature of each attack and its implications on the
affected systems, with PDoS being noted for its physical, irreparable impact on hardware
components.
[Introduction to Incident Handling and Response]
Which of the following terms refers to the personnel that the incident handling and response (IH&R)
team must contact to report the incident and obtain the necessary permissions?
B
Explanation:
In the context of incident handling and response (IH&R), the term "Point of contact" refers to
individuals or departments within an organization that are designated to be contacted by the IH&R
team in case of an incident. These personnel are crucial for the reporting process and for obtaining
the necessary permissions to proceed with incident response activities. They serve as the liaison
between the incident response team and other parts of the organization, external agencies, or
partners involved in the incident response process. The point of contact is responsible for facilitating
communication, coordinating actions, and ensuring that the appropriate stakeholders are engaged in
the response to an incident. This role is pivotal in ensuring a swift and effective response to security
incidents, minimizing damage, and restoring operations.
Reference: Incident Handler (ECIH v3) courses and study guides typically emphasize the importance
of clearly defined roles and responsibilities within the incident response process, including the
designation of points of contact.
[Handling and Responding to Email Security Incidents]
Khai was tasked with examining the logs from a Linux email server. The server uses Sendmail to
execute the command to send emails and Syslog to maintain logs. To validate the data within email
headers, which of the following directories should Khai check for information such as source and
destination IP addresses, dates, and timestamps?
A
Explanation:
In a Linux environment, email servers such as Sendmail log events, including details about sent and
received emails, in a specific log file. The correct directory and file for examining email logs,
particularly for Sendmail and using Syslog for logging, is /var/log/maillog. This file contains vital
information for forensic and incident response purposes, including source and destination IP
addresses, email addresses, timestamps, and other data relevant to the email traffic handled by the
server. By analyzing this log, incident responders can gather evidence related to email-based
incidents, trace the source of malicious emails, and understand the scope of an incident. It's crucial
for individuals like Khai, who are tasked with examining logs, to know the correct log file locations
and their contents to effectively validate and analyze email header information and other relevant
data.
Reference: Incident Handler (ECIH v3) study materials often cover the logging mechanisms of
common services and applications on Linux systems, including email servers like Sendmail, and the
importance of log files like /var/log/maillog in incident investigation and response activities.
[Introduction to Incident Handling and Response]
A malicious, security-breaking program is disguised as a useful program. Such executable programs,
which are installed when a file is opened, allow others to control a user's system. What is this type of
program called?
A
Explanation:
A Trojan, short for Trojan horse, is a type of malicious software that misleads users about its true intent.
It disguises itself as a legitimate and useful program, but once executed, it allows unauthorized
access to the user's system. Unlike viruses and worms, Trojans do not replicate themselves but can
be just as destructive. They are often used to create a backdoor to a computer system, allowing an
attacker to gain access to the system or to deliver other malware. Trojans can be used for a variety of
purposes, including stealing information, downloading or uploading files, monitoring the user's
screen and keyboard, and more. The term "Trojan" comes from the Greek story of the wooden horse
that was used to sneak soldiers into the city of Troy, which is analogous to the deceptive nature of
this type of malware in cyber security.
Reference: The EC-Council's Certified Incident Handler (ECIH v3) program covers various types of
malware, including Trojans, in detail, explaining their mechanisms, how they can be identified, and
the steps to take in response to such threats.
[Forensic Readiness and First Response]
Which of the following details are included in the evidence bags?
B
Explanation:
In the practice of digital forensics and incident handling, evidence bags play a crucial role in
preserving the integrity and chain of custody of physical and digital evidence. The information
typically included in the documentation on evidence bags encompasses the date and time of seizure,
which provides a timestamp for when the evidence was collected; the exhibit number, which is a
unique identifier assigned to each piece of evidence for tracking and reference purposes; and the
name of the incident responder or individual who collected the evidence, ensuring accountability
and traceability. This documentation is essential for maintaining the chain of custody, a critical
element in legal proceedings, as it helps establish the evidence's authenticity and integrity by
detailing its handling from collection to presentation in court. Options A, B, and C describe types of
digital evidence but are not directly related to the content typically documented on evidence bags.
Reference: Incident Handler (ECIH v3) courses and study guides emphasize the importance of
accurately documenting evidence bags as part of the evidence collection and preservation process in
incident handling and digital forensics.
[Introduction to Incident Handling and Response]
Stanley works as an incident responder at a top MNC based in Singapore. He was asked to investigate
a cybersecurity incident that recently occurred in the company. While investigating the incident, he
collected evidence from the victim systems. He must present this evidence in a clear and
comprehensible manner to the members of a jury so that the evidence clarifies the facts and further
helps in obtaining an expert opinion on the incident to confirm the investigation process. In the
above scenario, which of the following characteristics of the digital evidence did Stanley attempt to
preserve?
B
Explanation:
In the scenario described, Stanley's effort to present evidence in a clear and comprehensible manner
to the members of a jury, with the intention of clarifying facts and aiding in obtaining expert opinion,
aligns with the characteristic of admissibility. The admissibility of digital evidence pertains to its
acceptability in a court of law, which hinges on the evidence being collected, handled, and presented
in a manner that complies with legal standards and procedures. This includes ensuring the evidence
is relevant, reliable, and not overly prejudicial. By preparing to present the evidence in a way that the
jury can understand and use to confirm the investigation process, Stanley is focusing on ensuring that
the evidence meets the criteria for admissibility in the legal proceedings. Completeness,
believability, and authenticity are also important characteristics of digital evidence, but the context
provided indicates that Stanley's primary focus is on meeting the legal requirements for the evidence
to be considered valid in court.
Reference: The Incident Handler (ECIH v3) certification materials cover the legal aspects of incident
response, including the importance of ensuring the admissibility of evidence in legal proceedings as
a fundamental objective of the evidence collection and presentation process.
[Handling and Responding to Insider Threats]
Which of the following is a common tool used to help detect malicious internal or compromised
actors?
A
Explanation:
User Behavior Analytics (UBA) is a cybersecurity process or tool that utilizes machine learning,
algorithms, and statistical analyses to detect potentially harmful activities within an organization's
network by comparing them against established patterns of users' behavior. It is particularly effective
in identifying malicious internal actors or compromised users who may be conducting activities that
deviate from their normal behavior patterns, such as accessing unauthorized data or systems,
excessive file downloads, or unusual login times. UBA tools can flag these activities for further
investigation, often before traditional security tools detect a breach. In contrast, SOC2 compliance
reports, log forwarding, and syslog configuration are important for maintaining and auditing security
standards and for infrastructure monitoring, but they are not primarily focused on detecting
malicious behavior based on deviations from established user behavior patterns.
Reference: The Incident Handler (ECIH v3) curriculum discusses various tools and methodologies for
detecting and responding to security incidents, highlighting User Behavior Analytics as a key tool for
identifying insider threats and compromised accounts through behavioral monitoring and analysis.
[Introduction to Incident Handling and Response]
Adam is an incident handler who intends to use DBCC LOG command to analyze a database and
retrieve the active transaction log files for the specified database. The syntax of DBCC LOG command
is DBCC LOG(, ), where the output parameter specifies the level of information an incident handler
wants to retrieve. If Adam wants to retrieve the full information on each operation along with the
hex dump of a current transaction row, which of the following output parameters should Adam use?
C
Explanation:
The DBCC LOG command is used in SQL Server environments to analyze the transaction log files of a
database. It provides insights into the transactions that have occurred, which is crucial for forensic
analysis in the event of an incident. The syntax DBCC LOG(<database_name>, <output_level>) allows
an incident handler to specify the level of detail they wish to retrieve from the log files. When an
incident handler like Adam requires the full information on each operation along with the hex dump
of the current transaction row, the output parameter should be set to 4. This level of output is the
most verbose, providing comprehensive details about each transaction, including a hex dump which
is essential for a deep forensic analysis. It helps in understanding the exact changes made by
transactions, which can be pivotal in investigating incidents involving data manipulation or other
unauthorized database activities.
Reference: EC-Council's Certified Incident Handler (ECIH v3) program emphasizes the importance of
understanding and utilizing various tools and commands for forensic analysis, including how to use
the DBCC LOG command for transaction log analysis in SQL Server environments.
[Handling and Responding to Network Security Incidents]
Which of the following is NOT a network forensic tool?
C
Explanation:
Network forensic tools are designed to capture, record, and analyze network traffic. Tools like Capsa
Network Analyzer, Tcpdump, and Wireshark are specifically designed for this purpose, providing
capabilities to capture live traffic, analyze packets, and understand network activities. Capsa Network
Analyzer is a comprehensive network monitoring tool, Tcpdump is a powerful command-line packet
analyzer, and Wireshark is a widely used network protocol analyzer that provides detailed
information about network traffic.
Advanced NTFS Journaling Parser, on the other hand, is not a network forensic tool but a tool used
for forensic analysis of NTFS file systems. It parses the NTFS journal ($LogFile), which contains a log of
changes made to files on an NTFS volume. This tool is valuable for forensic analysts who are
investigating the file system activities on a Windows system, such as file creation, modification, and
deletion times, rather than analyzing network traffic. Therefore, it does not fit the category of a
network forensic tool.
Reference: The ECIH v3 curriculum from EC-Council covers a range of tools useful for incident
handlers and forensic analysts, distinguishing between network forensic tools and those used for
other types of forensic analysis, such as file system investigation.
[Introduction to Incident Handling and Response]
Malicious downloads that result from malicious office documents being manipulated are caused by
which of the following?
D
Explanation:
Malicious downloads initiated through manipulated office documents typically involve macro abuse.
Macros are scripts that can automate tasks within documents and are embedded within Office
documents like Word, Excel, and PowerPoint files. While macros can be used for legitimate purposes,
they can also be abused by attackers to execute malicious code. When an office document with a
malicious macro is opened, and macros are enabled, the macro can run arbitrary code that leads to
malicious downloads, installing malware or performing other unauthorized actions on the victim's
system.
Macro abuse has become a common vector for cyber attacks, as it exploits the functionality of widely
used office applications. Attackers often craft phishing emails with attachments or links to documents
that contain malicious macros, tricking users into enabling macros to execute the malicious code.
This method is effective for bypassing some security measures since it relies on user interaction and
exploitation of legitimate features.
Reference: In the ECIH v3 course by EC-Council, there is a focus on various methods used by attackers
to compromise systems, including macro abuse in office documents. The curriculum stresses the
importance of understanding these attack vectors for effective incident handling and response
strategies.