CompTIA CASP+ (CAS-003) — Question 197

A security engineer is investigating a compromise that occurred between two internal computers. The engineer has determined during the investigation that one computer infected another. While reviewing the IDS logs, the engineer can view the outbound callback traffic, but sees no traffic between the two computers.
Which of the following would BEST address the IDS visibility gap?

Answer options

Correct answer: C

Explanation

Installing HIDS on each computer would be the best way to ensure visibility into the activities occurring on those machines, because a host-based sensor monitors local events and detects malicious behavior directly on the endpoint. The other options focus on network-level monitoring or logging that may not capture the internal traffic between the two compromised machines, and that traffic is exactly what the investigation needs in order to be complete.
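To make the visibility-gap argument concrete, the following added example (not part of the CompTIA question or its official explanation) models sensor coverage: a perimeter NIDS taps the boundary between the LAN and the internet, so it records the outbound callbacks but is blind to a flow between two workstations on the same segment, while a HIDS observes whatever touches the host it runs on. All host names, segments, ports and flows are constructed for illustration; the callback destination is a placeholder.

```python
"""Sensor-coverage model for the IDS visibility gap described in the question.

Constructed example: a perimeter NIDS only sees flows that cross the tapped
LAN/internet boundary, so host-to-host traffic inside the LAN is invisible to
it. Host-based IDS on each workstation closes that gap because it watches the
endpoint itself rather than a network boundary.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    label: str


# Constructed inventory: the network segment each host lives in.
HOST_SEGMENT = {
    "ws-01": "lan",
    "ws-02": "lan",
    "c2.example.invalid": "internet",  # placeholder callback destination
}

# Constructed flows matching the scenario: outbound callbacks from both
# workstations plus the infection traffic between them.
FLOWS = [
    Flow("ws-01", "c2.example.invalid", 443, "outbound callback"),
    Flow("ws-01", "ws-02", 445, "lateral infection"),
    Flow("ws-02", "c2.example.invalid", 443, "outbound callback"),
]

# A NIDS tap is modelled as the pair of segments whose boundary it monitors.
PERIMETER_TAP = [frozenset({"lan", "internet"})]


def crosses_boundary(flow: Flow, boundary: frozenset[str]) -> bool:
    """A NIDS tap sees a flow only if the two endpoints sit in different
    segments and those two segments are exactly the tapped pair."""
    ends = frozenset({HOST_SEGMENT[flow.src], HOST_SEGMENT[flow.dst]})
    return ends == boundary


def nids_sees(flow: Flow, taps: list[frozenset[str]]) -> bool:
    return any(crosses_boundary(flow, tap) for tap in taps)


def hids_sees(flow: Flow, hids_hosts: set[str]) -> bool:
    """HIDS observes activity on the host it runs on, at either end of a flow."""
    return flow.src in hids_hosts or flow.dst in hids_hosts


def coverage(flows, taps, hids_hosts):
    """Map each flow (label plus endpoints) to the set of sensor kinds that observe it."""
    report = {}
    for f in flows:
        seen = set()
        if nids_sees(f, taps):
            seen.add("nids")
        if hids_sees(f, hids_hosts):
            seen.add("hids")
        report[f"{f.label} {f.src}->{f.dst}:{f.dport}"] = seen
    return report


def blind_spots(flows, taps, hids_hosts):
    """Flows that no deployed sensor observes."""
    return [key for key, seen in coverage(flows, taps, hids_hosts).items() if not seen]


if __name__ == "__main__":
    print("blind spots, perimeter NIDS only:", blind_spots(FLOWS, PERIMETER_TAP, set()))
    print("blind spots, NIDS plus HIDS on both hosts:",
          blind_spots(FLOWS, PERIMETER_TAP, {"ws-01", "ws-02"}))
```

With only the perimeter tap, the lateral flow on port 445 is the single blind spot, which is exactly what the engineer observed in the logs; once both workstations run HIDS the blind-spot list is empty. The same model is useful when planning sensor placement: change the tap list or the HIDS host set and re-run `blind_spots` to see which flows would still go unrecorded.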