The security organization is looking for a solution that could help them determine with a strong level of confidence that attackers have breached their network. Which solution is MOST effective at discovering a successful network breach?
A.
Developing a sandbox
B.
Installing an intrusion detection system (IDS)
C.
Deploying a honeypot
D.
Installing an intrusion prevention system (IPS)
IDS can give a false positive alert, hence not always the strongest evidence of intrusion. Any intrusion on the honeypot is a strong evidence of intrusion.
Also, IDS can be deployed to detect the intrusion on honeypot
B is correct.
Honeypots - Honeypot gives administrators an opportunity to observe an attacker’s activity without compromising the live environment. In some cases, the honeypot is designed to delay an intruder long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible.
IDS is for confirming the detection, honeypot is just to observe and learn or give a false impression of system vulnerability/divert the efforts of attacker.
the question says "successful network breach" the honeypot can be left untouched and my network breached.
by other side, IDS will see the patterns on traffic and notice the breach
A honeypot is a decoy system intentionally designed to attract attackers by simulating vulnerable services or assets. IDS helps detect known attack patterns and anomalies but can generate false positives and may not detect low-and-slow intrusions.
Are we suggesting that HoneyPots should be deployed to procution networks. if the Honeypot is properly set up on a non prodcution network , would this scenario be a sucessful network breech or a sucessful diversion and delay of the attacker. A sucessful network attack against a honey pot is like a sucessful carjacking of a car with no gas. Furthermore , the Honeypot is pretty much useless without an IDS.
C can tell you if a breach has possibly occured. Malware making its way to the honeypot server tells you it bypassed the 2 other 2 best answers... IDS and IPS.
C is correct.
A honeypot is not on the same network; therefore, there is no strong level of confidence that the network has been breached. This is what the question is asking
IDS = MOST effective at discovering a successful network breach. IDS will provide evidence of breach.
Honeypot = to entice the attackers. It does not mean that network is breached.
C. Deploying a honeypot
A honeypot is a security mechanism that is intentionally set up to mimic a target system or network, designed to lure attackers. When an attacker breaches a honeypot, it is a strong indicator that a network breach has occurred because there is no legitimate reason for anyone to access the honeypot system or network. Honeypots are designed to be highly monitored and have no legitimate traffic, so any activity in them is suspicious.
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) primarily focus on detecting and preventing known attacks or suspicious traffic patterns, and they may not always provide the same level of confidence in identifying a successful breach as honeypots do.
The question says that the attackers have already breached the network, so they are already established and not necessarily will move to the honeypot.
Analysing network traffic with an IDS might be the best option for this case.
CISSP CBK prefers option "C" (Honeypot), emphasizing that honeypots should be deployed appropriately. From a practical perspective, however, it's important to note that honeypots are not always effective at detecting all types of attacks, and they can also be risky to deploy as they create a potential target for attackers. In the context of the original question, an intrusion detection system (IDS) would still be the most effective solution for discovering successful network breaches, as it can detect both known and unknown threats by analyzing network traffic for signs of suspicious activity. Additionally, IDS systems can be configured to generate alerts and notifications to security personnel when suspicious activity is detected, allowing for immediate action to be taken to prevent or mitigate the impact of a breach.
But we should be in limits of the official ISC2 CBK, so that's why we chose option C (Honeypot).
This section is not available anymore. Please use the main Exam Page.CISSP Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
AJohn1
Highly Voted 2 years, 10 months agojackdryan
2 years, 3 months agohomeysl
1 year, 10 months agosec_007
Highly Voted 2 years, 9 months agodjedwards
Most Recent 2 months agobassfunk
2 months, 2 weeks agoHarkonMoseley
2 months, 3 weeks agoBigITGuy
4 months, 3 weeks agoMaggieeeee
7 months, 2 weeks agostack120566
8 months, 2 weeks agoCCNPWILL
1 year, 2 months agoTheManiac
1 year, 3 months agoYokota
1 year, 3 months agosbear123
1 year, 5 months agoSoleandheel
1 year, 8 months agodekoren
1 year, 9 months agohomeysl
1 year, 10 months agorsantunes
1 year, 10 months ago74gjd_37
1 year, 11 months ago