ECCouncil Updated 212-89 Exam Questions and Answers by andreas

Eradication is the step in the incident handling and response process where the root cause of an incident is removed, and measures are taken to close all attack vectors to prevent similar incidents in the future. After an incident has been properly contained to stop it from spreading or causing further damage, the eradication phase focuses on eliminating the source of the incident. This could involve removing malware, closing vulnerabilities, or implementing stronger security measures to address the exploitation paths used by the attacker.

In the scenario with Raven, notifying service providers and developers of affected resources is part of the actions taken to address the root cause of the incident. This ensures that any vulnerabilities or issues that contributed to the incident are fixed. By working to remove the root cause and secure the system against similar attacks, Raven is effectively implementing the eradication step of the incident handling process.

For memory dump analysis, tools like Scylla and OllyDumpEx are more suited. These tools are designed to analyze and extract information from memory dumps, which can be crucial for understanding the state of a system at the time of an incident. Scylla is used for reconstructing imports in dumped binaries, while OllyDumpEx is an OllyDbg plugin used for dumping process memory. Both tools are valuable for incident handlers like Rinni who are performing memory dump analysis to uncover evidence or understand the behavior of malicious software.

The described attack is a "Watering hole" attack. This type of attack targets specific groups of users by infecting websites they are known to frequently visit. The attacker first identifies websites that are popular with the target group, then finds vulnerabilities in those websites to inject malicious code. When the victims visit the compromised site, the code redirects them to other sites or automatically downloads malware onto their machines. This attack leverages the trust users have in regularly visited sites to distribute malware. Unlike obfuscation application, directory traversal, or cookie/session poisoning attacks, watering hole attacks specifically aim to compromise a commonly used and trusted website to target its users.

Comprehensive and Detailed Explanation (ECIH-aligned):

This scenario involves an active malware incident affecting content integrity, which directly impacts public trust and organizational credibility. According to the ECIH malware response lifecycle, the first priority is containment, not correction or recovery.

Option B is correct because network segregation and isolation prevent the malware from continuing to spread, communicating with command-and-control infrastructure, or further manipulating content. Containment stabilizes the environment and preserves evidence for forensic analysis.

Option C focuses on correction rather than stopping the attack and may allow malware persistence. Option D risks restoring infected components and destroying forensic artifacts. Option A is a communication decision that should follow containment and validation.

ECIH explicitly warns against performing remediation or rollback actions before containment, as doing so may worsen impact or obscure root cause analysis. Isolating compromised systems is therefore the correct immediate response.