EC-Council Certified Incident Handler Exam

369 Questions and Answers

Practice test for EC-Council 212-89 Incident Handler certification

EC-Council Certified Incident Handler (212-89) Practice Exam

What is the EC-Council Certified Incident Handler (212-89) Exam?

The EC-Council Certified Incident Handler (ECIH) exam (212-89) is a globally recognized certification designed for cybersecurity professionals who specialize in managing and responding to security incidents. This exam validates your ability to identify, analyze, contain, eradicate, and recover from cybersecurity threats and incidents efficiently. It tests practical skills in incident handling methodologies, digital forensics, threat intelligence, and risk management.

What Will You Learn?

Preparing for the ECIH exam with Exam Sage will equip you with essential incident handling expertise, including:

  • Understanding incident response lifecycle and phases

  • Techniques for identifying and analyzing security incidents

  • Methods for containing and eradicating threats

  • Performing digital forensic investigations and evidence handling

  • Applying recovery strategies and post-incident activities

  • Implementing best practices in incident documentation and communication

  • Familiarity with regulatory compliance and legal considerations

Key Topics Covered:

  • Incident Response Planning and Preparation

  • Detection and Analysis of Security Incidents

  • Containment, Eradication, and Recovery Techniques

  • Digital Forensics Fundamentals

  • Malware Analysis and Threat Intelligence

  • Incident Handling Tools and Automation

  • Security Policies, Standards, and Compliance

  • Reporting and Documentation

Why Choose Exam Sage for Your ECIH Exam Preparation?

Exam Sage provides a comprehensive and up-to-date practice exam that mirrors the official EC-Council 212-89 test format. Our expertly crafted multiple-choice questions come with detailed explanations to deepen your understanding and help you master key concepts. With Exam Sage, you get:

  • Realistic practice tests that simulate the actual exam environment

  • In-depth answer explanations for effective learning

  • User-friendly interface accessible anytime, anywhere

  • Regularly updated questions to reflect current industry standards

  • Trusted by cybersecurity professionals worldwide

Whether you are an aspiring incident handler or a cybersecurity professional seeking to validate your skills, Exam Sage’s ECIH practice exam is your ultimate study companion for success.

Start your journey to becoming a certified incident handler today with Exam Sage — your trusted partner in cybersecurity exam preparation.

Sample Questions and Answers

1. Which phase of the incident handling process focuses on identifying the root cause of the incident?

A) Preparation
B) Identification
C) Containment
D) Eradication

Answer: D) Eradication
Explanation: The eradication phase aims to identify and eliminate the root cause of the incident to prevent recurrence.


2. What is the primary goal of the Preparation phase in incident handling?

A) To recover systems after an incident
B) To establish and train the incident response team and create policies
C) To detect malicious activities on the network
D) To report the incident to management

Answer: B) To establish and train the incident response team and create policies
Explanation: Preparation involves establishing policies, procedures, and training to ensure effective incident response readiness.


3. During the Identification phase, which of the following tools is most commonly used?

A) SIEM (Security Information and Event Management)
B) Vulnerability Scanner
C) Encryption Software
D) Backup Software

Answer: A) SIEM (Security Information and Event Management)
Explanation: SIEM tools aggregate and analyze security event data to detect potential incidents during the identification phase.


4. What is the first step in the Containment phase?

A) Notify law enforcement
B) Disconnect affected systems from the network
C) Eradicate malware
D) Perform a forensic analysis

Answer: B) Disconnect affected systems from the network
Explanation: Initial containment involves isolating affected systems to prevent the spread of the incident.


5. Which of the following is NOT a type of incident that an Incident Handler typically deals with?

A) Malware infection
B) Unauthorized access
C) Hardware failure due to wear and tear
D) Data breach

Answer: C) Hardware failure due to wear and tear
Explanation: Incident handling focuses on security incidents, not routine hardware failures.


6. What is the primary purpose of the Recovery phase?

A) To remove vulnerabilities from the system
B) To restore and validate system functionality after an incident
C) To monitor systems for new threats
D) To train staff on new policies

Answer: B) To restore and validate system functionality after an incident
Explanation: Recovery ensures that systems are securely restored to normal operations.


7. Which of the following is considered a preventive control in incident handling?

A) Incident detection systems
B) Firewalls and access controls
C) Incident response team formation
D) Evidence collection

Answer: B) Firewalls and access controls
Explanation: Preventive controls stop incidents before they occur by restricting access and filtering traffic.


8. What type of evidence is generally considered the most volatile during an incident?

A) Network logs
B) Memory (RAM)
C) Hard disk files
D) Archived backups

Answer: B) Memory (RAM)
Explanation: RAM contains transient data and is lost when a system is powered off, making it the most volatile form of evidence.


9. What is a “chain of custody” in incident handling?

A) The list of affected users in an incident
B) A formal process documenting the handling of evidence
C) The order in which incidents are handled
D) The network path data takes during an attack

Answer: B) A formal process documenting the handling of evidence
Explanation: Chain of custody ensures evidence integrity by documenting who collected, handled, or transferred evidence.


10. Which law enforcement agency is typically contacted in case of a cybercrime incident in the United States?

A) FBI
B) CIA
C) NSA
D) EPA

Answer: A) FBI
Explanation: The FBI handles cybercrime investigations within the U.S.


11. What is the main benefit of creating an incident response plan?

A) To avoid any security incidents altogether
B) To standardize the response process and reduce response time
C) To increase IT budget
D) To replace antivirus software

Answer: B) To standardize the response process and reduce response time
Explanation: An incident response plan helps ensure a consistent, efficient reaction to security incidents.


12. Which of the following is an example of an Advanced Persistent Threat (APT)?

A) A one-time phishing email
B) A state-sponsored, prolonged cyber-espionage campaign
C) A malware causing a DoS attack for a few hours
D) Random spam emails

Answer: B) A state-sponsored, prolonged cyber-espionage campaign
Explanation: APTs are highly sophisticated, long-term attacks often linked to nation-state actors.


13. During which incident response phase should lessons learned be documented?

A) Identification
B) Recovery
C) Post-Incident Activity
D) Containment

Answer: C) Post-Incident Activity
Explanation: Lessons learned help improve future responses by analyzing what went well or poorly.


14. What is the difference between a false positive and a false negative in incident detection?

A) False positive means a real threat detected; false negative means a non-threat detected
B) False positive means a non-threat is detected as a threat; false negative means a threat is not detected
C) False positive and false negative mean the same thing
D) False positive means detection failed; false negative means detection succeeded

Answer: B) False positive means a non-threat is detected as a threat; false negative means a threat is not detected
Explanation: False positives waste resources; false negatives allow threats to go unnoticed.


15. What is the purpose of applying the “least privilege” principle?

A) To minimize system uptime
B) To restrict user access to only what is necessary
C) To maximize user privileges for efficiency
D) To allow administrative rights to all users

Answer: B) To restrict user access to only what is necessary
Explanation: Limiting access reduces the attack surface and potential damage.


16. Which type of malware is designed to replicate itself and spread to other systems?

A) Trojan horse
B) Worm
C) Ransomware
D) Spyware

Answer: B) Worm
Explanation: Worms self-replicate and propagate across networks without user intervention.


17. What is the first step when an incident is detected?

A) Eradicate the threat
B) Inform upper management
C) Identify and confirm the incident
D) Restore systems

Answer: C) Identify and confirm the incident
Explanation: Confirming the incident ensures that resources are allocated appropriately.


18. What is the main objective of forensic analysis in incident handling?

A) To destroy the attacker’s infrastructure
B) To gather and preserve evidence for potential legal action
C) To immediately fix vulnerabilities
D) To monitor user activity

Answer: B) To gather and preserve evidence for potential legal action
Explanation: Forensics supports legal processes and helps understand attack details.


19. Which protocol is most commonly used for securely transferring files during incident response?

A) FTP
B) Telnet
C) SCP (Secure Copy Protocol)
D) HTTP

Answer: C) SCP (Secure Copy Protocol)
Explanation: SCP encrypts data during transfer, ensuring confidentiality and integrity.


20. What is a “kill chain” in cybersecurity?

A) A series of physical locks on a data center
B) The sequence of stages attackers follow to achieve their objectives
C) The process of removing malware
D) A type of firewall configuration

Answer: B) The sequence of stages attackers follow to achieve their objectives
Explanation: Understanding the kill chain helps defenders disrupt attacks effectively.


21. Which of the following is NOT a typical responsibility of an Incident Handler?

A) Detecting incidents
B) Developing malware
C) Containing incidents
D) Reporting incidents

Answer: B) Developing malware
Explanation: Incident Handlers respond to threats; they do not create malware.


22. What is the best approach to secure volatile evidence?

A) Power down the system immediately
B) Capture a memory dump before shutting down
C) Delete unnecessary files
D) Format the hard drive

Answer: B) Capture a memory dump before shutting down
Explanation: Capturing memory preserves volatile data critical for investigations.


23. Which method is most effective for preventing insider threats?

A) Regularly updating antivirus software
B) Implementing access controls and continuous monitoring
C) Conducting penetration tests
D) Disabling user accounts during business hours

Answer: B) Implementing access controls and continuous monitoring
Explanation: Insider threats are mitigated by strict access policies and monitoring.


24. What is the purpose of a sandbox in incident response?

A) To block network traffic
B) To safely analyze suspicious files or code in isolation
C) To store backups
D) To perform user training

Answer: B) To safely analyze suspicious files or code in isolation
Explanation: Sandboxes provide a controlled environment for malware analysis.


25. Which of the following is a key indicator of a phishing attack?

A) An unexpected email requesting confidential information
B) A scheduled system update notification
C) A backup completion alert
D) A message from the IT helpdesk

Answer: A) An unexpected email requesting confidential information
Explanation: Phishing attempts often use deceptive emails to trick users into disclosing data.


26. Which best describes a zero-day vulnerability?

A) A vulnerability publicly known for over a year
B) A vulnerability without any known patch or fix at the time of discovery
C) A vulnerability discovered and patched before exploitation
D) A vulnerability unrelated to software

Answer: B) A vulnerability without any known patch or fix at the time of discovery
Explanation: Zero-day vulnerabilities are unknown to vendors and pose high risk.


27. What does the term “pivoting” mean in penetration testing or incident response?

A) Switching from one attack method to another
B) Using a compromised system to attack other systems on the network
C) Blocking incoming network traffic
D) Restarting a compromised system

Answer: B) Using a compromised system to attack other systems on the network
Explanation: Pivoting allows attackers or responders to reach deeper network segments.


28. What is the primary purpose of a log management system in incident handling?

A) To prevent malware infections
B) To collect, store, and analyze log data for detecting and investigating incidents
C) To perform backups
D) To block network ports

Answer: B) To collect, store, and analyze log data for detecting and investigating incidents
Explanation: Logs provide crucial information for incident detection and analysis.


29. Which of the following best describes ransomware?

A) Software that monitors user behavior
B) Software that encrypts data and demands payment for decryption
C) Software that replicates itself
D) Software used for system backups

Answer: B) Software that encrypts data and demands payment for decryption
Explanation: Ransomware holds data hostage until the victim pays a ransom.


30. What should be included in an incident report?

A) Detailed description of the incident, timeline, impact, and actions taken
B) Only the system logs
C) Only the names of affected users
D) Only financial losses

Answer: A) Detailed description of the incident, timeline, impact, and actions taken
Explanation: A comprehensive incident report supports understanding, communication, and legal needs.


31. What type of backup strategy is best suited to quickly restore systems after an incident?

A) Full backup
B) Differential backup
C) Incremental backup
D) Snapshot backup

Answer: A) Full backup
Explanation: Full backups contain all data and allow for the quickest restoration, critical in incident recovery.


32. Which of the following is a characteristic of a Distributed Denial of Service (DDoS) attack?

A) Exploits software vulnerabilities silently
B) Overwhelms system resources with traffic from multiple sources
C) Installs ransomware on victim systems
D) Steals sensitive information without detection

Answer: B) Overwhelms system resources with traffic from multiple sources
Explanation: DDoS attacks flood targets with traffic from many compromised machines, causing service disruption.


33. What is the primary goal of digital forensics during incident handling?

A) To identify system administrators
B) To collect and analyze data to support legal or disciplinary actions
C) To remove malware from systems
D) To upgrade security tools

Answer: B) To collect and analyze data to support legal or disciplinary actions
Explanation: Forensics preserves evidence to ensure it’s admissible and useful in investigations.


34. Which document defines the roles and responsibilities of the Incident Response Team?

A) Service Level Agreement (SLA)
B) Incident Response Policy
C) Business Continuity Plan (BCP)
D) Network Architecture Diagram

Answer: B) Incident Response Policy
Explanation: The policy outlines team roles, responsibilities, and procedures for incident handling.


35. What is the difference between eradication and recovery phases?

A) Eradication removes the threat; recovery restores normal operations
B) Eradication restores operations; recovery removes the threat
C) Both are the same
D) Recovery includes policy creation; eradication does not

Answer: A) Eradication removes the threat; recovery restores normal operations
Explanation: Eradication focuses on removing the cause, while recovery focuses on system restoration.


36. What is a key advantage of network segmentation in incident containment?

A) It increases network speed
B) It limits the spread of an attack to isolated segments
C) It reduces hardware costs
D) It improves user authentication

Answer: B) It limits the spread of an attack to isolated segments
Explanation: Segmentation confines attackers to smaller network areas, minimizing damage.


37. What is the best practice for communicating with stakeholders during an incident?

A) Provide detailed technical jargon only
B) Share timely, accurate, and clear information tailored to the audience
C) Avoid communicating until the incident is fully resolved
D) Delegate all communication to external consultants

Answer: B) Share timely, accurate, and clear information tailored to the audience
Explanation: Effective communication builds trust and ensures coordinated response.


38. What does the acronym “IOC” stand for in incident handling?

A) Incident Operations Center
B) Indicator of Compromise
C) Internal Operations Command
D) Internet of Computers

Answer: B) Indicator of Compromise
Explanation: IOCs are signs or artifacts suggesting a system has been breached.


39. Which of the following is the MOST important factor when preserving digital evidence?

A) Encrypting the evidence
B) Maintaining the integrity and chain of custody
C) Compressing the evidence to save space
D) Sharing evidence with all employees

Answer: B) Maintaining the integrity and chain of custody
Explanation: Preserving integrity ensures the evidence is admissible and trustworthy.


40. Which type of attack exploits software bugs to execute arbitrary code remotely?

A) Cross-site scripting (XSS)
B) Remote Code Execution (RCE)
C) Man-in-the-middle
D) Brute force

Answer: B) Remote Code Execution (RCE)
Explanation: RCE allows attackers to run malicious code on the target system remotely.


41. What is the primary purpose of a honeypot in cybersecurity?

A) To increase network throughput
B) To lure attackers and analyze their tactics
C) To encrypt sensitive data
D) To back up important files

Answer: B) To lure attackers and analyze their tactics
Explanation: Honeypots serve as decoys to gather intelligence on attack methods.


42. During incident handling, when should evidence be collected?

A) Immediately after incident detection and confirmation
B) After systems are restored to normal
C) Only when requested by management
D) At the end of the investigation

Answer: A) Immediately after incident detection and confirmation
Explanation: Early evidence collection preserves volatile and relevant data before it is lost.


43. What is “pivoting” in the context of incident response?

A) Changing the incident response plan mid-way
B) Using a compromised host to access other systems within the network
C) Switching from one antivirus to another
D) Restoring backups after an incident

Answer: B) Using a compromised host to access other systems within the network
Explanation: Pivoting allows attackers or defenders to move laterally across the network.


44. Which protocol is commonly used for remote secure login?

A) Telnet
B) SSH (Secure Shell)
C) FTP
D) SMTP

Answer: B) SSH (Secure Shell)
Explanation: SSH encrypts remote login sessions, securing communications.


45. What is the key purpose of an Incident Response Retainer?

A) To permanently hire incident response staff
B) To have a contract with an external incident response team for rapid assistance
C) To purchase new hardware for incident handling
D) To conduct penetration testing regularly

Answer: B) To have a contract with an external incident response team for rapid assistance
Explanation: Retainers ensure expert support is quickly available when needed.


46. Which of the following is an example of a technical control?

A) Security policy
B) Firewall
C) Security awareness training
D) Risk assessment

Answer: B) Firewall
Explanation: Technical controls include hardware and software mechanisms that enforce security.


47. What does the term “pivot table” mean in incident reporting?

A) A summary table highlighting key incident metrics and trends
B) A tool for data encryption
C) A network segmentation method
D) A type of firewall configuration

Answer: A) A summary table highlighting key incident metrics and trends
Explanation: Pivot tables help visualize data for incident analysis.


48. Which of the following is considered a physical security control?

A) Antivirus software
B) CCTV surveillance
C) Password policies
D) Firewalls

Answer: B) CCTV surveillance
Explanation: Physical controls protect physical assets and restrict unauthorized access.


49. What is the best way to test the effectiveness of an Incident Response Plan?

A) Conduct tabletop exercises and simulation drills
B) Wait for a real incident
C) Review it annually without testing
D) Send the plan to all employees only

Answer: A) Conduct tabletop exercises and simulation drills
Explanation: Regular testing identifies gaps and ensures preparedness.


50. Which of the following is a reason to escalate an incident to management?

A) When the incident impacts critical business operations
B) For every minor malware alert
C) Only after the incident is resolved
D) When user complaints are received

Answer: A) When the incident impacts critical business operations
Explanation: Critical incidents require management awareness for strategic decisions.


51. What is the role of SIEM in incident handling?

A) It prevents malware infections
B) It collects and correlates security events to detect incidents
C) It backs up user data
D) It updates antivirus definitions

Answer: B) It collects and correlates security events to detect incidents
Explanation: SIEM systems help identify suspicious activity by analyzing logs from multiple sources.


52. What is meant by “time to detect” in incident response metrics?

A) The time taken to recover from an incident
B) The time elapsed from attack start to detection by the security team
C) The time spent writing the incident report
D) The duration of user training sessions

Answer: B) The time elapsed from attack start to detection by the security team
Explanation: Faster detection reduces damage and recovery costs.


53. Why is it important to isolate affected systems during containment?

A) To improve network speed
B) To prevent the attacker from spreading to other systems
C) To back up user data
D) To reduce electricity consumption

Answer: B) To prevent the attacker from spreading to other systems
Explanation: Isolation limits attacker movement and damage within the network.


54. Which tool is best suited for analyzing network traffic during an incident?

A) Wireshark
B) Notepad
C) Word processor
D) Antivirus software

Answer: A) Wireshark
Explanation: Wireshark captures and analyzes network packets to identify anomalies.


55. What is the main difference between qualitative and quantitative risk assessments?

A) Qualitative assigns numerical values; quantitative uses descriptive categories
B) Quantitative assigns numerical values; qualitative uses descriptive categories
C) Both are the same
D) Quantitative is only used for financial risks

Answer: B) Quantitative assigns numerical values; qualitative uses descriptive categories
Explanation: Quantitative assessments use numbers, while qualitative assessments rely on subjective judgments.


56. Which of the following best describes an Incident Handler’s priority?

A) Minimizing damage, protecting data, and restoring operations
B) Maximizing user privileges
C) Disabling all security controls
D) Ignoring incidents unless critical

Answer: A) Minimizing damage, protecting data, and restoring operations
Explanation: The primary role is to contain damage and resume normal business.


57. What is the importance of “evidence integrity” during forensic investigations?

A) Ensuring evidence is only handled by one person
B) Preventing unauthorized modification or tampering with evidence
C) Encrypting evidence files only
D) Sharing evidence immediately

Answer: B) Preventing unauthorized modification or tampering with evidence
Explanation: Integrity ensures evidence is trustworthy for legal proceedings.


58. What is the primary function of a firewall in incident prevention?

A) Blocking unauthorized network traffic
B) Encrypting emails
C) Managing user passwords
D) Backing up data

Answer: A) Blocking unauthorized network traffic
Explanation: Firewalls filter traffic based on rules to prevent attacks.


59. What is the significance of “log correlation” in security monitoring?

A) It compresses log files
B) It identifies patterns across multiple logs to detect complex attacks
C) It deletes irrelevant logs
D) It stores logs offline only

Answer: B) It identifies patterns across multiple logs to detect complex attacks
Explanation: Correlation helps reveal coordinated attack activities.


60. What is the most important action after completing an incident response?

A) Documenting lessons learned and updating response plans
B) Ignoring the incident
C) Immediately firing employees involved
D) Restarting all systems

Answer: A) Documenting lessons learned and updating response plans
Explanation: Reviewing incidents improves preparedness for future events.