Eccouncil 212-89 practice test

Exam Title: EC-Council Certified Incident Handler

Last update: Dec 25, 2025

Question 1

[Introduction to Incident Handling and Response]
Stanley works as an incident responder at a top MNC based in Singapore. He was asked to investigate
a cybersecurity incident that recently occurred in the company. While investigating the incident, he
collected evidence from the victim systems. He must present this evidence in a clear and
comprehensible manner to the members of a jury so that the evidence clarifies the facts and further
helps in obtaining an expert opinion on the incident to confirm the investigation process. In the
above scenario, which of the following characteristics of the digital evidence did Stanley attempt to
preserve?

  • A. Completeness
  • B. Admissibility
  • C. Believability
  • D. Authenticity
Answer: B

Explanation:
In the scenario described, Stanley's effort to present evidence in a clear and comprehensible manner
to the members of a jury, with the intention of clarifying facts and aiding in obtaining expert opinion,
aligns with the characteristic of admissibility. The admissibility of digital evidence pertains to its
acceptability in a court of law, which hinges on the evidence being collected, handled, and presented
in a manner that complies with legal standards and procedures. This includes ensuring the evidence
is relevant, reliable, and not overly prejudicial. By preparing to present the evidence in a way that the
jury can understand and use to confirm the investigation process, Stanley is focusing on ensuring that
the evidence meets the criteria for admissibility in the legal proceedings. Completeness,
believability, and authenticity are also important characteristics of digital evidence, but the context
provided indicates that Stanley's primary focus is on meeting the legal requirements for the evidence
to be considered valid in court.
Reference: The Incident Handler (ECIH v3) certification materials cover the legal aspects of incident
response, including the importance of ensuring the admissibility of evidence in legal proceedings as
a fundamental objective of the evidence collection and presentation process.

Question 2

[Handling and Responding to Insider Threats]
Which of the following is a common tool used to help detect malicious internal or compromised
actors?

  • A. User behavior analytics
  • B. SOC2 compliance report
  • C. Log forwarding
  • D. Syslog configuration
Answer: A

Explanation:
User Behavior Analytics (UBA) is a cybersecurity process or tool that utilizes machine learning,
algorithms, and statistical analyses to detect potentially harmful activities within an organization's
network by comparing them against established patterns of users' behavior. It is particularly effective
in identifying malicious internal actors or compromised users who may be conducting activities that
deviate from their normal behavior patterns, such as accessing unauthorized data or systems,
excessive file downloads, or unusual login times. UBA tools can flag these activities for further
investigation, often before traditional security tools detect a breach. In contrast, SOC2 compliance
reports, log forwarding, and syslog configuration are important for maintaining and auditing security
standards and for infrastructure monitoring, but they are not primarily focused on detecting
malicious behavior based on deviations from established user behavior patterns.
Reference: The Incident Handler (ECIH v3) curriculum discusses various tools and methodologies for
detecting and responding to security incidents, highlighting User Behavior Analytics as a key tool for
identifying insider threats and compromised accounts through behavioral monitoring and analysis.

Question 3

[Introduction to Incident Handling and Response]
Adam is an incident handler who intends to use DBCC LOG command to analyze a database and
retrieve the active transaction log files for the specified database. The syntax of DBCC LOG command
is DBCC LOG(, ), where the output parameter specifies the level of information an incident handler
wants to retrieve. If Adam wants to retrieve the full information on each operation along with the
hex dump of a current transaction row, which of the following output parameters should Adam use?

  • A. 2
  • B. 3
  • C. 4
  • D. 1
Answer: C

Explanation:
The DBCC LOG command is used in SQL Server environments to analyze the transaction log files of a
database. It provides insights into the transactions that have occurred, which is crucial for forensic
analysis in the event of an incident. The syntax DBCC LOG(<database_name>, <output_level>) allows
an incident handler to specify the level of detail they wish to retrieve from the log files. When an
incident handler like Adam requires the full information on each operation along with the hex dump
of the current transaction row, the output parameter should be set to 4. This level of output is the
most verbose, providing comprehensive details about each transaction, including a hex dump which
is essential for a deep forensic analysis. It helps in understanding the exact changes made by
transactions, which can be pivotal in investigating incidents involving data manipulation or other
unauthorized database activities.
Reference: EC-Council's Certified Incident Handler (ECIH v3) program emphasizes the importance of
understanding and utilizing various tools and commands for forensic analysis, including how to use
the DBCC LOG command for transaction log analysis in SQL Server environments.

Question 4

[Handling and Responding to Network Security Incidents]
Which of the following is NOT a network forensic tool?

  • A. Capsa Network Analyzer
  • B. Tcpdump
  • C. Advanced NTFS Journaling Parser
  • D. Wireshark
Answer: C

Explanation:
Network forensic tools are designed to capture, record, and analyze network traffic. Tools like Capsa
Network Analyzer, Tcpdump, and Wireshark are specifically designed for this purpose, providing
capabilities to capture live traffic, analyze packets, and understand network activities. Capsa Network
Analyzer is a comprehensive network monitoring tool, Tcpdump is a powerful command-line packet
analyzer, and Wireshark is a widely used network protocol analyzer that provides detailed
information about network traffic.
Advanced NTFS Journaling Parser, on the other hand, is not a network forensic tool but a tool used
for forensic analysis of NTFS file systems. It parses the NTFS journal ($LogFile), which contains a log of
changes made to files on an NTFS volume. This tool is valuable for forensic analysts who are
investigating the file system activities on a Windows system, such as file creation, modification, and
deletion times, rather than analyzing network traffic. Therefore, it does not fit the category of a
network forensic tool.
Reference: The ECIH v3 curriculum from EC-Council covers a range of tools useful for incident
handlers and forensic analysts, distinguishing between network forensic tools and those used for
other types of forensic analysis, such as file system investigation.

Question 5

[Introduction to Incident Handling and Response]
Malicious downloads that result from malicious office documents being manipulated are caused by
which of the following?

  • A. Clickjacking
  • B. Impersonation
  • C. Registry key manipulation
  • D. Macro abuse
Answer: D

Explanation:
Malicious downloads initiated through manipulated office documents typically involve macro abuse.
Macros are scripts that can automate tasks within documents and are embedded within Office
documents like Word, Excel, and PowerPoint files. While macros can be used for legitimate purposes,
they can also be abused by attackers to execute malicious code. When an office document with a
malicious macro is opened, and macros are enabled, the macro can run arbitrary code that leads to
malicious downloads, installing malware or performing other unauthorized actions on the victim's
system.
Macro abuse has become a common vector for cyber attacks, as it exploits the functionality of widely
used office applications. Attackers often craft phishing emails with attachments or links to documents
that contain malicious macros, tricking users into enabling macros to execute the malicious code.
This method is effective for bypassing some security measures since it relies on user interaction and
exploitation of legitimate features.
Reference: In the ECIH v3 course by EC-Council, there is a focus on various methods used by attackers
to compromise systems, including macro abuse in office documents. The curriculum stresses the
importance of understanding these attack vectors for effective incident handling and response
strategies.

Question 6

[Introduction to Incident Handling and Response]
Jacob is an employee at a firm called Dolphin Investment. While he was on duty, he identified that
his computer was facing some problems, and he wanted to convey the issue to the concerned
authority in his organization. However, this organization currently does not have a ticketing system to
address such types of issues. In the above scenario, which of the following ticketing systems can be
employed by Dolphin Investment to allow Jacob to inform the concerned team about the incident?

  • A. IBM X-Force Exchange
  • B. ThreatConnect
  • C. MISP
  • D. ManageEngine ServiceDesk Plus
Answer: D

Explanation:
In the scenario where Dolphin Investment needs to implement a ticketing system for employees like
Jacob to report IT-related issues, ManageEngine ServiceDesk Plus is the most suitable option among
the choices provided. ManageEngine ServiceDesk Plus is a comprehensive IT help desk software that
facilitates issue tracking, incident management, and efficient resolution of IT-related problems and
requests. It enables users to submit tickets through various channels, including email, web portal,
phone, or chat, and allows IT support teams to manage these tickets through a centralized platform.
This system is designed to streamline the process of reporting, tracking, and resolving IT issues and
incidents, making it an ideal solution for organizations looking to establish a formalized incident
reporting and resolution process. Other options like IBM X-Force Exchange, ThreatConnect, and MISP
focus more on threat intelligence sharing and security incident analysis rather than functioning as an
IT help desk or ticketing system.
Reference: Incident Handler (ECIH v3) courses and study guides often discuss the importance of
having an effective incident reporting and management system in place, and ManageEngine
ServiceDesk Plus is frequently cited as a practical solution for organizations seeking to implement
such a system.

Question 7

[Introduction to Incident Handling and Response]
If the browser does not expire the session when the user fails to logout properly, which of the
following OWASP Top 10 web vulnerabilities is caused?

  • A. A7: Cross-site scripting
  • B. A3: Sensitive data exposure
  • C. A2: Broken authentication
  • D. A5: Broken access control
Answer: C

Explanation:
When a browser does not expire a session after the user fails to logout properly, it is indicative of a
vulnerability related to broken authentication. Broken authentication is a security issue where
attackers can exploit flaws in the authentication mechanism to impersonate other users or take over
their sessions. Failure to properly manage session lifetimes, such as not expiring sessions on logout,
can allow an attacker to reuse old sessions or session IDs, potentially gaining unauthorized access to
user accounts. This vulnerability is classified under A2: Broken Authentication in the OWASP Top 10,
which lists the most critical web application security risks. The OWASP Top 10 serves as a guideline
for developers and web application providers to understand and mitigate common security risks.
Reference: The OWASP Top 10 is a widely recognized standard for web application security, often
referenced in cybersecurity training and certifications, including the EC-Council's Incident Handler
(ECIH v3) curriculum, which covers identification and mitigation of various web application
vulnerabilities, including broken authentication.

Question 8

[Introduction to Incident Handling and Response]
Matt is an incident handler working for one of the largest social network companies, which was
affected by malware. According to the company’s reporting timeframe guidelines, a malware
incident should be reported within 1 h of discovery/detection after its spread across the company.
Which category does this incident belong to?

  • A. CAT 1
  • B. CAT 4
  • C. CAT 2
  • D. CAT 3
Answer: A

Explanation:
In incident response protocols, incidents are categorized based on their severity, impact, and the
urgency of the response required. The categorization helps in prioritizing incident response activities
and allocating resources accordingly. A CAT 1 (Category 1) incident is typically considered the highest
priority, involving significant threats that require immediate response. Given the scenario where a
malware incident in one of the largest social network companies must be reported within 1 hour of
discovery/detection, this indicates a high-priority incident due to the potential widespread impact
and the need for a rapid response to contain and mitigate the malware's spread. The urgency of the
reporting timeframe suggests that the incident is considered critical, aligning with the characteristics
of a CAT 1 incident, which necessitates immediate action to prevent significant damage or disruption
to the company's operations and services.
Reference: The Incident Handler (ECIH v3) curriculum emphasizes the importance of incident
categorization and the establishment of clear reporting and response protocols based on the severity
and urgency of incidents. This framework enables organizations to respond effectively to incidents
like malware attacks by ensuring that high-priority threats are quickly identified and addressed.

Question 9

[Incident Handling and Response Process]
Which of the following is defined as the identification of the boundaries of an IT system along with
the resources and information that constitute the system?

  • A. System characterization
  • B. Vulnerability identification
  • C. Threat identification
  • D. Control analysis
Answer: A

Explanation:
System characterization is the process of defining the boundaries of an IT system, which includes
identifying the resources, information, and functionality that constitute the system. This process is
crucial for understanding the scope of the system, the data it processes, and the technology it
employs. By characterizing a system, incident handlers can better understand the system's normal
operations and behaviors, which is essential for identifying anomalies that may indicate a security
incident. System characterization involves documenting the hardware, software, network
configuration, data flows, and other critical elements of the IT environment. This foundational
knowledge supports effective incident handling by providing a baseline against which suspicious
activities can be compared.
Reference: EC-Council's Certified Incident Handler (ECIH v3) courses and study guides emphasize the
importance of system characterization in the incident handling and response process. It serves as a
prerequisite for subsequent steps such as threat identification, vulnerability identification, and the
implementation of appropriate controls.

Question 10

[Handling and Responding to Malware Incidents]
Malicious Micky has moved from the delivery stage to the exploitation stage of the kill chain. This
malware wants to find and report to the command center any useful services on the system. Which
of the following recon attacks is the MOST LIKELY to provide this information?

  • A. IP range sweep
  • B. Packet sniffing
  • C. Session hijack
  • D. Port scan
Answer: D

Explanation:
When malware moves from the delivery stage to the exploitation stage in the cyber kill chain, its
objective often shifts to identifying exploitable vulnerabilities within the targeted system. A port scan
is a technique used to discover services that are listening on ports within a system. By scanning the
system's ports, the malware can identify open ports and the services running on them, providing
valuable information about potential entry points for further exploitation. This type of
reconnaissance attack is aimed at gathering intelligence on the target system's network services,
which can then be reported back to a command and control center for further malicious activity
planning.
Port scanning is more relevant than IP range sweeps, packet sniffing, or session hijacking for
identifying useful services on a system because it directly targets the discovery of accessible network
services and their corresponding ports. While the other methods can also be part of the
reconnaissance phase, they serve different purposes: IP range sweeps aim to identify active IP
addresses, packet sniffing intercepts data packets to gather information, and session hijacking
involves taking over a valid user session. In contrast, port scanning is specifically designed to
enumerate services that could be exploited.
Reference: The ECIH v3 certification materials discuss various reconnaissance techniques used by
attackers, including port scanning, as part of the exploitation stage of the kill chain. Understanding
these techniques is crucial for incident handlers in identifying how attackers gather information and
plan their attacks.

Page 1 out of 17
Viewing questions 1-10 out of 172