212-89
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.


EC-Council ECIH

The ECIH certification exam validates professionals' ability to detect, triage, and respond to malware, email, and network security incidents, applying industry‑standard incident handling processes to protect enterprise assets.

Duration: 180 minutes
Questions: 100
Passing Score: 70/100
Exam Cost: $999

Who Should Take This

Cybersecurity analysts, incident responders, and network engineers with at least two years of hands‑on experience in threat detection and mitigation are ideal candidates. They seek to formalize their expertise, meet employer expectations, and enhance career prospects by earning the EC‑Council Certified Incident Handler credential.

What's Covered

1 Incident Handling and Response Overview
2 Incident Detection and Triage
3 Handling Malware Incidents
4 Handling Email Security Incidents
5 Handling Network Security Incidents
6 Handling Web Application Incidents
7 Handling Cloud Security Incidents
8 Handling Insider Threats
9 Containment Eradication and Recovery
10 Forensic Readiness and Evidence Handling
11 Post-Incident Activities
12 Regulatory Compliance and Communication

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

60 learning goals
1 Incident Handling and Response Overview
2 topics

Incident handling fundamentals

  • Apply incident classification frameworks to categorize security events by type, severity, and business impact using standardized taxonomies.
  • Analyze the incident handling lifecycle phases, including preparation, detection, analysis, containment, eradication, recovery, and lessons learned.
  • Apply NIST SP 800-61 and SANS incident response frameworks to establish standardized response procedures across the organization.
  • Analyze the relationship between incident handling and risk management to align response priorities with organizational risk appetite.

Incident response team structure

  • Design incident response team structures, including CSIRT, CERT, and virtual team models, with defined roles, responsibilities, and escalation paths.
  • Apply incident response plan development, including playbook creation, communication templates, and stakeholder notification procedures.
  • Analyze incident response readiness through tabletop exercises, red team simulations, and gap analysis to identify capability deficiencies.
2 Incident Detection and Triage
2 topics

Detection mechanisms

  • Apply SIEM correlation rules, IDS/IPS alerts, and EDR telemetry to detect indicators of compromise across network, endpoint, and application layers.
  • Apply threat intelligence feeds, STIX/TAXII indicators, and IOC matching to correlate external threat data with internal security events.
  • Analyze anomalous user behavior, network traffic patterns, and system events to distinguish true incidents from false positives and benign anomalies.
  • Apply automated detection tools, including honeypots, deception technologies, and canary tokens, to identify unauthorized access attempts and lateral movement.

Incident triage and prioritization

  • Apply triage procedures to assess incident severity, business impact, affected systems, and data sensitivity for response prioritization.
  • Analyze initial incident indicators to determine attack vectors, compromised assets, and potential lateral movement for scope assessment.
  • Apply first responder procedures, including volatile evidence capture, system isolation, and initial documentation, while preserving forensic integrity.
  • Design triage workflows incorporating automated severity scoring, asset criticality mapping, and dynamic escalation rules for SOC integration.
3 Handling Malware Incidents
1 topic

Malware incident response

  • Apply malware incident detection using antivirus alerts, behavioral analysis, sandboxing results, and network traffic anomalies to identify active infections.
  • Apply malware containment procedures, including network isolation, process termination, DNS sinkholing, and endpoint quarantine, to stop propagation.
  • Analyze malware artifacts, including persistence mechanisms, C2 communication patterns, and payload behavior, to determine incident scope and attribution.
  • Apply ransomware incident response, including encrypted file identification, payment assessment, backup restoration, and decryption tool evaluation.
  • Analyze fileless malware attacks leveraging PowerShell, WMI, and LOLBins to identify memory-resident threats that evade traditional detection.
4 Handling Email Security Incidents
1 topic

Email incident response

  • Apply phishing incident analysis, including header examination, URL deobfuscation, attachment sandboxing, and sender authentication verification using SPF, DKIM, and DMARC.
  • Apply business email compromise response, including account lockout, credential reset, affected transaction review, and communication channel verification.
  • Analyze email-based attack campaigns to identify targeted users, delivery patterns, and social engineering techniques for organizational awareness improvement.
  • Apply email threat remediation, including mailbox search, message clawback, URL rewriting, and attachment stripping, across enterprise email platforms.
5 Handling Network Security Incidents
2 topics

Network intrusion response

  • Apply network intrusion detection analysis using packet captures, IDS alerts, and NetFlow data to identify unauthorized access and lateral movement.
  • Apply network containment techniques, including VLAN isolation, firewall rule injection, port shutdown, and DNS redirect, to limit attacker movement.
  • Analyze network attack patterns, including DDoS, man-in-the-middle, ARP poisoning, and DNS hijacking, to determine attack methodology and attribution.

Wireless and DoS incident handling

  • Apply wireless security incident response, including rogue AP identification, evil twin detection, deauthentication attack mitigation, and client isolation.
  • Apply DDoS incident response, including traffic analysis, upstream filtering, rate limiting, CDN activation, and ISP coordination, for volumetric attack mitigation.
  • Analyze DoS and DDoS attack traffic to identify amplification vectors, botnet C2 patterns, and reflection sources for attack characterization.
6 Handling Web Application Incidents
1 topic

Web application incident response

  • Apply web application incident detection using WAF alerts, server logs, and application error analysis to identify SQL injection, XSS, and CSRF attacks.
  • Apply web application containment, including IP blocking, virtual patching, session invalidation, and service isolation, to stop active exploitation.
  • Analyze web application attack patterns, including injection payloads, session hijacking techniques, and API abuse, to determine data exposure and remediation needs.
  • Apply web shell detection and removal, including file integrity monitoring, webroot analysis, and persistence mechanism identification, on compromised web servers.
7 Handling Cloud Security Incidents
1 topic

Cloud incident response

  • Apply cloud incident detection using CloudTrail, Azure Monitor, and GCP audit logs to identify unauthorized access, data exfiltration, and configuration tampering.
  • Apply cloud containment techniques, including IAM policy revocation, security group lockdown, resource isolation, and API key rotation, in multi-cloud environments.
  • Analyze cloud security incidents to identify privilege escalation paths, misconfigured storage, exposed secrets, and cross-account compromise indicators.
  • Design cloud-specific incident response procedures addressing shared responsibility, evidence collection across provider boundaries, and automated remediation workflows.
8 Handling Insider Threats
1 topic

Insider threat detection and response

  • Apply insider threat detection using UEBA, DLP alerts, access pattern analysis, and privileged user monitoring to identify malicious or negligent insiders.
  • Apply insider threat investigation procedures, including digital evidence collection, interview coordination, HR and legal liaison, and access revocation workflows.
  • Analyze insider threat indicators, including data hoarding, unusual access patterns, after-hours activity, and policy violations, to assess risk levels.
  • Design insider threat programs incorporating technical controls, behavioral analytics, organizational policies, and cross-department coordination frameworks.
9 Containment Eradication and Recovery
2 topics

Containment strategies

  • Apply short-term containment techniques, including network segmentation, account disabling, and temporary firewall rules, while preserving evidence for analysis.
  • Apply long-term containment procedures, including system rebuilds, credential rotation, vulnerability patching, and enhanced monitoring of affected segments.
  • Analyze containment effectiveness to verify threat neutralization, confirm no residual access, and validate that business operations can safely resume.

Eradication and recovery

  • Apply eradication procedures, including malware removal, backdoor elimination, root cause remediation, and vulnerability closure, across all affected systems.
  • Apply recovery procedures, including system restoration, service validation, data integrity verification, and phased return to production operations.
  • Design recovery strategies incorporating prioritized system restoration, communication plans, stakeholder updates, and business continuity integration.
10 Forensic Readiness and Evidence Handling
1 topic

Evidence collection and preservation

  • Apply evidence collection procedures, including volatile data capture, memory dumps, disk imaging, and network traffic preservation, following chain of custody requirements.
  • Apply forensic readiness planning, including log retention policies, evidence storage infrastructure, and pre-approved collection procedures, for rapid incident response.
  • Analyze digital evidence integrity using hash verification, timestamps, and documentation to ensure admissibility and maintain chain of custody standards.
  • Design forensic readiness programs that integrate evidence collection capabilities into enterprise infrastructure, monitoring, and backup systems.
11 Post-Incident Activities
1 topic

Lessons learned and reporting

  • Apply post-incident review processes, including lessons learned sessions, root cause analysis, timeline documentation, and recommendation development.
  • Apply incident reporting, including executive summaries, technical reports, regulatory notifications, and law enforcement liaison, per applicable requirements.
  • Analyze incident metrics, including mean time to detect, mean time to respond, incident recurrence rates, and resolution costs, to measure program effectiveness.
  • Design incident response improvement programs incorporating automation enhancements, playbook updates, tool evaluations, and team training based on lessons learned.
12 Regulatory Compliance and Communication
1 topic

Legal and regulatory requirements

  • Apply breach notification requirements under GDPR, HIPAA, PCI-DSS, and state breach notification laws to determine reporting obligations and timelines.
  • Analyze regulatory requirements to determine data breach scope, notification obligations, affected party identification, and remediation commitments.
  • Design incident communication strategies addressing media relations, customer notifications, regulatory filings, and internal stakeholder updates during crisis situations.
  • Apply law enforcement coordination procedures, including evidence sharing, legal hold management, and investigative support, while protecting organizational interests.

Scope

Included Topics

  • All domains in EC-Council ECIH covering the incident handling and response lifecycle, including preparation, detection, classification, containment, eradication, recovery, and post-incident activities.
  • The incident handling process, including first responder actions, evidence preservation, triage, prioritization, and escalation procedures for cybersecurity incidents.
  • Handling specific incident types, including malware incidents, email security incidents, network security incidents, web application incidents, cloud incidents, and insider threats.
  • Forensic readiness and evidence handling, including volatile data collection, log preservation, chain of custody, and integration with digital forensics teams.
  • Incident communication and coordination, including stakeholder notification, regulatory reporting, cross-team collaboration, and post-incident review processes.

Not Covered

  • Advanced penetration testing and exploitation techniques, covered by CEH and CPENT.
  • In-depth digital forensic analysis, disk imaging, and malware reverse engineering, covered by CHFI.
  • SOC operations, SIEM platform management, and continuous threat monitoring, covered by CSA.
  • Enterprise security program governance, budgeting, and board-level risk communication, covered by CCISO.
  • Network defense architecture, firewall deployment, and perimeter security design, covered by CND.

Official Exam Page

Learn more at EC-Council


Trademark Notice

EC-Council®, CEH®, and all EC-Council certification marks are registered trademarks of the International Council of Electronic Commerce Consultants. EC-Council does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.