Which of the following would BEST address the IDS visibility gap?

A security engineer is investigating a compromise that occurred between two internal computers. The engineer has determined during the investigation that one computer infected another. While reviewing the IDS logs, the engineer can view the outbound callback traffic, but sees no traffic between the two computers.
Which of the following would BEST address the IDS visibility gap?
A. Install network taps at the edge of the network.
B. Send syslog from the IDS into the SIEM.
C. Install HIDS on each computer.
D. SPAN traffic from the network core into the IDS.


6 thoughts on “Which of the following would BEST address the IDS visibility gap?”

    1. The question does not pertain to what you’re suggesting. It is asking about reducing the visibility gap, and not whether or not you can retrieve the info about what had already happened.

  1. C –
    SPANning traffic from the core to the IDS is going to dump a whole lot of traffic back to your IDS unnecessarily, dump duplicate communications toward the IDS, and tax your bandwidth. The threat is already inside. Computer-to-computer communication on the same subnet may or may not go back through the core. HIDS is the sensible, logical solution.

    1. But why? The issue is a lack of visibility, from the IDS standpoint, of these two internal computers communicating. Likely the IDS is too far out on a network border, or the computers are on the same LAN and do not pass a network barrier such as a router. This to me suggests a need for a host-based solution such as C. Maybe both computers flow through the core or maybe not, but a HIDS most definitely gives us the visibility we need.

      1. Agree with notarobot; the dubious malware communication might not traverse the core if it is on the local LAN.
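The comments above argue that an IDS on the perimeter, or a SPAN fed from the core, cannot see traffic that is switched within a single subnet, while a HIDS sees every flow its host sends or receives. The following Python model is added here as an illustration; it is not part of the original post or of any commenter's answer. It encodes each sensor's visibility rule and computes the gap (flows no sensor observes) for a constructed three-flow version of the question's scenario. The subnets, addresses, port numbers and flow labels are hypothetical, and the rules are deliberately simple: the edge sensor sees only traffic crossing the Internet boundary, the core SPAN sees only routed (inter-subnet or external) traffic, and a HIDS sees only its own host's traffic.

```python
"""Sensor-placement coverage model (added example, not from the original post).

Which observation point sees which flow?
- edge IDS:   only traffic that crosses the Internet perimeter
- core SPAN:  only traffic routed through the core (different subnets, or
              internal<->external); traffic switched inside one subnet never
              reaches the core and is invisible here
- HIDS:       every flow the monitored host sends or receives
Topology, addresses and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical internal subnets (RFC 1918 space); nothing else counts as internal.
INTERNAL_SUBNETS = (
    ip_network("10.10.20.0/24"),  # workstation VLAN A
    ip_network("10.10.30.0/24"),  # workstation VLAN B
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    label: str  # human-readable tag used in the coverage report


def subnet_of(ip: str):
    """Return the internal subnet containing ip, or None if it is external."""
    addr = ip_address(ip)
    for net in INTERNAL_SUBNETS:
        if addr in net:
            return net
    return None


def seen_by_edge_ids(flow: Flow) -> bool:
    """Perimeter IDS sees a flow only if exactly one endpoint is internal."""
    return (subnet_of(flow.src) is None) != (subnet_of(flow.dst) is None)


def seen_by_core_span(flow: Flow) -> bool:
    """Core SPAN sees routed traffic: different internal subnets, or one
    internal and one external endpoint. Same-subnet traffic is not routed."""
    s, d = subnet_of(flow.src), subnet_of(flow.dst)
    if s is None and d is None:
        return False  # purely external traffic never touches our core
    return s != d


def seen_by_hids(flow: Flow, host: str) -> bool:
    """A HIDS on host sees every flow that host is an endpoint of."""
    return host in (flow.src, flow.dst)


def coverage(flows, *, edge_ids=True, core_span=False, hids_hosts=()):
    """Map each deployed sensor to the set of flow labels it observes."""
    result = {}
    if edge_ids:
        result["edge_ids"] = {f.label for f in flows if seen_by_edge_ids(f)}
    if core_span:
        result["core_span"] = {f.label for f in flows if seen_by_core_span(f)}
    for host in hids_hosts:
        result[f"hids:{host}"] = {f.label for f in flows if seen_by_hids(f, host)}
    return result


def visibility_gap(flows, **sensors):
    """Flow labels that none of the deployed sensors observes."""
    observed = set().union(*coverage(flows, **sensors).values())
    return {f.label for f in flows} - observed


# Constructed flows (not captured traffic): the scenario from the question,
# plus one cross-subnet lateral flow to show what the core SPAN does add.
SAMPLE_FLOWS = [
    Flow("10.10.20.5", "10.10.20.9", 445, "lateral SMB A->B (same subnet)"),
    Flow("10.10.20.5", "10.10.30.7", 3389, "lateral RDP A->C (cross-subnet)"),
    Flow("10.10.20.9", "203.0.113.10", 443, "outbound callback B->C2"),
]

if __name__ == "__main__":
    for name, labels in coverage(SAMPLE_FLOWS, core_span=True,
                                 hids_hosts=["10.10.20.5"]).items():
        print(f"{name:>18}: {sorted(labels)}")
    print("gap, edge IDS only      :", visibility_gap(SAMPLE_FLOWS))
    print("gap, edge + core SPAN   :", visibility_gap(SAMPLE_FLOWS, core_span=True))
    print("gap, edge + HIDS on A   :",
          visibility_gap(SAMPLE_FLOWS, hids_hosts=["10.10.20.5"]))
    print("gap, edge + HIDS on B   :",
          visibility_gap(SAMPLE_FLOWS, hids_hosts=["10.10.20.9"]))
```

Running it shows the point the thread is making: with only the edge IDS, both lateral flows are invisible; adding the core SPAN recovers the cross-subnet flow but still misses the same-subnet one; a HIDS on the infecting host sees both of its lateral flows. It also shows why the answer says "on each computer": a HIDS on the infected host alone still leaves the other host's lateral traffic unobserved.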
