CompTIA CySA+ Study Guide
Exam CS0-004
By: Mike Chapple, David Seidl
Paperback | 15 July 2026 | Edition Number 4
At a Glance: Paperback. RRP $107.95, now $79.75 (26% off). Available 15th July 2026; preorder, will ship when available.
Prepare for the CompTIA CySA+ CS0-004 exam with comprehensive study resources
CompTIA CySA+ Study Guide: Exam CS0-004, Fourth Edition delivers targeted preparation for the updated CS0-004 certification exam. This edition covers the revised exam objectives for security operations, vulnerability management, incident response and management, and reporting and communication exam domains. Written by experienced cybersecurity educators Mike Chapple and David Seidl, the CompTIA CySA+ Study Guide provides the technical depth and practical focus that certification candidates require.
The study guide includes chapter review questions, hands-on exercises, and access to detailed and accurate online resources that increase competency, decrease test anxiety, and build job-ready performance for cybersecurity roles. Readers will find detailed coverage of threat intelligence and security monitoring. Each chapter concludes with exam essentials that summarize key concepts and identify critical knowledge areas for the certification exam.
You'll also discover:
- Detailed explanations of vulnerability scanning tools, penetration testing methodologies, and security assessment techniques aligned with CS0-004 objectives
- Coverage of SIEM platforms, log analysis, and network traffic analysis for security operations center environments
- Incident response procedures including containment strategies, eradication techniques, and recovery processes for enterprise environments
- Compliance and governance frameworks including PCI DSS, HIPAA, and GDPR requirements relevant to cybersecurity analysts
- Complimentary access to Sybex's proven library of digital resources, online test bank, bonus questions, flashcards, and glossary of industry terminology
CompTIA CySA+ Study Guide: Exam CS0-004 serves cybersecurity analysts, security operations center staff, and IT professionals pursuing the CySA+ certification. The guide prepares candidates for roles requiring threat detection, vulnerability management, and incident response skills validated by the CS0-004 exam.
Contents
Introduction xxiii
Assessment Test xxxvii
Chapter 1 Today's Cybersecurity Analyst 1
Cybersecurity Objectives 2
Privacy vs. Security 3
Evaluating Security Risks 4
Identify Threats 6
Identify Vulnerabilities 9
Determine Likelihood, Impact, and Risk 9
Reviewing Controls 10
Building a Secure Network 11
Network Access Control 11
Firewalls and Network Perimeter Security 13
Network Segmentation 16
Defense Through Deception 18
Secure Endpoint Management 18
Hardening System Configurations 18
Patch Management 19
Group Policies 19
Endpoint Security Software 20
Penetration Testing 21
Planning a Penetration Test 22
Conducting Discovery 22
Executing a Penetration Test 23
Communicating Penetration Test Results 24
Training and Exercises 24
Efficiency and Process Improvement 24
Standardize Processes 25
Cybersecurity Automation 25
Technology and Tool Integration 26
Bringing Efficiency to Incident Response 27
Artificial Intelligence in Security Operations 29
AI Use Cases 29
AI Governance 30
AI Risks 31
Summary 32
Exam Essentials 33
Lab Exercises 34
Review Questions 39
Answers to Review Questions 43
Answers to Lab Exercises 46
Chapter 2 System and Network Architecture 49
Infrastructure Concepts and Design 50
Cloud-Native 51
Virtualization 52
Containerization 52
Application Programming Interfaces 53
Critical Infrastructure Concepts 54
Operating System Concepts 56
System Hardening 56
Hardening and the Windows Registry 57
File Structure and File Locations 58
System Processes 59
Logging, Logs, and Log Ingestion 60
Log Ingestion 60
Configuring Logs 61
Time Synchronization 63
Log Retention 64
Ensuring Log Integrity 65
General Logging Considerations 65
Network Architecture 66
On-Premises 66
Cloud 67
Hybrid Cloud 68
Network Segmentation 68
Software-Defined Networking 69
Zero Trust Network Architecture 70
Secure Access Service Edge 71
Device Management 72
Endpoint Management 72
Mobile Device Management 73
Identity and Access Management 74
Multifactor Authentication 74
Passwordless 76
Single Sign-On 76
Federation 77
Privileged Access Management 81
Secrets Management 82
Encryption and Sensitive Data Protection 83
Encryption Techniques 83
Public Key Infrastructure 85
Data Protection 86
Exam Essentials 88
Lab Exercises 89
Review Questions 92
Answers to Review Questions 96
Answers to Lab Exercises 98
Chapter 3 Malicious Activity 99
Network-Related Indicators 101
Detecting Common Network-Related Indicators 102
Enumeration 106
Detecting Other Network Attacks 107
Detecting and Finding Rogue Devices 108
Host-Related Indicators 110
System Resources 110
Unauthorized Software and Suspicious and Rogue Processes 114
Anomalous Activity 115
Unauthorized Configuration 117
Cloud-Related Attacks 119
Social Engineering Attacks 120
Identity-Based Indicators 121
Email-Related Attacks 122
Investigating Service- and Application-Related Issues 122
Application and Service Monitoring 123
Determining Malicious Activity Using Tools and Techniques 127
Decoding and Parsing Data and Files 127
Packet Capture and Analysis 128
Logs, Log Analysis, and Correlation 130
Logs and Log Analysis 130
Threat Intelligence Platforms 135
Endpoint Security 136
DNS and IP Reputation 137
Common Techniques for Detecting Malicious Activity 139
Exam Essentials 151
Lab Exercises 153
Review Questions 155
Answers to Review Questions 158
Chapter 4 Threat Intelligence 161
Collecting Threat Data 162
Open-Source Intelligence 163
Proprietary and Closed-Source Intelligence 165
Confidence-Level Impacts: Threat Intelligence Quality 166
Threat Intelligence Sharing 167
The Intelligence Cycle 169
Threat Classification 171
Threat Actors 171
Tactics, Techniques, and Procedures 172
Threat Modeling 175
Threat Mapping 176
Applying Threat Intelligence Organization-Wide 177
Proactive Threat Hunting 177
Indicators of Compromise 178
Cyber Deception 180
Exam Essentials 180
Lab Exercises 181
Review Questions 185
Answers to Review Questions 188
Chapter 5 Reconnaissance and Intelligence Gathering 191
Mapping Scans, Enumeration, and Asset Discovery 192
Active Reconnaissance 193
Network Scanning and Mapping 194
Pinging Hosts 195
Port Scanning and Service Discovery Techniques and Tools 197
Asset Inventory 207
Exam Essentials 208
Lab Exercises 208
Review Questions 212
Answers to Review Questions 216
Answers to Lab Exercises 218
Chapter 6 Designing a Vulnerability Management Program 219
Identifying Vulnerability Management Requirements 221
Regulatory Environment 221
Corporate Policy 224
Industry Standards 224
Identifying Scan Targets 225
Scheduling Scans 226
Active vs. Passive Scanning 228
Configuring and Executing Vulnerability Scans 229
Scoping Vulnerability Scans 229
Configuring Vulnerability Scans 230
Scanner Maintenance 235
Developing a Remediation Workflow 238
Reporting and Communication 239
Prioritizing Remediation 240
Testing and Implementing Fixes 242
Delayed Remediation Options 243
Overcoming Risks of Vulnerability Scanning 243
Vulnerability Assessment Tools 245
Infrastructure Vulnerability Scanning 245
Cloud Infrastructure Assessment Tools 245
Web Application Scanning 250
Interception Proxies 250
Breach Attack Simulation (BAS) Tools 252
Exam Essentials 254
Lab Exercises 255
Review Questions 257
Answers to Review Questions 261
Chapter 7 Analyzing Vulnerability Scans 265
Reviewing and Interpreting Scan Reports 266
Understanding CVSS 269
Validating Scan Results 277
Scan Error Types 277
Documented Exceptions 278
Understanding Informational Results 278
Reconciling Scan Results with Other Data Sources 279
Trend Analysis 280
Context Awareness 280
Prioritization Criteria 281
Exploitability 281
Active Exploitation and Threat Intelligence 282
Asset Value 283
Impact 283
Patch/Remediation Availability 283
Common Vulnerabilities 284
Server and Endpoint Vulnerabilities 284
Network Vulnerabilities 290
Critical Infrastructure and Operational Technology 296
Web Application Vulnerabilities 297
Identification and Authentication Failures 303
Data Poisoning 305
Exam Essentials 305
Lab Exercises 306
Review Questions 309
Answers to Review Questions 313
Chapter 8 Managing Risk 317
Policies and Governance Controls 319
Policies 320
Standards 321
Procedures 322
Guidelines 324
Exceptions and Compensating Controls 324
Analyzing Risk 326
Risk Identification 327
Risk Calculation 327
Business Impact Analysis 328
Risk Profile and Appetite 332
Classifying Threats 333
Threat Research and Modeling 333
Managing Risk 335
Risk Mitigation 336
Risk Avoidance 337
Risk Transference 337
Risk Acceptance 337
Planning Mitigation Strategies 338
Attack Surface Management 338
Configuration and Change Management 339
Patch Management 340
Implementing Security Controls 340
Security Control Types 341
Security Control Functions 341
Secure Software Development Life Cycle (SDLC) 342
SDLC Phases 343
Designing and Coding for Security 345
Common Software Development Security Issues 345
Secure Coding Best Practices 347
Application Security Testing 347
Application Security Assessment: Testing and Analyzing Code 347
Software Assurance Maturity Model (SAMM) 352
Exam Essentials 353
Lab Exercises 356
Review Questions 358
Answers to Review Questions 362
Answers to Lab Exercises 364
Chapter 9 Building an Incident Response Program 367
Cybersecurity Incidents 368
Incident Response Process 369
Preparation 370
Detection and Analysis 371
Containment, Eradication, and Recovery 372
Post-Incident Activity 373
Building the Foundation for Incident Response 376
Policies 377
Procedures and Playbooks 378
Documenting the Incident Response Plan 379
Creating an Incident Response Team 380
CSIRT Scope of Control 381
Attack Frameworks 382
MITRE ATT&CK 382
Diamond Model of Intrusion Analysis 383
Cyber Kill Chain 385
Exam Essentials 387
Lab Exercises 388
Review Questions 391
Answers to Review Questions 395
Answers to Lab Exercises 397
Chapter 10 Evidence and Analysis 399
Evidence 400
Evidence Acquisition 400
Drive Imaging 402
Imaging Live Systems 402
Acquiring Other Data 402
Preserving Evidence 406
Preservation and Chain of Custody 407
Data Integrity Validation 407
Legal Hold 409
Evidence Analysis 410
Conducting a Forensic Analysis 410
Evidence Handling 411
Reporting and Analysis 413
Lessons Learned 414
Exam Essentials 416
Lab Exercises 416
Review Questions 420
Answers to Review Questions 424
Answers to Lab Exercises 426
Chapter 11 Containment, Eradication, and Recovery 427
Containing the Damage 428
Isolation 430
Escalation 434
Evidence Acquisition and Handling 435
Identifying Attackers 435
Incident Eradication and Recovery 436
Remediation and Reimaging 437
Patching Systems and Applications 438
Sanitization and Secure Disposal 438
Validating Data Integrity 439
Wrapping Up the Response 440
Managing Change Control Processes 440
Conducting a Lessons-Learned Session 441
Developing a Final Report 441
Evidence Retention 442
Continuous Monitoring 442
Exam Essentials 443
Lab Exercises 444
Review Questions 446
Answers to Review Questions 449
Answers to Lab Exercises 452
Chapter 12 Reporting and Communication 453
Vulnerability Management Reporting and Communication 454
Compliance Findings and Reports 455
Action Plans 456
Stakeholder Identification and Communication 458
Vulnerability Management Metrics and KPIs 459
Inhibitors to Remediation 460
Security Operations and Incident Response Reporting and Communication 461
Security Operations Communications 462
Incident Declaration and Escalation 462
Incident Response Reporting 463
Post-Incident Reporting 468
Incident Response Metrics and KPIs 471
Exam Essentials 472
Lab Exercises 473
Review Questions 476
Answers to Review Questions 480
Answers to Lab Exercises 482
Index 483
ISBN: 9781394414871
ISBN-10: 1394414870
Series: Sybex Study Guide
Available: 15th July 2026
Format: Paperback
Language: English
Audience: General Adult
Publisher: Wiley
Country of Publication: US
Edition Number: 4