212-89 ECCouncil EC Council Certified Incident Handler (ECIH v3) Free Practice Exam Questions (2026 Updated)

Disabling security options such as two-factor authentication (2FA) and CAPTCHA is not a countermeasure to eradicate cloud security incidents. In fact, it is contrary to best security practices. 2FA adds an additional layer of security by requiring two forms of verification before granting access to an account or system. CAPTCHA helps prevent automated attacks by ensuring that the entity accessing the service is human. Both are important security measures that protect against unauthorized access and automated attacks, thereby enhancing cloud security.

In the risk assessment process, "System characterization" is the initial step where the scope of the assessment is defined. This involves identifying and documenting the boundaries of the IT systems under review, the resources (hardware, software, data, and personnel) that constitute these systems, and any relevant information about their operation and environment. This foundational step is essential for understanding what needs to be protected and forms the basis for subsequent analysis, including identifying vulnerabilities, assessing potential threats, and determining the impact of risks to the organization.

The regular expression/exec(\s|\+)+(s|x)p\w+/ixis designed to match patterns that resemble SQL injection attempts, specifically targeting MS SQL Server. This expression looks for the use of theexeccommand followed by one or more spaces or plus signs, and then patterns that start withsporxp, which are prefixes commonly used in SQL Server stored procedures and extended stored procedures. These are often targeted in SQL injection attacks to execute malicious SQL statements. The regular expression provided is a tool used by incident responders like Tibson to identify and analyze potential SQL injection attempts by looking for suspicious patterns in SQL queries.

This scenario involves a high-privilege insider threat, one of the most difficult risks to detect. ECIH emphasizes that senior executives often have broad access, making role-based restrictions impractical.

Option A is correct because advanced employee monitoring and behavioral analytics can detect abnormal access patterns, data exfiltration trends, and deviations from established baselines—even for executives. These tools operate within legal and policy frameworks while providing actionable alerts.

Options B and C reduce efficiency and are easily bypassed. Option D is intrusive and ineffective for digital exfiltration.

ECIH identifies behavioral monitoring as the most effective control for detecting malicious insiders with legitimate access, making Option A correct.

In Wireshark, to identify ICMP ping sweep attempts, the filtericmp.type == 8 or icmp.type ==0is used. This filter captures ICMP echo requests and echo replies, which are indicative of ping commands. Type 8 represents an echo request used when a source sends a ping, and type 0 represents an echo reply, which is the response from the target. By filtering for these ICMP types, Miko can detect a surge in ping requests across the network, which could indicate a ping sweep attempt—an exploratory activity often used by attackers to discover active hosts on a network by sending ping requests to multiple addresses.

The EC-Council Incident Handler (ECIH) curriculum defines Post-Incident Activity as the phase focused on lessons learned, root cause analysis, and process improvement. Conducting a formal retrospective with cross-functional stakeholders to reconstruct timelines, evaluate decision-making, and identify coordination gaps aligns directly with a structured postmortem analysis.

ECIH emphasizes that post-incident reviews should promote a no-blame culture to encourage transparency and honest feedback. The objective is continuous improvement of incident response playbooks, communication protocols, escalation procedures, and overall organizational readiness. Root cause analysis (RCA) is a key component, ensuring that both technical and procedural weaknesses are identified and corrected.

Option B (reclassification) is an administrative adjustment, not a comprehensive review. Option C (vendor notification) relates to external communication. Option D (checklist updates) may result from the review but does not describe the primary activity being executed.

Therefore, the organization is performing a formal postmortem to analyze root causes and operational effectiveness.

In the ECIH email incident response framework, eradication extends beyond internal cleanup and includes threat intelligence sharing. Option B is correct because sharing phishing indicators with trusted security communities helps disrupt attacker infrastructure and prevents reuse of the same campaign against other organizations.

Option A is unrelated. Option C is ineffective against phishing. Option D is overly destructive and unnecessary.

ECIH promotes collaborative defense as part of post-detection eradication and prevention.

Omnipeek is a network analyzer tool that allows for the capture and analysis of data packets transmitted across a network. It is designed to provide deep insights into network traffic, enabling users to examine various aspects of the data packets, including network protocols, ports, devices, and potential issues in network transmission. This tool would be ideal for Chandler, who is targeting the Technote organization with the intent of intercepting and analyzing network traffic to obtain sensitive organizational information. Omnipeek's capabilities in packet analysis make it suitable for such activities, offering detailed visibility into the network's operation and data flows.

As of my last update, the most recent NIST standard for incident response was NIST Special Publication 800-61 Revision 2 (800-61r2), titled "Computer Security Incident Handling Guide." This document provides guidelines for establishing an effective incident response program, including preparation, detection and analysis, containment, eradication, recovery, and post-incident activity.

The ECIH incident validation phase emphasizes the importance of direct evidence when confirming unauthorized access. Log entries that show access to sensitive or restricted files provide concrete proof that an attacker successfully breached controls.

Option B is correct because access logs tied to critical resources confirm both authentication success and unauthorized activity. Failed logins or system performance issues alone do not confirm compromise.

Option A, C, and D are indirect indicators that may signal suspicious behavior but cannot independently confirm unauthorized access.

Therefore, verified log evidence is the strongest indicator, aligning with ECIH incident triage and validation principles.