Exam CISSP topic 1 question 237 discussion

IDS can give a false positive alert, hence not always the strongest evidence of intrusion. Any intrusion on the honeypot is a strong evidence of intrusion. Also, IDS can be deployed to detect the intrusion on honeypot

B is correct. Honeypots - Honeypot gives administrators an opportunity to observe an attacker’s activity without compromising the live environment. In some cases, the honeypot is designed to delay an intruder long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible. IDS is for confirming the detection, honeypot is just to observe and learn or give a false impression of system vulnerability/divert the efforts of attacker.

The question asks "Most Effective" so I will go with B.

Even if they breach the network, they don't have to fall for the honeypot. I'd go with B.

the question says "successful network breach" the honeypot can be left untouched and my network breached. by other side, IDS will see the patterns on traffic and notice the breach

A honeypot is a decoy system intentionally designed to attract attackers by simulating vulnerable services or assets. IDS helps detect known attack patterns and anomalies but can generate false positives and may not detect low-and-slow intrusions.

The keyword here is "successful", which means the attack has happened.

Are we suggesting that HoneyPots should be deployed to procution networks. if the Honeypot is properly set up on a non prodcution network , would this scenario be a sucessful network breech or a sucessful diversion and delay of the attacker. A sucessful network attack against a honey pot is like a sucessful carjacking of a car with no gas. Furthermore , the Honeypot is pretty much useless without an IDS.

C can tell you if a breach has possibly occured. Malware making its way to the honeypot server tells you it bypassed the 2 other 2 best answers... IDS and IPS. C is correct.

with a strong level of confidence = honeypot. No one else would access it.

A honeypot is not on the same network; therefore, there is no strong level of confidence that the network has been breached. This is what the question is asking

IDS = MOST effective at discovering a successful network breach. IDS will provide evidence of breach. Honeypot = to entice the attackers. It does not mean that network is breached.

IF IDS was the answer, IPS is just as good so its the Honeypot

C. Deploying a honeypot A honeypot is a security mechanism that is intentionally set up to mimic a target system or network, designed to lure attackers. When an attacker breaches a honeypot, it is a strong indicator that a network breach has occurred because there is no legitimate reason for anyone to access the honeypot system or network. Honeypots are designed to be highly monitored and have no legitimate traffic, so any activity in them is suspicious. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) primarily focus on detecting and preventing known attacks or suspicious traffic patterns, and they may not always provide the same level of confidence in identifying a successful breach as honeypots do.

IDS is a system primarily for the detection of network threats. I would say that IDS makes more sense than a honeypot.

B is my answer. Attackers already breached the network, honeypot is useless at that point.

The question says that the attackers have already breached the network, so they are already established and not necessarily will move to the honeypot. Analysing network traffic with an IDS might be the best option for this case.