
CAS-004 Exam - Question 276


An organization thinks that its network has active, malicious activity on it. Which of the following capabilities would BEST help to expose the adversary?

Correct Answer: B

When an organization suspects active malicious activity within its network, the most effective approach to expose the adversary is to proactively search for them. Expanding SOC (Security Operations Center) functions to include threat hunting involves actively and iteratively searching through the network to detect and isolate advanced threats that may have evaded existing security solutions. This method allows for thorough investigation and analysis, increasing the chances of identifying and responding to malicious activity. Unlike honeypots and decoys, which are more passive and reactive, threat hunting is a dynamic and continuous approach better suited for exposing adversaries already operating within the network.

Discussion

17 comments
ewbafoow (Option: A)
May 20, 2023

Best answer feels like Honeypot and Decoys, as their primary purpose is to expose or trap adversaries. I am unsure how B could be the answer.

ThatGuyOverThere (Option: B)
Oct 31, 2023

Honeypots may cause a threat actor to fall for the bait and expose themselves, but it's not as comprehensive as poring through SOC data from all systems to hunt for an active threat. I'd compare it to trying to find a bandit in the woods. Which would be better? Setting up some traps and hoping the bandit wanders across them and takes the bait, or sending out a large search party and looking over the entire area?

hb0011 (Option: B)
Jan 15, 2024

If you think you have threats you need to go hunting.

ElDirec (Option: B)
Feb 4, 2024

The capability that would best help to expose the adversary is B. Expanding SOC (Security Operations Center) functions to include hunting. Threat hunting involves proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. In this context, expanding SOC functions to include hunting would mean actively looking for signs of malicious activity within an organization’s network to detect threats that automated systems may have missed. Therefore, the correct answer is B. Expanding SOC functions to include hunting.

userguy890 (Option: B)
Feb 23, 2024

Originally thought A, but A is passive while B is active. Going hunting is an active way to find the threat rather than waiting for the honeypot to get something.

Uncle_Lucifer (Option: B)
Aug 30, 2023

This is certainly B. Deception/honeypots are to monitor or observe an attacker's techniques, not to detect malicious code. Hunting is a continuous, proactive approach that aims to detect adversaries that have managed to bypass initial security measures. It involves actively seeking out signs of malicious activity and investigating them further to determine if they pose a real threat.

isaphiltrick
Sep 1, 2023

I think you're overthinking this question. It says that the org already suspects that there is active malicious activity in its network. The question asks what is best to "expose" the adversary, not detect malicious codes. So if they set up a honeypot and it gets attacked, then they now know what they're dealing with and can act accordingly--observe, mitigate, etc.

Zulunation
Sep 4, 2023

Installing a honeypot and other decoys is also a valid approach to detecting malicious activity on a network. A honeypot is a security mechanism that is used to detect, deflect, or counteract attempts at unauthorized use of information systems. It is a decoy system that is intended to be attacked or compromised to divert attackers from valuable targets. Honeypots can be used to collect information about attackers' methods and tools, and to learn how to better protect real systems. However, while honeypots and other decoys can be effective at detecting certain types of attacks, they may not be as effective at exposing an active adversary that is already present on the network. Expanding SOC functions to include hunting (Option B) is a more proactive approach that can help the organization actively search for signs of malicious activity and take steps to expose the threat.

OdinAtlasSteel (Option: B)
Nov 7, 2023

Installing a honeypot and other decoys can attract adversaries and help in studying their behavior, but it's more reactive than proactive and may not expose existing malicious activity. On the other hand, expanding SOC functions to include threat hunting (Option B) is a proactive and continuous approach to actively search for signs of malicious activity within the network. This approach aims to uncover adversaries who may have evaded detection and are currently operating within the network. It involves ongoing investigation and analysis to identify hidden threats.

abrub (Option: B)
Jan 7, 2024

The capability that would BEST help expose the adversary in a network suspected of having active malicious activity is: B. Expanding SOC functions to include hunting

Explanation:

Installing a honeypot and other decoys (Option A): Honeypots and decoys can attract and detect malicious activity by mimicking real systems or services. However, they are passive in nature and might not expose an adversary actively operating within the network.

talosDevbot
Jan 15, 2024

I concur. Honeypots are passive while threat hunting is active.

surfuganda (Option: B)
Apr 7, 2024

Too much extraneous discussion regarding active/passive whatever. Honeypots are a good idea BEFORE you suspect active, malicious activity. Once you suspect active, malicious activity, a honeypot is not the best move.

Question states: [...organization thinks that its network has active, malicious activity...] SOC needs to go hunting.

Which of the following capabilities would BEST help to expose the adversary? B. Expanding SOC functions to include hunting

CXSSP (Option: B)
Sep 10, 2023

B. Expanding SOC functions to include hunting

Expanding the Security Operations Center (SOC) functions to include hunting would be the best option for exposing the adversary in this scenario. Here's a brief explanation for each option:

A. Installing a honeypot and other decoys: While honeypots and decoys can attract and monitor malicious activity, they may not always directly expose the adversary's true identity or methods. It can provide valuable information, but it might not be the most effective way to directly expose the adversary.

B. Expanding SOC functions to include hunting: This involves proactive searching for threats, anomalies, and indicators of compromise within an organization's network. It allows for a more dynamic and continuous approach to identifying and responding to threats. This can be highly effective in exposing active, malicious activity.

CoinUmbrella (Option: A)
Sep 13, 2023

Honeypots and Decoys: Honeypots are intentionally deployed systems or networks designed to lure attackers. They appear as valuable targets for attackers but are isolated and closely monitored. By deploying honeypots and decoys, organizations can attract and engage potential adversaries, allowing security teams to closely monitor their activities, gather intelligence, and gain insights into the attacker's tactics, techniques, and procedures (TTPs). This can be an effective way to expose malicious activity and gather valuable threat intelligence.

Meep123 (Option: A)
Oct 2, 2023

When thinking about the word "expose", it leads me to think about "gather evidence", which is something a honeypot would do. However, if the word "Active", or other action words, would have been in this question, I'd choose threat hunt.

Meep123
Oct 2, 2023

"Active", or other similar action words**** (track, hunt, pursue, find, investigate, etc) Clarifying, as expose is also an action word.

Graysen (Option: A)
Nov 21, 2023

The answer is A.

e020fdc (Option: A)
Feb 16, 2024

Going with honeypot because the threat is active. Set a trap then expand SOC to go hunting.

e4af987 (Option: A)
Apr 2, 2024

Although the AI chatbots say B, I disagree, since an SOC is not in the scenario and the keywords are "...to EXPOSE the adversary".

MacherGaming (Option: A)
Jul 9, 2024

A: Honeypots and decoys are the best method to expose malicious actors/activity. They are specifically implemented to bait attackers. Threat hunting is not intended to expose active malicious activity. Threat hunting or hunt teaming is a proactive measure in incident detection where the team is proactively looking for vulnerabilities BEFORE they are exploited. Source: Sybex CASP+ Study Guide, Ch. 4 - Proactive Detection, pp. 153-154

23169fd (Option: B)
Jul 15, 2024

A. Installing a honeypot and other decoys: While honeypots can attract and deceive attackers, they are passive in nature and may not actively expose adversaries already present in the network. SOC hunting involves more active detection and response capabilities.