Exam CISSP topic 1 question 237 discussion

IDS can give a false positive alert, hence not always the strongest evidence of intrusion. Any intrusion on the honeypot is a strong evidence of intrusion. Also, IDS can be deployed to detect the intrusion on honeypot

B is correct. Honeypots - Honeypot gives administrators an opportunity to observe an attacker’s activity without compromising the live environment. In some cases, the honeypot is designed to delay an intruder long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible. IDS is for confirming the detection, honeypot is just to observe and learn or give a false impression of system vulnerability/divert the efforts of attacker.

C can tell you if a breach has possibly occured. Malware making its way to the honeypot server tells you it bypassed the 2 other 2 best answers... IDS and IPS. C is correct.

with a strong level of confidence = honeypot. No one else would access it.

A honeypot is not on the same network; therefore, there is no strong level of confidence that the network has been breached. This is what the question is asking

IDS = MOST effective at discovering a successful network breach. IDS will provide evidence of breach. Honeypot = to entice the attackers. It does not mean that network is breached.

IF IDS was the answer, IPS is just as good so its the Honeypot

C. Deploying a honeypot A honeypot is a security mechanism that is intentionally set up to mimic a target system or network, designed to lure attackers. When an attacker breaches a honeypot, it is a strong indicator that a network breach has occurred because there is no legitimate reason for anyone to access the honeypot system or network. Honeypots are designed to be highly monitored and have no legitimate traffic, so any activity in them is suspicious. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) primarily focus on detecting and preventing known attacks or suspicious traffic patterns, and they may not always provide the same level of confidence in identifying a successful breach as honeypots do.

IDS is a system primarily for the detection of network threats. I would say that IDS makes more sense than a honeypot.

B is my answer. Attackers already breached the network, honeypot is useless at that point.

The question says that the attackers have already breached the network, so they are already established and not necessarily will move to the honeypot. Analysing network traffic with an IDS might be the best option for this case.

CISSP CBK prefers option "C" (Honeypot), emphasizing that honeypots should be deployed appropriately. From a practical perspective, however, it's important to note that honeypots are not always effective at detecting all types of attacks, and they can also be risky to deploy as they create a potential target for attackers. In the context of the original question, an intrusion detection system (IDS) would still be the most effective solution for discovering successful network breaches, as it can detect both known and unknown threats by analyzing network traffic for signs of suspicious activity. Additionally, IDS systems can be configured to generate alerts and notifications to security personnel when suspicious activity is detected, allowing for immediate action to be taken to prevent or mitigate the impact of a breach. But we should be in limits of the official ISC2 CBK, so that's why we chose option C (Honeypot).

An attacker might not go for the honeypot. But an IDS will always see if there is an intrusion, with or without a honeypot

I thought it was a honeypot but it seems an IDS is the better answer: "The breach is discovered internally (via review of intrusion detection system logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts)." https://www.securitymetrics.com/learn/how-to-effectively-manage-a-data-breach Also, a honeypot would be in the DMZ and therefore your network is not breached. The question clearly states that the network breach has been successful. So I am going with IDS.

Honeypot is the correct answer.

C. Deploying a honeypot is most effective at discovering a successful network breach. A honeypot is a security mechanism that is used to detect, deflect, or study attempts to penetrate a computer system. It is a decoy system that is set up to attract and identify potential attackers, and to understand their methods and techniques. Honeypots are useful for identifying suspicious activity on a network, such as unauthorized access or data exfiltration, which can indicate a successful network breach.

Sometimes security isn’t exactly intuitive. Eventually, stricter firewall and IDS placements will add cost and hurt usability without reducing risk. A more active form of security is to lay traps in your network that can deceive attackers who have already infiltrated the network, making it easier for you to detect or disrupt their activities. One example is a honeypot system designed to be open to attack, like a server with plausibly flawed or inadequate security controls. In truth, it’s a decoy: the honeypot has no valuable resources, and it’s isolated from the rest of the network (in a DMZ, for example) so that compromising it won’t even be useful for lateral movement.