ECCouncil Updated 312-50v13 Exam Questions and Answers by reina

Reconnaissance is the correct phase because the scenario explicitly states Sarah starts by gathering publicly available information about employees and infrastructure. In the Cyber Kill Chain, reconnaissance is the first phase where an attacker collects intelligence to understand the target and identify the most effective paths for compromise. In CEH-aligned methodology, this includes open-source intelligence activities such as discovering employee names, roles, emails, technology stack clues, exposed services, and organizational patterns that help craft realistic and convincing attack lures.

The question mentions that Sarah plans to craft a mock phishing email and later deploy a harmless payload. Those actions map to later kill chain phases: delivery is when the phishing email or malicious link is sent to the target, and exploitation is when a vulnerability is triggered to execute code or gain access. Weaponization is the step where an attacker prepares the malicious artifact, such as packaging an exploit with a payload or preparing a document or link to deliver. However, the key wording is that Sarah “begins” by collecting public information and is asked which phase she should prioritize to simulate the adversary’s approach effectively. That is reconnaissance, because effective phishing and subsequent steps depend on accurate target profiling, believable pretexts, and identifying likely weak points based on what is learned during intelligence gathering.

Therefore, to match the described starting point and the kill chain sequence, the prioritized phase is Reconnaissance.

OSINT-based reconnaissance includes using search engines to identify publicly exposed cloud assets. CEH highlights Google dorking as a passive method to reveal S3 buckets indexed in search engines through patterns such as site:s3.amazonaws.com or keyword-based queries.

In CEH-aligned cloud security discussions, protecting data across its lifecycle is a primary requirement, and a major risk area is how data moves between clients, applications, and cloud services. The scenario states the exposure occurred because there was no encryption during transmission between user devices and cloud storage. That maps directly to the Service and Data Integration risk area because it focuses on the security controls applied when cloud services exchange data with users and with other services, including secure communication channels, API protection, and proper cryptographic enforcement for data in transit.

When data is transmitted without TLS or with weak or misconfigured TLS, it becomes vulnerable to interception and manipulation through man in the middle attacks, traffic sniffing, SSL stripping, or downgrade attacks. In regulated environments such as healthcare, HIPAA expectations strongly align with implementing strong encryption in transit and ensuring secure session establishment, certificate validation, and modern cipher suites. This is not primarily a multi tenancy or physical security issue, which relates to isolation between tenants and the provider’s datacenter controls. It is also not primarily an incident analysis and forensic support issue, which concerns detection, logging, evidence collection, and investigative capability after events occur. Infrastructure security is broader and can include network protections, but the question is specifically about preventing exposure during transmission, which is most precisely addressed by service and data integration controls.

Correct remediation typically includes enforcing HTTPS with modern TLS, enabling HSTS, disabling legacy protocols and weak ciphers, ensuring correct certificate management, using mutual TLS where appropriate, and securing cloud storage access through authenticated, encrypted endpoints and properly secured APIs.

White-hat hackers perform security assessments with authorization. CEH defines ethical hacking as legal, structured testing of network defenses with the goal of improving security rather than causing harm.