Jake, a senior incident responder in a financial institution's SOC, receives a high-severity alert from...

The EC-Council Incident Handler (ECIH) curriculum states that during the detection and analysis phase, responders must validate the incident before taking disruptive containment actions. In suspected DoS attacks, traffic analysis is critical to confirm attack patterns such as SYN floods characterized by numerous half-open TCP connections.

Inspecting network traffic using packet captures, firewall logs, and IDS telemetry allows responders to confirm the nature of the attack, identify source IP behavior, and determine whether IP spoofing or distributed sources are involved. This ensures appropriate mitigation such as SYN cookies, rate limiting, or upstream filtering.

Option A is unrelated. Option B may disrupt business operations prematurely. Option D (rebooting) does not address the attack and may temporarily relieve symptoms without mitigation.

ECIH emphasizes evidence preservation, traffic validation, and controlled response during DoS incidents. Therefore, the first step is to inspect network traffic to confirm the attack pattern and verify source behavior.