ECCouncil 212-89 - EC Council Certified Incident Handler (ECIH v3)

This scenario describes a SYN flood attack, a classic protocol-level Denial-of-Service technique covered in the ECIH Network Security Incidents module. In a SYN flood, attackers send a large volume of TCP SYN packets but never complete the three-way handshake, leaving the server waiting for responses and exhausting connection resources.

Option D is correct because incomplete TCP handshakes, half-open connections, and resource exhaustion are defining characteristics of SYN flood attacks. The presence of multiple source IPs further suggests a distributed attack.

Option A involves taking over an existing session, not exhausting resources. Option B applies to UDP-based amplification attacks. Option C affects DNS resolution, not TCP handshakes.

ECIH stresses that early identification of SYN floods allows defenders to deploy SYN cookies, rate limiting, and upstream filtering. Recognizing handshake anomalies is therefore critical in protecting service availability.

Bob is in the Investigation phase of the forensic investigation process. This phase involves the detailed examination and analysis of the collected evidence to identify the source of the crime and the perpetrator behind the incident. It is a crucial step that follows the acquisition and preservation of evidence, where the incident responder applies various techniques and methodologies to analyze the evidentiary data. This analysis aims to uncover how the cybercrime was committed, trace the activities of the culprit, and gather actionable intelligence to support legal actions and prevent future incidents.

A negligent insider is an individual within an organization who, due to a lack of knowledge on security threats or in an attempt to increase workplace efficiency, inadvertently bypasses security procedures or makes errors that compromise security. This type of insider threat is not malicious in intent; rather, it stems from carelessness, oversight, or a lack of proper security training. Such insiders might click on phishing links, mishandle sensitive information, or use unsecured networks for work-related tasks, thereby exposing the organization to potential security breaches. This contrasts with compromised insiders (who are manipulated by external parties), professional insiders (who misuse their access for personal gain), and malicious insiders (who intentionally aim to harm the organization).

The ECIH Endpoint Security module stresses that modern endpoint incidents require advanced detection capabilities beyond traditional antivirus or manual inspection. Intellectual property theft often involves stealthy techniques that evade basic controls.

Option C is correct because an Endpoint Detection and Response (EDR) solution provides deep visibility into endpoint behavior, including process execution, memory activity, file changes, and lateral movement. EDR enables analysts to detect, investigate, and validate incidents efficiently across multiple endpoints.

Option B is slow and error-prone. Option A is premature without validation. Option D identifies vulnerabilities, not active compromise.

ECIH highlights EDR as a cornerstone technology for endpoint incident detection and validation, especially in high-value environments such as R&D networks.

This incident involves malware actively impacting medical devices, posing patient safety risks. According to ECIH malware incident handling principles, the first priority is containment and eradication at the endpoint level.

Option D is correct because deploying endpoint protection directly detects and halts malware execution on the MRI machines, stopping both manipulation of results and further malicious activity. Endpoint containment is essential before network-level or recovery actions.

Option B addresses communication but does not stop local manipulation. Option C alters system state without containment. Option A is a regulatory step that follows validation.

ECIH emphasizes that in critical infrastructure and healthcare environments, immediate endpoint containment is essential to protect safety and data integrity.

James's activities, including creating anonymous access to cloud services to carry out attacks such as password and key cracking, hosting malicious data, and conducting DDoS attacks, exemplify the abuse and nefarious use of cloud services. This threat involves exploiting cloud computing resources to conduct malicious activities, which can impact the cloud service provider as well as other users of the cloud services. This abuse ranges from using the cloud platform's resources for computationally intensive tasks like cracking passwords or encryption keys to conducting DDoS attacks that can disrupt services for legitimate users.

The responsibility of first responders does not include shutting down or rebooting the victim’s computer as a measure to preserve temporary and fragile evidence. In fact, such actions can potentially alter or destroy volatile data that could be crucial for the investigation. The primary responsibilities of first responders include protecting and identifying the crime scene, and ensuring the preservation of evidence in its original state as much as possible, which may involve isolating affected systems from the network but not necessarily shutting them down or rebooting them without proper forensic readiness and consideration.

The most effective eradication and prevention control in this scenario is the implementation of the Principle of Least Privilege (PoLP) through strict access controls. According to the EC-Council Incident Handler (ECIH) curriculum under Insider Threat Management and Incident Prevention, organizations must ensure that users are granted only the minimum level of access required to perform their job functions. Excessive privileges significantly increase the risk of intentional or accidental misuse of critical systems and data.

In this case, employees were granted administrative access to sensitive systems without a business justification. Administrative privileges typically allow access to restricted financial data and the ability to modify audit logs. ECIH emphasizes that improper privilege management is a primary enabling factor in insider threats. If role-based access control (RBAC) aligned with PoLP had been properly enforced, these employees would not have had the capability to access restricted financial records or alter audit logs.

While User and Entity Behavior Analytics (UEBA) can detect anomalous behavior, it is primarily a detective control rather than a preventive eradication measure. Enhanced password policies strengthen authentication but do not address excessive authorization rights. Network segmentation limits lateral movement but does not directly prevent misuse of over-privileged accounts within authorized segments.

ECIH guidelines strongly recommend periodic access reviews, separation of duties, privilege auditing, and strict RBAC enforcement as part of insider threat mitigation and eradication strategies. By implementing PoLP and continuously reviewing administrative privileges, organizations can significantly reduce the attack surface and prevent privilege abuse before an insider can exploit sensitive systems.

In the ECIH email incident response framework, eradication extends beyond internal cleanup and includes threat intelligence sharing. Option B is correct because sharing phishing indicators with trusted security communities helps disrupt attacker infrastructure and prevents reuse of the same campaign against other organizations.

Option A is unrelated. Option C is ineffective against phishing. Option D is overly destructive and unnecessary.

ECIH promotes collaborative defense as part of post-detection eradication and prevention.