ECCouncil Updated 212-89 Exam Questions and Answers by julian

Comprehensive and Detailed Explanation (ECIH-aligned):

ECIH email incident response guidance emphasizes email header analysis as the primary validation technique for suspected spoofing or impersonation attacks.

Option A is correct because headers reveal sender IPs, routing paths, and authentication results (SPF, DKIM, DMARC). This evidence directly confirms whether the email originated from a legitimate source.

Options B, C, and D are supplementary actions but do not provide authoritative validation.

ISO/IEC 27002 is a standard that provides best practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining information security management systems (ISMSs). It covers areas such as risk assessment, human resource security, operational security, and communications security, among others, providing a framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. ISO/IEC 27035 pertains to information security incident management, PCI DSS (Payment Card Industry Data Security Standard) deals with the security of cardholder data, and RFC 2196 is a guide for computer security incident response teams (CSIRTs), not a standard for implementing ISMSs.

James is working on the post-incident activities stage of the Incident Handling and Response (IH&R) process. After containing the spread of the infection and removing the malware, the focus shifts to assessing the impact of the incident on the organization and preparing a detailed report. This phase involves analyzing the extent of the damage, determining the cost of the attack, evaluating how well the incident was managed, and identifying lessons learned to improve future response efforts. The objective is to restore systems to normal operation, ensure no remnants of the threat remain, and implement measures to prevent recurrence.

Comprehensive and Detailed Explanation (ECIH-aligned):

This incident is a textbook example of whaling, a specialized form of phishing that targets senior executives or impersonates them to exploit authority and trust. According to the ECIH Email Security module, whaling attacks often focus on financial fraud, such as wire transfer requests or invoice manipulation, and are designed to bypass normal controls through urgency and executive impersonation.

Option A is correct because the attacker impersonated the CEO and targeted employees responsible for financial actions. The minor domain alteration and authoritative language are classic whaling indicators.

Option B refers to overwhelming inboxes with large volumes of mail. Option C involves automated credential testing. Option D targets mobile messaging platforms.

Jason’s response—header analysis, identity verification, firewall blocking, financial alerting, and organization-wide notification—aligns with ECIH best practices for handling executive impersonation attacks. Recognizing the attack type correctly is critical for appropriate escalation and mitigation, making Option A the correct answer.