ECIHv3 Brochure


Average Incident Response Time: A Growing Problem

277 days
Average time to identify and contain a data breach.

49 days
Ransomware breaches took 49 days longer than average to identify and contain.

303 days
Average time to identify and contain a supply chain compromise.

Why Do Organizations Need Incident Response?

1. Did organizations invest in buying expensive security products?
> Yes

2. Did they over-rely on the deployed security products?
> Yes

3. Did they hire individuals or teams to configure those security products?
> Not often

4. Were they successful in avoiding security incidents?
> No

5. Did they predict the possibilities of an attack and its impact?
> No

6. Did they have a structured incident handling and response plan in place to tackle potential security incidents?
> No

What is Incident Response?

1. A process that allows organizations to handle and respond to various security incidents instantly.

2. A process that enables organizations to detect, validate, contain, and eradicate various security incidents.

3. A process that ensures safe and systematic recovery of all organizational assets from the impact of security incidents.

4. A process that assures organizations are well prepared for handling the most common security incidents.

In short, organizations need an incident handling and response plan/process.

Organizations need an EC-Council Certified Incident Handler.

E|CIH Program Overview

What is E|CIH?
EC-Council's Certified Incident Handler program equips students with the knowledge,
skills, and abilities to effectively prepare for, deal with, and eradicate threats and
threat actors in an incident.

This program provides the entire process of incident handling and response and
hands-on labs that teach the tactical procedures and techniques required to
effectively plan, record, triage, notify and contain. Students will learn the handling of
various types of incidents, risk assessment methodologies, as well as laws and
policies related to incident handling. After attending the course, students will be able
to create IH&R policies and deal with different types of security incidents such as
malware, email security, network security, web application security, cloud security,
and insider threat-related incidents.

The E|CIH (EC-Council Certified Incident Handler) also covers post-incident activities
such as containment, eradication, evidence gathering and forensic analysis, leading
to prosecution or to countermeasures that ensure the incident is not repeated.

The E|CIH is a method-driven course that provides a holistic approach covering vast
concepts related to organizational IH&R, from preparing/planning the incident
handling response process to recovering organizational assets from the impact of
security incidents. These concepts are essential for handling and responding to
security incidents to protect organizations from future threats or attacks.

With over 95 advanced labs, 800 tools covered, and exposure to incident handling
activities on many different operating systems, E|CIH provides a well-rounded, but
tactical approach to planning for and dealing with cyber incidents.

The E|CIH program addresses all stages involved in the IH&R process, and this
attention toward a realistic and futuristic approach makes E|CIH one of the most
comprehensive IH&R-related certifications in the market today.
E|CIH Course Modules:

MODULE 01: INTRODUCTION TO INCIDENT HANDLING AND RESPONSE

• Understand Information Security Threats and Attack Vectors
• Explain Various Attack and Defense Frameworks
• Understand Information Security Concepts
• Understand Information Security Incidents
• Understand the Incident Management Process
• Understand Incident Response Automation and Orchestration
• Describe Various Incident Handling and Response Best Practices
• Explain Various Standards Related to Incident Handling and Response
• Explain Various Cybersecurity Frameworks
• Understand Incident Handling Laws and Legal Compliance

MODULE 02: INCIDENT HANDLING AND RESPONSE PROCESS

• Understand the Incident Handling and Response (IH&R) Process
• Explain Preparation Steps for Incident Handling and Response
• Understand Incident Recording and Assignment
• Understand Incident Triage
• Explain the Process of Notification
• Understand the Process of Containment
• Describe Evidence Gathering and Forensics Analysis
• Explain the Process of Eradication
• Understand the Process of Recovery
• Describe Various Post-Incident Activities
• Explain the Importance of Information Sharing Activities

MODULE 03: FIRST RESPONSE

• Explain the Concept of First Response
• Understand the Process of Securing and Documenting the Crime Scene
• Understand the Process of Collecting Evidence at the Crime Scene
• Explain the Process for Preserving, Packaging, and Transporting Evidence

MODULE 04: HANDLING AND RESPONDING TO MALWARE INCIDENTS

• Understand the Handling of Malware Incidents
• Explain Preparation for Handling Malware Incidents
• Understand Detection of Malware Incidents
• Explain Containment of Malware Incidents
• Describe How to Perform Malware Analysis
• Understand Eradication of Malware Incidents
• Explain Recovery after Malware Incidents
• Understand the Handling of Malware Incidents - Case Study
• Describe Best Practices against Malware Incidents

MODULE 05: HANDLING AND RESPONDING TO EMAIL SECURITY INCIDENTS

• Understand Email Security Incidents
• Explain Preparation Steps for Handling Email Security Incidents
• Understand Detection and Containment of Email Security Incidents
• Understand Analysis of Email Security Incidents
• Explain Eradication of Email Security Incidents
• Understand the Process of Recovery after Email Security Incidents
• Understand the Handling of Email Security Incidents - Case Study
• Explain Best Practices against Email Security Incidents

MODULE 06: HANDLING AND RESPONDING TO NETWORK SECURITY INCIDENTS

• Understand the Handling of Network Security Incidents
• Prepare to Handle Network Security Incidents
• Understand Detection and Validation of Network Security Incidents
• Understand the Handling of Unauthorized Access Incidents
• Understand the Handling of Inappropriate Usage Incidents
• Understand the Handling of Denial-of-Service Incidents
• Understand the Handling of Wireless Network Security Incidents
• Understand the Handling of Network Security Incidents - Case Study
• Describe Best Practices against Network Security Incidents

MODULE 07: HANDLING AND RESPONDING TO WEB APPLICATION SECURITY INCIDENTS

• Understand the Handling of Web Application Incidents
• Explain Preparation for Handling Web Application Security Incidents
• Understand Detection and Containment of Web Application Security Incidents
• Explain Analysis of Web Application Security Incidents
• Understand Eradication of Web Application Security Incidents
• Explain Recovery after Web Application Security Incidents
• Understand the Handling of Web Application Security Incidents - Case Study
• Describe Best Practices for Securing Web Applications

MODULE 08: HANDLING AND RESPONDING TO CLOUD SECURITY INCIDENTS

• Understand the Handling of Cloud Security Incidents
• Explain Various Steps Involved in Handling Cloud Security Incidents
• Understand How to Handle Azure Security Incidents
• Understand How to Handle AWS Security Incidents
• Understand How to Handle Google Cloud Security Incidents
• Understand the Handling of Cloud Security Incidents - Case Study
• Explain Best Practices against Cloud Security Incidents

MODULE 09: HANDLING AND RESPONDING TO INSIDER THREATS

• Understand the Handling of Insider Threats
• Explain Preparation Steps for Handling Insider Threats
• Understand Detection and Containment of Insider Threats
• Explain Analysis of Insider Threats
• Understand Eradication of Insider Threats
• Understand the Process of Recovery after Insider Attacks
• Understand the Handling of Insider Threats - Case Study
• Describe Best Practices against Insider Threats

MODULE 10: HANDLING AND RESPONDING TO ENDPOINT SECURITY INCIDENTS

• Understand the Handling of Endpoint Security Incidents
• Explain the Handling of Mobile-based Security Incidents
• Explain the Handling of IoT-based Security Incidents
• Explain the Handling of OT-based Security Incidents
• Understand the Handling of Endpoint Security Incidents - Case Study

What Do You Learn from E|CIH?

• Key issues plaguing the information security world

• Various types of cyber security threats, attack vectors, threat actors, and their motives, goals, and objectives of cyber security attacks

• Various attack and defense frameworks (Cyber Kill Chain Methodology, MITRE ATT&CK Framework, etc.)

• Fundamentals of information security concepts (vulnerability assessment, risk management, cyber threat intelligence, threat modeling, and threat hunting)

• Fundamentals of incident management (information security incidents, signs and costs of an incident, incident handling and response, and incident response automation and orchestration)

• Different incident handling and response best practices, standards, cybersecurity frameworks, laws, acts, and regulations

• Various steps involved in planning an incident handling and response program (planning, recording and assignment, triage, notification, containment, evidence gathering and forensic analysis, eradication, recovery, and post-incident activities)

• Importance of first response and the first response procedure (evidence collection, documentation, preservation, packaging, and transportation)

• How to handle and respond to different types of cybersecurity incidents in a systematic way (malware incidents, email security incidents, network security incidents, web application security incidents, cloud security incidents, insider threat-related incidents, and endpoint security incidents)

Learn the 9 Stages of the Incident Handling & Response (IH&R) Process

1. Planning
2. Recording & Assignment
3. Triage
4. Notification
5. Containment
6. Evidence Gathering & Forensics Analysis
7. Eradication
8. Recovery
9. Post-Incident Activities

Key Features & Critical Components of E|CIH Program

• 1600+ pages of the comprehensive student manual
• 800+ incident handling and response tools
• 780+ illustrated instructor slides
• 125 incident handling templates, checklists, and toolkits
• 95 labs; the lab environment simulates a real-time environment (covered in 22 scenario-based labs)
• 10+ incident handling playbooks and runbooks
• 100% compliance with the NICE 2.0 Framework
• 100% compliance with CREST CCIM

• Based on a Comprehensive Industry-wide Job Task Analysis (JTA)

• Structured approach for performing incident handling and response process.

• Focus on developing skills in handling different types of cybersecurity incidents.

Covers the Latest Collection of:

• Incident Handling Templates
• Incident Handling Playbooks and Runbooks
• Incident Handling Checklists and Toolkits
• Incident Handling Cheat Sheets
• Incident Handling & Response Tools/Platforms
• Incident Handling & Response Frameworks
• Incident Handling Standards, Laws, and Legal Compliance
• Real-time Case Studies on Handling and Responding to Cybersecurity Incidents

Unique Benefits of E|CIH

Advanced Labs

01. Lab setup simulates a real-time environment with real-life networks and platforms
02. Every learning objective is demonstrated using complex and advanced labs
03. Lab-intensive program (demonstration of various cybersecurity incidents via scenario-based labs)
04. Hands-on program (dedication of 50% of training time to labs)
05. Latest patched Windows operating systems
06. Ubuntu, Parrot Security, pfSense Firewall, OSSIM Server, and Android for performing labs
07. Advanced forensic software
08. Latest threat intelligence platforms
09. Latest network monitoring solutions

Scenario-based labs

10. Learn to handle and respond to various types of security incidents on a real-time organizational network
11. Understand, detect & analyze modern attack TTPs using various incident handling tools

E|CIH Is Built to Remediate Modern Cyber Threats

Key Benefits / Critical Components of E|CIH Course Explained:

1) 100% Compliance with NICE Special Publication 800-181 Cybersecurity Workforce Framework

E|CIH fully maps to the National Initiative for Cybersecurity Education (NICE) framework in the
Protect and Defend (PR) category and Incident Response (CIR) specialty area, which deals with
investigating, analyzing, and responding to cyber incidents within a network environment or
enclave.

2) 100% Compliance with CREST Certified Incident Manager (CCIM) Frameworks

E|CIH fully maps to the CREST Certified Incident Manager (CCIM), which is a
broad-based scheme focused on maintaining an appropriate standard for incident
response, managed by an industry professional body, delivered by the industry, and
endorsed by CESG and CPNI. The CCIM scheme, currently administered by CREST, is
also known as the CREST Certified Incident Response Scheme (CSIR).

3) Based on a Comprehensive Industry-wide Job Task Analysis

The E|CIH program was developed after intensive analysis of all possible
combinations of Task, Knowledge, Skill, and Ability (TKSA) from relevant job postings of
various multinational companies.

4) Focus on a Structured Approach for IH&R

This process includes various stages such as IH&R preparation, incident recording and
assignment, incident triage and notification, incident containment, evidence
gathering and forensic analysis, incident eradication, system recovery, and
post-incident activities.

5) Large Collection of Incident Handling Templates, Checklists, and Toolkits

This vast collection of documentation material enables incident handlers to
effectively accomplish incident-related documentation in their organization within a
reasonable timeframe. Incident handling templates help incident handlers to draft
comprehensive reports based on the target audience and incidents, thus providing
wider options to students and incident handlers than any other program in the
market.

6) Large Collection of Incident Handling Playbooks and Runbooks

When used together, playbooks and runbooks can guide incident handlers in
orchestrating various security processes based on the type of incident. Ready-to-use
playbooks and runbooks help the IH&R team to automate the response to common cyber-attacks
such as phishing, malware, and denial-of-service.

7) Focus on Developing Skills to Handle Various Cybersecurity Incidents

This program systematically demonstrates the complete IH&R process for various
types of cybersecurity incidents, including malware, email security, network security,
web application security, cloud security, insider threat, mobile-based security,
IoT-based security, and OT-based security incidents. Coverage of the end-to-end IH&R
process makes E|CIH a unique program in the market.

8) Emphasis on Forensic Readiness and First Response Procedures

A lack of forensic readiness or of a first response process for incidents can cause
drastic and disastrous damage to organizations. The E|CIH program focuses on how
an organization should be prepared and equipped to tackle any type of cyber
incident, along with the steps to be taken by the first responder to record or deal with
incidents.

9) Lab-intensive Program (Demonstration of Various Cybersecurity Incidents via Scenario-based Labs)

The E|CIH program demonstrates real-time security incidents using scenario-based
labs with respect to various incident-handling phases. This helps students and
incident handlers to gain in-depth knowledge and skills in IH&R preparation, incident
recording and assignment, incident triage and notification, incident containment,
evidence gathering and forensic analysis, incident eradication, system recovery, and
post-incident activities.

10) Hands-On Program (Dedication of 50% of Training Time to Labs)

The theory-to-practice ratio in the E|CIH program is 50:50, providing students with
real-time experience in IH&R scenarios and hands-on practice with the latest tools,
techniques, methodologies, and frameworks.

11) Lab Environment Simulates a Post-breach Environment

The lab environment simulates a real-time situation for incident handlers, and this
experience can help in effectively dealing with incidents in organizations.

12) Covers Latest IH&R Tools/Platforms and Frameworks

The E|CIH course includes a library of tools, platforms, and frameworks across different
operating platforms required by incident handlers and responders to effectively
handle and respond to various organizational threats and incidents.

13) Covers Latest Real-time Case Studies on Handling and Responding to Cybersecurity Incidents

These case studies are specific to incidents reported by organizations or users,
including incident handling procedures, from the detection phase to recovery, as well
as lessons learned.

Exam Details:

Exam Title: EC-Council Certified Incident Handler
Exam Code: 212-89
Number of Questions: 100
Duration: 3 hours
Exam Availability: ECC Exam Portal
Test Format: Multiple Choice
Passing Score: Refer to https://cert.eccouncil.org/faq.html

Training Details:

Training: 3 Days

Training Options:

• iLearn (Self-Study): This solution is an asynchronous, self-study environment in a video-streaming format.
• iWeek (Live Online): This solution is an online, live training course led by an instructor.
• Training Partner (In Person): This solution offers in-person training so that you can get the benefit of collaborating with your peers.

Job Roles Mapped to E|CIH:

1. Incident Handler
2. Incident Responder
3. Incident Response Consultant/Associate/Analyst/Engineer/Specialist/Expert/Manager
4. CSIRT Analyst/Engineer/Manager
5. Information Security Associate/Analyst/Engineer/Specialist/Manager
6. Cyber Defense Security Consultant/Associate/Analyst
7. IT Security Operations Center Analyst (SOC Analyst/Engineer)
8. Cyber Forensic Investigator/Consultant/Analyst/Manager
9. Digital Forensic Analyst
10. Cyber Risk Vulnerability Analyst/Manager
11. Cyber Intelligence Analyst and Cyber Security Threat Analyst/Specialist
12. Cyber Security Incident Response Team Lead
13. Penetration Tester

Who Can Apply for E|CIH:

• Any mid-level to high-level cyber security professional with a minimum of 3 years of experience

• Individuals from the information security profession who want to enrich their skills and knowledge in the field of incident handling and response

• Individuals interested in preventing cyber threats

Top Tools, Playbooks and More in the E|CIH Course

Top 10 Popular or Latest Tools:
• Cyber Triage
• KeepNote
• IDA and OllyDbg
• Wireshark
• MxToolbox
• Rmail
• AlienVault OSSIM
• RdpGuard
• Nessus
• dotDefender
• MalwareBytes
• ManageEngine Endpoint Central

Top 5 Playbooks and Runbooks:
• DDoS Incident Response Playbook
• Phishing Incident Response Playbook
• Insider Threat Incident Response Playbook
• Ransomware Incident Response Playbook
• DDoS Incident Response Runbook

Top Latest Templates, Checklists, and Toolkits:
• Digital Forensics Readiness Policy Document Template
• Incident Responder Toolkit
• Incident Handling and Response Plan Requirements Template
• Incident Handling and Response Policy and Procedure Document Template
• Incident Handler Checklist
• Forensics Investigative Analysis Report

Recognition / Endorsement / Mapping

E|CIHv3 Is the Most Desirable Program According to the Top Incident Handling Professionals Globally

The E|CIH is the most comprehensive program and provided tools and
methodologies applicable to any industry. Helped me a lot to develop
my job, so I can offer my organization the best practices and best ways
to identify

Pedro Pachon
Cybersecurity Chief
Falabella Bank (Colombia)

The E|CIH course helps us to analyze the risk and, before that, also to
respond to any incident: what precautions one should take to
protect an organization from breaches, and more on data
protection as well.

Elysha Esaivani
Problem Manager

The E|CIH helps to respond to any cyber incidents or espionage
incidents that will happen to any organization, and this really helps us
to contain them as soon as possible. The E|CIH course enables me to
understand from where the attack initiates and until where we can
contain or control it and get everything back online.

Mathimohan Daniel Raja
Associate Analyst

This course is very useful for companies because you learn how to create
a successful incident response path. Furthermore this program gives you
the right approach when facing an incident, giving you the correct and
adequate solutions. This also includes legal aspects. More than giving you
the right approach, the program also teaches you the basic techniques
in incident handling so that we can work on them.

Giovanni Miglionico
IT Security Manager

As a cybersecurity team member, my purpose is to know how the team
should react when malicious attackers perform some malicious activity on
their network or on physical security. So, with this course, my
knowledge of how an initial response team can react and perform some
action is very useful to improve my skill and mindset when I do some
operation.

Edoardo Rosa
Cybersecurity Specialist

The E|CIH program provides a technical vision with many labs and tools
to be used in the cybersecurity field. And gives you the standards and
protocols which are essential in incident handling. E|CIH is very useful
and gave me a base on which I can proceed in my cybersecurity
career.

Lorenzo Pomanti
System Engineer

About EC-Council
EC-Council invented the Certified Ethical Hacker. Founded in 2001 in response to 9/11, EC-Council's mission
is to provide the training and certifications apprentice and experienced cyber security professionals
need to keep corporations, government agencies, and others who employ them safe from attack.

Best known for its Certified Ethical Hacker program, EC-Council today offers 200 different training
programs, certifications, and degrees in everything from Computer Forensic Investigation and Security
Analysis to Threat Intelligence and Information Security. An ISO/IEC 17024 Accredited Organization
recognized under the US Defense Department Directive 8140/8570 and many other authoritative
cybersecurity bodies worldwide, the company has certified over 350,000 professionals across the globe.
Trusted by seven of the Fortune 10, half of the Fortune 100, and various public and private agencies
across 140 nations, EC-Council is the gold standard in cybersecurity education and certification.

A truly global organization with a driving belief in bringing diversity, equity, and inclusion to the modern
cybersecurity workforce, EC-Council maintains 11 offices in the U.S., the UK, India, Malaysia, Singapore, and
Indonesia.

www.eccouncil.org
