CompTIA CySA+ (CS0-003) Study Guide PDF
Uploaded by BuoyantStarlitSky
2024
Summary
This is a study guide for the CompTIA CySA+ (CS0-003) certification. It covers concepts like security operations, vulnerability management, and incident response. The guide is designed for IT and cybersecurity professionals with 3-4 years of experience. It includes exam tips and explanations of practice questions.
CompTIA CySA+ (CS0-003) (Study Notes)

CompTIA CySA+ (CS0-003) Foundation Notes

Introduction
• CompTIA CySA+ is an intermediate-level certification for IT professionals
• This certification focuses on your ability to:
  o Capture, monitor, and respond to network traffic findings
  o Understand software and application security, automation, threat hunting, and IT regulatory compliance
• This certification is designed for:
  o IT or cybersecurity professionals who already have Network+, Security+, or equivalent
  o Those with 3-4 years of hands-on experience
  o Those with hands-on experience in cybersecurity
• This course is designed to serve as a full textbook replacement
• CompTIA CySA+ consists of 4 domains or areas of knowledge:
  o 33% Security Operations
  o 30% Vulnerability Management
  o 20% Incident Response Management
  o 17% Reporting and Communication
  o Questions from each domain and objective are given in random order

https://www.DionTraining.com © 2024 Dion Training Solutions, LLC is a Platinum Delivery Partner for CompTIA. CompTIA ® is a registered trademark of the Computer and Computing Technology Industry Association. All rights reserved.
• The certification exam consists of:
  o Multiple-choice questions
  o Performance-based questions (PBQs)
  o 75 to 85 questions
• In order to pass the CySA+ certification exam, you have to score at least 750 points out of 900 possible points
• To be able to take the exam, you will have to pay an exam fee by buying an exam voucher
  o You can purchase the exam voucher at store.comptia.org, buying it directly from the CompTIA store
  o The voucher costs somewhere around $400 for the Cybersecurity Analyst+ exam
  o Save 10% off your exam voucher by buying it at DionTraining.com/vouchers
  o Vouchers last anywhere from 11 to 12 months after purchase
• 4 tips for success in this course:
  o Closed captions are available
  o Control the speed
  o Join our FB group (facebook.com/groups/diontraining)
  o Download and print the study guide
• Exam Tips
  o There will be no trick questions
  o Pay close attention to the words in bold, italics, or all uppercase
  o Answer the questions based on CompTIA CySA+ knowledge
    ▪ When in doubt, choose the answer that is correct for the highest number of situations
  o Try not to fight the exam or the test questions
  o Do not memorize the terms
  o You are expected to know the proper syntax and how to use the Nmap tool
    ▪ Know the tool name
    ▪ Know the purpose of the tool
    ▪ Know the output it gives during an assessment or a penetration test
• You are covered by our 100% Pass Guarantee
  o All the risk is on us, as it should be. You have nothing to lose here.
  o This course includes videos, a study guide, quizzes, hands-on labs, and practice exams
    ▪ You have to score at least 80% to pass and mark it as complete
    ▪ At the end of the course, you will find our practice exams
      • Understand why the answers are right or wrong
      • Explanations are provided for every single question
      • Please don’t try to simply memorize the questions, but take time to understand the why behind them
    ▪ As you go through the course, make sure that you have watched the videos, taken the quizzes, done the labs, and finished the practice exams
    ▪ If you think you’ve done everything and it still doesn’t show 100%, please email us at [email protected]
  o Once you have the course completion letter, you are eligible for our 60-Day 100% Pass Guarantee
  o Always remember:
    ▪ If you have any questions throughout the course, about the content, or about a concept that you just don’t understand, you can always reach us at [email protected] and we’ll be more than glad to assist

Identify Security Control Types
Objective 2.5: Explain concepts related to vulnerability response, handling, and management

Cybersecurity Roles and Responsibilities
  o Core Cybersecurity Roles
    ▪ Cybersecurity Specialist / Technician is the one who will do the hands-on configuration of a system and do things under the direction of a cybersecurity
    ▪ Cyber Crime Analyst / Investigator is the one who works a lot in the digital forensics realm
    ▪ Incident Analyst / Responder is the one who focuses on responding to a data breach or other type of cyberattack that happens across your organization
    ▪ Cybersecurity Analyst is a large, overall encompassing term for a lot of the other areas, as well as a senior position inside most organizations
    ▪ Penetration Tester is somebody who breaks into somebody's systems, with their permission, to identify their vulnerabilities
    ▪ Cybersecurity Manager / Administrator is the one responsible for observing all of the operations occurring across the network and managing the infrastructure that facilitates those operations
    ▪ Cybersecurity Engineer is focused on building tools and techniques and designing the entire system at a large scale for the organization
    ▪ Chief Information Security Officer (CISO) is a senior-level executive who oversees an organization's information, cyber, and technology security
  o Cybersecurity Analyst
    ▪ A senior position within an organization’s security team with direct responsibility for protecting sensitive information and preventing unauthorized access to electronic data and the systems that protect it
    ▪ Any device that processes or uses our information is covered by the role of a cybersecurity analyst
    ▪ Cybersecurity teams contain junior and senior analysts
    ▪ Analysts are expected to have years of experience working within IT and IT security
    ▪ Functions of a cybersecurity analyst:
      • Implementing and configuring security controls
      • Working in a SOC or CSIRT
      • Auditing security processes and procedures
      • Conducting risk assessments, vulnerability assessments, and penetration tests
      • Maintaining up-to-date threat intelligence
    ▪ Problem solving

Security Operations Center (SOC)
  o Security Operations Center (SOC)
    ▪ A location where security professionals monitor and protect critical information assets in an organization
      • This is like a security monitoring center
      • This is where junior analysts, overseen by senior analysts, are trying to find what are known as indicators of compromise
    ▪ SOCs usually exist for larger corporations, government agencies, and health care organizations
    ▪ Things that a SOC needs in order for it to be successful:
      • Have the authority to operate
      • Have motivated and skilled professionals
      • Incorporate processes into a single center
      • Be equipped to perform incident response
      • Protect itself and the organization at large
      • Be able to separate the signal from the noise
      • Collaborate with other SOCs for data sharing
    ▪ The SOC should be the single point of contact for security, monitoring, and incident response

Security Control Categories
  o We just need a basic understanding of the different security control categories
  o Security Control
    ▪ Mitigates vulnerabilities and risk to ensure the confidentiality, integrity, availability, nonrepudiation, and authentication of data
    ▪ Security controls should be selected and deployed in a structured manner using a risk management framework
  o NIST Special Publication 800-53 Revision 5
    ▪ This document is called Security and Privacy Controls for Federal Information Systems and Organizations
    ▪ For the exam, you're not expected to actually read this document and learn everything inside of it. But as a cybersecurity professional, you will use this document a lot when you're selecting controls.
    ▪ This document has 18 families of controls to make it easier to find controls.
      • Examples of families are: Access Control (AC), Accountability (AA), Incident Response (IR), Risk Management (RA)
  o ISO 27001
    ▪ An international standard and a proprietary framework
  o Earlier versions of NIST SP 800-53 used classes of controls (technical, operational, and managerial)
    ▪ Technical (Logical) Controls
      • A category of security control that is implemented as a system (hardware, software, or firmware)
    ▪ Operational Controls
      • A category of security control that is implemented primarily by people rather than systems
    ▪ Managerial Controls
      • A category of security control that provides oversight of the information system
  o Newer versions of NIST SP 800-53 do not use classes of controls anymore, but these are still used by the CySA+ exam objectives, so they are included here
  o Exam Tips
    ▪ You don't need to read the entire 800-53 document, but it is a good thing to use as an on-the-job resource
    ▪ You don't need to memorize the different family designations, but you should be familiar with the basic concepts that are presented inside the 800-53 document
  o Security Control Functional Types
    ▪ Preventative Control
      • A control that acts to eliminate or reduce the likelihood that an attack can succeed
    ▪ Detective Control
      • A control that may not prevent or deter access, but will identify and record any attempted or successful intrusion
    ▪ Corrective Control
      • A control that acts to eliminate or reduce the impact of an intrusion event
  o No single security control is invulnerable, so the efficiency of a control is instead measured by how long it delays an attack
  o In addition to preventative, detective, and corrective controls, there are other control types to take note of:
    ▪ Physical Control
      • A type of security control that acts against in-person intrusion attempts
    ▪ Deterrent Control
      • A type of security control that discourages intrusion attempts
    ▪ Compensating Control
      • A type of security control that acts as a substitute for a principal control
      • Not the top line, but gives you some protection
    ▪ Responsive Control
      • A system that actively monitors for potential vulnerabilities or attacks, and then takes action to mitigate them before they can cause damage
  o Firewall
    ▪ A system that monitors all incoming and outgoing network traffic and blocks
  o Intrusion Prevention System (IPS)
    ▪ Devices that can monitor network traffic for patterns that indicate an intrusion is occurring, such as repeated failed logon attempts

Selecting Security Controls
  o How do you select the security controls you want to use?
    ▪ Make use of Confidentiality, Integrity, and Availability (CIA) to have proper coverage over each of those areas, to make sure you're creating security for your system
      • None of these technologies can provide CIA alone, but combined they uphold the three tenets of security
  o How do you decide which security control you're actually going to apply?
    ▪ It depends on the risk
  o How can I mitigate this risk?
    ▪ Use Confidentiality, Integrity, and Availability (CIA): ask which part or parts you have controls for, and how you can add controls for what you are missing, so that you cover all of them or mitigate what can’t be covered.

Threat Intelligence
Objective 1.4: Compare and contrast threat-intelligence and threat-hunting concepts.
Security and Threat Intelligence
  o Security Intelligence
    ▪ The process where data is generated and is then collected, processed, analyzed, and disseminated to provide insights into the security status of information systems
  o Cyber Threat Intelligence
    ▪ Investigation, collection, analysis, and dissemination of information about emerging threats and threat sources to provide data about the external threat landscape
    ▪ 2 forms of cyber threat intelligence
      • Narrative reports
      • Data feeds
    ▪ You don’t use narrative reports or data feeds… you use both!
  o Most security companies, like McAfee, FireEye, Red Canary, and numerous others, produce threat intelligence reports

Intelligence Cycle
  o Security intelligence is a process
  o Requirements (Planning & Direction)
    ▪ Sets out the goals for the intelligence gathering effort
    ▪ What do we want to measure and collect?
  o Collection (& Processing)
    ▪ Implemented by software tools to gather data, which is then processed for later analysis
    ▪ The processing part is where we convert all the data into a standard format
  o Analysis
    ▪ Performed against the given use cases from the planning phase and may utilize automated analysis, AI, and machine learning
    ▪ Sort into three categories
      • Known good
      • Known bad
      • Not sure
  o Dissemination
    ▪ Publishes information produced by analysts to consumers who need to act on the insights developed
      • Strategic
      • Operational
      • Tactical
  o Feedback
    ▪ Aims to clarify requirements and improve the collection, analysis, and dissemination of information by reviewing current inputs and outputs
      • Lessons learned
      • Measurable success
      • Evolving threat issues

Intelligence Sources
  o Factors Used to Evaluate Sources
    ▪ Timeliness
      • Ensures an intelligence source is up-to-date
    ▪ Relevancy
      • Ensures an intelligence source matches its intended use case
    ▪ Accuracy
      • Ensures an intelligence source produces effective results
    ▪ Confidence Level
      • Ensures an intelligence source produces qualified statements about reliability
  o Example of a scale: the MISP Project codifies the use of the admiralty scale for grading data and estimative language
    ▪ Looks at the reliability of the data and the quality of the information content
    ▪ https://www.misp-project.org/
  o There are three general sources of information
    ▪ Proprietary
      • Threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee
    ▪ Closed-Source
      • Data derived from the provider's own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers' systems, suitably anonymized
    ▪ Open-Source
      • Data that’s available without subscription, which may include threat feeds, reputation lists, and malware signature databases
      • Different sources of open-source intelligence:
        o US-CERT
        o UK’s NCSC
        o AT&T Security (OTX)
        o MISP
        o VirusTotal
        o Spamhaus
        o SANS ISC Suspicious Domains
• Threat feeds
  o A form of explicit knowledge, but implicit knowledge from experienced practitioners is also useful
Open-Source Intelligence (OSINT)
  o A method of obtaining information about a person or organization through public records, websites, and social media

Information Sharing and Analysis Centers (ISACs)
  o Information Sharing and Analysis Center (ISAC)
    ▪ A not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members
  o Cyber Security Information Sharing Partnership (CISP)
    ▪ Similar to an ISAC, but set up within the UK
  o ISACs exist in many areas, including:
    ▪ Critical Infrastructure
      • Any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these
      • ICS, SCADA, and embedded system threats are a main focus within critical infrastructure
    ▪ Government
      • Serves non-federal governments in the US, such as state, local, tribal, and territorial governments
    ▪ Healthcare
      • Serves healthcare providers that are targets of criminals seeking blackmail and ransom opportunities by compromising patient data records or interfering with medical devices
    ▪ Financial
      • Serves the financial sector to prevent fraud and extortion of both consumers and financial institutions
    ▪ Aviation
      • Serves the aviation industry to prevent fraud, terrorism, service disruptions, and unsafe operations of air traffic control systems

Threat Intelligence Sharing
  o Risk Management
    ▪ Identifies, evaluates, and prioritizes threats and vulnerabilities to reduce their negative impact
  o Incident Response
    ▪ An organized approach to addressing and managing the aftermath of a security breach or cyberattack
  o Vulnerability Management
    ▪ The practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities
  o Detection and Monitoring
    ▪ The practice of observing activity to identify anomalous patterns for further analysis

Classifying Threats
Objectives:
1.3 - Given a scenario, use appropriate tools or techniques to determine malicious activity.
1.4 - Compare and contrast threat-intelligence and threat-hunting concepts.
2.3 - Given a scenario, analyze data to prioritize vulnerabilities.
3.1 - Explain concepts related to attack methodology frameworks.
Threat Classification
  o Known Threats
    ▪ A threat that can be identified using basic signature or pattern matching
  o Malware
    ▪ Any software intentionally designed to cause damage to a computer, server, client, or computer network
  o Documented Exploits
    ▪ A piece of software, data, or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data
  o Unknown Threats
    ▪ A threat that cannot be identified using basic signature or pattern matching
  o Zero-day Exploit
    ▪ An unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong
  o Obfuscated Malware Code
    ▪ Malicious code whose execution the malware author has attempted to hide through various techniques, such as compression, encryption, or encoding, to severely limit attempts to statically analyze the malware
  o Behavior-based Detection
    ▪ A malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior
  o Recycled Threats
    ▪ Refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning
  o Known Unknowns
    ▪ A classification of malware that contains obfuscation techniques to circumvent signature-matching and detection
  o Unknown Unknowns
    ▪ A classification of malware that contains completely new attack vectors and exploits

Threat Actors
  o Threat Actors
    ▪ Those who wish to harm networks or steal secure data
  o Hacker vs. Cracker in the media
    ▪ Crackers were hackers with malicious intent
    ▪ Hacker was the term for a computer enthusiast, but now the media portrays them as having malicious intent as well
  o Hat-based categories
    ▪ Black Hat Hacker
      • An unauthorized hacker – criminals
    ▪ White Hat Hacker
      • An ethical or authorized hacker
    ▪ Gray Hat Hacker
      • A semi-authorized hacker who sometimes acts as a good actor and sometimes as a bad one
  o Basic activities that hackers perform
    ▪ Social Media Profiling
    ▪ Social Engineering
    ▪ Network Scanning
    ▪ Fingerprinting
    ▪ Service Discovery
    ▪ Packet Capture
  o 8 main types of threat actors
    ▪ Script Kiddie
      • Uses other people’s tools to conduct their attacks, as they do not have the skills to make their own tools
      • Script kiddies often don’t understand what they’re doing
    ▪ Insider Threat
      • People who have authorized access to an organization’s network, policies, procedures, and business practices
      • To prevent an insider threat, organizations need to have policies and enforcement technologies such as:
        o Data Loss Prevention
        o Internal Defenses
        o SIEM Search
      • 2 different types of insider threats
        o Intentional
          ▪ An actor who deliberately seeks to cause harm
        o Unintentional
          ▪ An actor who causes harm because of carelessness
      • A solid cybersecurity strategy to counter insider threats includes:
        o Employee Education and Training
        o Access Controls
        o Incident Response Plans
        o Regular Monitoring
    ▪ Competitor
      • A rogue business attempting to conduct cyber espionage against an organization
    ▪ Organized Crime
      • Focused on hacking and computer fraud to achieve financial gains
    ▪ Hacktivist
      • A politically-motivated hacker who targets governments or individuals to advance their political ideologies
    ▪ Nation-State
      • A group of attackers with exceptional capability, funding, and organization with an intent to hack a network or system
      • Conducts highly covert hacks over long periods of time
      • Not all APTs are nation-states, but almost all nation-states are going to be considered an APT
      • They’re going to be inside of a victimized network for six to nine months
      • Many nation-states try to present themselves as a threat actor from one of the other groups, so they can maintain plausible deniability
      • A nation-state actor refers to a government or government-affiliated group that conducts cyber attacks
    ▪ Advanced Persistent Threat (APT)
      • An attacker that establishes a long-term presence on a network in order to gather sensitive information
      • The main goal of an APT is to harvest sensitive data, intellectual property, and other sensitive information
    ▪ Supply Chain Threats
  o Key difference between Nation-state and APT threat actors
    ▪ Nation-state is affiliated with the government
    ▪ APT is a generic type of cyber attack that establishes long-term presence

Malware
  o Commodity Malware
    ▪ Malicious software applications that are widely available for sale or easily obtainable and usable
    ▪ Targeted or custom malware is developed and deployed with a target in mind
    ▪ Identifying if the malware is commodity or targeted can help determine the severity of an incident
  o Zero-day Vulnerability
    ▪ A vulnerability that is discovered or exploited before the vendor can issue a patch to fix it
    ▪ Zero-day is usually applied to the vulnerability itself, but can also refer to an attack or malware that exploits it
    ▪ Most adversaries will only use a zero-day vulnerability for high-value attacks
  o Advanced Persistent Threat (APT)
    ▪ An attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware
    ▪ APTs are considered a known unknown threat
  o Command and Control (C2)
    ▪ An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets
  o APTs often target financial institutions, healthcare companies, and governments to get large PII data sets
  o Persistence
    ▪ The ability of a threat actor to maintain covert access to a target host or network
Threat Research
  o Reputation Data
    ▪ Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains
  o Indicator of Compromise (IoC)
    ▪ A residual sign that an asset or network has been successfully attacked or is continuing to be attacked
    ▪ Other Indicators of Compromise
      • Unauthorized software and files
      • Suspicious emails
      • Suspicious registry and file system changes
      • Unknown port and protocol usage
      • Excessive bandwidth usage
      • Rogue hardware
      • Service disruption and defacement
      • Suspicious or unauthorized account usage
    ▪ An IoC is evidence that an attack was successful
    ▪ Indicator of Attack (IoA)
      • A term used for evidence of an intrusion attempt that is in progress
  o Behavioral Threat Research
    ▪ A term that refers to the correlation of IoCs into attack patterns
    ▪ Tactics, Techniques, and Procedures (TTP)
      • Behavior patterns that were used in historical cyberattacks and adversary actions
        o DDoS
        o Viruses or Worms
        o Network Reconnaissance
        o APTs
        o Data Exfiltration
    ▪ Port Hopping
      • An APT’s C2 application might use any port to communicate and may jump between different ports
    ▪ Fast Flux DNS
      • A technique that rapidly changes the IP address associated with a domain
    ▪ Data Exfiltration
      • The unauthorized transfer of data from a computer or other device

Attack Frameworks
  o 3 different attack frameworks
    ▪ Lockheed Martin Kill Chain
    ▪ MITRE ATT&CK Framework
    ▪ Diamond Model of Intrusion Analysis
  o Lockheed Martin Kill Chain
    ▪ Describes the stages by which a threat actor progresses a network intrusion
    ▪ Steps
      • Reconnaissance
        o The attacker determines what methods to use to complete the phases of the attack
      • Weaponization
        o The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system
      • Delivery
        o The attacker identifies a vector by which to transmit the weaponized code to the target environment
      • Exploitation
        o The weaponized code is executed on the target system
      • Installation
        o This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system
      • Command & Control (C2)
        o The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack
      • Actions on Objectives
        o The attacker typically uses the access they have achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration), or to achieve other goals and motives
    ▪ Kill Chain Analysis can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage
  o MITRE ATT&CK Framework
    ▪ A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)
    ▪ The pre-ATT&CK tactics matrix is an additional matrix that aligns to the reconnaissance and weaponization phases of the kill chain
  o Diamond Model of Intrusion Analysis
    ▪ A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim
    ▪ (Figure: Basic view of the Diamond Model)
    ▪ (Figure: Details of how the Diamond Model can be used)
    ▪ (Figure: View of a tuple)
    ▪ (Figure: View of how the three models can be used individually or combined)
Indicator Management
  o Structured Threat Information eXpression (STIX)
    ▪ A standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework
    ▪ STIX is expressed in JavaScript Object Notation (JSON) format that consists of attribute: value pairs
    ▪ STIX is built from high-level STIX domain objects (SDO) that contain multiple attributes and values
      • Observed Data
      • Indicator
      • Attack Pattern
      • Campaign and Threat Actors
      • Course of Action (COA)
    ▪ Exam Tip: STIX v1 used an XML-based format, but the exam only covers STIX v2
  o Trusted Automated eXchange of Indicator Information (TAXII)
    ▪ A protocol for supplying codified information to automate incident detection and analysis
    ▪ Subscribers obtain updates to the data for their analysis tools using TAXII
  o OpenIOC
    ▪ A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis
  o Malware Information Sharing Project (MISP)
    ▪ MISP provides a server platform for cyber threat intelligence sharing, a proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII

Threat Hunting
Objectives:
  1.3 - Given a scenario, use appropriate tools or techniques to determine malicious activity.
  1.4 - Compare and contrast threat-intelligence and threat-hunting concepts.
  2.5 - Explain concepts related to vulnerability response, handling, and management.

Threat Modeling
  o Things to consider when determining what level of risk exists
    ▪ How can the attack be performed?
    ▪ What is the potential impact to the confidentiality, integrity, and availability of the data?
    ▪ How likely is the risk to occur?
    ▪ What mitigations are in place?
  o Threat Modeling
    ▪ The process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system
    ▪ You need to consider both the defender’s point of view and the attacker’s point of view
    ▪ Threat modeling can be used against corporate networks in general at a large scale
  o Main Areas to consider
    ▪ Adversary Capability
      • A formal classification of the resources and expertise available to a threat actor
      • Types of capabilities
        o Acquired and augmented
        o Developed
        o Advanced
        o Integrated
    ▪ Attack Surface
      • The point at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor
      • Areas to consider when modeling your attack surfaces
        o The holistic network
        o Websites or cloud-services
        o Custom software applications
    ▪ Attack Vector
      • A specific path by which a threat actor gains unauthorized access to a system
      • Types of Attack Vectors
        o Cyber
        o Human
        o Physical
  o Additional considerations
    ▪ Likelihood is the chance of a threat being realized, which is usually expressed as a percentage
    ▪ Impact is the cost of a security incident or disaster scenario, which is usually expressed in cost (dollars)

Threat Hunting
  o Threat Hunting
    ▪ A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring
    ▪ It is potentially less disruptive than penetration testing
  o Steps
    ▪ Hypothesis
      • Derived from the threat modeling and based on potential events with higher likelihood and higher impact
    ▪ Profiling Threat Actors and Activities
      • Involves the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be
  o Threat hunting relies on the use of the tools developed for regular security monitoring and incident response
  o You need to assume that these existing rules have failed when you are threat hunting
  o Example of a process for threat hunting
    ▪ Analyze network traffic
    ▪ Analyze the executable process list
    ▪ Analyze other infected hosts
    ▪ Identify how the malicious process was executed
  o Threat hunting consumes a lot of resources and time to conduct, but can yield a lot of benefits, like:
    ▪ Improve detection capabilities
    ▪ Integrate intelligence
    ▪ Reduce attack surface
    ▪ Block attack vectors
    ▪ Identify critical assets

Open-Source Intelligence (OSINT)
  o Open-Source Intelligence (OSINT)
    ▪ Publicly available information plus the tools used to aggregate and search it
  o OSINT can allow an attacker to develop any number of strategies for compromising a target
    ▪ Publicly Available Information
    ▪ Social Media
    ▪ Dating Sites
    ▪ HTML Code
    ▪ Metadata
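An added example (not from the study guide) that ties the Indicator Management notes on STIX to the threat-hunting process above: it loads a constructed STIX 2.1 bundle, pulls the IoC values out of each Indicator object's pattern, and hunts through constructed firewall and DNS log lines for internal hosts that touched them, the "assume the existing rules have failed" step done by hand. The bundle IDs, the TEST-NET addresses and the .example domains are all made up for the example, and the pattern parser handles only simple equality comparisons (a full STIX pattern evaluator is assumed to be out of scope).

```python
"""Hunt through sample log lines for IoCs taken from a STIX 2.1 bundle.

Added example, not code from the study guide. The bundle, the log lines and
every IP/domain in them are constructed sample data (RFC 5737 TEST-NET
addresses and .example names).
"""
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle: two Indicator SDOs, an Attack Pattern SDO and a
# Relationship SRO linking them. A real feed would be pulled over TAXII.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "Constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Constructed C2 domains", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-check.example' OR "
                    "domain-name:value = 'cdn-sync.example']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000004",
         "name": "Port hopping C2"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000005",
         "relationship_type": "indicates",
         "source_ref": "indicator--00000000-0000-4000-8000-000000000002",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000004"},
    ],
})

# One equality comparison inside a STIX pattern, e.g. ipv4-addr:value = '1.2.3.4'
COMPARISON = re.compile(r"(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'")


def extract_iocs(bundle_json):
    """Return {indicator_id: {(object_type, value), ...}} for every Indicator SDO.

    Only simple equality comparisons are handled; AND/OR/temporal qualifiers
    are ignored, which is fine for a hunt but not for enforcement.
    """
    bundle = json.loads(bundle_json)
    iocs = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        iocs[obj["id"]] = set(COMPARISON.findall(obj["pattern"]))
    return iocs


# Constructed firewall/DNS log lines in key=value form (syslog-style export).
SAMPLE_LOGS = """\
ts=2024-03-01T08:00:01Z src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow
ts=2024-03-01T08:00:09Z src=10.0.0.12 dst=203.0.113.45 dport=8443 action=allow
ts=2024-03-01T08:02:14Z src=10.0.0.31 query=update-check.example type=A
ts=2024-03-01T08:03:30Z src=10.0.0.31 query=intranet.corp.example type=A
ts=2024-03-01T08:04:00Z src=10.0.0.7 dst=198.51.100.20 dport=80 action=allow
"""

KV = re.compile(r"(\w+)=(\S+)")


def hunt(bundle_json, log_text):
    """Return {internal_host: [indicator_id, ...]} for hosts whose log lines
    touch an IoC value. These are hunt leads to triage, not confirmed
    compromises."""
    lookup = {}  # (object_type, value) -> indicator id, for O(1) checks
    for ind_id, pairs in extract_iocs(bundle_json).items():
        for obj_type, value in pairs:
            lookup[(obj_type, value)] = ind_id
    leads = defaultdict(list)
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        # Destination IPs map to ipv4-addr, DNS queries to domain-name
        for key in (("ipv4-addr", fields.get("dst")), ("domain-name", fields.get("query"))):
            ind_id = lookup.get(key)
            if ind_id and ind_id not in leads[fields["src"]]:
                leads[fields["src"]].append(ind_id)
    return dict(leads)


if __name__ == "__main__":
    for host, hits in hunt(STIX_BUNDLE, SAMPLE_LOGS).items():
        print(host, "->", hits)
```

Running it lists 10.0.0.12 (it connected to the listed C2 address twice, on two different ports, which is itself the port-hopping pattern the notes describe) and 10.0.0.31 (it resolved one of the listed domains); the 10.0.0.7 line matches nothing. In practice the next hunt step is to pull those hosts' process lists and look at how the connecting process was launched.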
Google Hacking
  o Google Hacking
    ▪ Open-source intelligence techniques that use Google search operators to locate vulnerable web servers and applications
  o Methods
    ▪ Quotes “ ”
      • Use double quotes to specify an exact phrase and make a search more precise
    ▪ NOT
      • Use the minus sign in front of a word or quoted phrase to exclude results that contain that string
    ▪ AND/OR
      • Use these logical operators to require both search terms (AND) or to require either search term (OR)
    ▪ Scope
      • Different keywords that can be used to select the scope of the search, such as site, filetype, related, allintitle, allinurl, or allinanchor
    ▪ URL Modifier
      • Modifiers that can be added to the results page to affect the results, such as &pws=0, &filter=0, and &tbs=li:1
  o The Google Hacking Database (GHDB) provides a database of search strings optimized for locating vulnerable websites and services
  o Shodan (shodan.io)
    ▪ A search engine optimized for identifying vulnerable Internet-attached devices
Profiling Techniques
  o Email Harvesting
    ▪ An Open-Source Intelligence (OSINT) technique used to gather email addresses for a domain
  o Once a list has been created, it can be used in social engineering attempts
    ▪ Pipl.com
    ▪ Peekyou.com
    ▪ Echosec.net
  o theHarvester
    ▪ A command line tool used by penetration testers

Harvesting Techniques
  o whois
    ▪ A public listing of all registered domains and their registered administrators
  o DNS Zone Transfer
    ▪ A method of replicating DNS databases across a set of DNS servers that is often used during the reconnaissance phase of an attack
    ▪ If your DNS service is misconfigured, a DNS zone transfer could be allowed
  o DNS Harvesting
    ▪ Using Open-Source Intelligence (OSINT) to gather information about a domain, such as any subdomains, the hosting provider, the administrative contacts, and so on
  o Website Harvesting
    ▪ A technique used to copy the source code of website files to analyze for information and vulnerabilities

AbuseIPDB
  o AbuseIPDB
    ▪ A community-driven database that keeps track of IP addresses reported for abusive behavior
  o Benefits for organizations
    ▪ It enables the organization to take a proactive approach to its cybersecurity
    ▪ The database is constantly being updated with new information from a global community of users
    ▪ The organization can also use the AbuseIPDB to monitor their logs for any suspicious activity
    ▪ Individuals can also benefit by using this database
  o The information in the AbuseIPDB is not considered to be 100% reliable
    ▪ It’s important that you use the AbuseIPDB and combine it with other security measures
    ▪ This database is constantly being updated with new information

Deep Web and Dark Web
  o The deep web and the dark web are both parts of the Internet that are not easily accessible through traditional search engines
  o Deep Web
    ▪ Portion of the Internet not indexed by search engines, which includes private databases, subscription-based websites, and other content that is not publicly accessible
      • Medical and Scientific Research
      • University Libraries
      • Government Databases
    ▪ The deep web can contain sensitive information that is not meant to be searchable by the general public
    ▪ Can be used as a source of information to gather intelligence on potential threats
    ▪ Helps gather intelligence on potential threats
  o Dark Web
    ▪ Refers to a specific part of the deep web that's used for illegal activities, such as the buying and selling of drugs, weapons, and stolen personal information, such as credit card data
    ▪ The dark web is considered a criminal haven and a high-risk area where hacking and illicit activities occur
    ▪ Accessing the dark web without proper knowledge and precautions can put the user at risk of encountering illegal activities, malware, or being targeted by cyber criminals
    ▪ Can be used to monitor stolen data or information related to the organization
    ▪ Can also be used to track the activities of known or suspected cybercriminal groups, to identify any patterns or trends in their methods and techniques
    ▪ Can also track the prices and availability of tools and services commonly used in cyber attacks
    ▪ Monitors for stolen data and tracks the activities of cybercriminals

Bug Bounty
  o Bug Bounty
    ▪ A way for companies to crowdsource security testing of their software services and applications to identify and address potential security issues
  o Ways to participate
    ▪ You can participate in your own company by finding and reporting problems in your own systems
    ▪ You can use bug bounty to show your skills and gain recognition in the cyber security community
  o You should approach testing in a responsible and ethical manner and avoid causing harm or disruption to systems, applications, or services
    ▪ Obtain necessary permissions (legal agreements like NDAs), and use a robust system for tracking, triaging, and remediating vulnerabilities
    ▪ Register with the company ahead of time, otherwise you could be considered a malicious hacker

Network Forensics
Objective 1.3: Given a scenario, use appropriate tools or techniques to determine malicious activity.
Network Forensics Tools
  o Network traffic must be captured and its data frames decoded before it can be analyzed
  o Switched Port Analyzer (SPAN)
    ▪ Allows for the copying of ingress and/or egress communications from one or more switch ports to another
  o Packet Sniffer
    ▪ A piece of hardware or software that records data from frames as they pass over network media using methods such as a mirrored port or tap device
  o A network sniffer should be placed inside a firewall or close to an important server
  o tcpdump
    ▪ A data-network packet analyzer computer program that runs under a command line interface
    ▪ It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached
  o Wireshark
    ▪ A free and open-source GUI-based packet analyzer that is used for network troubleshooting, analysis, software and communications protocol development, and education
Flow Analysis
  o Full Packet Capture (FPC)
    ▪ Captures the entire packet including the header and the payload for all traffic entering and leaving a network
  o Flow Collector
    ▪ A means of recording metadata and statistics about network traffic rather than recording each frame
  o Flow analysis tools provide network traffic statistics sampled by a collector
    ▪ NetFlow
      • A Cisco-developed means of reporting network flow information to a structured database
      • Gathers:
        o Network protocol interface
        o Version and type of IP
        o Source and destination IP
        o Source and destination port
        o IP type of service
      • NetFlow provides metadata while packet captures provide a complete record of what occurred
    ▪ Zeek (Bro)
      • A hybrid tool that passively monitors a network like a sniffer and only logs data of potential interest
      • Zeek performs normalization on the data
      • Stores data as tab-delimited or JavaScript Object Notation (JSON) formatted text files
    ▪ Multi Router Traffic Grapher (MRTG)
      • A tool used to create graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances using the Simple Network Management Protocol (SNMP)

IP and DNS Analysis
  o Malware used to be configured to contact a specific static IP or DNS name as part of its code
  o Known-bad IP Addresses
    ▪ An IP address or range of addresses that appears on one or more blacklists
    ▪ Reputation-based risk intelligence is used to create IP/URL block lists
    ▪ Attackers now use domain generation algorithms to overcome block lists
  o Domain Generation Algorithm (DGA)
    ▪ A method used by malware to evade block lists by dynamically generating domain names for C2 networks
    ▪ 5 Steps attackers use
      • Attacker sets up one or more dynamic DNS (DDNS) services
      • Malware code implements a DGA to create a list of new domain names
      • A parallel DGA is used to create name rec
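An added example (not the study guide's or the Zeek project's code) that covers both the Flow Analysis notes on Zeek and the IP and DNS Analysis notes on DGAs: it reads constructed Zeek conn.log and dns.log records in JSON-lines form and flags port hopping between one host pair, excessive outbound bytes, and DGA-like query names using label length and Shannon entropy (the detection side of "attackers now use domain generation algorithms to overcome block lists"). All log lines, addresses and names are constructed, and the thresholds (three distinct ports, 50 MB outbound, entropy of at least 3.5 bits over a label of at least 10 characters) are assumptions to tune against a real baseline.

```python
"""Flow analysis over constructed Zeek JSON logs: port hopping, excessive
outbound bytes, and DGA-like DNS queries.

Added example, not from the study guide or the Zeek project. Every log line,
address and domain below is constructed sample data (RFC 5737 TEST-NET ranges
and .example names). Field names follow Zeek's conn.log and dns.log schemas.
"""
import json
import math
from collections import defaultdict

# Constructed Zeek conn.log records (JSON-lines output of the Zeek JSON writer).
CONN_LOG = """\
{"ts":1709280000.1,"id.orig_h":"10.0.0.12","id.resp_h":"203.0.113.45","id.resp_p":443,"proto":"tcp","orig_bytes":1200}
{"ts":1709280010.2,"id.orig_h":"10.0.0.12","id.resp_h":"203.0.113.45","id.resp_p":8443,"proto":"tcp","orig_bytes":800}
{"ts":1709280020.3,"id.orig_h":"10.0.0.12","id.resp_h":"203.0.113.45","id.resp_p":8080,"proto":"tcp","orig_bytes":64000000}
{"ts":1709280030.4,"id.orig_h":"10.0.0.12","id.resp_h":"203.0.113.45","id.resp_p":4444,"proto":"tcp","orig_bytes":900}
{"ts":1709280040.5,"id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.20","id.resp_p":80,"proto":"tcp","orig_bytes":3000}
{"ts":1709280050.6,"id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.20","id.resp_p":80,"proto":"tcp","orig_bytes":2500}
{"ts":1709280060.7,"id.orig_h":"10.0.0.31","id.resp_h":"198.51.100.9","id.resp_p":443,"proto":"tcp","orig_bytes":5400}
"""

# Constructed Zeek dns.log records (subset of the schema).
DNS_LOG = """\
{"ts":1709280001.0,"id.orig_h":"10.0.0.31","query":"intranet.example","rcode_name":"NOERROR"}
{"ts":1709280002.0,"id.orig_h":"10.0.0.31","query":"mail.example","rcode_name":"NOERROR"}
{"ts":1709280003.0,"id.orig_h":"10.0.0.12","query":"xk2q9vz7lm4pwtb.example","rcode_name":"NXDOMAIN"}
{"ts":1709280004.0,"id.orig_h":"10.0.0.12","query":"q7d3t8n1h5z2w9k4.example","rcode_name":"NXDOMAIN"}
{"ts":1709280005.0,"id.orig_h":"10.0.0.12","query":"cdn-sync.example","rcode_name":"NOERROR"}
"""


def load_zeek(text):
    """Parse JSON-lines Zeek output into a list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def port_hopping(conns, min_ports=3):
    """Return {(orig, resp): sorted ports} for host pairs that used at least
    min_ports distinct destination ports, the pattern the notes describe for a
    C2 channel that jumps between ports. Threshold is an assumption."""
    ports = defaultdict(set)
    for c in conns:
        ports[(c["id.orig_h"], c["id.resp_h"])].add(c["id.resp_p"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def heavy_senders(conns, max_bytes=50_000_000):
    """Return {orig_host: total orig_bytes} for hosts above max_bytes, a crude
    'excessive bandwidth usage' IoC check. Threshold is an assumption."""
    totals = defaultdict(int)
    for c in conns:
        totals[c["id.orig_h"]] += c.get("orig_bytes", 0)
    return {h: b for h, b in totals.items() if b > max_bytes}


def _registrable_label(name):
    """'www.intranet.example' -> 'intranet' (the label a DGA would generate)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_entropy(name):
    """Shannon entropy in bits per character of the registrable label."""
    label = _registrable_label(name)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(name, min_entropy=3.5, min_len=10):
    """Heuristic: long, high-entropy labels look machine-generated. Both
    thresholds are assumptions; tune them against your own DNS baseline."""
    return len(_registrable_label(name)) >= min_len and label_entropy(name) >= min_entropy


def dga_suspects(dns_records):
    """Return {orig_host: [queries]} for DGA-like names. A run of NXDOMAIN
    answers from the same host (visible in rcode_name) is a supporting signal,
    since most generated names are never registered."""
    suspects = defaultdict(list)
    for r in dns_records:
        if is_dga_like(r["query"]):
            suspects[r["id.orig_h"]].append(r["query"])
    return dict(suspects)


if __name__ == "__main__":
    conns, dns = load_zeek(CONN_LOG), load_zeek(DNS_LOG)
    print("port hopping:", port_hopping(conns))
    print("heavy senders:", heavy_senders(conns))
    print("DGA suspects:", dga_suspects(dns))
```

On the sample data all three checks point at the same host, 10.0.0.12: four distinct ports to one external address, about 64 MB sent outbound, and two high-entropy 15- and 16-character names that came back NXDOMAIN. That convergence of flow metadata and DNS evidence is what makes a host worth pulling a full packet capture for; none of the individual signals proves compromise on its own.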