Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
The security organization is looking for a solution that could help them determine with a strong level of confidence that attackers have breached their network. Which solution is MOST effective at discovering a successful network breach?
A.
Developing a sandbox
B.
Installing an intrusion detection system (IDS)
C.
Deploying a honeypot
D.
Installing an intrusion prevention system (IPS)
IDS can give a false positive alert, hence not always the strongest evidence of intrusion. Any intrusion on the honeypot is a strong evidence of intrusion.
Also, IDS can be deployed to detect the intrusion on honeypot
B is correct.
Honeypots - Honeypot gives administrators an opportunity to observe an attacker’s activity without compromising the live environment. In some cases, the honeypot is designed to delay an intruder long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible.
IDS is for confirming the detection, honeypot is just to observe and learn or give a false impression of system vulnerability/divert the efforts of attacker.
IDS = MOST effective at discovering a successful network breach. IDS will provide evidence of breach.
Honeypot = to entice the attackers. It does not mean that network is breached.
C. Deploying a honeypot
A honeypot is a security mechanism that is intentionally set up to mimic a target system or network, designed to lure attackers. When an attacker breaches a honeypot, it is a strong indicator that a network breach has occurred because there is no legitimate reason for anyone to access the honeypot system or network. Honeypots are designed to be highly monitored and have no legitimate traffic, so any activity in them is suspicious.
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) primarily focus on detecting and preventing known attacks or suspicious traffic patterns, and they may not always provide the same level of confidence in identifying a successful breach as honeypots do.
The question says that the attackers have already breached the network, so they are already established and not necessarily will move to the honeypot.
Analysing network traffic with an IDS might be the best option for this case.
CISSP CBK prefers option "C" (Honeypot), emphasizing that honeypots should be deployed appropriately. From a practical perspective, however, it's important to note that honeypots are not always effective at detecting all types of attacks, and they can also be risky to deploy as they create a potential target for attackers. In the context of the original question, an intrusion detection system (IDS) would still be the most effective solution for discovering successful network breaches, as it can detect both known and unknown threats by analyzing network traffic for signs of suspicious activity. Additionally, IDS systems can be configured to generate alerts and notifications to security personnel when suspicious activity is detected, allowing for immediate action to be taken to prevent or mitigate the impact of a breach.
But we should be in limits of the official ISC2 CBK, so that's why we chose option C (Honeypot).
I thought it was a honeypot but it seems an IDS is the better answer:
"The breach is discovered internally (via review of intrusion detection system logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts)."
https://www.securitymetrics.com/learn/how-to-effectively-manage-a-data-breach
Also, a honeypot would be in the DMZ and therefore your network is not breached. The question clearly states that the network breach has been successful. So I am going with IDS.
C. Deploying a honeypot is most effective at discovering a successful network breach. A honeypot is a security mechanism that is used to detect, deflect, or study attempts to penetrate a computer system. It is a decoy system that is set up to attract and identify potential attackers, and to understand their methods and techniques. Honeypots are useful for identifying suspicious activity on a network, such as unauthorized access or data exfiltration, which can indicate a successful network breach.
Sometimes security isn’t exactly intuitive. Eventually, stricter firewall and IDS placements will add cost and hurt usability without reducing risk. A more active form of security is to lay traps in your network that can deceive attackers who have already infiltrated the network, making it easier for you to detect or disrupt their activities.
One example is a honeypot system designed to be open to attack, like a server with plausibly flawed or inadequate security controls. In truth, it’s a decoy: the honeypot has no valuable resources, and it’s isolated from the rest of the network (in a DMZ, for example) so that compromising it won’t even be useful for lateral movement.
Answer is C. Key word is "MOST effective at discovering a successful network breach". Remember, the intention is not to have the production IPS and IDP systems breached. If that's the case then replace them.
Honeypot is for this purpose so the data can be examined and actioned upon.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
AJohn1
Highly Voted 1 year, 6 months agojackdryan
11 months, 1 week agohomeysl
6 months agosec_007
Highly Voted 1 year, 5 months agosbear123
Most Recent 3 weeks, 6 days agoharold1967
1 month, 4 weeks agoSoleandheel
4 months, 1 week agodekoren
5 months agohomeysl
6 months agorsantunes
6 months ago74gjd_37
6 months, 3 weeks agodumdada
10 months, 2 weeks agoHughJassole
10 months, 2 weeks agosyyt
1 year agoDJOEK
1 year, 3 months agoDelab202
1 year, 3 months agoringoru
1 year, 4 months agoMann0302
1 year, 4 months agosphenixfire
1 year, 4 months ago