Domain 7: Security Operations Module 49 of 84

Detection and Preventative Measures

CISSP Domain 7 — Security Operations A — Investigations and Monitoring 10–12 minutes

Building a Defense That Thinks in Layers

No single security tool stops every attack. Signature-based antivirus misses zero-day exploits. Firewalls cannot detect encrypted command-and-control traffic. IDS alerts mean nothing if nobody is reading them. The organizations that detect breaches in days rather than months are not using one better tool — they are operating multiple detection and prevention layers that compensate for each other’s blind spots.

The exam does not test whether you can configure an IDS rule. It tests whether you know which detection method fits which threat, how different technologies complement each other, and where each one fails.

This module covers CISSP exam objective 7.7: implement and support detection and preventative measures. You need to understand the operational role of each technology, its strengths, its limitations, and how a security operations manager selects and integrates them into a coherent defense.


Intrusion Detection and Prevention Systems

IDS monitors and alerts. IPS monitors, alerts, and blocks. The distinction matters for the exam because each carries different operational risks.

Detection Methods

  • Signature-based (pattern matching) — Compares traffic or activity against a database of known attack signatures. High accuracy for known threats. Zero effectiveness against novel attacks. Requires constant signature updates to remain current. If the signature database is a week behind, the system is blind to everything discovered in that week.
  • Anomaly-based (statistical) — Establishes a baseline of normal behavior and alerts on deviations. Can detect unknown attacks because it is not looking for specific patterns — it is looking for anything unusual. The downside is false positives. Legitimate changes in the environment (new applications, new business partners, seasonal traffic patterns) trigger alerts until the baseline is updated.
  • Behavior-based (heuristic) — Analyzes the behavior of code or users to identify malicious intent. A file that attempts to modify the Windows registry, disable security tools, and establish an outbound connection exhibits malicious behavior regardless of whether its signature is in any database. More effective against zero-day threats than signature-based detection but more prone to false positives than signature matching.
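
To make the blind spots concrete, here is an added example (not part of the module) that runs all three detection methods over one constructed event stream: the signature match catches only the catalogued RAT, the anomaly baseline catches the uncatalogued outbound channel but also flags a newly deployed CRM as a false positive, and the behavior score catches updater.exe by what it does rather than by its name. The signature set, baseline and scoring thresholds are all assumptions constructed for the illustration.

```python
from collections import defaultdict

# Constructed endpoint/network telemetry: (host, process, action, detail). Not real data.
EVENTS = [
    ("ws01", "outlook.exe",   "net_connect", "outlook.office365.com:443"),
    ("ws01", "chrome.exe",    "net_connect", "crm.example.net:443"),    # newly deployed CRM, legitimate
    ("ws02", "known_rat.exe", "net_connect", "203.0.113.7:4444"),       # catalogued malware
    ("ws03", "updater.exe",   "reg_write",   "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    ("ws03", "updater.exe",   "proc_stop",   "MsMpEng.exe"),            # stops the AV engine
    ("ws03", "updater.exe",   "net_connect", "198.51.100.9:8443"),      # uncatalogued: no signature exists
    ("ws04", "chrome.exe",    "net_connect", "crm.example.net:443"),
]

# Signature-based: stand-in for a vendor signature database (constructed).
SIGNATURES = {"process": {"known_rat.exe"}, "dest": {"203.0.113.7:4444"}}

def signature_detect(events):
    """Exact match against known-bad names and destinations; blind to anything not catalogued."""
    return {(host, proc) for host, proc, _, detail in events
            if proc in SIGNATURES["process"] or detail in SIGNATURES["dest"]}

# Anomaly-based: per-host baseline of normal destinations, learned in an earlier period (constructed).
BASELINE = {
    "ws01": {"outlook.office365.com:443"},
    "ws02": {"outlook.office365.com:443"},
    "ws03": {"outlook.office365.com:443"},
    "ws04": {"outlook.office365.com:443", "crm.example.net:443"},  # baseline already refreshed
}

def anomaly_detect(events, baseline=BASELINE):
    """Flag every destination outside the host's baseline. Catches the unknown C2 channel,
    but also the legitimate new CRM on ws01 until its baseline is updated (a false positive)."""
    return [(host, detail) for host, _, action, detail in events
            if action == "net_connect" and detail not in baseline.get(host, set())]

# Behavior-based: score what a process does, regardless of its name. Checks are constructed.
SUSPICIOUS = {
    "reg_write":   lambda d: "\\Run\\" in d,                 # persistence via a Run key
    "proc_stop":   lambda d: d.lower() == "msmpeng.exe",      # tampering with a security tool
    "net_connect": lambda d: not d.endswith(":443"),          # outbound on an unusual port
}

def behavior_detect(events, threshold=2):
    """Return (host, process) pairs showing at least `threshold` distinct suspicious behaviors."""
    seen = defaultdict(set)
    for host, proc, action, detail in events:
        check = SUSPICIOUS.get(action)
        if check and check(detail):
            seen[(host, proc)].add(action)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}
```

Note that the known RAT shows only one suspicious behavior and falls below the behavior threshold, while updater.exe never matches a signature: neither method alone covers both.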

Deployment Considerations

  • Network-based (NIDS/NIPS) — Monitors network traffic on a segment. Effective for detecting network-level attacks. Blind to encrypted traffic unless SSL/TLS inspection is implemented. Placed at network boundaries and critical internal segments.
  • Host-based (HIDS/HIPS) — Installed on individual systems. Monitors file integrity, registry changes, system calls, and local network connections. Can see inside encrypted sessions because it operates at the endpoint level. Higher management overhead because it must be deployed and maintained on every host.

The operational risk of IPS is false positive blocking — legitimate traffic being dropped because it matches a rule too broadly. This is why IPS deployments require careful tuning and typically start in detection-only mode before enabling blocking.


Firewalls in Operations

Firewalls are a prevention control, but their operational effectiveness depends on rule management, logging, and integration with the broader security architecture.

  • Rule review — Firewall rules accumulate over time. Rules added for temporary projects remain long after the project ends. Annual rule reviews identify and remove obsolete rules that expand the attack surface unnecessarily.
  • Logging and monitoring — Firewall logs should feed into the SIEM for correlation. Allowed traffic is often more interesting than blocked traffic from a detection standpoint — an attacker who has bypassed the firewall will generate allowed connections to unusual destinations.
  • Change management — Firewall rule changes should follow the same change control process as any other configuration change. Emergency changes during incident response are permitted but must be documented and reviewed afterward.
  • Next-generation firewalls (NGFW) — Combine traditional packet filtering with application-layer inspection, intrusion prevention, and threat intelligence integration. From an operations perspective, NGFWs consolidate multiple functions but require more complex management and tuning.
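
As an added example of the rule review and logging points above (this is illustrative code, not from the module or any firewall vendor), the following review pass checks a constructed rule export for expired temporary rules, over-broad permits and unowned rules, and uses constructed key=value firewall log lines to find old rules that no traffic has matched. Rule fields, log format and thresholds are assumptions for the example.

```python
from datetime import date

# Constructed rule export, with the fields a review needs. Not a real rule base.
RULES = [
    {"id": 10, "src": "10.0.0.0/8",     "dst": "10.20.0.5", "port": "443",  "action": "allow",
     "owner": "crm-team", "created": "2024-01-15", "expires": None,         "comment": "CRM front end"},
    {"id": 20, "src": "203.0.113.0/24", "dst": "10.20.0.9", "port": "3389", "action": "allow",
     "owner": "vendor-x", "created": "2023-03-01", "expires": "2023-06-30", "comment": "TEMP: vendor migration"},
    {"id": 30, "src": "any",            "dst": "any",       "port": "any",  "action": "allow",
     "owner": "",         "created": "2022-11-02", "expires": None,         "comment": "troubleshooting"},
    {"id": 40, "src": "10.30.0.0/16",   "dst": "10.20.0.7", "port": "1433", "action": "allow",
     "owner": "dba",      "created": "2024-05-01", "expires": None,         "comment": "SQL from app tier"},
]

# Constructed firewall log lines for the review window; rule= is the id of the rule that matched.
LOGS = """\
2024-06-01T08:00:01 fw01 rule=10 action=allow src=10.1.2.3 dst=10.20.0.5 dport=443
2024-06-01T08:00:05 fw01 rule=10 action=allow src=10.1.2.4 dst=10.20.0.5 dport=443
2024-06-02T11:15:42 fw01 rule=30 action=allow src=10.9.9.9 dst=192.0.2.44 dport=22
2024-06-03T02:10:00 fw01 rule=20 action=allow src=203.0.113.17 dst=10.20.0.9 dport=3389
"""

def hits_per_rule(log_text):
    """Count how often each rule matched, from the rule= field of every log line."""
    counts = {}
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        rule_id = int(fields["rule"])
        counts[rule_id] = counts.get(rule_id, 0) + 1
    return counts

def review_rules(rules, log_text, today_iso, idle_days=90):
    """Return findings keyed by rule id: expired temporary rules still in force, over-broad
    permits, rules without an owner, and old rules that matched nothing in the window."""
    today = date.fromisoformat(today_iso)
    hits = hits_per_rule(log_text)
    findings = {}
    for r in rules:
        problems = []
        if r["expires"] and date.fromisoformat(r["expires"]) < today:
            problems.append("expired temporary rule still active")
        if r["action"] == "allow" and "any" in (r["src"], r["dst"], r["port"]):
            problems.append("over-broad allow (any)")
        if not r["owner"]:
            problems.append("no owner recorded")
        age = (today - date.fromisoformat(r["created"])).days
        if hits.get(r["id"], 0) == 0 and age > idle_days:
            problems.append("no matching traffic in the review window")
        if problems:
            findings[r["id"]] = problems
    return findings
```

The expired vendor rule is still being hit from the vendor's range, which is exactly the kind of allowed traffic worth a closer look before the rule is removed.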

Sandboxing

Sandboxing isolates suspicious files or code in a controlled environment to observe their behavior without risking production systems. A file received via email is executed in a sandbox before delivery to the user. If it exhibits malicious behavior (connecting to a command-and-control server, modifying system files, encrypting data), it is quarantined.

Sandbox limitations:

  • Evasion — Advanced malware detects sandbox environments (virtual machine artifacts, limited hardware, accelerated time) and remains dormant to avoid detection
  • Time-delayed execution — Malware that waits hours or days before activating may escape sandbox analysis windows, which are typically minutes
  • Environment-specific triggers — Malware that only activates when specific conditions are met (particular software installed, specific domain joined, certain time of day) may not trigger in the sandbox

Honeypots and Honeynets

A honeypot is a decoy system designed to attract attackers. It has no legitimate business function, so any interaction with it is suspicious by definition. This eliminates the false positive problem that plagues other detection methods.

  • Low-interaction honeypots — Emulate services (open ports, login prompts) without running real operating systems. Easy to deploy and maintain but provide limited intelligence about attacker techniques.
  • High-interaction honeypots — Full operating systems and applications that allow attackers to interact deeply. Provide rich intelligence on attacker tools, techniques, and objectives. Higher risk because the attacker has access to a real system that could be used as a platform for further attacks if not properly isolated.
  • Honeynets — Networks of honeypots that simulate an entire environment. Used for research and advanced threat intelligence gathering.

From a management perspective, honeypots carry legal and ethical considerations. Entrapment concerns (though generally not applicable to computer systems), liability if the honeypot is used to attack others, and resource allocation for monitoring are all governance decisions.


Anti-Malware Strategies

Traditional signature-based antivirus is one layer of an anti-malware strategy, not the strategy itself.

  • Signature-based scanning — The baseline: detects known malware. Requires frequent updates. Misses polymorphic malware that changes its signature with each infection.
  • Heuristic analysis — Examines code behavior and structure to identify likely malware. Catches variants and polymorphic threats that evade signature matching.
  • Machine learning models — Trained on millions of malware samples and benign files to classify unknown files. Effective against novel threats but can produce false positives on unusual but legitimate software.
  • Application whitelisting — Only approved applications are allowed to execute. Everything else is blocked by default. This inverts the traditional model (block known bad, allow everything else) to a default-deny posture (allow known good, block everything else). Highly effective but operationally demanding to maintain as new software is introduced.
  • Application blacklisting — Blocks specific known-bad applications. Easier to manage than whitelisting but only effective against identified threats.

Endpoint Detection and Response (EDR)

EDR goes beyond traditional antivirus by continuously monitoring endpoint activity, recording behavioral data, and providing investigation and response capabilities.

EDR capabilities include:

  • Continuous monitoring — Recording process execution, file changes, registry modifications, network connections, and user activities on every endpoint
  • Threat detection — Using behavioral analysis, machine learning, and threat intelligence to identify malicious activity that traditional antivirus would miss
  • Investigation tools — Allowing analysts to query endpoint telemetry across the entire fleet: “Show me every endpoint that communicated with this IP address in the last 30 days”
  • Response actions — Isolating compromised endpoints, killing malicious processes, collecting forensic data, and rolling back changes remotely

EDR transforms endpoints from passive targets into active sensors that contribute to the organization’s detection capability.


Threat Intelligence Integration

Threat intelligence is information about threats that helps the organization make better security decisions. It ranges from technical indicators (IP addresses, file hashes, domain names) to strategic analysis (threat actor motivations, industry targeting trends).

  • Tactical intelligence — Indicators of compromise (IOCs) that can be loaded into SIEM, IDS, and firewall rules for immediate detection
  • Operational intelligence — Details about specific campaigns: TTPs (tactics, techniques, and procedures) used by threat actors targeting your industry
  • Strategic intelligence — High-level analysis of threat trends, geopolitical factors, and emerging threat categories that informs security program priorities

Integrating threat intelligence into operations means automating the consumption of IOC feeds into detection tools, using TTP information to validate detection coverage, and using strategic intelligence to guide investment decisions.
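
An added example (not from the module or any vendor) tying together the tactical-intelligence point here and the EDR fleet query described earlier ("show me every endpoint that communicated with this IP in the last 30 days"): a constructed IOC feed is normalized, de-duplicated and filtered for age and confidence, then matched against constructed EDR telemetry over a time window. The feed layout, field names and thresholds are assumptions; the addresses are documentation ranges and the hash is made up.

```python
import json
from datetime import date, datetime, timedelta

# Constructed IOC feed in the shape of a vendor JSON export. None of these are real indicators.
FEED_JSON = json.dumps([
    {"type": "ipv4",   "value": "203.0.113.7",            "first_seen": "2024-05-20", "confidence": 90},
    {"type": "domain", "value": "Update-Check[.]example", "first_seen": "2024-05-28", "confidence": 70},
    {"type": "domain", "value": "update-check.example",   "first_seen": "2024-05-28", "confidence": 70},
    {"type": "sha256", "value": "ab" * 32,                "first_seen": "2023-01-01", "confidence": 95},
    {"type": "ipv4",   "value": "198.51.100.9",           "first_seen": "2024-06-10", "confidence": 40},
])

def normalize(value):
    """Undo analyst defanging and case differences so feed values match raw telemetry."""
    return value.strip().replace("[.]", ".").replace("hxxp", "http").lower()

def load_feed(feed_json, today_iso, max_age_days=180, min_confidence=50):
    """Deduplicate, drop stale or low-confidence entries, and index indicators by type."""
    today = date.fromisoformat(today_iso)
    iocs = {}
    for entry in json.loads(feed_json):
        age = (today - date.fromisoformat(entry["first_seen"])).days
        if age > max_age_days or entry["confidence"] < min_confidence:
            continue
        iocs.setdefault(entry["type"], set()).add(normalize(entry["value"]))
    return iocs

# Constructed EDR telemetry: (timestamp, host, field, value).
TELEMETRY = [
    ("2024-06-01T09:12:00", "ws01",  "dst_ip",    "203.0.113.7"),
    ("2024-04-02T09:12:00", "ws07",  "dst_ip",    "203.0.113.7"),          # outside the 30-day window
    ("2024-06-11T22:40:10", "srv02", "dns_query", "UPDATE-CHECK.example"),
    ("2024-06-12T03:01:55", "ws03",  "dst_ip",    "198.51.100.9"),         # low-confidence IOC, not loaded
]
FIELD_TO_TYPE = {"dst_ip": "ipv4", "dns_query": "domain", "file_sha256": "sha256"}

def query_fleet(telemetry, iocs, now_iso, window_days=30):
    """Every endpoint that touched a loaded IOC in the last N days, with the matching events."""
    since = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    matches = {}
    for ts, host, field, value in telemetry:
        ioc_type = FIELD_TO_TYPE.get(field)
        if datetime.fromisoformat(ts) >= since and value.lower() in iocs.get(ioc_type, set()):
            matches.setdefault(host, []).append((ts, ioc_type, value))
    return matches
```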


Security Orchestration, Automation, and Response (SOAR)

SOAR platforms automate repetitive security operations tasks and orchestrate responses across multiple tools.

  • Playbook automation — Predefined response procedures executed automatically. A phishing alert triggers automatic email quarantine, URL analysis, IOC extraction, and affected user notification — in seconds rather than hours.
  • Tool orchestration — SOAR connects to SIEM, EDR, firewalls, ticketing systems, and threat intelligence platforms. Actions that previously required an analyst to log into five different consoles are executed through a single automated workflow.
  • Case management — Tracking incidents from detection through resolution with full documentation of actions taken.

SOAR addresses the operational challenge of alert volume. When an organization receives thousands of alerts daily, automating the investigation and response for common alert types frees analysts to focus on complex incidents that require human judgment.
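
As an added illustration of the phishing playbook described above (example code, not from the module or any SOAR product), the runner below executes the steps in order, records every outcome in a case record, and escalates to an analyst instead of continuing when a step fails. The alert shape, the in-memory mailbox and the URL blocklist stand in for the real SIEM, mail and reputation connectors and are assumptions for the example.

```python
import re
import hashlib

# Constructed phishing alert, shaped like what a SIEM hands to a SOAR platform.
ALERT = {
    "id": "ALRT-0001", "type": "phishing", "user": "alice@example.com",
    "message_id": "<msg-123@mail.example>",
    "body": "Invoice overdue, pay at hxxp://pay-now.invalid/login?u=alice",
    "attachment": b"%PDF-1.7 constructed sample attachment",
}
URL_BLOCKLIST = {"pay-now.invalid"}   # stand-in for a URL reputation service
NOTIFICATIONS = []                    # stand-in for the ticketing / e-mail connector

def extract_iocs(alert):
    """Pull defanged URLs, their domains and the attachment hash out of the alert."""
    urls = [u.replace("hxxp", "http") for u in re.findall(r"hxxps?://\S+", alert["body"])]
    domains = [re.sub(r"^https?://([^/?]+).*$", r"\1", u) for u in urls]
    return {"urls": urls, "domains": domains,
            "sha256": hashlib.sha256(alert["attachment"]).hexdigest()}

def quarantine_email(alert, mailboxes):
    """Move the message out of the user's mailbox; fail loudly if it is not there."""
    box = mailboxes.get(alert["user"], set())
    if alert["message_id"] not in box:
        raise LookupError("message not found in mailbox")
    box.remove(alert["message_id"])
    return "quarantined"

def analyze_urls(iocs):
    return {d: ("malicious" if d in URL_BLOCKLIST else "unknown") for d in iocs["domains"]}

def notify_user(alert, verdicts):
    NOTIFICATIONS.append((alert["user"], f"message quarantined; url verdicts: {verdicts}"))
    return "notified"

def run_playbook(alert, mailboxes):
    """Run the steps in order and keep a case record of every outcome. A failed step stops
    the automation and escalates to an analyst rather than continuing blind."""
    case = {"alert": alert["id"], "timeline": [], "status": "open"}
    steps = [
        ("extract_iocs",     lambda: extract_iocs(alert)),
        ("quarantine_email", lambda: quarantine_email(alert, mailboxes)),
        ("analyze_urls",     lambda: analyze_urls(case["iocs"])),
        ("notify_user",      lambda: notify_user(alert, case["verdicts"])),
    ]
    for name, action in steps:
        try:
            result = action()
        except Exception as exc:               # any connector error: record it and hand off
            case["timeline"].append((name, "failed", str(exc)))
            case["status"] = "escalated"
            return case
        case["timeline"].append((name, "ok", result))
        if name == "extract_iocs":
            case["iocs"] = result
        if name == "analyze_urls":
            case["verdicts"] = result
    # Only a confirmed-malicious verdict lets automation close the case; otherwise an analyst reviews it.
    case["status"] = "closed" if "malicious" in case["verdicts"].values() else "needs-review"
    return case
```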


Zero-Day Threat Mitigation

Zero-day threats exploit vulnerabilities that have no available patch. Since signature-based tools cannot detect what has not been cataloged, mitigation depends on defense-in-depth and behavior-based detection.

  • Behavioral detection — Anomaly-based IDS, EDR behavioral analysis, and heuristic antimalware provide detection capability against unknown threats
  • Network segmentation — Limits lateral movement even after initial compromise
  • Application whitelisting — Prevents execution of unauthorized code regardless of whether it is known malware
  • Least privilege — Limits the damage an exploit can cause by restricting the permissions available to compromised processes
  • Sandboxing — Detonates suspicious files in isolation before they reach production endpoints
  • Threat intelligence sharing — Industry peers may encounter the same zero-day, and shared indicators can speed detection across the community

Pattern Recognition

Detection and prevention questions on the CISSP follow these structures:

  • Known attack not detected — Signature database is outdated. The answer involves signature updates or adding behavioral detection.
  • Unknown attack not detected — Signature-based tools cannot detect novel threats. The answer involves anomaly-based detection, EDR, or behavioral analysis.
  • Too many false positives — Anomaly-based systems need baseline tuning. IPS rules need refinement. The answer involves tuning, not disabling the control.
  • Attacker evaded detection — Single-layer defense. The answer involves defense-in-depth: adding complementary detection methods that cover different attack stages.

Trap Patterns

Watch for these wrong answers:

  • “IPS replaces the need for IDS” — IPS blocks threats but may not have the same depth of analysis and logging as a dedicated IDS. Many environments run both for defense-in-depth.
  • “Antivirus is sufficient endpoint protection” — Traditional antivirus is one layer. EDR, application whitelisting, and behavioral analysis address the threats that signature-based antivirus misses.
  • “Disable the anomaly detection because of false positives” — Anomaly detection needs tuning, not removal. Disabling it eliminates the only detection method capable of catching unknown threats.
  • “A honeypot is a preventative control” — Honeypots are detective controls. They do not prevent attacks — they detect attacker presence and gather intelligence.

Scenario Practice


Question 1

An organization’s IDS is generating 500 alerts per day for network traffic to a cloud-based CRM system that was recently deployed. The traffic is legitimate business activity. The SOC team is spending significant time reviewing and closing these alerts.

What is the BEST approach?

A. Disable the IDS rule that triggers on the CRM traffic
B. Update the IDS baseline and rules to recognize the CRM traffic as legitimate, suppressing the specific false positive while maintaining detection for actual threats to that traffic pattern
C. Move the CRM system to a network segment that is not monitored by the IDS
D. Accept the false positive volume as a necessary cost of security monitoring

Answer & reasoning

Correct: B

The correct approach is to tune the detection rules to accommodate the legitimate change in the environment while maintaining security monitoring. Disabling the entire rule (A) may eliminate detection of genuine threats against the CRM system. Moving the system off-monitored segments (C) creates a blind spot. Accepting the noise (D) contributes to alert fatigue. Tuning is the standard operational practice for managing detection accuracy.


Question 2

A security architect is designing the detection strategy for a new data center. The architect proposes network-based IDS at the perimeter, host-based IDS on critical servers, and EDR on all endpoints. The CFO asks why three overlapping detection systems are necessary.

What is the BEST justification?

A. Each system is required by a different compliance regulation
B. Each detection layer covers blind spots in the others — network IDS sees traffic patterns, host IDS sees local changes, and EDR provides behavioral analysis and response capability
C. Redundancy ensures that if one system fails, the others continue detecting
D. Each system was recommended by a different vendor and they do not integrate with each other

Answer & reasoning

Correct: B

Defense-in-depth with complementary technologies is the justification. Network IDS sees traffic patterns but is blind to encrypted content and local endpoint activity. Host IDS sees system-level changes but cannot see network-wide attack patterns. EDR provides behavioral detection, investigation, and response capabilities that neither IDS type offers. Each layer compensates for the others’ limitations. While redundancy (C) is a secondary benefit, the primary justification is that each system detects different types of threats.


Question 3

An organization deploys a high-interaction honeypot on an internal network segment. Within two days, the honeypot detects an internal system attempting to scan and exploit vulnerabilities on the honeypot. No external access to the honeypot is possible.

What does this finding indicate?

A. The honeypot configuration is incorrect and is generating false alerts
B. An internal system is already compromised and is conducting lateral movement within the network
C. An employee is conducting an unauthorized penetration test
D. The honeypot should be moved to the DMZ to attract external attackers instead

Answer & reasoning

Correct: B

Since the honeypot has no external access and no legitimate business function, any internal system attempting to scan and exploit it is exhibiting behavior consistent with a compromised system conducting lateral movement. This is exactly what internal honeypots are designed to detect — attacker activity that has already bypassed perimeter defenses. The finding should trigger an immediate incident investigation of the scanning system. While an unauthorized pen test (C) is possible, the assumption of compromise should be investigated first.


Key Takeaway

Detection and prevention is not about finding the single best tool — it is about building layers where each technology compensates for the others’ weaknesses. Signatures catch the known. Anomaly detection catches the unknown. Honeypots catch what is already inside. EDR provides visibility and response at the endpoint. SOAR ties it all together with automation. When the exam presents a detection failure, identify which layer was missing and what complementary technology would have caught what the existing tools missed.
