ECCouncil Updated 312-50v13 Exam Questions and Answers by samson

The Certified Ethical Hacker (CEH) Incident Response lifecycle begins with Identification, followed by containment, eradication, recovery, and lessons learned. CEH documentation stresses that understanding the scope and nature of an incident is critical before taking disruptive action.

Option A is the correct initial response because it focuses on real-time monitoring and log analysis, which are essential during the identification phase. CEH materials emphasize analyzing logs, authentication failures, and traffic anomalies to confirm whether an incident has occurred and determine the attacker’s techniques, persistence level, and impact.

Option B, while valuable, is more appropriate after initial identification. Conducting deep outbound traffic audits without first understanding the attack vector can delay containment decisions.

Option C is premature. CEH warns that changing credentials too early may alert the attacker and cause them to escalate or destroy evidence.

Option D represents a containment strategy, not an initial response. CEH guidelines advise against immediately disconnecting systems unless there is confirmed active data exfiltration that cannot be otherwise controlled, as this may disrupt business operations and erase volatile forensic evidence.

Therefore, the CEH-approved approach is to monitor, analyze, and identify the incident before moving to containment and eradication.

According to CEH v13 Network Scanning and Enumeration, ICMP Echo Requests (ping) are commonly filtered by firewalls and intrusion prevention systems to reduce network reconnaissance exposure. When ICMP Echo Replies are not returned but other services remain operational, the most likely explanation is ICMP filtering rather than host unavailability or compromise.

CEH v13 explicitly states that many organizations configure firewalls to block ICMP Echo Requests while allowing other ICMP types or higher-layer protocols. This practice helps prevent attackers from easily mapping live hosts during the reconnaissance phase.

The other options are incorrect because:

Unused IPs would not necessarily have active services.

A breach would typically present additional symptoms.

Network congestion would affect multiple protocols, not just ICMP.

Thus, blocked ICMP is the correct interpretation.

String concatenation is the best match because the technique described is breaking a recognizable SQL keyword or payload into separate pieces so a signature-based WAF rule does not see the full malicious token in one continuous pattern. In CEH-aligned web application testing, many WAF detections rely on matching known strings such as UNION SELECT, OR 1=1, and other classic patterns. If an attacker can cause the database parser to interpret the same meaning while the input appears different at the inspection layer, the WAF may fail to match its rule and the payload can reach the backend.

The prompt explicitly says you “split the query into multiple parts” to avoid detection as “a single signature.” That is the core idea of concatenation-based evasion: represent the same instruction through separated fragments that are recombined or tolerated by the SQL parser, depending on the database and application behavior. This differs from in-line comments, which would typically insert comment markers inside keywords to break signatures while preserving parsing, and differs from hex encoding, which replaces characters or strings with hexadecimal representations. A null byte technique is usually associated with string-termination tricks in older contexts and does not align with splitting SQL keywords for WAF bypass.

Defensively, CEH guidance emphasizes that relying on WAF signatures alone is insufficient. Strong prevention requires parameterized queries, strict server-side input validation, least-privilege database accounts, and monitoring for anomalous query patterns and error behaviors even when obvious signatures are not present.

According to CEH v13, black box testing refers to a testing approach where the ethical hacker has no prior knowledge of the internal structure, source code, or configuration of the system.

The attacker simulates a real-world external attacker, relying solely on discovery and exploitation techniques.

White box testing = full knowledge

Gray box testing = partial knowledge