EC-Council Intermediate

212-89v3

ECIH v3 - EC-Council Certified Incident Handler

The EC-Council Certified Incident Handler (ECIH) v3 validates expertise in handling and responding to security incidents in a systematic way. This certification covers the entire incident handling lifecycle from preparation and detection through containment, eradication, recovery, and post-incident activities. ECIH focuses on practical, hands-on incident response skills required in today's threat landscape.

The exam covers five domains: Incident Handling and Response Process (NIST, SANS frameworks, incident classification, severity assessment), Forensic Readiness and First Response (evidence collection, chain of custody, first responder procedures), Handling and Responding to Malware Incidents (malware analysis, ransomware response, APT investigation), Handling Network Security Incidents (network intrusion response, DDoS mitigation, insider threat detection), and Handling Web Application and Cloud Security Incidents (web attack response, cloud breach investigation, container security incidents).

This certification is ideal for incident handlers, incident responders, SOC analysts, security analysts, forensic investigators, threat hunters, and cybersecurity professionals responsible for detecting, analyzing, and responding to security incidents. ECIH prepares professionals to work effectively in incident response teams and security operations centers, using industry-standard tools and methodologies to minimize damage and recovery time.

Updated Aug 2023 Cybersecurity

100

Questions

Practice Tests

70%

Pass Score

Views

Total Attempts

Avg. Score

Pass Rate

Discussions

Practice Tests Flash Cards Exam Topics Cheat Sheet

€5.00

ECIH v3 Practice Exam 1

Comprehensive 50-question practice exam covering incident handling and response processes, forensic readiness, malware incident handling, network security incidents, and web application and cloud security incidents for the EC-Council Certified Incident Handler certification.

50 Q 90 minutes 70%

Test Drive

€5.00

ECIH v3 Practice Exam 2

Comprehensive 50-question practice exam covering SANS IR methodology, severity assessment, volatile data acquisition, forensic imaging, malware containment, DDoS response, web application attack handling, cloud security investigation, APT response strategies, and lessons learned processes for the EC-Council Certified Incident Handler certification.

50 Q 90 minutes 70%

Test Drive

€5.00

ECIH v3 Practice Exam 3

Advanced 50-question practice exam covering threat intelligence-driven incident response, SOAR automation, cloud-native IR, supply chain compromise handling, IoT security incidents, business email compromise, cryptojacking, DNS-based attacks, insider threat case studies, and regulatory breach notification for the EC-Council Certified Incident Handler certification.

50 Q 90 minutes 70%

Test Drive

€5.00

ECIH v3 Practice Exam 4

Advanced 50-question practice exam covering ransomware negotiation and recovery, APT campaign investigation, zero-day exploit response, container and Kubernetes incidents, CI/CD pipeline compromise, social engineering campaign response, data exfiltration detection, ICS/SCADA incident handling, mobile device compromise, and cross-border incident coordination for the EC-Council Certified Incident Handler certification.

50 Q 90 minutes 70%

Test Drive

€5.00

ECIH v3 Practice Exam 5

Advanced 50-question practice exam focusing on purple team exercises, IR maturity assessment, legal compliance in incident response, advanced malware reverse engineering, encrypted traffic analysis, third-party breach management, healthcare HIPAA incidents, financial PCI-DSS incidents, IR tool evaluation, and AI-enhanced threat detection for the EC-Council Certified Incident Handler certification.

50 Q 90 minutes 70%

Test Drive

€5.00

ECIH v3 Practice Exam 6

Final comprehensive 50-question practice exam covering multi-vector attack response, IR program building, advanced forensic techniques, incident communication strategies, IR metrics and reporting, emerging threat landscape, disaster recovery integration, and career development for the EC-Council Certified Incident Handler certification.

50 Q 90 minutes 70%

Test Drive

Unlock All Content for 212-89v3

6 Practice Test(s) + Flash Cards — 3 months access

€39.99 €26.99 Save 30%

or included with Monthly subscription / Content Bundle

212-89v3 Cheat Sheet

Quick reference guide - 6 sections

Free Access

ECIH v3 (212-89v3) Exam Details

Detail	Value
Exam Code	212-89v3
Full Name	EC-Council Certified Incident Handler v3
Duration	3 hours (180 minutes)
Number of Questions	100 multiple-choice questions
Passing Score	70%
Exam Provider	EC-Council (ECC Exam Portal)
Delivery	Online proctored or ECC exam center
Prerequisites	None required (ECIH training recommended)

Domain Weight Breakdown

Domain	Weight
1. Incident Handling & Response Process	~25%
2. Forensic Readiness & First Response	~15%
3. Handling Malware Incidents	~15%
4. Handling Email & Network Incidents	~15%
5. Handling Web & Cloud Incidents	~15%
6. Handling Insider Threats & Recovery	~15%

About the ECIH Certification

The EC-Council Certified Incident Handler (ECIH) v3 certification validates a professional's ability to detect, respond to, and manage security incidents in an organization. It covers the entire incident handling and response lifecycle from preparation through lessons learned. The ECIH is designed for incident handlers, risk assessment administrators, penetration testers, cyber forensic investigators, vulnerability assessment auditors, system administrators, SOC analysts, and anyone involved in incident handling and response. The certification aligns with NIST SP 800-61, SANS, and CREST frameworks and emphasizes both technical and procedural aspects of incident response.

Tip: Focus heavily on the incident handling process phases and how to handle different incident types. At least 60% of exam questions involve scenario-based application of IR procedures and specific incident handling techniques.

What Is an Incident?

A security event is any observable occurrence in a system or network. A security incident is an event that violates security policies, acceptable use policies, or standard security practices, and that actually or potentially jeopardizes the confidentiality, integrity, or availability of information or systems. Not every event is an incident, but every incident begins as an event.

NIST SP 800-61 Incident Response Lifecycle

The NIST Computer Security Incident Handling Guide defines a four-phase lifecycle that is iterative and cyclical:

Phase	Key Activities
1. Preparation	Establish IR team, develop policies and procedures, deploy security tools (IDS/IPS, SIEM, firewalls), conduct training and exercises, prepare communication plans, build jump bags and forensic toolkits
2. Detection & Analysis	Monitor alerts from IDS/SIEM/AV/logs, identify indicators of compromise (IoCs), determine incident scope and impact, correlate events, prioritize by severity, document findings, notify appropriate personnel
3. Containment, Eradication & Recovery	Short-term containment (isolate affected systems), evidence preservation, long-term containment (apply patches, harden), eradicate root cause (remove malware, close vulnerabilities), restore systems, verify integrity, monitor for re-infection
4. Post-Incident Activity	Conduct lessons learned meetings, update IR plans and procedures, document incident timeline, calculate impact and cost, retain evidence per policy, improve detection capabilities

SANS Incident Response 6-Step Process (PICERL)

Step	Phase	Description
1	Preparation	Policies, tools, team assembly, training
2	Identification	Detect and determine if an event is an incident
3	Containment	Limit damage and prevent further spread
4	Eradication	Remove the root cause of the incident
5	Recovery	Restore systems to normal operations
6	Lessons Learned	Document findings and improve processes

Tip: Memorize the mnemonic PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Know the difference between NIST (4 phases) and SANS (6 steps) -- NIST combines Containment/Eradication/Recovery into one phase.

Incident Classification & Severity Levels

Severity	Impact	Response Time	Example
Critical (P1)	Complete system compromise, data breach, business-critical system down	Immediate (15-30 min)	Ransomware outbreak, active APT intrusion, mass data exfiltration
High (P2)	Significant damage potential, sensitive data at risk	Within 1 hour	Compromised admin account, active malware on server, DDoS on critical service
Medium (P3)	Limited impact, non-critical systems affected	Within 4 hours	Phishing campaign targeting users, malware on isolated workstation, unauthorized access attempt
Low (P4)	Minimal impact, informational	Within 24 hours	Policy violation, failed login attempts, suspicious but unconfirmed activity

Incident Response Team (IRT / CSIRT) Roles

Role	Responsibility
Incident Manager / Lead	Oversees the entire incident response process, coordinates team activities, makes escalation decisions, communicates with management
Triage Analyst	Initial assessment of alerts, determines if an event is a true incident, classifies severity, routes to appropriate handlers
Incident Handler / Responder	Performs technical analysis, containment, eradication, and recovery actions on affected systems
Forensic Analyst	Collects and preserves digital evidence, conducts forensic examination, maintains chain of custody
Threat Intelligence Analyst	Researches threat actors, IoCs, TTPs; provides context to help identify attacker methods and motives
Communications Lead	Manages internal and external communications, handles media inquiries, coordinates legal and regulatory notifications
Legal Counsel	Advises on regulatory compliance, breach notification requirements, evidence handling, law enforcement coordination

Essential IR Policies & Procedures

Incident Response Policy: High-level document defining what constitutes an incident, management commitment, authority of the IR team, and reporting requirements
Incident Response Plan: Detailed procedures for each IR phase, escalation paths, contact lists, communication templates, severity definitions
Acceptable Use Policy (AUP): Defines acceptable behavior for users on organizational systems, provides basis for identifying policy violations
Disaster Recovery Plan (DRP): Procedures for restoring IT systems and data after a major incident or disaster
Business Continuity Plan (BCP): Ensures critical business functions continue during and after a disaster
Escalation Procedures: Define when and how to escalate incidents from Tier 1 to Tier 2/3, and when to involve management or external parties

Tip: Know the difference between CSIRT (Computer Security Incident Response Team), CERT (Computer Emergency Response Team), and SOC (Security Operations Center). A SOC monitors and detects; a CSIRT/CERT responds to confirmed incidents.

Phase 1: Preparation

Preparation is the most critical phase and occurs before any incident. It establishes the foundation for effective incident response:

Build the IR Team: Define roles, responsibilities, and authority. Ensure 24/7 coverage and establish on-call rotations
Develop IR Plan: Document step-by-step procedures, escalation criteria, communication plans, and contact information
Deploy Security Tools: IDS/IPS, SIEM, EDR, firewalls, anti-malware, network monitoring, log aggregation
Prepare Jump Bag: Forensic laptop, write blockers, blank media, cables, bootable USB drives, documentation forms, chain of custody forms
Conduct Exercises: Tabletop exercises, red team/blue team drills, incident simulations to test readiness
Establish Baselines: Document normal network behavior, system configurations, and user activity patterns for anomaly detection

Phase 2: Detection & Identification

Determine whether a security event is actually an incident and assess its scope:

Detection Source	Examples
Network-Based	IDS/IPS alerts, firewall logs, NetFlow anomalies, DNS query anomalies, packet captures
Host-Based	EDR alerts, antivirus detections, OS event logs, file integrity monitoring, process anomalies
Application-Based	Web application firewall (WAF) logs, authentication failures, database audit logs, application error logs
User Reports	Help desk tickets, phishing email reports, unusual behavior observations, system performance complaints
Threat Intelligence	IoC feeds, vulnerability disclosures, industry alerts (ISACs), dark web monitoring

Common Indicators of Compromise (IoCs)

Unusual outbound network traffic (beaconing to C2 servers at regular intervals)
Anomalous privileged user account activity (off-hours access, access to unusual resources)
Geographic login irregularities (impossible travel, logins from unusual countries)
Unexpected system configuration changes (new scheduled tasks, modified startup items, registry changes)
Large volumes of data transferred to external destinations (data exfiltration)
Unusual DNS requests (DNS tunneling, requests to known malicious domains, high query volume)
Unexpected software or processes running (unknown services, renamed system utilities)
Multiple failed login attempts followed by a success (brute force or credential stuffing)
Files with mismatched extensions (e.g., .pdf.exe) or unexpected hash values

Phase 3: Containment

Type	Goal	Actions
Short-Term Containment	Stop the bleeding immediately	Isolate affected systems from network, disable compromised accounts, block malicious IPs/domains at firewall, create forensic images BEFORE changes
Long-Term Containment	Allow business operations while preparing for eradication	Apply temporary fixes, patch vulnerabilities, strengthen access controls, set up enhanced monitoring on affected segments, implement network segmentation

Tip: Always capture a forensic image of affected systems BEFORE performing containment actions that might alter evidence. The order is: image first, then isolate.

Phase 4: Eradication

Remove malware, backdoors, rootkits, and any attacker-planted tools from all affected systems
Identify and close the root cause vulnerability (patch, configuration change, access removal)
Reset compromised credentials and revoke unauthorized certificates or tokens
Rebuild compromised systems from known-good images or backups if needed
Scan all systems with updated signatures to verify complete removal
Verify Active Directory integrity if domain compromise is suspected

Phase 5: Recovery

Restore systems from clean backups in a phased approach (most critical first)
Rebuild systems from trusted media if backups are suspect
Test and validate restored systems before returning to production
Implement enhanced monitoring on recovered systems for 30-90 days
Gradually return systems to production with careful observation
Verify business operations are functioning normally

Phase 6: Lessons Learned (Post-Incident Activity)

Post-Incident Review Meeting: Conduct within 1-2 weeks of incident closure with all stakeholders
Timeline Documentation: Create detailed chronological record of events, decisions, and actions taken
Root Cause Analysis: Determine exactly how the incident occurred and what defenses failed
Gap Analysis: Identify weaknesses in detection, response, and recovery processes
Recommendations: Document specific improvements to policies, procedures, tools, and training
Metrics: Record time to detect, time to contain, time to recover, total cost, and business impact
Evidence Retention: Securely archive all evidence and documentation per retention policies (typically 3-7 years)

Tip: The lessons learned phase is often the most neglected but is essential for continuous improvement. NIST emphasizes that this phase feeds back into Preparation, making the lifecycle iterative.

Malware Incident Handling

Malware Type	Characteristics	Key Indicators
Ransomware	Encrypts files and demands payment for decryption key	Ransom note files, encrypted file extensions (.locked, .crypt), shadow copy deletion, unusual encryption process activity
Trojan	Disguised as legitimate software, provides backdoor access	Unexpected outbound connections, new listening ports, unknown processes, suspicious downloaded executables
Worm	Self-replicating, spreads without user interaction	Rapid spread across network, high bandwidth usage, multiple systems showing same symptoms simultaneously
Rootkit	Hides deep in OS, provides persistent privileged access	Discrepancies between raw disk reads and OS file listings, hidden processes, modified system binaries
Fileless Malware	Operates entirely in memory, no files written to disk	Suspicious PowerShell/WMI activity, abnormal process injection, registry-based persistence

Malware IR Steps: 1) Identify infected systems via AV/EDR alerts, 2) Isolate from network immediately, 3) Capture memory dump and disk image, 4) Analyze malware sample in sandbox, 5) Determine C2 infrastructure and block at perimeter, 6) Scan all systems with updated IoCs, 7) Remove malware and rebuild if necessary, 8) Monitor for re-infection.

Email Security Incident Handling

Email Attack Type	Description	Response Actions
Phishing	Mass emails impersonating trusted entities to steal credentials or deliver malware	Block sender domain, purge from all mailboxes, check who clicked, reset credentials of affected users
Spear Phishing	Targeted phishing aimed at specific individuals using personalized content	Analyze email headers for true origin, investigate if part of larger campaign, enhance email filtering rules
Business Email Compromise (BEC)	Impersonation of executives to authorize fraudulent wire transfers	Contact financial institution immediately, preserve emails, check for compromised accounts, implement DMARC/DKIM/SPF
Malicious Attachments	Weaponized documents (macros, exploits) or executables disguised as documents	Detonate in sandbox, extract IoCs, block hashes at email gateway, scan endpoints for payload execution

Tip: Analyze email headers thoroughly -- check Return-Path, Received headers, SPF/DKIM/DMARC results, and X-Originating-IP to trace the true source of phishing emails.

Network Attack Incident Handling (DoS/DDoS)

DDoS Type	Layer	Examples	Mitigation
Volumetric	Layer 3/4	UDP flood, ICMP flood, DNS amplification, NTP amplification	Upstream filtering, blackhole routing, CDN/DDoS protection services
Protocol	Layer 3/4	SYN flood, Ping of Death, Smurf attack, fragmented packets	SYN cookies, rate limiting, ingress filtering, anti-spoofing
Application	Layer 7	HTTP flood, Slowloris, slow POST, DNS query flood	WAF rules, CAPTCHA, rate limiting per session, behavioral analysis

Web Application Attack Handling

SQL Injection: Detect via WAF logs and database audit logs showing anomalous queries. Contain by blocking source IP, patching vulnerable code, using parameterized queries
Cross-Site Scripting (XSS): Identify via injected scripts in application input fields. Remove injected content, implement input validation and output encoding, deploy Content Security Policy (CSP) headers
Remote Code Execution (RCE): Critical severity -- immediately isolate the web server, capture forensic image, identify the exploited vulnerability, patch or take offline
Web Defacement: Restore from known-good backup, identify entry point, preserve defaced pages as evidence, patch vulnerability, implement file integrity monitoring

Insider Threat Handling

Insider Type	Motivation	Indicators
Malicious Insider	Financial gain, revenge, espionage	Accessing data outside job scope, copying large data volumes, working unusual hours, disgruntlement
Negligent Insider	Carelessness, lack of awareness	Circumventing security controls, using unauthorized devices, falling for phishing, mishandling data
Compromised Insider	Account taken over by external actor	Unusual login patterns, impossible travel, activity outside normal behavior baseline

Insider Threat IR: Coordinate with HR and Legal from the start. Use DLP (Data Loss Prevention) and UEBA (User and Entity Behavior Analytics) to gather evidence. Do not alert the suspect prematurely. Preserve evidence for potential legal proceedings.

Cloud Security Incident Handling

Shared Responsibility: Cloud provider secures infrastructure (physical, hypervisor); customer secures data, access, applications, and configurations
Common Cloud Incidents: Misconfigured storage buckets (public S3/Blob), excessive IAM permissions, exposed API keys, unauthorized resource provisioning (cryptojacking)
Cloud IR Challenges: Limited access to infrastructure logs, dynamic IP addresses, ephemeral resources (containers, serverless), multi-tenant environment, cross-jurisdiction data
Cloud IR Steps: Enable comprehensive logging (CloudTrail, Azure Monitor), snapshot affected VMs before termination, review IAM policies, check for unauthorized resource creation, coordinate with cloud provider

Tip: For every incident type, remember the pattern: Detect indicators, Contain the threat, Preserve evidence, Eradicate root cause, Recover services, Document lessons learned.

Digital Evidence Collection Principles

Identification: Recognize and identify potential evidence sources (systems, devices, logs, media)
Collection: Gather evidence using forensically sound methods that preserve integrity
Preservation: Protect evidence from alteration, damage, or destruction throughout the process
Documentation: Thoroughly record every action taken, by whom, when, and why
Analysis: Examine evidence using validated tools and methodologies
Reporting: Present findings in a clear, accurate, and legally defensible manner

Evidence Volatility Order (Most to Least Volatile)

RFC 3227 defines the order of volatility -- always collect the most volatile evidence first:

Priority	Evidence Type	Volatility	Examples / Tools
1	CPU Registers & Cache	Highest	Nanoseconds lifespan; rarely captured directly
2	RAM (Memory)	Very High	Running processes, network connections, encryption keys, passwords. Tools: FTK Imager, WinPmem, Volatility, DumpIt
3	Network State	High	Active connections, routing tables, ARP cache, DNS cache. Tools: netstat, arp, ipconfig, Wireshark
4	Running Processes	High	Process list, open handles, loaded DLLs. Tools: tasklist, Process Explorer, ps
5	Disk (File System)	Medium	Files, logs, registry, browser history, deleted files. Tools: FTK, EnCase, Autopsy, dd
6	Remote Logs	Low	SIEM logs, syslog servers, firewall logs, proxy logs, cloud audit trails
7	Archival/Backup Media	Lowest	Tape backups, offline storage, cold storage

Tip: Memorize the volatility order -- it appears frequently on the exam. The key principle: RAM before Disk, Network state before logs. Always collect volatile evidence FIRST because it disappears when the system is powered off or rebooted.

Key Forensic Tools

Tool	Purpose	Notes
FTK Imager	Disk imaging, memory capture	Creates forensic images (E01, dd), verifies with MD5/SHA1 hashes
EnCase	Comprehensive forensic analysis	Industry-standard commercial tool, court-accepted evidence format
Autopsy / Sleuth Kit	Open-source disk forensics	File recovery, timeline analysis, keyword search, registry analysis
Volatility	Memory forensics framework	Analyze RAM dumps: processes, network connections, injected code, rootkits
Wireshark	Network packet analysis	Capture and analyze network traffic, reconstruct sessions, detect anomalies
Splunk / ELK	Log analysis and SIEM	Correlate events across sources, timeline reconstruction, alerting

Chain of Custody

Chain of custody is the documented trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence. It must be maintained at all times to ensure evidence is admissible in court:

Who collected or handled the evidence (name, title, organization)
What was collected (description, serial numbers, identifiers)
When it was collected and each subsequent transfer (date and time)
Where it was collected and stored (physical location, room, safe)
Why it was collected (incident reference, case number)
How it was collected and protected (tools used, hash values, write blockers)

Hash Verification: Calculate MD5 and SHA-256 hashes of original evidence and all copies. Hashes must match at every transfer point to prove integrity. Any break in chain of custody may render evidence inadmissible.

Business Continuity & Communication Plans

Component	Purpose	Key Elements
BCP (Business Continuity Plan)	Maintain critical business functions during an incident	Business Impact Analysis (BIA), RTO/RPO definitions, alternate processing sites, communication procedures
DRP (Disaster Recovery Plan)	Restore IT systems and data after disruption	Backup strategies (3-2-1 rule), recovery procedures, hot/warm/cold sites, testing schedule
Communication Plan	Coordinate information sharing during incidents	Internal notification trees, external stakeholder contacts, media response templates, regulatory notification timelines

RTO (Recovery Time Objective): Maximum acceptable downtime before business impact becomes unacceptable
RPO (Recovery Point Objective): Maximum acceptable data loss measured in time (how old can restored data be)
MTTR (Mean Time to Repair): Average time to restore a system after failure
MTBF (Mean Time Between Failures): Average time between system failures

Legal Considerations

Breach Notification Laws: GDPR (72 hours), HIPAA (60 days), state laws vary (24 hours to 90 days). Know the most restrictive applicable regulation
Evidence Admissibility: Evidence must be relevant, authentic (hash-verified), and collected without violating rights (proper authorization)
Law Enforcement Coordination: Establish relationships before incidents occur. Know when involvement is mandatory (e.g., data breaches affecting citizens)
Data Privacy: Ensure forensic activities comply with employee privacy rights, data protection regulations, and organizational policies
Jurisdiction: Cloud incidents may span multiple legal jurisdictions; coordinate with legal counsel regarding cross-border data issues

Tip: Always involve Legal counsel early in any incident involving potential data breach. Notification timelines are strict and missing them can result in significant fines (e.g., GDPR: up to 4% of global annual turnover).

NIST vs SANS IR Framework Comparison

NIST SP 800-61 (4 Phases)	SANS PICERL (6 Steps)	Key Difference
1. Preparation	1. Preparation	Same -- establishing IR capability
2. Detection & Analysis	2. Identification	NIST emphasizes analysis depth; SANS focuses on event-to-incident determination
3. Containment, Eradication & Recovery	3. Containment	NIST groups these as one phase; SANS separates them into three distinct steps for granular control
	4. Eradication
	5. Recovery
4. Post-Incident Activity	6. Lessons Learned	Same -- review, document, improve

Incident Response Frameworks Overview

Framework	Publisher	Focus	Key Points
NIST SP 800-61 Rev 2	NIST	General IR guidance	4-phase lifecycle, iterative, widely adopted by US government and enterprises
NIST CSF (Cybersecurity Framework)	NIST	Overall cybersecurity	5 functions: Identify, Protect, Detect, Respond, Recover. IR maps to Respond and Recover
SANS Incident Handler's Handbook	SANS Institute	Practical IR	6-step PICERL model, widely used in industry training and certification (GCIH)
MITRE ATT&CK	MITRE	Adversary TTPs	Knowledge base of tactics, techniques, and procedures. 14 tactics from Reconnaissance to Impact
Cyber Kill Chain	Lockheed Martin	Attack lifecycle	7 stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives
ISO 27035	ISO/IEC	Incident management	5 phases: Plan/Prepare, Detection/Reporting, Assessment/Decision, Responses, Lessons Learned

MITRE ATT&CK Tactics (Enterprise Matrix)

#	Tactic	Description
1	Reconnaissance	Gathering information about the target (OSINT, scanning)
2	Resource Development	Establishing infrastructure (domains, accounts, tools)
3	Initial Access	Gaining entry (phishing, exploits, valid accounts)
4	Execution	Running malicious code (PowerShell, scripts, exploits)
5	Persistence	Maintaining access (registry keys, scheduled tasks, implants)
6	Privilege Escalation	Gaining higher-level permissions (exploits, token manipulation)
7	Defense Evasion	Avoiding detection (obfuscation, disabling security tools)
8	Credential Access	Stealing credentials (dumping, keylogging, brute force)
9	Discovery	Mapping the environment (network scanning, enumeration)
10	Lateral Movement	Moving through the network (RDP, SMB, pass-the-hash)
11	Collection	Gathering target data (screen capture, keylogging, data staging)
12	Command & Control	Communicating with compromised systems (C2 channels, DNS tunneling)
13	Exfiltration	Stealing data (encrypted channels, cloud storage, physical media)
14	Impact	Disrupting operations (encryption, data destruction, defacement)

Cyber Kill Chain vs MITRE ATT&CK

Aspect	Cyber Kill Chain	MITRE ATT&CK
Model Type	Linear (7-stage sequence)	Matrix (14 tactics, hundreds of techniques)
Granularity	High-level phases	Highly detailed with specific sub-techniques
Approach	Defender-centric (break the chain)	Adversary-behavior focused (understand and detect TTPs)
Best Used For	Strategic planning, executive communication	Threat detection, red teaming, gap analysis, SOC operations

Incident Handling Metrics & KPIs

Metric	Definition	Why It Matters
MTTD (Mean Time to Detect)	Average time from incident start to detection	Measures detection capability; industry average is ~200 days for breaches
MTTR (Mean Time to Respond)	Average time from detection to containment	Measures response efficiency; faster containment reduces damage
MTTC (Mean Time to Contain)	Average time from detection to full containment	Tracks how quickly the spread is stopped
Dwell Time	Total time attacker is present before detection	Lower is better; high dwell time indicates detection gaps
Incidents per Category	Count of incidents by type (malware, phishing, etc.)	Identifies most common threats for resource prioritization
Cost per Incident	Total financial impact of each incident	Justifies security investment and measures program effectiveness

Quick Reference: Incident Type to Framework Mapping

Incident Type	Primary Kill Chain Stage	Key ATT&CK Tactics	First Response Priority
Ransomware	Actions on Objectives	Execution, Impact	Isolate immediately, preserve backups
Phishing	Delivery	Initial Access	Block sender, purge emails, check who clicked
APT / Data Breach	C2, Actions on Objectives	Lateral Movement, Exfiltration	Determine scope, monitor C2, avoid tipping off attacker
DDoS	Actions on Objectives	Impact	Activate DDoS mitigation, contact ISP/CDN
Insider Threat	N/A (internal)	Collection, Exfiltration	Involve HR/Legal, monitor discreetly, preserve evidence
Web App Attack	Exploitation	Initial Access, Execution	Block source, assess data exposure, patch vulnerability

Tip: For the ECIH exam, be able to map any incident scenario to the correct IR phase, identify which framework applies, and describe the specific handling steps. Scenario-based questions will test your ability to apply frameworks to real-world situations, not just memorize definitions.

212-89v3

ECIH v3 - EC-Council Certified Incident Handler

ECIH v3 Practice Exam 1

ECIH v3 Practice Exam 2

ECIH v3 Practice Exam 3

ECIH v3 Practice Exam 4

ECIH v3 Practice Exam 5

ECIH v3 Practice Exam 6

Unlock All Content for 212-89v3

Preview (10 / 120)

Flash Cards

Available Languages

Exam Topics

212-89v3 Cheat Sheet

ECIH v3 (212-89v3) Exam Details

Domain Weight Breakdown

About the ECIH Certification

What Is an Incident?

NIST SP 800-61 Incident Response Lifecycle

SANS Incident Response 6-Step Process (PICERL)

Incident Classification & Severity Levels

Incident Response Team (IRT / CSIRT) Roles

Essential IR Policies & Procedures

Phase 1: Preparation

Phase 2: Detection & Identification

Common Indicators of Compromise (IoCs)

Phase 3: Containment

Phase 4: Eradication

Phase 5: Recovery

Phase 6: Lessons Learned (Post-Incident Activity)

Malware Incident Handling

Email Security Incident Handling

Network Attack Incident Handling (DoS/DDoS)

Web Application Attack Handling

Insider Threat Handling

Cloud Security Incident Handling

Digital Evidence Collection Principles

Evidence Volatility Order (Most to Least Volatile)

Key Forensic Tools

Chain of Custody

Business Continuity & Communication Plans

Legal Considerations

NIST vs SANS IR Framework Comparison

Incident Response Frameworks Overview

MITRE ATT&CK Tactics (Enterprise Matrix)

Cyber Kill Chain vs MITRE ATT&CK

Incident Handling Metrics & KPIs

Quick Reference: Incident Type to Framework Mapping