ECCouncil Updated 212-89 Exam Questions and Answers by dalton

Comprehensive and Detailed Explanation (ECIH-aligned):

The ECIH Risk Assessment and Recovery module stresses that recovery must not reintroduce threats. When backups may be compromised, validating their integrity is critical.

Option A is correct because scanning backups with updated signatures and heuristic analysis ensures that latent malware is detected before restoration. ECIH emphasizes that restoring infected backups can trigger reinfection and negate eradication efforts.

Option D is excessive and disruptive. Option B is a containment control, not a recovery safeguard. Option C risks reintroducing compromised data.

Therefore, validating backups before restoration is the priority recovery action.

During the incident handling and response (IH&R) process, the stage of "Evidence gathering and forensics analysis" involves the collection of evidence, forensic analysis, and detailed investigation to uncover the root cause of the incident. This stage is crucial for understanding how the incident occurred, identifying the threat actors involved, the methods they used (threat vectors), and the extent of the impact. By analyzing evidence, incident responders can reconstruct the sequence of events, identify the vulnerabilities exploited, and determine the scope of the incident. This information is vital for resolving the incident effectively and taking steps to prevent future occurrences.

Comprehensive and Detailed Explanation (ECIH-aligned):

This incident indicates credential compromise, a common cloud security issue addressed in the ECIH Cloud Incident Handling module. When credentials are suspected to be compromised, the immediate priority is to stop unauthorized access and determine the scope of misuse.

Option B is correct because resetting the compromised credentials immediately cuts off the attacker’s access. Reviewing recent access logs allows responders to validate what actions were taken, which data was accessed, and whether additional accounts were affected. ECIH emphasizes immediate credential revocation as a first-response action in identity-based cloud incidents.

Option D (enabling MFA) is a critical hardening measure but does not immediately revoke compromised credentials. Option A is a recovery step that may not stop ongoing access. Option C may be necessary later but should not delay immediate containment.

Therefore, resetting credentials and reviewing logs is the most effective first action, fully aligned with ECIH guidance.

Thenetstat -abcommand is useful in Windows operating systems for displaying all connections and listening ports, along with the executable involved in creating each connection or listening port. This can be particularly valuable for an incident responder like James when attempting to determine which processes are running on a system and how they are communicating over the network. This information can help identify malicious processes, unauthorized connections, or other signs of compromise on the system. Whilenetstat -abdoes not exclusively list executable files for running processes, it ties processes to network activity, which is a critical part of collecting volatile information during a cybersecurity incident investigation.