

English
Sybex Inc.,U.S.
22 July 2020
This updated study guide by two security experts will help you prepare for the CompTIA CySA+ certification exam. Position yourself for success with coverage of crucial security topics!

Where can you find 100% coverage of the revised CompTIA Cybersecurity Analyst+ (CySA+) exam objectives? It’s all in the CompTIA CySA+ Study Guide Exam CS0-002, Second Edition! This guide provides clear and concise information on crucial security topics. You’ll be able to gain insight from practical, real-world examples, plus chapter reviews and exam highlights. Turn to this comprehensive resource to gain authoritative coverage of a range of security subject areas.

Review threat and vulnerability management topics
Expand your knowledge of software and systems security
Gain greater understanding of security operations and monitoring
Study incident response information
Get guidance on compliance and assessment

The CompTIA CySA+ Study Guide, Second Edition connects you to useful study tools that help you prepare for the exam. Gain confidence by using its interactive online test bank with hundreds of bonus practice questions, electronic flashcards, and a searchable glossary of key cybersecurity terms. You also get access to hands-on labs and have the opportunity to create a cybersecurity toolkit.

Leading security experts Mike Chapple and David Seidl wrote this valuable guide to help you prepare to be CompTIA Security+ certified. If you’re an IT professional who has earned your CompTIA Security+ certification, success on the CySA+ (Cybersecurity Analyst) exam stands as an impressive addition to your professional credentials. Preparing for and taking the CS0-002 exam can also help you plan for advanced certifications, such as the CompTIA Advanced Security Practitioner (CASP+).

Imprint:   Sybex Inc.,U.S.
Country of Publication:   United States
Edition:   2nd edition
Dimensions:   Height: 234mm,  Width: 185mm,  Spine: 38mm
Weight:   975g
ISBN:   9781119684053
ISBN 10:   1119684056
Pages:   704
Audience:   Professional and scholarly ,  Undergraduate
Replaced By:   9781394182909
Format:   Paperback
Publisher's Status:   Active
Introduction xxvii
Assessment Test xli

Chapter 1 Today’s Cybersecurity Analyst 1
Cybersecurity Objectives 2; Privacy vs. Security 3; Evaluating Security Risks 4; Identify Threats 6; Identify Vulnerabilities 8; Determine Likelihood, Impact, and Risk 8; Reviewing Controls 10; Building a Secure Network 10; Network Access Control 10; Firewalls and Network Perimeter Security 12; Network Segmentation 15; Defense Through Deception 16; Secure Endpoint Management 17; Hardening System Configurations 17; Patch Management 17; Group Policies 18; Endpoint Security Software 19; Penetration Testing 19; Planning a Penetration Test 20; Conducting Discovery 21; Executing a Penetration Test 21; Communicating Penetration Test Results 22; Training and Exercises 22; Reverse Engineering 22; Isolation and Sandboxing 23; Reverse-Engineering Software 23; Reverse-Engineering Hardware 24; The Future of Cybersecurity Analytics 25; Summary 26; Exam Essentials 26; Lab Exercises 28; Activity 1.1: Create an Inbound Firewall Rule 28; Activity 1.2: Create a Group Policy Object 28; Activity 1.3: Write a Penetration Testing Plan 30; Activity 1.4: Recognize Security Tools 30; Review Questions 30

Chapter 2 Using Threat Intelligence 35
Threat Data and Intelligence 36; Open Source Intelligence 37; Proprietary and Closed Source Intelligence 39; Assessing Threat Intelligence 39; Threat Indicator Management and Exchange 41; The Intelligence Cycle 42; The Threat Intelligence Community 43; Threat Classification 44; Threat Actors 44; Threat Classification 45; Threat Research and Modeling 46; Attack Frameworks 48; MITRE’s ATT&CK Framework 48; The Diamond Model of Intrusion Analysis 50; Lockheed Martin’s Cyber Kill Chain 51; The Unified Kill Chain 53; Common Vulnerability Scoring System (CVSS) 53; Applying Threat Intelligence Organizationwide 53; Proactive Threat Hunting 54; Summary 55; Exam Essentials 56; Lab Exercises 57; Activity 2.1: Explore the ATT&CK Framework 57; Activity 2.2: Set Up a STIX/TAXII Feed 58; Activity 2.3: Intelligence Gathering Techniques 58; Review Questions 59

Chapter 3 Reconnaissance and Intelligence Gathering 63
Mapping and Enumeration 64; Active Reconnaissance 65; Mapping Networks and Discovering Topology 65; Pinging Hosts 67; Port Scanning and Service Discovery Techniques and Tools 69; Passive Footprinting 75; Log and Configuration Analysis 76; Harvesting Data from DNS and Whois 84; Responder 91; Information Aggregation and Analysis Tools 92; Information Gathering Using Packet Capture 92; Gathering Organizational Intelligence 92; Organizational Data 93; Electronic Document Harvesting 94; Detecting, Preventing, and Responding to Reconnaissance 97; Capturing and Analyzing Data to Detect Reconnaissance 97; Preventing Reconnaissance 99; Summary 100; Exam Essentials 101; Lab Exercises 102; Activity 3.1: Port Scanning 102; Activity 3.2: Write an Intelligence Gathering Plan 102; Activity 3.3: Intelligence Gathering Techniques 103; Review Questions 103

Chapter 4 Designing a Vulnerability Management Program 109
Identifying Vulnerability Management Requirements 110; Regulatory Environment 110; Corporate Policy 114; Identifying Scan Targets 114; Determining Scan Frequency 115; Active vs. Passive Scanning 117; Configuring and Executing Vulnerability Scans 118; Scoping Vulnerability Scans 118; Configuring Vulnerability Scans 119; Scanner Maintenance 123; Developing a Remediation Workflow 126; Reporting and Communication 127; Prioritizing Remediation 129; Testing and Implementing Fixes 130; Delayed Remediation Options 131; Overcoming Risks of Vulnerability Scanning 131; Vulnerability Scanning Tools 133; Infrastructure Vulnerability Scanning 133; Web Application Scanning 133; Interception Proxies 134; Wireless Assessment Tools 136; Summary 137; Exam Essentials 138; Lab Exercises 139; Activity 4.1: Install a Vulnerability Scanner 139; Activity 4.2: Run a Vulnerability Scan 140; Review Questions 140

Chapter 5 Analyzing Vulnerability Scans 145
Reviewing and Interpreting Scan Reports 146; Understanding CVSS 148; Validating Scan Results 155; False Positives 156; Documented Exceptions 156; Understanding Informational Results 157; Reconciling Scan Results with Other Data Sources 158; Trend Analysis 158; Common Vulnerabilities 158; Server and Endpoint Vulnerabilities 159; Network Vulnerabilities 168; Virtualization Vulnerabilities 173; Internet of Things (IoT) 176; Web Application Vulnerabilities 177; Authentication Vulnerabilities 181; Summary 183; Exam Essentials 184; Lab Exercises 185; Activity 5.1: Interpret a Vulnerability Scan 185; Activity 5.2: Analyze a CVSS Vector 185; Activity 5.3: Remediate a Vulnerability 185; Review Questions 187

Chapter 6 Cloud Security 191
Understanding Cloud Environments 192; The Case for Cloud Computing 193; Cloud Service Models 194; Cloud Deployment Models 200; Operating in the Cloud 204; DevOps Strategies 205; Infrastructure as Code (IaC) 206; Application Programming Interfaces 207; Cloud Monitoring 208; Cloud Infrastructure Security 208; Cloud Infrastructure Security Tools 209; Cloud Access Security Brokers (CASB) 213; Summary 214; Exam Essentials 215; Lab Exercises 216; Activity 6.1: Run a ScoutSuite Assessment 216; Activity 6.2: Explore the Exploits Available with Pacu 216; Activity 6.3: Scan an AWS Account with Prowler 216; Review Questions 217

Chapter 7 Infrastructure Security and Controls 221
Understanding Defense-in-Depth 222; Layered Security 222; Zero Trust 223; Segmentation 224; Network Architecture 226; Physical Network Architectures 227; Software-Defined Networks 227; Virtualization 228; Asset and Change Management 229; Logging, Monitoring, and Validation 229; Encryption 230; Active Defense 231; Infrastructure Security and the Cloud 231; Improving Security by Improving Controls 233; Layered Host Security 234; Permissions 235; Whitelisting and Blacklisting 235; Technical Controls 236; Policy, Process, and Standards 238; Analyzing Security Architecture 240; Analyzing Security Requirements 240; Reviewing Architecture 241; Common Issues 242; Reviewing a Security Architecture 246; Maintaining a Security Design 248; Summary 249; Exam Essentials 249; Lab Exercises 250; Activity 7.1: Review an Application Using the OWASP Attack Surface Analysis Cheat Sheet 250; Activity 7.2: Review a NIST Security Architecture 251; Activity 7.3: Security Architecture Terminology 252; Review Questions 253

Chapter 8 Identity and Access Management Security 259
Understanding Identity 260; Identity Systems and Security Design 261; Threats to Identity and Access 269; Understanding Security Issues with Identities 269; Attacking AAA Systems and Protocols 270; Targeting Account Creation, Provisioning, and Deprovisioning 275; Preventing Common Exploits of Identity and Authorization 276; Acquiring Credentials 277; Identity as a Security Layer 280; Identity and Defense-in-Depth 280; Securing Authentication and Authorization 281; Detecting Attacks and Security Operations 288; Federation and Single Sign-On 289; Federated Identity Security Considerations 289; Federated Identity Design Choices 291; Federated Identity Technologies 293; Federation Incident Response 297; Summary 297; Exam Essentials 298; Lab Exercises 299; Activity 8.1: Federated Security Scenario 299; Activity 8.2: On-site Identity Issues Scenario 300; Activity 8.3: Identity and Access Management Terminology 301; Review Questions 303

Chapter 9 Software and Hardware Development Security 307
Software Assurance Best Practices 308; The Software Development Life Cycle 309; Software Development Phases 310; Software Development Models 311; DevSecOps and DevOps 317; Designing and Coding for Security 318; Common Software Development Security Issues 319; Security Implications of Target Platforms 321; Secure Coding Best Practices 322; API Security 325; Service-Oriented Architectures 325; Application Testing 327; Information Security and the SDLC 327; Code Review Models 328; Software Security Testing 331; Software Assessment: Testing and Analyzing Code 332; Web Application Vulnerability Scanning 335; Hardware Assurance Best Practices 337; Cryptographic Hardware 337; Firmware Security 338; Hardware Security 339; Summary 340; Exam Essentials 341; Lab Exercises 342; Activity 9.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet 342; Activity 9.2: Learn About Web Application Exploits from WebGoat 342; Activity 9.3: SDLC Terminology 343; Review Questions 344

Chapter 10 Security Operations and Monitoring 349
Security Monitoring 350; Analyzing Security Data 350; Logs 351; Endpoint Data Analysis 358; Network Data Analysis 362; Protecting and Analyzing Email 365; Scripting, Searching, and Text Manipulation 369; Summary 371; Exam Essentials 371; Lab Exercises 372; Activity 10.1: Analyze a Network Capture File 372; Activity 10.2: Analyze a Phishing Email 373; Activity 10.3: Security Architecture Terminology 373; Review Questions 374

Chapter 11 Building an Incident Response Program 379
Security Incidents 380; Phases of Incident Response 381; Preparation 382; Detection and Analysis 383; Containment, Eradication, and Recovery 384; Postincident Activity 385; Building the Foundation for Incident Response 387; Policy 387; Procedures and Playbooks 387; Documenting the Incident Response Plan 388; Creating an Incident Response Team 389; Incident Response Providers 391; CSIRT Scope of Control 391; Coordination and Information Sharing 391; Internal Communications 392; External Communications 392; Classifying Incidents 393; Threat Classification 393; Severity Classification 394; Summary 398; Exam Essentials 398; Lab Exercises 399; Activity 11.1: Incident Severity Classification 399; Activity 11.2: Incident Response Phases 400; Activity 11.3: Develop an Incident Communications Plan 400; Review Questions 401

Chapter 12 Analyzing Indicators of Compromise 405
Analyzing Network Events 406; Capturing Network-Related Events 407; Network Monitoring Tools 411; Detecting Common Network Issues 413; Detecting Scans and Probes 417; Detecting Denial-of-Service and Distributed Denial-of-Service Attacks 417; Detecting Other Network Attacks 420; Detecting and Finding Rogue Devices 420; Investigating Host-Related Issues 422; System Resources 422; Malware, Malicious Processes, and Unauthorized Software 426; Unauthorized Access, Changes, and Privileges 428; Investigating Service and Application-Related Issues 430; Application and Service Monitoring 431; Application and Service Issue Response and Restoration 433; Detecting Attacks on Applications 434; Summary 435; Exam Essentials 436; Lab Exercises 436; Activity 12.1: Identify a Network Scan 436; Activity 12.2: Write a Service Issue Response Plan 437; Activity 12.3: Security Tools 438; Review Questions 439

Chapter 13 Performing Forensic Analysis and Techniques 443
Building a Forensics Capability 444; Building a Forensic Toolkit 444; Understanding Forensic Software 448; Capabilities and Application 448; Conducting Endpoint Forensics 452; Operating System, Process, and Memory Dump Analysis 452; Network Forensics 455; Cloud, Virtual, and Container Forensics 458; Conducting a Forensic Investigation 460; Forensic Procedures 460; Target Locations 462; Acquiring and Validating Drive Images 463; Imaging Live Systems 467; Acquiring Other Data 467; Forensic Investigation: An Example 471; Importing a Forensic Image 471; Analyzing the Image 473; Reporting 476; Summary 478; Exam Essentials 478; Lab Exercises 479; Activity 13.1: Create a Disk Image 479; Activity 13.2: Conduct the NIST Rhino Hunt 480; Activity 13.3: Security Tools 481; Review Questions 482

Chapter 14 Containment, Eradication, and Recovery 487
Containing the Damage 489; Segmentation 490; Isolation 492; Removal 493; Evidence Gathering and Handling 495; Identifying Attackers 495; Incident Eradication and Recovery 496; Reconstruction and Reimaging 497; Patching Systems and Applications 497; Sanitization and Secure Disposal 498; Validating the Recovery Effort 500; Wrapping Up the Response 500; Managing Change Control Processes 501; Conducting a Lessons Learned Session 501; Developing a Final Report 501; Evidence Retention 502; Summary 502; Exam Essentials 502; Lab Exercises 503; Activity 14.1: Incident Containment Options 503; Activity 14.2: Incident Response Activities 505; Activity 14.3: Sanitization and Disposal Techniques 506; Review Questions 507

Chapter 15 Risk Management 511
Analyzing Risk 512; Risk Identification 513; Risk Calculation 514; Business Impact Analysis 515; Managing Risk 518; Risk Mitigation 519; Risk Avoidance 520; Risk Transference 520; Risk Acceptance 521; Security Controls 522; Nontechnical Controls 522; Technical Controls 526; Summary 528; Exam Essentials 529; Lab Exercises 529; Activity 15.1: Risk Management Strategies 529; Activity 15.2: Risk Identification and Assessment 530; Activity 15.3: Risk Management 530; Review Questions 531

Chapter 16 Policy and Compliance 535
Understanding Policy Documents 536; Policies 536; Standards 539; Procedures 541; Guidelines 542; Exceptions and Compensating Controls 543; Complying with Laws and Regulations 545; Adopting a Standard Framework 546; NIST Cybersecurity Framework 546; ISO 27001 549; Control Objectives for Information and Related Technologies (COBIT) 550; Information Technology Infrastructure Library (ITIL) 551; Implementing Policy-Based Controls 552; Security Control Categories 552; Security Control Types 553; Security Control Verification and Quality Control 553; Summary 554; Exam Essentials 554; Lab Exercises 555; Activity 16.1: Policy Documents 555; Activity 16.2: Using a Cybersecurity Framework 556; Activity 16.3: Compliance Auditing Tools 556; Review Questions 557

Appendix 561
Appendix A Practice Exam 561
Exam Questions 562

Appendix B Answers to Review Questions and Practice Exam 581
Chapter 1: Today’s Cybersecurity Analyst 582; Chapter 2: Using Threat Intelligence 583; Chapter 3: Reconnaissance and Intelligence Gathering 585; Chapter 4: Designing a Vulnerability Management Program 587; Chapter 5: Analyzing Vulnerability Scans 589; Chapter 6: Cloud Security 590; Chapter 7: Infrastructure Security and Controls 592; Chapter 8: Identity and Access Management Security 595; Chapter 9: Software and Hardware Development Security 597; Chapter 10: Security Operations and Monitoring 599; Chapter 11: Building an Incident Response Program 601; Chapter 12: Analyzing Indicators of Compromise 603; Chapter 13: Performing Forensic Analysis and Techniques 605; Chapter 14: Containment, Eradication, and Recovery 607; Chapter 15: Risk Management 609; Chapter 16: Policy and Compliance 610; Practice Exam Answers 612

Appendix C Answers to Lab Exercises 621
Chapter 1: Today’s Cybersecurity Analyst 622; Solution to Activity 1.4: Recognize Security Tools 622; Chapter 2: Using Threat Intelligence 622; Solution to Activity 2.3: Intelligence Gathering Techniques 622; Chapter 3: Reconnaissance and Intelligence Gathering 623; Solution to Activity 3.3: Intelligence Gathering Tools 623; Chapter 5: Analyzing Vulnerability Scans 623; Solution to Activity 5.2: Analyze a CVSS Vector 623; Chapter 7: Infrastructure Security and Controls 624; Solution to Activity 7.3: Security Architecture Terminology 624; Chapter 8: Identity and Access Management Security 625; Solution to Activity 8.1: Federated Security Scenario 625; Solution to Activity 8.2: On-site Identity Issues Scenario 625; Solution to Activity 8.3: Identity and Access Management Terminology 626; Chapter 9: Software and Hardware Development Security 627; Solution to Activity 9.3: Security Tools 627; Chapter 10: Security Operations and Monitoring 627; Solution to Activity 10.3: Security Architecture Terminology 627; Chapter 11: Building an Incident Response Program 628; Solution to Activity 11.1: Incident Severity Classification 628; Solution to Activity 11.2: Incident Response Phases 629; Chapter 12: Analyzing Indicators of Compromise 629; Solution to Activity 12.3: Security Tools 629; Chapter 13: Performing Forensic Analysis and Techniques 630; Solution to Activity 13.2: Conduct the NIST Rhino Hunt 630; Solution to Activity 13.3: Security Tools 630; Chapter 14: Containment, Eradication, and Recovery 631; Solution to Activity 14.1: Incident Containment Options 631; Solution to Activity 14.2: Incident Response Activities 632; Solution to Activity 14.3: Sanitization and Disposal Techniques 633; Chapter 15: Risk Management 633; Solution to Activity 15.1: Risk Management Strategies 633; Chapter 16: Policy and Compliance 634; Solution to Activity 16.1: Policy Documents 634; Solution to Activity 16.3: Compliance Auditing Tools 634

Index 635

MIKE CHAPPLE, PhD, CySA+, CISSP, is Teaching Professor of IT, Analytics, and Operations at the University of Notre Dame. He's a cybersecurity professional and educator with over 20 years of experience. Mike provides cybersecurity certification resources at his website, CertMike.com. DAVID SEIDL, CySA+, CISSP, PenTest+, is Vice President for Information Technology and CIO at Miami University. David co-led Notre Dame's move to the cloud, and has written multiple cybersecurity certification books.
