An organization thinks that its network has active, malicious activity on it. Which of the following capabilities would BEST help to expose the adversary?
If you are a CISO for a company, and you recommend spending more money on expanding SOC functions just because you THINK there are malicious activities on the network, consider the consequences when it turns out there is no actual malicious activity, and you hired extra people for no reason.
- Threat hunting: a proactive approach where security teams actively search for potential threats within the network, rather than passively waiting for alerts to trigger. This allows them to identify malicious activity early on when the attacker is still establishing a foothold.
- Honeypots: While useful for collecting information on attacker behavior and techniques, they are primarily designed to attract attackers. They might not reveal existing malicious activity already present on the network.
Installing a honeypot and other decoys: While honeypots can attract adversaries and gather intelligence, they are passive and may not expose threats that do not interact with them.
A. Installing a honeypot and other decoys: While honeypots can attract and deceive attackers, they are passive in nature and may not actively expose adversaries already present in the network. SOC hunting involves more active detection and response capabilities.
A: Honeypots and Decoys are the best method to expose malicious actors/activity. They are specifically implemented to bait attackers.
Threat Hunting is not intended to expose active malicious activity. Threat Hunting or Hunt Teaming is a proactive measure in Incident Detection where the team is proactively looking for vulnerabilities BEFORE they are exploited.
Source: Sybex CASP+ Study Guide, Ch. 4 - Proactive Detection, pg. 153-154
Too much extraneous discussion regarding active/passive whatever.
Honeypots are a good idea BEFORE you suspect active, malicious activity.
Once you suspect active, malicious activity, a honeypot is not the best move.
Question states:
[...organization thinks that its network has active, malicious activity...]
SOC needs to go hunting.
Which of the following capabilities would BEST help to expose the adversary?
B. Expanding SOC functions to include hunting
Originally thought A, but A is passive while B is active. Going hunting is an active way to find the threat rather than waiting for the honeypot to get something.
The capability that would best help to expose the adversary is B. Expanding SOC (Security Operations Center) functions to include hunting.
Threat hunting involves proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. In this context, expanding SOC functions to include hunting would mean actively looking for signs of malicious activity within an organization’s network to detect threats that automated systems may have missed. Therefore, the correct answer is B. Expanding SOC functions to include hunting.
The capability that would BEST help expose the adversary in a network suspected of having active malicious activity is:
B. Expanding SOC functions to include hunting
Explanation:
Installing a honeypot and other decoys (Option A): Honeypots and decoys can attract and detect malicious activity by mimicking real systems or services. However, they are passive in nature and might not expose an adversary actively operating within the network.
Installing a honeypot and other decoys can attract adversaries and help in studying their behavior, but it's more reactive than proactive and may not expose existing malicious activity.
On the other hand, expanding SOC functions to include threat hunting (Option B) is a proactive and continuous approach to actively search for signs of malicious activity within the network. This approach aims to uncover adversaries who may have evaded detection and are currently operating within the network. It involves ongoing investigation and analysis to identify hidden threats.
Honeypots may cause a threat actor to fall for the bait and expose themselves, but it's not as comprehensive as poring through SOC data from all systems to hunt for an active threat. I'd compare it to trying to find a bandit in the woods. Which would be better? Setting up some traps and hoping the bandit wanders across them and takes the bait, or sending out a large search party and looking over the entire area?
When thinking about the word "expose", it leads me to think about "gather evidence", which is something a honeypot would do.
However, if the word "Active", or other action words, had been in this question, I'd choose threat hunt.