ECCouncil Updated 312-50v13 Exam Questions and Answers by osman

The correct answer is C because network segmentation most directly disrupts the spread of ransomware across an organization. Ransomware encrypts or locks systems and demands payment for recovery; examples such as WannaCry are commonly discussed because they spread through vulnerable systems and network services. In the retrieved CEH-aligned material, WannaCry spread via SMB by scanning from an infected computer for other vulnerable systems and then executing against the next machine. Network segmentation reduces this risk by dividing the network into separate zones or VLANs and restricting unnecessary east-west communication between departments, servers, workstations, and critical systems. If one endpoint is infected, segmentation can prevent the malware from reaching file servers, domain controllers, backups, and other endpoints. Backups are extremely important for recovery, but they do not stop spread. IDS may detect suspicious activity, and AV may block known malware, but segmentation is the defense that most directly limits ransomware propagation.

Covert channel communication is one of the most sophisticated evasion techniques described in CEH v13 Evasion Techniques. By embedding malicious data within unused or rarely inspected protocol fields (such as IP headers), attackers can bypass firewalls, IDS, and IPS systems entirely.

Unlike polymorphic malware (Option C), which can still be detected using behavior analysis, covert channels blend seamlessly into legitimate traffic. Packet fragmentation (Option D) is well-known and often mitigated. Honeypot spoofing (Option B) is rare and defensive in nature.

CEH v13 emphasizes that covert channels are difficult because:

They do not violate protocol specifications

They evade signature-based and stateful inspection

They appear as normal traffic

Detecting covert channels often requires deep protocol analysis and statistical traffic inspection, making them extremely challenging to mitigate.

Thus, Option A is the correct answer.

An HTTP GET POST attack is the most likely answer because the key indicator in the scenario is the measurement unit and behavior: 398 million requests per second. In CEH-aligned DoS and DDoS coverage, volumetric network-layer attacks like SYN floods are typically discussed in packets per second or bits per second, and they primarily exhaust connection tables or bandwidth at Layer 3 and Layer 4. By contrast, an HTTP flood targets Layer 7 and is commonly measured in requests per second because the attacker is sending large volumes of seemingly valid web requests. This overwhelms web servers, application stacks, and upstream components such as reverse proxies, load balancers, and API gateways, leading to degraded performance and dropped sessions, exactly as described when “active connections drop unexpectedly.”

The mention of “customer-facing platforms” and “numerous compromised devices” also matches typical botnet-driven application-layer flooding, where many distributed sources generate massive HTTP request rates to evade simple IP-based blocking. A TCP SACK panic attack is a vulnerability-triggered crash condition related to TCP handling, not a request-rate spike scenario. An RST attack involves sending TCP reset packets to tear down sessions, which would not normally present as an extreme requests-per-second event in server logs.

Therefore, the evidence most strongly supports an application-layer DDoS: an HTTP GET POST flood designed to exhaust server and application resources and cause intermittent service disruption.

According to CEH v13 Mobile, IoT, and OT Hacking, Advanced Persistent Threat (APT) groups prioritize stealth, persistence, and long-term control. In IoT environments, the most attractive and effective entry point is firmware-level zero-day vulnerabilities.

IoT devices often:

Run outdated or proprietary firmware

Lack regular patching mechanisms

Operate with high privileges

Have minimal monitoring

Exploiting a zero-day vulnerability in firmware allows attackers to gain deep, persistent access that survives reboots and avoids traditional security controls. This aligns directly with APT objectives.

Credential theft (Option B) is common but less reliable for IoT systems. Encrypted MitM (Option C) is complex and less persistent. DDoS (Option D) disrupts services but does not provide control.

CEH v13 explicitly identifies firmware exploitation as the primary APT vector in IoT and OT environments. Therefore, Option A is correct.