Exam CISSP topic 1 question 237 discussion

Actual exam question from ISC's CISSP
Question #: 237
Topic #: 1

The security organization is looking for a solution that could help them determine with a strong level of confidence that attackers have breached their network.
Which solution is MOST effective at discovering a successful network breach?

  • A. Developing a sandbox
  • B. Installing an intrusion detection system (IDS)
  • C. Deploying a honeypot
  • D. Installing an intrusion prevention system (IPS)
Suggested Answer: C

Comments

AJohn1
Highly Voted 1 year, 6 months ago
Selected Answer: C
IDS can give a false positive alert, hence not always the strongest evidence of intrusion. Any intrusion on the honeypot is strong evidence of intrusion. Also, IDS can be deployed to detect the intrusion on honeypot.
upvoted 8 times
jackdryan
11 months, 1 week ago
C is correct
upvoted 1 times
...
homeysl
6 months ago
So you're saying that IDS is the tool to detect intrusion because it can also be deployed in the honeypot?
upvoted 2 times
...
...
sec_007
Highly Voted 1 year, 5 months ago
Selected Answer: B
B is correct. Honeypots - Honeypot gives administrators an opportunity to observe an attacker’s activity without compromising the live environment. In some cases, the honeypot is designed to delay an intruder long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible. IDS is for confirming the detection, honeypot is just to observe and learn or give a false impression of system vulnerability/divert the efforts of attacker.
upvoted 6 times
...
sbear123
Most Recent 3 weeks, 6 days ago
Selected Answer: B
IDS = MOST effective at discovering a successful network breach. IDS will provide evidence of breach. Honeypot = to entice the attackers. It does not mean that network is breached.
upvoted 1 times
...
harold1967
1 month, 4 weeks ago
Selected Answer: C
If IDS was the answer, IPS is just as good, so it's the honeypot.
upvoted 2 times
...
Soleandheel
4 months, 1 week ago
C. Deploying a honeypot. A honeypot is a security mechanism that is intentionally set up to mimic a target system or network, designed to lure attackers. When an attacker breaches a honeypot, it is a strong indicator that a network breach has occurred because there is no legitimate reason for anyone to access the honeypot system or network. Honeypots are designed to be highly monitored and have no legitimate traffic, so any activity in them is suspicious. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) primarily focus on detecting and preventing known attacks or suspicious traffic patterns, and they may not always provide the same level of confidence in identifying a successful breach as honeypots do.
upvoted 2 times
...
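The reasoning in the comment above (a decoy carries no legitimate traffic, so any contact with it is a high-confidence signal) written as a small detection check over flow records. This is an added example, not part of the original thread; the decoy addresses, internal range, allowlisted management host and log format are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Hypothetical environment: decoy hosts, internal address space, and the one
# management host that is expected to touch the decoys (patching/monitoring).
DECOYS = {ipaddress.ip_address("10.20.30.40"), ipaddress.ip_address("10.20.30.41")}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_SOURCES = {ipaddress.ip_address("10.0.0.5")}

# Constructed sample flow records: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2024-01-10T02:14:07Z 10.1.4.23 10.20.30.40 445
2024-01-10T02:14:09Z 10.1.4.23 10.20.30.41 3389
2024-01-10T02:15:00Z 10.0.0.5 10.20.30.40 22
2024-01-10T02:16:30Z 10.1.7.8 10.1.9.9 443
2024-01-10T02:17:12Z 203.0.113.50 10.20.30.40 22
not a flow line
"""

def decoy_alerts(flow_text):
    """Return {source: {"origin": str, "touches": [(ts, dst, port), ...]}}."""
    alerts = defaultdict(lambda: {"origin": None, "touches": []})
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record
        ts, src_s, dst_s, port_s = parts
        try:
            src = ipaddress.ip_address(src_s)
            dst = ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # unparseable address or port
        # No signature matching: the only test is "did anyone touch a decoy?"
        if dst not in DECOYS or src in ALLOWED_SOURCES:
            continue
        # An internal source means a host already inside the network is probing.
        origin = "internal" if any(src in net for net in INTERNAL) else "external"
        alerts[str(src)]["origin"] = origin
        alerts[str(src)]["touches"].append((ts, str(dst), port))
    return dict(alerts)

if __name__ == "__main__":
    for src, info in decoy_alerts(SAMPLE_FLOWS).items():
        print(src, info["origin"], len(info["touches"]), "decoy touches")
```

The check stays silent for an intruder who never contacts a decoy, which is the limitation other commenters in this thread raise.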
dekoren
5 months ago
Selected Answer: B
IDS is a system primarily for the detection of network threats. I would say that IDS makes more sense than a honeypot.
upvoted 1 times
...
homeysl
6 months ago
Selected Answer: B
B is my answer. Attackers already breached the network, honeypot is useless at that point.
upvoted 2 times
...
rsantunes
6 months ago
Selected Answer: B
The question says that the attackers have already breached the network, so they are already established and will not necessarily move to the honeypot. Analysing network traffic with an IDS might be the best option for this case.
upvoted 2 times
...
74gjd_37
6 months, 3 weeks ago
Selected Answer: C
CISSP CBK prefers option "C" (Honeypot), emphasizing that honeypots should be deployed appropriately. From a practical perspective, however, it's important to note that honeypots are not always effective at detecting all types of attacks, and they can also be risky to deploy as they create a potential target for attackers. In the context of the original question, an intrusion detection system (IDS) would still be the most effective solution for discovering successful network breaches, as it can detect both known and unknown threats by analyzing network traffic for signs of suspicious activity. Additionally, IDS systems can be configured to generate alerts and notifications to security personnel when suspicious activity is detected, allowing for immediate action to be taken to prevent or mitigate the impact of a breach. But we should stay within the limits of the official ISC2 CBK, so that's why we chose option C (Honeypot).
upvoted 3 times
...
dumdada
10 months, 2 weeks ago
An attacker might not go for the honeypot. But an IDS will always see if there is an intrusion, with or without a honeypot.
upvoted 1 times
...
HughJassole
10 months, 2 weeks ago
I thought it was a honeypot but it seems an IDS is the better answer: "The breach is discovered internally (via review of intrusion detection system logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts)." https://www.securitymetrics.com/learn/how-to-effectively-manage-a-data-breach Also, a honeypot would be in the DMZ and therefore your network is not breached. The question clearly states that the network breach has been successful. So I am going with IDS.
upvoted 2 times
...
syyt
1 year ago
Selected Answer: C
Honeypot is the correct answer.
upvoted 1 times
...
DJOEK
1 year, 3 months ago
Selected Answer: C
C. Deploying a honeypot is most effective at discovering a successful network breach. A honeypot is a security mechanism that is used to detect, deflect, or study attempts to penetrate a computer system. It is a decoy system that is set up to attract and identify potential attackers, and to understand their methods and techniques. Honeypots are useful for identifying suspicious activity on a network, such as unauthorized access or data exfiltration, which can indicate a successful network breach.
upvoted 1 times
...
Delab202
1 year, 3 months ago
Sometimes security isn’t exactly intuitive. Eventually, stricter firewall and IDS placements will add cost and hurt usability without reducing risk. A more active form of security is to lay traps in your network that can deceive attackers who have already infiltrated the network, making it easier for you to detect or disrupt their activities. One example is a honeypot system designed to be open to attack, like a server with plausibly flawed or inadequate security controls. In truth, it’s a decoy: the honeypot has no valuable resources, and it’s isolated from the rest of the network (in a DMZ, for example) so that compromising it won’t even be useful for lateral movement.
upvoted 1 times
...
ringoru
1 year, 4 months ago
Selected Answer: C
Answer is C. Key word is "MOST effective at discovering a successful network breach". Remember, the intention is not to have the production IPS and IDP systems breached. If that's the case then replace them. Honeypot is for this purpose so the data can be examined and actioned upon.
upvoted 3 times
...
Mann0302
1 year, 4 months ago
Selected Answer: B
B fits the scenario, especially looking at the first sentence. It seems to be a live network instead of a network just set up to entice intruders.
upvoted 1 times
...
sphenixfire
1 year, 4 months ago
Selected Answer: B
"successful network breach", therefore B
upvoted 1 times
...