Exam CISSP topic 1 question 237 discussion

IDS can give a false positive alert, hence not always the strongest evidence of intrusion. Any intrusion on the honeypot is a strong evidence of intrusion. Also, IDS can be deployed to detect the intrusion on honeypot

B is correct. Honeypots - Honeypot gives administrators an opportunity to observe an attacker’s activity without compromising the live environment. In some cases, the honeypot is designed to delay an intruder long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible. IDS is for confirming the detection, honeypot is just to observe and learn or give a false impression of system vulnerability/divert the efforts of attacker.

The keyword here is "successful", which means the attack has happened.

Are we suggesting that HoneyPots should be deployed to procution networks. if the Honeypot is properly set up on a non prodcution network , would this scenario be a sucessful network breech or a sucessful diversion and delay of the attacker. A sucessful network attack against a honey pot is like a sucessful carjacking of a car with no gas. Furthermore , the Honeypot is pretty much useless without an IDS.

C can tell you if a breach has possibly occured. Malware making its way to the honeypot server tells you it bypassed the 2 other 2 best answers... IDS and IPS. C is correct.

with a strong level of confidence = honeypot. No one else would access it.

A honeypot is not on the same network; therefore, there is no strong level of confidence that the network has been breached. This is what the question is asking

IDS = MOST effective at discovering a successful network breach. IDS will provide evidence of breach. Honeypot = to entice the attackers. It does not mean that network is breached.

IF IDS was the answer, IPS is just as good so its the Honeypot

C. Deploying a honeypot A honeypot is a security mechanism that is intentionally set up to mimic a target system or network, designed to lure attackers. When an attacker breaches a honeypot, it is a strong indicator that a network breach has occurred because there is no legitimate reason for anyone to access the honeypot system or network. Honeypots are designed to be highly monitored and have no legitimate traffic, so any activity in them is suspicious. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) primarily focus on detecting and preventing known attacks or suspicious traffic patterns, and they may not always provide the same level of confidence in identifying a successful breach as honeypots do.

IDS is a system primarily for the detection of network threats. I would say that IDS makes more sense than a honeypot.

B is my answer. Attackers already breached the network, honeypot is useless at that point.

The question says that the attackers have already breached the network, so they are already established and not necessarily will move to the honeypot. Analysing network traffic with an IDS might be the best option for this case.

CISSP CBK prefers option "C" (Honeypot), emphasizing that honeypots should be deployed appropriately. From a practical perspective, however, it's important to note that honeypots are not always effective at detecting all types of attacks, and they can also be risky to deploy as they create a potential target for attackers. In the context of the original question, an intrusion detection system (IDS) would still be the most effective solution for discovering successful network breaches, as it can detect both known and unknown threats by analyzing network traffic for signs of suspicious activity. Additionally, IDS systems can be configured to generate alerts and notifications to security personnel when suspicious activity is detected, allowing for immediate action to be taken to prevent or mitigate the impact of a breach. But we should be in limits of the official ISC2 CBK, so that's why we chose option C (Honeypot).

An attacker might not go for the honeypot. But an IDS will always see if there is an intrusion, with or without a honeypot

I thought it was a honeypot but it seems an IDS is the better answer: "The breach is discovered internally (via review of intrusion detection system logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts)." https://www.securitymetrics.com/learn/how-to-effectively-manage-a-data-breach Also, a honeypot would be in the DMZ and therefore your network is not breached. The question clearly states that the network breach has been successful. So I am going with IDS.

Honeypot is the correct answer.