ECCouncil Updated 212-89 Exam Questions and Answers by angel

Michael's activities, which involve analyzing file systems, slack spaces, and metadata of storage units to find hidden malware and evidence of malice, indicate that he is handling a storage-related cloud security incident. This type of incident pertains to unauthorized access, alteration, or exfiltration of data stored in cloud environments. By focusing on the storage aspects such as file systems and metadata, Michael is looking for signs of compromise that specifically affect the storage of data, which is indicative of a storage-related security incident in the cloud.

Comprehensive and Detailed Explanation (ECIH-aligned):

This incident involves malware embedded within third-party modifications, affecting financial data and game integrity. The ECIH malware handling framework prioritizes rapid containment to prevent further exploitation before analysis or public communication.

Option B is correct because disabling all mods immediately stops the malicious mod from continuing to operate, preventing additional data theft and financial abuse. This action contains the threat across the entire user base quickly and uniformly.

Option A focuses on detection and removal but may miss distributed instances already in use. Option C is a communication step that should follow containment. Option D delays action and allows continued exploitation.

ECIH stresses that when malware is actively impacting users at scale, containment actions that reduce attack surface globally are preferred. Disabling all mods is the fastest and safest initial containment measure, making Option B correct.

Comprehensive and Detailed Explanation (ECIH-aligned):

This scenario highlights a preparation phase improvement. ECIH strongly emphasizes the importance of out-of-band communication during incidents, especially when primary systems are compromised.

Option D is correct because VOIP and SMS reporting channels allow incident reporting even when email systems are unavailable or under attack. ECIH identifies out-of-band communication as critical for maintaining coordination and timely escalation during incidents.

Options A–C do not address the reporting failure described.

Establishing alternate communication channels strengthens incident readiness and response resilience, aligning directly with ECIH best practices.

Explanation (cloud triage at scale):

Cloud environments generate massive telemetry across services, accounts, regions, and tenants. The limiting factor is not “more logs,” but correlation and prioritization: connecting identity events, network flows, workload behaviors, API calls, and configuration changes into a coherent incident timeline and severity assessment. Automation/orchestration (A) supports rapid triage by correlating alerts, deduplicating noise, enriching with context (asset criticality, ownership, exposure), and driving consistent playbook actions (ticket creation, isolation steps, snapshotting, token revocation) with approvals.

(B) may be overbroad and can create major outages and contractual harm; it’s containment without validated scope. (C) is premature; customer communication should be accurate and proportional, usually after initial scoping and legal review. (D) is the opposite of best practice—third-party logs can be essential (EDR, CASB, SIEM, SaaS audit logs).

So (A) is the best first step because it makes triage fast, consistent, and scalable, which is exactly what you need when log volume is the main operational barrier.