CompTIA CySA+ Cybersecurity Analyst Certification All-in-One Exam Guide, Third Edition (Exam CS0-003)
Mya Heath, Fernando J. Maymi, Bobby E. Rogers, Brent Chapman
CONTENTS
Acknowledgments
Introduction
Part I Security Operations
Chapter 1 System and Network Architectures
The Importance of Logging
Logging Levels
Log Ingestion
Time Synchronization
Operating System Concepts
Windows Registry
Linux Configuration Settings
System Hardening
File Structure
System Processes
Hardware Architecture
Network Architecture
On-premises Architecture
Network Segmentation
Zero Trust
Software-Defined Networking
Secure Access Secure Edge
Cloud Service Models
Cloud Deployment Models
Hybrid Models
Cloud Access Security Broker
Infrastructure Concepts
Virtualization
Containerization
Serverless Architecture
Identity and Access Management
Multifactor Authentication
Single Sign-On
Federation
Privileged Access Management
Encryption
Symmetric Cryptography
Asymmetric Cryptography
Symmetric vs. Asymmetric Cryptography
Public Key Infrastructure
Digital Signatures
Sensitive Data Protection
Personally Identifiable Information
Personal Health Information
Cardholder Data
Data Loss Prevention
Secure Sockets Layer and Transport Layer Security
Inspection
Chapter Review
Questions
Answers
Chapter 2 Standardizing and Streamlining Security Operations
Streamlining Security Operations
Automation and Orchestration
Orchestration Playbooks
Process Standardization
Identification of Tasks Suitable for Automation
Minimizing Human Engagement
Team Coordination to Manage and Facilitate Automation
Technology and Tool Integration
Scripting
Application Programming Interface
Representational State Transfer
Automating API Calls
Webhooks
Plug-Ins
Orchestrating Threat Intelligence Data
Data Enrichment
Single Pane of Glass
Use of Automation Protocols and Standards
Security Content Automation Protocol
Chapter Review
Questions
Answers
Chapter 3 Attack Methodology Frameworks
Attack Frameworks
MITRE ATT&CK
The Diamond Model of Intrusion Analysis
Kill Chain
Open Source Security Testing Methodology Manual
OWASP Web Security Testing Guide
Chapter Review
Questions
Answers
Chapter 4 Analyzing Potentially Malicious Activity
Network-Related Indicators
Bandwidth Consumption
Beaconing
Irregular Peer-to-Peer Communication
Rogue Devices on the Network
Scans/Sweeps
Unusual Traffic Spikes
Activity on Unexpected Ports
Network-Related Indicators Summary
Host-Related Indicators
Capacity Consumption
Unauthorized Software
Malicious Processes
Memory Contents
Unauthorized Changes
Unauthorized Privileges
Data Exfiltration
Registry Change or Anomaly
Unauthorized Scheduled Task
Application-Related Indicators
Anomalous Activity
Introduction of New Accounts
Unexpected Output
Unexpected Outbound Communication
Service Interruption
Memory Overflows
Application Logs
Other Indicators
Social Engineering
Obfuscated Links
Chapter Review
Questions
Answers
Chapter 5 Techniques for Malicious Activity Analysis
Capturing Network Traffic
Log Analysis and Correlation
Security Information and Event Management
Security Orchestration, Automation, and Response
Endpoint
Endpoint Detection and Response
Reputation Analysis
File Analysis
Static Analysis
Dynamic Analysis
File Reputation Analysis
Code Analysis
Behavior Analysis
User Behavior Analysis
Entity Behavior Analysis
Abnormal Account Activity
Impossible Travel
E-mail Analysis
Malicious Payload
DomainKeys Identified Mail
Sender Policy Framework
Domain-Based Message Authentication, Reporting, and Conformance
Header
Phishing
Forwarding
Digital Signatures and Encryption
Embedded Links
Impersonation
Programming Languages
Extensible Markup Language
JavaScript Object Notation
Shell Scripting
Regular Expressions
PowerShell
Python
Chapter Review
Questions
Answers
Chapter 6 Tools for Malicious Activity Analysis
Network Analysis Tools
BPF
Wireshark and TShark
tcpdump
WHOIS
AbuseIPDB
File Analysis Tools
Strings
Hashing Utilities
VirusTotal
Joe Sandbox
Cuckoo Sandbox
Chapter Review
Questions
Answers
Chapter 7 Fundamentals of Threat Intelligence
Foundations of Intelligence
Threat Classification
Known Threats vs. Unknown Threats
Zero-Day
Threat Actors
Advanced Persistent Threats
Hacktivists
Organized Crime
Nation-States
Script Kiddies
Insider Threats
Supply Chain Threats
Commodity Malware
Tactics, Techniques, and Procedures
Characteristics of Intelligence Source Data
Confidence Levels
Collection Methods and Sources
Open Source
Closed Source
Threat Intelligence Sharing
Information Sharing and Analysis Communities
Managing Indicators of Compromise
Indicator Lifecycle
Structured Threat Information Expression
Trusted Automated Exchange of Indicator Information
OpenIOC
MISP and Open CTI
Intelligence Cycle
Requirements
Collection
Analysis
Dissemination
Feedback
Application of the Intelligence Cycle
Chapter Review
Questions
Answers
Chapter 8 Applying Threat Intelligence in Support of Organizational Security
Levels of Intelligence
Threat Research
Reputational
Behavioral
Indicator of Compromise
Common Vulnerability Scoring System
Threat Modeling Methodologies
Adversary Capability
Total Attack Surface
Attack Vector
Likelihood
Impact
STRIDE
PASTA
Threat Intelligence Sharing with Supported Functions
Incident Response
Vulnerability Management
Risk Management
Security Engineering
Detection and Monitoring
Threat Hunting
Establishing a Hypothesis
Profiling Threat Actors and Activities
Threat Hunting Tactics
High-Impact TTPs
Delivering Results
Documenting the Process
Integrating Vulnerability Management with Threat Hunting
Attack Vectors
Integrated Intelligence
Improving Detection Capabilities
Focus Areas
Chapter Review
Questions
Answers
Part II Vulnerability Management
Chapter 9 Vulnerability Scanning Methods and Concepts
Asset Discovery
Asset Mapping Scans and Fingerprinting
Industry Frameworks
Payment Card Industry Data Security Standard
Center for Internet Security Controls
Open Web Application Security Project
ISO/IEC 27000 Series
Critical Infrastructure
Industrial Control Systems and Operational Technology
Supervisory Control and Data Acquisition Systems
Vulnerability Identification and Scanning
Passive vs. Active Scanning
Scanning Parameters and Criteria
Types of Vulnerability Scans
Special Considerations for Vulnerability Scans
Risks Associated with Scanning Activities
Generating Vulnerability Management Reports
Software Vulnerability Assessment Tools and Techniques
Chapter Review
Questions
Answers
Chapter 10 Vulnerability Assessment Tools
Network Scanning and Mapping
Passive vs. Active Enumeration Techniques
Angry IP Scanner
Maltego
Web Application Scanners
Burp Suite
OWASP Zed Attack Proxy
Arachni
Nikto
Infrastructure Vulnerability Scanners
Nessus
OpenVAS
Qualys
Multipurpose Tools
nmap
hping
Metasploit Framework
Recon-ng
Wireless Assessment Tools
Aircrack-ng
Reaver
Hashcat
Debuggers
Debugger Scenario
GDB
Immunity Debugger
Cloud Infrastructure Assessment Tools
Scout Suite
Prowler
Pacu
Chapter Review
Questions
Answers
Chapter 11 Analyzing and Prioritizing Vulnerabilities
Common Vulnerability Scoring System
Base Metric Group
Temporal Metric Group
Environmental Metric Group
Validating Vulnerabilities
True Positives
False Positives
True Negatives
False Negatives
Examining True Positives
Context Awareness
Internal
External
Isolated
Exploitability and Weaponization
Asset Value
Zero-Day
Preparing for Zero-Days
Chapter Review
Questions
Answers
Chapter 12 Mitigating Vulnerabilities
Attack Types
Injection Attacks
Buffer Overflow Vulnerabilities
Broken Access Control
Cryptographic Failures
Data Poisoning
Privilege Escalation
Identification and Authentication Attacks
Local File Inclusion/Remote File Inclusion Attacks
Rootkits
Insecure Design Vulnerabilities
Improper Error Handling
Dereferencing
Insecure Object Reference
Race Condition
Sensitive Data Exposure
Insecure Components
Insufficient Logging and Monitoring
Security Misconfiguration
Use of Insecure Functions
End-of-Life or Outdated Components
Chapter Review
Questions
Answers
Chapter 13 Vulnerability Handling and Response
Vulnerability Management Governance and Policy
Control Types and Functions
Managerial
Technical
Operational
Control Functions
Patching and Configuration Management
Testing
Implementation
Rollback
Validation
Maintenance Windows
Exceptions
Prioritization and Escalation
Risk Management Principles
Elements of Risk
Risk Assessment and Analysis
Risk Appetite and Tolerance
Risk Response
Attack Surface Management
Edge and Passive Discovery
Security Controls Testing
Penetration Testing and Adversary Emulation
Bug Bounty
Attack Surface Reduction
Secure Coding Best Practices
Input Validation
Output Encoding
Session Management
Authentication
Data Protection
Parameterized Queries
Secure Software Development Lifecycle
Requirements
Development
Implementation
Operation and Maintenance
DevOps and DevSecOps
Vulnerability Management Reporting and Communication
Stakeholder Identification and Communication
Vulnerability Reports
Compliance Reports
Action Plans
Inhibitors to Remediation
Metrics and Key Performance Indicators
Chapter Review
Questions
Answers
Part III Incident Response
Chapter 14 Incident Response Procedures
Preparation
The Incident Response Plan
Establishing a Communication Process
Training
Testing
Playbooks
Documentation
Detection and Analysis
Incident Scope and Impact
Reverse Engineering
Incident Response Tools
Containment
Segmentation
Isolation
Removal
Eradication and Recovery
Remediation
Compensating Controls
Vulnerability Mitigation
Sanitization
Reconstruction
Secure Disposal
Patching
Restoration of Permissions
Validation of Permissions
Restoration of Services and Verification of Logging
Chapter Review
Questions
Answers
Chapter 15 Post-Incident Response Activities
Post-Incident Activities
Forensics
Root Cause Analysis
Change Control Process
Updates to the Incident Response Plan
Indicator of Compromise Generation
Monitoring
Incident Reporting and Communication
Stakeholder Identification and Communication
Incident Response Reporting
Lessons Learned
Metrics and Key Performance Indicators
Chapter Review
Questions
Answers
Chapter 16 Utilize Basic Digital Forensics Techniques
Phases of an Investigation
Evidence Seizure
Evidence Acquisition
Analysis
Reporting
Network
Network Tap
Hub
Switches
Endpoints
Servers
OS and Process Analysis
Mobile Device Forensics
Virtualization and the Cloud
Procedures
Building Your Forensic Kit
Cryptography Tools
Acquisition Utilities
Forensic Duplicators
Password Crackers
Hashing Utilities
Forensic Suites
File Carving
Chapter Review
Questions
Answers
Part IV Appendixes and Glossary
Appendix A Objective Map
Exam CS0-003
Appendix B About the Online Content
System Requirements
Your Total Seminars Training Hub Account
Privacy Notice
Single User License Terms and Conditions
TotalTester Online
Technical Support
Glossary
Index