ECCouncil Updated 212-89 Exam Questions and Answers by olly

When a corporate network's servers are sending huge amounts of traffic to a specific website, as detected by the network's Intrusion Prevention System (IPS), this behavior is indicative of a Botnet attack. A Botnet is a network of compromised computers, often referred to as "bots," that are controlled remotely by an attacker, typically without the knowledge of the owners of the computers. The attacker can command these bots to execute distributed denial-of-service (DDoS) attacks, send spam, or conduct other malicious activities. In this scenario, the servers behaving as bots and targeting a website with large volumes of traffic suggests that they have been co-opted into a Botnet to potentially perform a DDoS attack on the website abc.xyz.

This incident involves malware actively impacting medical devices, posing patient safety risks. According to ECIH malware incident handling principles, the first priority is containment and eradication at the endpoint level.

Option D is correct because deploying endpoint protection directly detects and halts malware execution on the MRI machines, stopping both manipulation of results and further malicious activity. Endpoint containment is essential before network-level or recovery actions.

Option B addresses communication but does not stop local manipulation. Option C alters system state without containment. Option A is a regulatory step that follows validation.

ECIH emphasizes that in critical infrastructure and healthcare environments, immediate endpoint containment is essential to protect safety and data integrity.

The EC-Council Incident Handler (ECIH) curriculum identifies email spoofing as a common technique in business email compromise (BEC) attacks. Attackers exploit weak or misconfigured DNS-based email authentication controls to forge sender identities.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are DNS-based mechanisms that validate legitimate email senders and prevent spoofing. Proper configuration ensures that receiving mail servers can verify message authenticity and reject forged communications.

In this scenario, unsecured DNS entries enabled identity relay spoofing. Strengthening SPF, DKIM, and DMARC directly addresses the root cause and prevents recurring forged message injections. This is a clear eradication measure aimed at eliminating the exploitation pathway.

Options A and B relate to review and analysis phases. Option C supports threat intelligence sharing but does not remediate the internal DNS weakness.

Therefore, strengthening SPF, DKIM, and DMARC configurations is the appropriate eradication strategy.

The EC-Council Incident Handler (ECIH) curriculum classifies social engineering as a human-based attack technique that manipulates individuals into disclosing confidential information without exploiting technical vulnerabilities. In this scenario, the attackers first gathered publicly available information—also known as Open-Source Intelligence (OSINT)—by mining executive digital footprints, analyzing online publications, and reviewing external mentions. This reconnaissance phase aligns directly with OSINT-based profiling.

The adversaries then conducted scripted interviews under fabricated personas to extract additional identifiers. This behavior is characteristic of pretexting, a specific social engineering technique where attackers create a false scenario to persuade victims to provide sensitive information. ECIH explains that pretexting often involves impersonation and carefully constructed narratives to build credibility and trust.

The absence of malware infection or system-level compromise further confirms that this was not a technical exploit such as phishing with malicious macros (Option A) or pharming (Option C). Additionally, skimming (Option D) is a physical data theft technique unrelated to executive impersonation or digital profiling.

ECIH emphasizes that insider threat and financial fraud investigations frequently reveal social engineering campaigns leveraging OSINT, impersonation, and psychological manipulation rather than malware. Preventive controls include executive awareness training, strict identity verification for financial change requests, multi-factor authentication, and callback verification procedures.

Therefore, the technique that best aligns with the adversary’s method is social engineering using open-source intelligence followed by pretexting.