212-89 Exam Dumps : EC Council Certified Incident Handler (ECIH v3)

Michael's activities, which involve analyzing file systems, slack spaces, and metadata of storage units to find hidden malware and evidence of malice, indicate that he is handling a storage-related cloud security incident. This type of incident pertains to unauthorized access, alteration, or exfiltration of data stored in cloud environments. By focusing on the storage aspects such as file systems and metadata, Michael is looking for signs of compromise that specifically affect the storage of data, which is indicative of a storage-related security incident in the cloud.

Threat correlation is a method used by incident responders to analyze and associate various indicators of compromise (IoCs) and alerts to identify genuine threats. By correlating data from multiple sources and applying intelligence to distinguish between unrelated events and coordinated attack patterns, responders can significantly reduce the rate of false-positive alerts. This enables teams to prioritize their efforts on the most critical and likely threats, thereby reducing potential risks and corporate liabilities. Effective threat correlation involves the use of sophisticated security information and event management (SIEM) systems, threat intelligence platforms, and analytical techniques to identify relationships between seemingly disparate security events and alerts.

This scenario describes a SYN flood attack, a classic protocol-level Denial-of-Service technique covered in the ECIH Network Security Incidents module. In a SYN flood, attackers send a large volume of TCP SYN packets but never complete the three-way handshake, leaving the server waiting for responses and exhausting connection resources.

Option D is correct because incomplete TCP handshakes, half-open connections, and resource exhaustion are defining characteristics of SYN flood attacks. The presence of multiple source IPs further suggests a distributed attack.

Option A involves taking over an existing session, not exhausting resources. Option B applies to UDP-based amplification attacks. Option C affects DNS resolution, not TCP handshakes.

ECIH stresses that early identification of SYN floods allows defenders to deploy SYN cookies, rate limiting, and upstream filtering. Recognizing handshake anomalies is therefore critical in protecting service availability.