CySA+ CS0-002 Cheat Sheet

The document provides an overview of key topics for the CySA+ CS0-002 exam, including: 1. Threat intelligence and the importance of timely, relevant intelligence from various sources. 2. Vulnerability management processes like identification, validation, remediation and mitigation of vulnerabilities using scanning tools and considering factors like asset criticality. 3. Analyzing outputs from common vulnerability assessment tools to identify issues and support organizational security.

Uploaded by Shurjo Ali

CySA+ CS0-002 Exam Guide

1.0 Threat and Vulnerability Management

1.1 Explain the importance of Threat Data and Intelligence

Intelligence Sources

• Open-Source Intelligence: Publicly available information

• Proprietary/Closed-Source Intelligence: Info with restricted access (e.g. police record)

• Timeliness: Timely receipt/operationalization (impact > intelligence cost)

• Relevancy: Must address a threat and allow for effective action; usable delivery format

• Accuracy: Must save organizations more in success than errors/mistakes

Indicator Management

• STIX (Structured Threat Information eXpression): Describes cyber threat information (motivation, abilities, capabilities, response)

• TAXII (Trusted Automated eXchange of Indicator Information): Describes how threat info (STIX) can be shared (hub-and-spoke; source/subscriber; peer-to-peer); discovery, collection management, inbox, poll

• OpenIOC: Standard format for defining/recording/sharing artifacts

Threat Classification

• Known Threat vs. Unknown Threat: External/removable media, attrition, web, email, impersonation, improper usage, equipment loss/theft etc.

• Zero-day: Unknown vulnerabilities that have no patches

• APT: Skilled attackers supported by extremely large resources

Threat Actors

• Nation-State: Geopolitically motivated groups with dedicated resources/personnel, extensive planning & coordination

• Hacktivist: Ideologically motivated groups that rely on widely available tools

• Organized Crime: Profit-driven groups that target PII, credit cards etc.

• Insider Threat:

o Intentional: Disgruntled or profit-driven employee stealing/damaging/exposing systems

o Unintentional: Personal negligence/poor security practices

Intelligence Cycle

• Requirements: Determine exact customer requirements (IRs), how it should be collected

• Collection: Gather data from wide array of desired/reliable/timely sources

• Analysis: Raw info + other sources => intelligence; assess importance/accuracy/reliability

• Dissemination: Timely conveyance of intelligence in appropriate format to customers

• Feedback: Solicit feedback from customer, refine existing IRs

Commodity Malware (Widely available paid/free malware used by many threat actors)

Information Sharing and Analysis Communities

• Healthcare: H-ISAC, Healthcare Ready

• Financial: FS-ISAC

• Aviation: A-ISAC

• Government: EI-ISAC (elections), DIB-ISAC (defense), NEI (nuclear)

• Critical infrastructure: E-ISAC (electricity), ONG-ISAC (oil & gas), PT-ISAC (public transit)

1.2 Given a scenario, utilize Threat Intelligence to support Organizational Security

Attack Frameworks

• MITRE ATT&CK: Tactics & techniques in developing threat models and methodologies

• The Diamond Model of Intrusion Analysis: Intelligence on network intrusion events using 4 elements (adversary, capability, infrastructure, victim)

• Kill chain: Visibility into attack; reconnaissance -> weaponization -> delivery -> exploitation -> installation -> C2 -> actions on objectives

Threat Research

• Reputational: Detects threats with IP/domain/file reputations

• Behavioral: Detects unknown threats based on their behavior

• IOC: Forensic data that identify potentially malicious activity on systems/networks

• CVSS: Measures severity of security flaws (AV, AC, Au, C, I, A)

Threat Modeling Methodologies

• Adversary Capability: Adversarial toolsets/skillsets/evasion techniques

• Total Attack Surface: Total of all different attack vectors an attacker can exploit

• Attack Vector: Describes how an attack can exploit the vulnerability

• Impact: Magnitude of adverse impact on organization

• Likelihood: Likelihood that threat source will initiate risk & likelihood that the risk has adverse effects on the organization

Threat Intelligence Sharing with Supported Functions

• Incident Response: Detect threats quicker, less disruptively prevent attacks, respond quicker to adversaries

• Vulnerability Management: Provides context by identifying exploits and adding to vulnerabilities list

• Risk Management: Rapidly receive and use actionable data about latest threats

• Security Engineering: Adapt to emerging threats

• Detection and Monitoring: Update signature database, monitor/detect new threats

1.3 Given a scenario, perform Vulnerability Management activities

Vulnerability Identification

• Asset Criticality: Impact if CIA was breached; sensitivity of data & business criticality

• Active vs. Passive scanning: Interact with targets VS use stored data to find info/identify targets

• Mapping/Enumeration: Host/asset/network/infrastructure/systems discovery/mapping

Validation

• True Positive: Scanner correctly identifies existing vulnerability

• False Positive: Reported vulnerability that doesn't exist (verify patch/versions, or attempt actual attack)

• True Negative: Scanner correctly doesn't alert on non-existent vulnerability

• False Negative: Scanner alerts on non-existent vulnerability

Remediation/Mitigation

• Configuration Baseline: Perform anomaly analysis; provides info on OS/apps

• Patching: Maintain current security patch levels on OS/apps (with e.g. SCCM)

• Hardening: Disable unnecessary ports/services, centralized control, secure config etc.

• Compensating Controls: When system can't be upgraded/patched; isolate and place compensating controls in front

• Risk Acceptance: Don't take any action against risk (low risk; ALE < mitigation cost)

• Verification of Mitigation: Audits (formal), assessments (informal), patch levels, repeated vulnerability scanning

Scanning Parameters and Criteria

• Risks associated with scanning activities: Scans consume bandwidth and resources, and risk business process interruptions (tune intensity & scan times)

• Vulnerability feed: SCAP (e.g. CCE [config], CPE [product names], CVE [vulnerabilities], CVSS [severity], XCCDF [checklist results], OVAL [testing procedures used by checklists])

• Scope: Extent of scan (included systems/networks; host discovery methods; what tests will be conducted against active hosts)

• Credentialed vs. Non-Credentialed: Can confirm an issue by accessing OS/database/app info vs. chance of false positives/negatives

• Server-Based vs. Agent-Based: Central server remotely scans hosts VS agents installed on targets perform internal scans and report back to the server

• Internal vs. External: Gives different perspectives; Insider Threat vs. External Attacker

Special Considerations

• Types of Data: Health, financial, PII etc.; data classification

• Technical Constraints: Capabilities of the scanning system => frequency limitations

• Workflow: Remediation workflow (detection -> remediation -> testing)

• Sensitivity Levels: Minimum severity rating (low, medium, high, critical)

• Regulatory Requirements: PCI DSS (internal & external; at least quarterly by qualified professional or ASV); FISMA (updated scanning tools, update vulnerability list before/after scan, some authenticated scans, determine discoverable info and correct them)

• Segmentation: Compliance networks can be segmented to reduce scan scope

• IPS, IDS, and Firewall Settings: Internal = Insider Threat; External = External Attack

Inhibitors to Remediation

• MOU (Memorandum of Understanding): Non-legally binding; customer must participate in including scanning in MOU

• SLA (Service Level Agreement): Customer expectations of security, performance & uptime

• Organizational Governance: May block configuration changes needed for scanning; limited resources and support

• Business Process Interruption: Taking down systems can cause significant interruption

• Degrading Functionality: Service degradation can lead to business process interruption

• Legacy Systems: EoL (End of Life) unsupported systems don't get security updates

• Proprietary Systems: Different vendors; some vendors will not have patches/updates

1.4 Given a scenario, analyze the output from Common Vulnerability Assessment tools

Web Application Scanner

• OWASP ZAP

• Burp Suite

• Nikto

• Arachni: Evaluate web application security; scanning, scripted audits, vulnerability scans

Infrastructure Vulnerability Scanner

• Nessus

• OpenVAS

• Qualys

Software Assessment Tools and Techniques

• Static analysis

• Dynamic analysis

• Reverse engineering
• Fuzzing

Enumeration

• Nmap: Returns port listing, MAC address, OS/kernel version, network distance, runtime

• Hping: Sends TCP/UDP/ICMP/RAW-IP; firewall testing, TCP/IP auditing, network testing

• Active vs. Passive

• Responder: LLMNR/NBT-NS poisoner/rogue authentication server => steal NTLM hashes

Wireless Assessment Tools

• Aircrack-ng: Suite of WiFi monitoring, attacking, testing & cracking (WEP/WPA) tools

• Reaver: Brute force against WPS PINs to recover WPA/WPA2 passphrases

• OclHashcat: GPU-based hash cracker with dictionaries, masks, rules etc.

Cloud Infrastructure Assessment Tools

• ScoutSuite: Security posture assessment of cloud environments, highlights risks

• Prowler: AWS security best practices assessment, auditing, hardening, forensics

• Pacu: AWS exploitation framework; modules to exploit AWS configuration flaws

1.5 Explain the threats and vulnerabilities associated with specialized technology

Mobile: Malware; unpatched devices; jailbreaking; data leaks; OS vulnerabilities

IoT (Internet-of-Things): Weak passwords; insecure services; lack of security updates; outdated component use; insecure data transfer/storage; lack of secure/physical device management

Embedded: Programming errors; web vulnerabilities; weak access control/authentication

RTOS (Real-Time Operating System): RCE; DoS; information leak; improper access control

SoC (System-on-Chip): Low-level hardware bugs (boot header modification; partition header table parsing)

FPGA (Field Programmable Gate Array): Fault injection; hardware trojans; design leaks; foundry fabrication

Physical Access Control: Insufficient access control; lack of training; unattended assets

Building Automation Systems: Hardcoded secrets; BOF; XSS; path traversal; auth bypass

Vehicles and Drones

• CAN Bus: DoS; unauthorized remote access

Workflow and process automation systems: 3rd party platform vulnerabilities; IAM issues

ICS: Improper credentials management; weak firewall rules; network design weaknesses

SCADA (Supervisory Control and Data Acquisition)

• Modbus: Plaintext transmission; no authentication; command injection; weak sessions

1.6 Explain the threats and vulnerabilities associated with operating in the cloud

Cloud Service Models

• SaaS (Software-as-a-Service): Customer only chooses application; hardware managed by provider; access control

• PaaS (Platform-as-a-Service): Configurable hardware + software/development tools; data protection

• IaaS (Infrastructure-as-a-Service): Configurable hardware; VM management (VM escape; virtual host patching; virtual guest issues [patching]; virtual network issues)

Cloud deployment models

• Public: Public cloud provider sells services to consumers

• Private: Internal enterprise service to internal customers

• Community: Several companies work on same platform

• Hybrid: Mix of on-premises, private cloud & public cloud

FaaS (Function-as-a-Service)/Serverless Architecture: Apps are hosted by 3rd party; all server software/hardware management is done by the provider

IaC (Infrastructure-as-Code): Managing/provisioning DCs using machine-readable files

Insecure API (Application Programming Interface): Internet-exposed management APIs can have software vulnerabilities (e.g. anonymous access; plaintext authentication; improper authorisations)

Improper Key Management: Unencrypted; Internet-exposed key server; weak/reused key

Unprotected Storage: Insider threats; malicious file entry; impersonation; worm that is auto-synced to the cloud, and spread from the cloud to other users

Logging and Monitoring

• Insufficient Logging and Monitoring: Late detection; undetected password spraying; ignored alerts; unidentified suspicious activity

• Inability to Access: Access logs provide info about failed requests made to cloud

1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities

Attack Types

• XML Attack: WAF; disable external entities; input validation; sensitive data not serialized

• SQL Injection: WAF; input sanitisation; least privilege restrictions for databases

Overflow attack

• Buffer: ASLR/DEP; NX bit; use secure functions; higher-level languages; input validation

• Integer: Range checking; prefer unsigned integers; use safer code implementations

• Heap: Higher-level languages; input validation; safe compilers; patching

Remote Code Execution: Avoid using user input inside evaluated code; strict file upload extensions etc.

Directory Traversal: Ensure user cannot supply entire file path; accept known-good input
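
The two mitigations above (no user-supplied paths, known-good input only) look like this in practice. This is an added example rather than code from the cheat sheet; the document root, the allowed extensions (`ALLOWED_SUFFIXES`) and the sample files are assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Known-good input: only these file types may be served (assumption for this example).
ALLOWED_SUFFIXES = {".pdf", ".txt"}


def resolve_download(base_dir: str, requested: str) -> Path:
    """Map an untrusted file name onto a file inside base_dir, or raise."""
    base = Path(base_dir).resolve()
    # The caller may supply a name, never a path: one component, no separators, no '.' or '..'.
    if requested in ("", ".", "..") or Path(requested).name != requested:
        raise ValueError("file name must be a single path component")
    if Path(requested).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("file type not allowed")
    candidate = (base / requested).resolve()
    # Belt and braces: after symlink resolution the target must still sit under the document root.
    if base not in candidate.parents:
        raise ValueError("resolved path escapes the document root")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def is_accepted(base_dir: str, requested: str) -> bool:
    """True when the request would be served, False when any check rejects it."""
    try:
        resolve_download(base_dir, requested)
        return True
    except (ValueError, FileNotFoundError):
        return False


def demo() -> dict:
    """Build a throw-away document root (constructed data) and exercise typical inputs."""
    root = tempfile.mkdtemp()
    docs = Path(root) / "docs"
    docs.mkdir()
    (docs / "report.pdf").write_text("quarterly report")
    outside = Path(root) / "secret.txt"
    outside.write_text("lives outside the document root")
    os.symlink(outside, docs / "link.txt")          # a symlink planted inside the root
    return {
        "plain": is_accepted(str(docs), "report.pdf"),      # legitimate request
        "dotdot": is_accepted(str(docs), "../secret.txt"),  # classic traversal
        "absolute": is_accepted(str(docs), "/etc/passwd"),  # absolute path
        "symlink": is_accepted(str(docs), "link.txt"),      # escapes via symlink
        "bad_type": is_accepted(str(docs), "report.exe"),   # not on the allow list
    }


if __name__ == "__main__":
    print(demo())
```

The symlink case is the one a plain string check on `..` misses: the name is clean, but the resolved target is outside the root, so the check must run on the resolved path, not the requested string.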

Privilege Escalation: Avoid using administrative privileges; separate privilege areas

Password Spraying: MFA; strong passwords; user training; logging/monitoring

Credential Stuffing: MFA; CAPTCHA; unpredictable usernames; check against leaks

Impersonation: Use of session identifiers; packet filtering; DAI; encrypted protocols

Man-in-the-Middle Attack: Session encryption; ensure only valid certificates are used

Session Hijacking: Key/cookie/link encryption; Secure & HttpOnly flags for cookies

Rootkit: Patching; layered security; heuristic analysis; antivirus

Cross-Site Scripting

• Reflected: WAF; use appropriate response headers; avoid suspicious links

• Persistent: WAF; filter input & encode data on output; escape HTML data on arrival

• DOM: Don't treat untrusted data as code; delimit untrusted data as quoted strings

Vulnerabilities

• Improper Error Handling: Info leak through over-detailed error messages => error handling policy; error logging; graceful handling of all possible errors

• Dereferencing: Get value (NULL) in memory pointed by pointer; process failure => higher-level programming languages; sanity-check pointers prior to use

• Insecure Object Reference (IDOR): Exposure of reference to internal object => user authorization; make objects harder to enumerate (e.g. random over increments)

• Race Condition: Produces unexpected result when timing of actions impact other actions => careful programming; locking (at most one thread can modify database)

• Broken Authentication: Brute-forcing credentials; unexpired session tokens => MFA; no default creds; password policy; delay failed attempts; session management

• Sensitive Data Exposure: Steal keys; MITM; steal plaintext data (server/transit/client) => data classification; secure encryption; key management; salted hashes

• Insecure Components: Public exploits for known vulnerabilities => check product versions; monitor for unmaintained products (virtual patch/WAF)

• Insufficient Logging and Monitoring: Lack of timely response; late detection/monitoring => failure logging; centralized logs; tamper prevention; timely incident response

• Weak or Default Configurations: Unpatched flaws; default accounts; unprotected files => hardening; minimalistic platforms; segmentation; review & update configurations

Use of Insecure Functions

• strcpy: Allows BOF => input validation; use secure functions

2.0 Software and Systems Security

2.1 Given a scenario, apply security solutions for infrastructure management

Cloud vs on-premises: All managed by SP vs local physical/logical management

Asset Management

• Asset tagging: Assign labels including classification; unique ID; asset tracking system

Segmentation
• Physical: Placing network devices to control access => new hardware + additional costs

• Virtual: VLANs/subnets on top of existing infrastructure => no new hardware/costs

• Jumpbox: Intermediary connection point from untrusted to trusted network

• System Isolation

o Air gap: Isolate system from other networks/Internet; physical isolation (transfer with USBs)

Network architecture

• Physical: Defense-in-Depth security appliance; segmentation; physical security

• Software-Defined: TLS; secure tunnelling; SDN controller hardening; access control

• VPC (Virtual Private Cloud): Traffic/anomaly monitoring; ingress/egress traffic control; secure VPC connections

• VPN (Virtual Private Network): Strong authentication; avoid DNS leaks; use a kill switch (drop Internet if VPN fails)

• Serverless: Log monitoring; IAM; secured secrets; input validation; secure libraries

Change Management: Change identification -> request -> request review ->
prioritization -> evaluation/impact analysis -> approval/rejection -> testing ->
implementation -> review

Virtualization

• VDI (Virtual Desktop Infrastructure): Desktop OS on central server; centralized management, easy patching, antivirus

Containerization: Isolate from host OS; monitoring; VA process; patch base & app image

Identity and Access Management

• Privilege management: Least privilege; privileged account usage monitoring; prevent privilege creep; role-based authorization

• MFA: Multiple authentication methods (knowledge; possession; biometric; location)

• SSO: Authenticate once to use multiple systems; reduces password reuse/resets/support

• Federation: Sharing of customer info to SPs; trust relationship between IdP, SP and user

• Role-Based: Access decision is based on roles; permissions assigned to roles not users

• Attribute-based: Based on context (e.g. time, location, access frequency, behavior)

• Mandatory: End users cannot modify security permissions set by administrators

• Manual review: Review of access change logs, alerts, employee profiles, procedures

CASB (Cloud Access Security Broker): Policy enforcement/data protection point between consumers and SP (place organizational policies on users accessing 3rd party, uncontrolled cloud services)

Honeypot: Intentionally vulnerable system that monitors attackers for intentions & blacklists the IP address

Monitoring and logging: SIEM; privileged use/change/grant, account creation/modification, terminated account usage, account lifecycle events, separation of duty

Encryption: Salted hashes; encrypted traffic; encrypted keys/data/session identifiers

Certificate management: Creation -> storage -> dissemination -> suspension -> revocation

Active Defense: IdP notifies account owners/SPs; SPs respond to IdP/authorization system/account compromise

2.2 Explain software assurance best practices

Platforms

• Mobile
• Web application
• Client/server
• Embedded
• SoC (System-on-Chip)
• Firmware

SDLC (Software Development Lifecycle) integration: Requirements/criteria definition; secure design; static analysis and peer code review; testing & analysis + user acceptance testing

DevSecOps: Identify vulnerabilities; find & prioritize risk remediation; secure workflow

Software Assessment Methods

• User Acceptance Testing: Ensures software users are satisfied with the functionalities

• Stress Test Application: Ensure application availability and scalability; maximum load

• Security Regression Testing: Ensure no new vulnerabilities/misconfigurations are introduced by patches/updates (e.g. change control, VCS, SCM)

• Code Review: Pair programming; over-the-shoulder; pass-around; tool-assisted

Secure Coding Best Practices

• Input Validation: Validate all untrusted data; specify character sets + data types/length; whitelist allowed characters; additional controls for hazardous characters

• Output Encoding: Encode all unsafe characters; sanitise SQL, XML queries & OS CMDs

• Session Management: Short session inactivity timeout; new session identifier generation; logout available from any authorized page; secure session ID algorithms

• Authentication: Central, segregated authentication; POST requests; unspecific error codes; encrypted & securely stored (salted hash) credentials

• Data Protection: Least privilege; protect/purge sensitive caches; secure encryption; no plaintext password storage; disable client-side caching; access controls for sensitive data

• Parameterized Queries: Use placeholders to separate query and data => prevents SQL query altering (SQLi)
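
The placeholder mechanism in the last bullet is easiest to see with the string-built query beside the parameterized one. This is an added example using Python's standard `sqlite3` module, not code from the cheat sheet; the in-memory `users` table and its two rows are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two users, no real credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice"), ("bob", "hash-of-bob")])
    return conn


def count_vulnerable(conn: sqlite3.Connection, username: str) -> int:
    """Vulnerable form: the untrusted value is pasted into the SQL text, so it can change
    the query's structure. Shown only to contrast with count_safe below."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0]


def count_safe(conn: sqlite3.Connection, username: str) -> int:
    """Parameterized form: the '?' placeholder keeps the query fixed; the driver hands the
    value to the engine separately, so quotes or keywords inside it are just data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # a classic tautology; harmless here, but it changes the vulnerable query
    print("vulnerable, normal input :", count_vulnerable(db, "alice"))
    print("vulnerable, tautology    :", count_vulnerable(db, probe))
    print("parameterized, tautology :", count_safe(db, probe))
```

The vulnerable query returns 2 for the tautology because the WHERE clause has become `username = 'x' OR '1'='1'`; the parameterized query returns 0 because it is looking for a user literally named `x' OR '1'='1`. Least-privilege database accounts, listed under SQL Injection above, limit the damage when a string-built query slips through review; parameterization removes the class of bug.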

Static Analysis Tools: Thorough white-box code review to identify programming errors

Dynamic Analysis Tools: Test inputs during code execution for complex vulnerabilities

Formal Methods for Verification of Critical Software: Fagan inspection (planning -> overview -> preparation -> meeting -> rework -> follow-up)

Service-Oriented Architecture

• SAML (Security Assertion Markup Language): Message confidentiality & integrity (TLS); validate protocol, signatures etc.

• SOAP (Simple Object Access Protocol): Exchange structured info for web services (extensibility [extensions] + neutrality [over any app/transport layer protocol] + independence [any programming model]) - Token-based/digest authentication; validate digital signatures; encrypt data with keys

• REST (Representational State Transfer): Access & manipulate textual representations of web resources with HTTP

o HTTPS; access control; API keys; whitelist HTTP methods; input validation

• Microservices: App is a collection of loosely coupled services; lightweight protocols - IAM with OAuth; defense in depth; use open source crypto libraries; automatic security updates; distributed monitoring/scanning; single point of entry (API gateway)

2.3 Explain hardware assurance best practices

Hardware root of trust

• TPM: Generates/stores cryptographic keys; full disk encryption; keeps hardware locked until authentication is complete; motherboard-embedded chip

• HSM: Manage/generate/store cryptographic keys; removable/external device

eFuse: Manufacturer can change circuits on a chip while it is in operation

UEFI (Unified Extensible Firmware Interface): Secure boot (only signed apps used at boot; OS needs recognized key to boot)

Trusted foundry: DoD program to secure supply chain of hardware for military

Secure processing

• Trusted execution: Assures OS trust using TPM; prevents system/BIOS code corruption or platform configuration modification from stealing sensitive data (Intel)

• Secure enclave: Separately booted microkernel to store private decryption keys; apps never have direct access to the keys (Apple)

• Processor security extensions: Core can switch to secure state (only trusted code can run; can access secure memory; strict security state entry control) (ARM)

• Atomic execution: Cannot be interrupted by other threads; thread locking; shared data is always valid => thread safety

Anti-tamper: Unusual screws/bolts; secure crypto-processors; zeroize when tampered; chips can't be accessed externally; fracture when interfered with

Self-encrypting drive: User password to decrypt media; encrypt as data is written and decrypt as data is retrieved; encryption is invisible to user (can't be turned off)

Trusted firmware updates: Copy images from non-secure to secure memory; image identification/authentication (Intel)

Measured boot and attestation: Object signature hashes are recorded in TPM (measured boot); host reliably authenticates hardware/software config to remote server to determine level of trust in platform (remote attestation)
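
The measured-boot and remote-attestation mechanism above rests on one operation, the PCR extend (PCR_new = SHA-256(PCR_old || digest)), which makes the register a tamper-evident summary of every component measured in order. The simulation below is an added example, not code from the cheat sheet; the "firmware images" and the known-good list are constructed, and the attestation-key signature that protects a real TPM quote is omitted (stated assumption).

```python
import hashlib

PCR_INIT = bytes(32)   # SHA-256 PCR banks start as 32 zero bytes at platform reset


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || digest). Order matters and it cannot be undone."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Boot side: hash each component before running it, append it to the event log, extend the PCR."""
    pcr, event_log = PCR_INIT, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, event_log


def verify_attestation(event_log, quoted_pcr: bytes, known_good: dict):
    """Verifier side: every logged digest must be known-good, and replaying the log must
    reproduce the quoted PCR. A real quote is also signed by the TPM's attestation key;
    that signature check is omitted here (assumption for the example)."""
    pcr = PCR_INIT
    for name, digest_hex in event_log:
        if known_good.get(name) != digest_hex:
            return False, f"unexpected measurement for {name}"
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    if pcr != quoted_pcr:
        return False, "event log does not reproduce the quoted PCR"
    return True, "platform state matches known-good configuration"


def demo() -> dict:
    # Constructed stand-ins for firmware images; real measurements cover the actual binaries.
    good = [("firmware", b"fw-1.2"), ("bootloader", b"shim-15"), ("kernel", b"vmlinuz-6.1")]
    known_good = {name: hashlib.sha256(img).hexdigest() for name, img in good}

    pcr, log = measured_boot(good)
    clean = verify_attestation(log, pcr, known_good)

    # Case 1: a modified kernel is measured honestly; its digest is not on the allow list.
    tampered = good[:2] + [("kernel", b"vmlinuz-6.1-modified")]
    pcr_t, log_t = measured_boot(tampered)
    caught_by_log = verify_attestation(log_t, pcr_t, known_good)

    # Case 2: the log is rewritten to show the known-good kernel, but the PCR came from the real boot.
    forged_log = verify_attestation(log, pcr_t, known_good)

    return {"clean": clean, "tampered_kernel": caught_by_log, "forged_log": forged_log}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} -> {outcome}")
```

Case 2 is the point of anchoring the log in hardware: the event log lives in ordinary memory and can be edited, but the PCR value the TPM reports cannot be rewound to match an edited log, so the verifier's replay exposes the edit.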

Bus encryption: Encrypted instructions in data bus; executed by crypto-processor

3.0 Security Operations and Monitoring

3.1 Given a scenario, analyze data as part of security monitoring activities

Heuristics: Detects unknown (no signature) threats based on their behavior

Trend analysis: Identifies unexpected changes that don't match expected growth
rates; predicts behaviors based on existing data (e.g. network congestion based on
bandwidth)

Endpoint

• Malware: Any software intentionally designed to cause damage to a computer, server, client, or computer network

o Reverse engineering: Sandboxing; code detonation; software fingerprinting to compare malware against existing hashes; decompilers/disassemblers

• Memory: Monitor process memory consumption & set thresholds; prevent BOF/insufficient memory allocation & memory leaks (causes app/system crash)

• System and Application Behavior

o Known-Good Behavior: Establish baselines to compare against for anomalies

o Anomalous Behavior: Suspicious activity that deviates from the baseline model

o Exploit techniques: Memory overflows; DoS; beaconing (botnet); data exfiltration; privilege escalation; new accounts etc.

• File system: FIM; file creation/modification/deletion; prevent drive capacity outage

• UEBA: Pattern-based user activity anomaly detection (for insider threats; detecting if attacker has compromised system/breaches/brute-forces/super-user creations)

Network

• URL (Uniform Resource Locator) and DNS (Domain Name System) Analysis:

o Dynamically generated algorithms: Malware creates a large number of domain names to connect to C2 servers => harder botnet control; uses datetime, words etc.

• Flow Analysis: Monitor bandwidth, flow sources, utilization, endpoints, applications

• Packet and Protocol Analysis:

o Malware: Check destination IP address/port, protocols, flag fields, sequence no. etc.
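
Algorithmically generated domain names tend to be long, high-entropy and nearly vowel-free, which is what a first-pass DNS log triage can key on. The scorer below is an added example, not code from the cheat sheet; the thresholds, the one-label public-suffix assumption in `registrable_label`, and the `SAMPLE_DNS_QUERIES` list are all constructed for the demonstration.

```python
import math
from collections import Counter

# Constructed DNS query log (names only); the two random-looking labels stand in for DGA output.
SAMPLE_DNS_QUERIES = [
    "mail.example.com",
    "www.internationalbusinessmachines.com",   # long but pronounceable: must not be flagged
    "qx7vbz3kpw9rtmy2.net",
    "cdn.wikipedia.org",
    "hd4rn1wkz8tvpqfxs0.info",
    "qx7vbz3kpw9rtmy2.net",                    # repeated query, reported once
]


def shannon_entropy(text: str) -> float:
    """Bits per character; a label that reuses few characters scores low, a random one high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(fqdn: str) -> str:
    """The label the registrant chose. Assumes a one-label public suffix such as .com;
    a production version would consult the Public Suffix List (assumption)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(fqdn: str) -> dict:
    label = registrable_label(fqdn)
    length = max(len(label), 1)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / length,
        "digit_ratio": sum(ch.isdigit() for ch in label) / length,
    }


def is_dga_like(fqdn: str, min_length=12, min_entropy=3.5, max_vowel_ratio=0.25) -> bool:
    """All three conditions must hold; the vowel test is what spares long dictionary-word names."""
    f = dga_features(fqdn)
    return f["length"] >= min_length and f["entropy"] >= min_entropy and f["vowel_ratio"] <= max_vowel_ratio


def triage(dns_log) -> list:
    """Unique queried names worth an analyst's second look, in first-seen order."""
    seen, flagged = set(), []
    for name in dns_log:
        if name not in seen and is_dga_like(name):
            seen.add(name)
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in SAMPLE_DNS_QUERIES:
        print(f"{name:42s} {dga_features(name)['entropy']:.2f} bits  flagged={is_dga_like(name)}")
    print(triage(SAMPLE_DNS_QUERIES))
```

A heuristic like this produces candidates, not verdicts: the flagged names are what gets checked against reputation feeds and the sinkhole/NXDOMAIN rate for the querying host, since word-list DGAs (the "words" variant mentioned above) will pass the vowel test and need frequency analysis instead.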

Log Review

• Event logs: Logins, service start/stop, file activity, rights usage; Windows (application logs, security logs, setup logs, system logs, Forwarded Events logs)

• Syslog: 8 log levels (EACEWNID); event notification (facility [log generator] + severity)

• Firewall logs: Successful/blocked traffic characteristics; threat attempts; bandwidth use

• WAF (Web Application Firewall): Web traffic; scalability thresholds; detailed requests log (e.g. status, header info)

• Proxy: User/app requests; user agents; HTTP methods; response length; resource access

• IDS (Intrusion Detection System)/IPS (Intrusion Prevention System): Attack attempts alert; attack types/sources, target devices; trends

Impact analysis

• Organization Impact vs. Localized Impact: Threat has organizational scope vs local scope

• Immediate vs. Total: Impact of threat when activated vs until resolved

SIEM (Security Information and Event Management) Review

• Rule Writing: Take action (e.g. trigger alert) if event occurs => quick incident response

• Known-Bad IP: Global blacklists of suspected malicious IPs/URLs; reputation analysis

• Dashboard: Overview of aggregated info; customise to include important events, graphs

Query Writing

• String search: Searches in (specified) columns & tables for string (wildcards/conditions)

• Script: Use languages to query for items from event logs (according to e.g. time, severity)

• Piping: Redirects output as input to following command for filtering/sorting/aggregating
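
The Syslog bullet under Log Review and the query-writing bullets above meet in the PRI field: a syslog line starts with `<PRI>`, where PRI = facility * 8 + severity, and severity 0..7 is the EACEWNID scale. The parser and filter below are an added example, not code from the cheat sheet; the `SAMPLE_SYSLOG` lines are constructed in RFC 3164 style.

```python
import re

# Severity codes 0-7 in the EACEWNID order; facility codes from RFC 3164/5424.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr",
              7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.+)$")

SAMPLE_SYSLOG = [   # constructed lines; PRI 34 = auth(4)*8 + crit(2), 165 = local4(20)*8 + notice(5)
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 host1 myapp: user session started",
    "<165>Oct 11 22:14:17 host2 monitor: disk usage at 91%",
    "<0>Oct 11 22:14:18 host1 kernel: panic - not syncing",
    "<999>Oct 11 22:14:19 host3 bogus: PRI out of range",
    "Oct 11 22:14:20 host3 no PRI field at all",
]


def parse_syslog(line: str):
    """Decode the PRI into facility and severity; return None for lines that are not valid syslog."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                     # highest legal PRI: facility 23, severity 7
        return None
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES.get(facility, f"facility{facility}"),
            "severity": SEVERITIES[severity], "level": severity, "msg": m["rest"]}


def query(lines, max_level=3, facility=None, contains=None):
    """The same job as a grep/awk pipeline: keep events at or above a severity
    (lower number = more severe), optionally restricted to one facility and a substring."""
    results = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["level"] > max_level:
            continue
        if facility is not None and ev["facility"] != facility:
            continue
        if contains is not None and contains not in ev["msg"]:
            continue
        results.append(ev)
    return results


if __name__ == "__main__":
    for ev in query(SAMPLE_SYSLOG):                                # default: err and worse
        print(ev["facility"], ev["severity"], ev["msg"])
    print(query(SAMPLE_SYSLOG, max_level=7, contains="disk"))      # any level, string search
```

Two details matter when writing the real SIEM rule: severity numbers run the "wrong" way (0 is the most urgent, so the filter is `level <= N`), and malformed lines must be skipped rather than abort the query, otherwise one bad sender can hide everything after it.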

E-mail Analysis

• Malicious payload: Antivirus + email gateway (ML + real-time IP reputation) + attachment scanning (sandboxing; behavior-based analysis)

• DKIM (DomainKeys Identified Mail): Receiver checks that domain owner indeed sent/authorized the email + assures message/attachments weren't modified (encrypted signature)

• DMARC (Domain-based Message Authentication, Reporting, and Conformance): Prevents spam/spoofing/phishing through DMARC policies; defines email authentication, actions on failed emails, reporting (XML statistics; message copies)

• SPF (Sender Policy Framework): Prevents spammers sending emails on behalf of domain; publishes authorized mail servers (allowed to send on behalf of domain); gives receivers trust info on email origin

• Phishing: Source IP; URLs; attachments; typo-squatting; sending domains (SPF)

• Forwarding: Compromised inbox automatically forwards received email to attacker

• Digital signature: Ensures sender authenticity + prevents message tampering (unique)

• E-mail signature block: Customizable text at bottom of email (not unique)

• Embedded links: URL analysis to identify known spam/threat against blacklist

• Impersonation: Prevent spoofing (SPF/DKIM/DMARC) + user education (check address)

• Header: Fields (e.g. Received, Reply-To, Return-Path, SPF, X-Mailer, X-Distribution)
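
The header fields listed above are what an analyst reads first when triaging a reported phish: the earliest Received hop for the originating IP, Return-Path and Reply-To for domain alignment with From, and the gateway's Authentication-Results for the SPF/DKIM/DMARC verdicts. The parser below is an added example using Python's standard `email` package, not code from the cheat sheet; `SAMPLE_MESSAGE` is constructed, with documentation-range addresses and example domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: a lookalike reply-to domain and failing authentication results.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [198.51.100.10]) by mail.corp.example; Wed, 1 May 2024 10:00:00 +0000
Received: from unknown (203.0.113.77) by mx.example.net; Wed, 1 May 2024 09:59:58 +0000
Authentication-Results: mail.corp.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=corp.example
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: helpdesk-reset@corp-example.co
To: user@corp.example
Subject: Your password expires today
X-Mailer: BulkSender 2.1

Your password expires today. Reply to this message to keep your account active.
"""


def domain_of(header_value) -> str:
    """Domain part of an address header, lower-cased; '' when absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, flags=re.I):
            found[mech.lower()] = result.lower()
    return found


def origin_ip(msg):
    """First IPv4 address in the earliest Received header (headers are prepended, so it is the last one)."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", received[-1])
    return m.group(1) if m else None


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    findings = []
    rp_domain = domain_of(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain:
        findings.append("return-path-misaligned")        # the identifier SPF checked is not the From domain
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_domain:
        findings.append("reply-to-mismatch")             # replies go somewhere other than the claimed sender
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) not in (None, "pass"):
            findings.append(f"{mech}-{auth[mech]}")
    return {"from_domain": from_domain, "origin_ip": origin_ip(msg),
            "x_mailer": msg["X-Mailer"], "auth": auth, "findings": findings}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(f"{key:12s} {value}")
```

Authentication-Results is only trustworthy when it was added by your own gateway (the leading authserv-id, `mail.corp.example` here), since an attacker can include a forged copy; a production check should discard any such header not bearing the local identifier.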

3.2 Given a scenario, implement configuration changes to existing controls to improve security

Permissions: DAC (end users can delegate/control permissions); MAC (end users
cannot modify permissions); RBAC (rights granted to roles) => limits
access/functions

Whitelisting: Only allows specific IP/MAC addresses, apps, files, emails (more
strict)

Blacklisting: Prevents specific IP/MAC addresses, apps, files, emails (simple, less
secure)

Firewall: Add stateful filtering rules/ACLs; prevent traffic based on 5-tuple or L7 content

IPS rules: Connection-based block; rules to identify known attack signatures =>
action

DLP (Data Loss Prevention): Detects/prevents sensitive data exfiltration; compliance; data tracking/visibility

EDR (Endpoint Detection and Response): Detects endpoint activities/events for visibility (signature-based/behavioral analysis) + context with threat intelligence => quick incident response

NAC (Network Access Control): 802.1X; agent-based (requesting devices need special software) or agentless (web browser authentication); in-band (dedicated appliances) or out-of-band (existing network infrastructure)

Sink-holing: DNS server responds with IP address of sinkhole system which remediates botnet-infected system looking for C2 server

Malware Signatures

• Development/Rule Writing: Record malware identifiers (e.g. unique strings, malware families, resources within malware, called function bytes)

• Sandboxing: Detects unknown malware based on behaviors, not signatures

• Port security: Restricts source MAC addresses that can connect to port; static or dynamic filtering (e.g. maximum no. of MAC addresses, MAC address moved to different port)

3.3 Explain the importance of Proactive Threat Hunting

Establishing a Hypothesis: Intelligence-driven (TTPs through IOCs); awareness-


driven (network changes, most important assets); analytics-driven (models to avoid
bias)

Profiling Threat Actors and Activities: Motivations, objectives, targets,


geolocations, languages, budget, technical skills => relevancy to organisation &
threat severity

Threat Hunting Tactics

• Executable Process Analysis: Behavior anomaly analysis (execution path, parent name)

Reducing the Attack Surface Area: Eliminate complexity; attack simulation; endpoint visibility + network policies; network segmentation; assessments & traffic analysis

Bundling Critical Assets: Assets grouped together for ease of management &
control

Attack Vectors: How attacker compromises systems through exploiting vulnerabilities

Integrated Intelligence: Knowledge + info + collaboration => rapid actionable intelligence

Improved Detection Capabilities: Detect unidentified threat activity based on TTP analysis

3.4 Compare and Contrast Automation Concepts and Technologies

Workflow Orchestration: Scalable cloud resource provisioning to achieve business targets

• Security Orchestration, Automation, and Response

Scripting: Programming languages to automatically manage tasks, e.g. configure devices

API Integration: Controller interaction with systems; seamless connectivity between apps

Automated Malware Signature Creation: Inbound unknown file monitoring for file
behavior & content classifiers; signature generated based on malware classification

Data Enrichment: Add context to data (e.g. asset inventory tools, 3rd party
databases) => meaningful insights + threat prioritization + quick investigation/action

Threat Feed Combination: Combine machine data from many sources to SIEM,
UEBA

Machine Learning: Finds patterns in data; threat anomaly monitoring; detects unidentified malware; analysis of encrypted traffic; make predictions based on activity

Use of Automation Protocols and Standards

• SCAP (Security Content Automation Protocol): security automation with languages (OVAL), enumeration (CVE, CPE, CCE), metrics (CVSS), integrity (TMSAD for authentication & traceability of security data)

Continuous Integration: Frequent code commits; automatic code testing; master code branch remains production-ready

Continuous Deployment/Delivery: Deliver & deploy ASAP; identical development + test + production environment configuration

4.0 Incident Response

4.1 Explain the importance of the Incident Response process

Communication plan

• Limiting communication to trusted parties: Law enforcement, information sharing partners (ISAC), vendors/manufacturers, actual/potential victims, media <= policies

• Disclosing based on regulatory/legislative requirements: Data breach notification laws

• Preventing inadvertent release of information: Always consult legal counsel/public relations before communicating with law enforcement, media, public etc. <= controls

• Using a secure method of communication: Security-tested messaging platforms; message retention/monitoring/response

• Reporting Requirements: Regulations; classification/storage/retention/expiration policies

Response Coordination with Relevant Entities

• Legal: Ensures team complies with laws/policies/regulations + leader compliance advice

• Human Resources: Investigates potential employee malfeasance

• Public relations: Coordinate communications with the media & the public

• Internal and External: Within team for rapid response + externally for advice/regulatory

• Law Enforcement: When incident has criminal nature => investigation cooperation

• Senior Leadership: Makes critical business decisions; allocates budget & staff; comms

• Regulatory Bodies: Provides advice/guidance on regulatory/legal compliance

Factors contributing to Data Criticality

• PII (Personally Identifiable Information): Info which can distinguish an individual's identity, e.g. name, SSN, DoB, addresses

• PHI (Personal Health Information): HIPAA-regulated individuals' health info, e.g. medical records, health conditions

• SPI (Special Protected Information): Doesn't identify individual, but is private/can harm person if made public

• High value asset: Critical info; serious impact to organisation's business/mission ability

• Financial information: Private info about assets, payments, cards, accounts etc.

• Intellectual property: Proprietary product development plans, formulae, trade secrets

• Corporate information: Sensitive info, e.g. corporate accounting, merger/acquisition

4.2 Given a scenario, apply the appropriate incident response procedure

Preparation

• Training: Appropriate training on roles & responsibilities; incident preparation

• Testing: Incident response drill scenarios, mock data breaches => IR plan evaluation

• Documentation of procedures: Tactical details prepared & used during incidents

Detection and Analysis

• Characteristics contributing to severity level classification: Functional impact, economic impact, recoverability effort, data (information) impact rating

• Downtime: Amount of time that service is unavailable; time until recovery

• Recovery time: Possibility/predictability of recovery time; resource requirements

• Data integrity: Modification or deletion of sensitive/proprietary/regulatory/legal info

• Economic: Financial losses classified according to thresholds

• System process criticality: Prioritize systems based on how vital they are to operation

• Reverse engineering: Analyze malware, identify how it works => establish IOCs for rules

• Data correlation: Info from multiple sources => centrally analyze to identify attacks

Containment

• Segmentation: Network segmentation with firewalls; isolate attacker to quarantine network (strictly controlled VLAN for compromised host analysis)

• Isolation: Allow attacker access to systems (quarantine network via Internet) but restrict access to other systems, e.g. sandbox, honeypot

Eradication and Recovery

• Vulnerability mitigation: Perform vulnerability scans; protect systems against future attacks

• Sanitization: Clear (sanitize against simple recovery, factory reset); purge (prevent even laboratory recovery, e.g. degaussing); destroy (media cannot be reused, e.g. melting)

• Reconstruction/Reimaging: All compromised hosts should be rebuilt from scratch/known trusted backup; ensure backups don't re-introduce the vulnerability

• Secure Disposal: Encrypt/delete => physically destroy media => 3rd party collector

• Patching: Patch directly involved systems -> indirectly involved systems -> other systems

• Restoration of Permissions: Perform account review; check for principle of least privilege violations; ensure only authorized user accounts exist on every system

• Reconstitution of Resources: Rebuild systems and apply updates and patches

• Restoration of Capabilities and Services: Bring affected systems back into production

• Verification of Logging/Communication to Security Monitoring: Configured to meet logging policy requirements; check centralized log receipt; log automation

Post-Incident Activities

• Evidence Retention: Follow retention policies (no court use); consult legal counsel before discarding (prosecution); US government agencies must retain records for 3 years

• Lessons Learned report: Evaluates how incident response was performed; suggest improvements in the future; evaluate plan/procedure effectiveness

• Change control process: Document emergency changes that bypassed normal configuration management/change control process (return to them post-incident)

• Incident Response plan update: Find plan deficiencies; make changes to IR plan

• Incident summary report: Useful in new security control development/training; legal record; previously undetected deficiencies; event timeline + root cause + evidence + actions & their reasons + validation results + lessons learned

• IOC (Indicator of Compromise) generation: IOCs based on network/host artifacts, addresses, hashes, tools, TTPs

• Monitoring: Full network visibility; continuous monitoring for future persistent attack

4.3 Given an incident, analyze potential indicators of compromise

Network-Related

• Bandwidth Consumption: Causes service outages/disruptions => flow data tools, threshold-based alarms, real-time graphs, SNMP device-level load monitoring

• Beaconing: HTTP/S traffic sent to C2 server from a botnet system => IDPS with known C2 server rules, behavior-based analysis, outbound traffic analysis

• Irregular peer-to-peer communication: P2P botnets => DNS lookup anomaly detection

• Rogue device on the network: Wired/wireless rogues => validate MAC addresses to whitelist, OUI checking, network scans, site surveys, traffic analysis, port security/NAC

• Scan/Sweep: Port scanning, repeated requests etc. => IDPS + SIEM (attack correlation)

• Unusual Traffic Spike: Scan/attack traffic => anomaly/heuristics detection; protocol analysis

• Common protocol over non-standard port: Exploit/exfil route or vulnerable service
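
A behavior-based beaconing check of the kind the Beaconing bullet above calls for, as an added example that is not part of the cheat sheet: it measures how regular the gaps between a host's repeated outbound connections are, using constructed flow records and an assumed jitter threshold.

```python
"""Beaconing detection over constructed outbound flow records.

Added example (not from the cheat sheet): a C2 beacon tends to call home at a
fixed interval, so for each (source, destination, port) we compute the time
between consecutive outbound connections and flag tuples whose intervals are
both numerous and nearly constant (low jitter). The flow records below are
constructed for illustration; the thresholds are assumptions to tune per site.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (epoch seconds, source IP, destination IP, destination port)
FLOWS = [
    # host 10.0.0.5 calls 203.0.113.10 every ~60 s with +/-1 s jitter
    (1000, "10.0.0.5", "203.0.113.10", 443),
    (1061, "10.0.0.5", "203.0.113.10", 443),
    (1120, "10.0.0.5", "203.0.113.10", 443),
    (1181, "10.0.0.5", "203.0.113.10", 443),
    (1240, "10.0.0.5", "203.0.113.10", 443),
    (1300, "10.0.0.5", "203.0.113.10", 443),
    # host 10.0.0.7 browses a web server at irregular, human-like times
    (1005, "10.0.0.7", "198.51.100.20", 443),
    (1009, "10.0.0.7", "198.51.100.20", 443),
    (1090, "10.0.0.7", "198.51.100.20", 443),
    (1300, "10.0.0.7", "198.51.100.20", 443),
    (1302, "10.0.0.7", "198.51.100.20", 443),
    (1470, "10.0.0.7", "198.51.100.20", 443),
]

def interval_stats(flows):
    """Return {(src, dst, port): (connections, mean_gap, coefficient_of_variation)}."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    stats = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) < 2:
            continue  # too few connections to judge periodicity
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0   # jitter relative to the interval
        stats[key] = (len(ts_list), avg, cv)
    return stats

def find_beacons(flows, min_connections=5, max_cv=0.1):
    """Flag (src, dst, port) tuples with many connections and near-constant gaps."""
    return sorted(
        key for key, (n, _avg, cv) in interval_stats(flows).items()
        if n >= min_connections and cv <= max_cv
    )

if __name__ == "__main__":
    for src, dst, port in find_beacons(FLOWS):
        n, avg, cv = interval_stats(FLOWS)[(src, dst, port)]
        print(f"possible beacon: {src} -> {dst}:{port} ({n} flows, ~{avg:.0f}s, cv={cv:.3f})")
```

Legitimate traffic with a fixed schedule (NTP, update checks) also scores low on jitter, so the output is a hunting lead to be checked against known-good destinations, not a verdict.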

Host-Related

• Processor Consumption: New software/process or DoS => CPU utilization/processes using CPU/process runtime/spike monitoring

• Memory Consumption: Insufficient memory allocation/memory leaks (-> crash) => memory consumption/processes monitoring, thresholds & alarms, periodic restarts

• Drive Capacity Consumption: Outage => real-time disk utilization monitoring (e.g. SCOM, Nagios), daily reports (SCCM)

• Unauthorized Software: SCCM (central installation management/reporting), antimalware, file blacklisting/app whitelisting (limit installations)

• Malicious Process: Compromised host => antimalware, process monitoring

• Unauthorized Change: File creation, setting changes => logs, SIM/SIEM, FIM, monitoring

• Unauthorized Privilege: Privilege use attempts, escalation => SIM/SIEM, log + analysis

• Data Exfiltration: Big outbound comms => anomaly detection, outbound IDPS rules, DLP

• Abnormal OS process behavior: Unusual process/command execution => attacker use of system (e.g. for data exfiltration/privilege escalation/remote execution/enumeration)

• File system change or anomaly: New/removed/modified files (e.g. malware) => FIM

• Registry change or anomaly: Persistence (auto-start) => RegMon, registry monitoring

• Unauthorized scheduled task: Adware, persistence => Task Scheduler/event monitoring
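
Executable process analysis (3.3, execution path and parent name) and the abnormal-process indicators above, as an added example not taken from the cheat sheet: it runs execution-path and parent-name checks over constructed process-creation events; the baseline tables are assumptions standing in for an organisation's own.

```python
"""Executable process analysis over constructed process-creation events.

Added example (not from the cheat sheet): each event records an image path and
its parent. Two checks from the text are applied: (1) execution path, a known
system binary running from an unexpected directory, and (2) parent name, a
binary whose parent is not one it is normally launched by. Baselines and
events below are constructed; real baselines come from your own environment.
"""
import ntpath

# Constructed baseline: where a binary should live, and which parents may spawn it
EXPECTED_PATHS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
}
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}, "lsass.exe": {"wininit.exe"}}
# Document handlers spawning a shell is a classic phishing follow-on, baseline or not
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}

def norm(path):
    """Case-fold and use backslashes so Windows paths compare reliably."""
    return path.lower().replace("/", "\\")

def analyze_event(event):
    """Return a list of finding strings for one process-creation event."""
    image = ntpath.basename(norm(event["image"]))
    directory = ntpath.dirname(norm(event["image"]))
    parent = ntpath.basename(norm(event["parent"]))
    findings = []
    if image in EXPECTED_PATHS and directory not in EXPECTED_PATHS[image]:
        findings.append(f"unexpected path: {image} ran from {directory}")
    if image in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[image]:
        findings.append(f"unexpected parent: {image} spawned by {parent}")
    if parent in DOCUMENT_HANDLERS and image in SHELLS:
        findings.append(f"document handler spawned shell: {parent} -> {image}")
    return findings

def hunt(events):
    """Map each event's pid to its findings, keeping only events that matched."""
    return {e["pid"]: f for e in events if (f := analyze_event(e))}

EVENTS = [  # constructed sample events
    {"pid": 100, "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"pid": 200, "image": r"C:\Users\Public\svchost.exe", "parent": r"C:\Windows\explorer.exe"},
    {"pid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 400, "image": r"C:\Windows\System32\lsass.exe", "parent": r"C:\Windows\System32\wininit.exe"},
]

if __name__ == "__main__":
    for pid, findings in hunt(EVENTS).items():
        print(pid, "; ".join(findings))
```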

Application-Related

• Anomalous activity: Log analysis, baseline anomaly detection, FIM, user training

• Introduction of new accounts: Admin account creation approvals & change management workflows, user creation logs, granted privileges tracking

• Unexpected output: Improper output/errors/issues => output validation by admin

• Unexpected outbound communication: Beaconing, data exfiltration => network monitoring, outbound IDPS rules, pattern-based behavior analysis

• Service interruption: App/server restart, DoS => app/service status monitoring

• Application log: Windows app log (SCOM), /var/log, transactional logs, error messages

4.4 Given a scenario, utilize basic digital forensics techniques

Network

• Wireshark: GUI tool to apply filters, reassemble streams, search captured packets

• Tcpdump: CLI tool for capturing & analysing PCAP traffic + advanced header filtering

Endpoint

• Disk: Registry, autorun keys, MFT, event logs, INDX files, change logs,
volume shadow copies, user artifacts, Recycle Bin, hibernation files/memory
dumps, temporary directories, app logs, removable devices

• Memory: Linux kernel extensions fmem & LiME (access to physical memory
and copy data); Windows DumpIt (copy physical memory to USB) & crash
dump (%SystemRoot%\MEMORY.DMP, live memory); Volatility Framework
(extract encryption keys, user activity/rootkit analysis)

Mobile: Physical (acquire SIM card, memory cards, backups); logical (image of
logical storage volumes); manual access (review/record unlocked phone); filesystem
(deleted files & existing files details [e.g. search histories, messages, call records])

Cloud: determine contract info regarding investigations -> legal recourse with vendor
-> identify data & their availability -> work with vendor

Virtualization: Easy disk/memory images with snapshots; dead vs live analysis

Legal hold: Obligation to preserve electronic data for legal investigation

Procedures: Form problem statement -> determine required data & their locations
-> document & review plan -> acquire & preserve evidence -> initial analysis & track
actions -> deeper investigation & review missing/additional data -> report on findings

Hashing

• Changes to binaries: Compare hashes (MD5/SHA1) to ensure integrity (chain of custody)

Carving: Extract files from unallocated space with magic numbers; cluster-based (file start near FAT/NTFS cluster boundary), sector-based (de-clustered files), byte-based (file in file)
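
Signature carving as described above, as an added example that is not from the cheat sheet: it carves by magic number in sector-based and byte-based modes over a constructed image, and the embedded "files" are minimal stand-ins built from real header/footer signatures.

```python
"""Signature-based file carving over a constructed unallocated-space image.

Added example (not from the cheat sheet): files are located by their magic
numbers (header) and, where the format has one, a footer. Two of the modes the
text names are shown: sector-based carving only accepts headers on a 512-byte
sector boundary; byte-based carving accepts a header at any offset and so also
recovers a file embedded inside another (file in file). The image below is
constructed; the "files" are minimal stand-ins, not real media.
"""
SECTOR = 512

# Header and footer magic numbers for a few common formats
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(image, byte_based=False, max_size=1 << 20):
    """Return a sorted list of (type, start, end) spans found in the image bytes.

    Sector-based mode (default) only considers headers that sit on a sector
    boundary, which is where files start on a FAT/NTFS volume. Byte-based mode
    scans every offset, so files nested inside other files are found too.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            if byte_based or pos % SECTOR == 0:
                end = image.find(footer, pos + len(header), pos + max_size)
                if end != -1:                  # footer missing => truncated, skip it
                    found.append((kind, pos, end + len(footer)))
            pos = image.find(header, pos + 1)
    return sorted(found, key=lambda span: span[1])

def extract(image, span):
    """Slice one carved file out of the image."""
    _kind, start, end = span
    return image[start:end]

def build_image():
    """Constructed unallocated space: a PDF that embeds a JPEG, then a PNG."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.7\n" + b"P" * 100 + jpeg + b"P" * 50 + b"%%EOF"
    png = b"\x89PNG\r\n\x1a\n" + b"N" * 30 + b"IEND\xaeB`\x82"
    image = bytearray(b"\x00" * SECTOR)          # sector 0: empty
    image += pdf.ljust(SECTOR * 2, b"\x00")       # sectors 1-2: PDF (JPEG inside it)
    image += png.ljust(SECTOR, b"\x00")           # sector 3: PNG
    return bytes(image)

if __name__ == "__main__":
    img = build_image()
    for mode in (False, True):
        print("byte-based" if mode else "sector-based", carve(img, byte_based=mode))
```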

Data acquisition: Copies all (used, slack, unallocated) spaces; dd/FTK Imager + write blocker; forensic copy devices (duplicate) => compare both hashes, chain of custody
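
Hashing for integrity and the dd-style acquisition described above, as an added example not taken from the cheat sheet: a chunked read-only copy is hashed (MD5/SHA-1) on both sides and a chain-of-custody record is produced; the paths, examiner name and evidence bytes are constructed.

```python
"""Forensic image acquisition with hash verification and a custody record.

Added example (not from the cheat sheet): the source is opened read-only (the
software analogue of a write blocker) and copied in chunks while MD5 and SHA-1
are computed; the image is then hashed again independently and both digest
pairs must match. Paths and the "evidence" content are constructed for the demo.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024

def hash_stream(stream, sink=None):
    """Hash a stream in chunks; if sink is given, also write each chunk to it."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: stream.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
        if sink is not None:
            sink.write(block)
    return md5.hexdigest(), sha1.hexdigest()

def acquire(source, image, examiner):
    """Copy source to image and return a chain-of-custody record."""
    with open(source, "rb") as src, open(image, "wb") as dst:   # source is never opened for writing
        src_md5, src_sha1 = hash_stream(src, sink=dst)
    with open(image, "rb") as img:                                 # independent re-hash of the copy
        img_md5, img_sha1 = hash_stream(img)
    return {
        "examiner": examiner, "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source, "image": image,
        "source_md5": src_md5, "source_sha1": src_sha1,
        "image_md5": img_md5, "image_sha1": img_sha1,
        "verified": (src_md5, src_sha1) == (img_md5, img_sha1),
    }

def verify(record):
    """Re-hash the image later (e.g. before analysis) and compare with the record."""
    with open(record["image"], "rb") as img:
        return hash_stream(img) == (record["image_md5"], record["image_sha1"])

def run_demo():
    """Acquire a constructed 'device', then show that a modified image fails verification."""
    workdir = tempfile.mkdtemp()
    source, image = os.path.join(workdir, "evidence.bin"), os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))   # constructed evidence, deliberately not chunk-aligned
    record = acquire(source, image, examiner="analyst-01")
    intact = verify(record)
    with open(image, "r+b") as f:              # flip one byte of the image to simulate tampering
        f.seek(CHUNK)
        original = f.read(1)
        f.seek(CHUNK)
        f.write(bytes([original[0] ^ 0xFF]))
    return record, intact, verify(record)

if __name__ == "__main__":
    print(run_demo())
```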

5.0 Compliance and Assessment

5.1 Understand the importance of data privacy and protection

Privacy vs. Security: Personal data collection/sharing vs protect data against illegal access

Non-Technical Controls

• Classification: Classification schema based on risk after breach (e.g. secret, sensitive)

• Ownership: Ownership of info created/used by organisation; owner must protect data

• Retention: What info is maintained; length of time data categories are retained for

• Data types: Regulatory (PII, PHI, cards), intellectual property, corporate confidential info

• Retention standards: According to law/regulation/industry category, global compliance

• Confidentiality: Prevent unauthorized access/disclosure/theft of privacy information

• Legal requirements: Privacy Act, FERPA, HIPAA, PCI DSS, GLBA, SOX, notification laws

• Data sovereignty: Privacy data in another country that is subject to local laws

• Data minimisation: Collected data shouldn't be held/used unless clearly stated (GDPR)

• Purpose limitation: Data collected for specified, legitimate, explicit purposes and not further processed in a way incompatible with those purposes (GDPR)

• NDA (Non-Disclosure Agreement): Legal contract that prevents sharing confidential data (e.g. IP) with 3rd parties

Technical Controls

• Encryption: Symmetric/public-key encryption, secure key management, key size

• DLP: Detects/prevents sensitive data exfiltration; compliance; data tracking/visibility

• Data masking: Structurally similar but inauthentic version of data; for testing/training

• Deidentification: Separate PII from PHI; deidentified data can be HIPAA non-compliant

• Tokenization: Swap sensitive data (cloud vault) with random numbers (and swap back)

• DRM (Digital Rights Management):

o Watermarking: Steganographically in video/audio; integrity, ownership, licensed user

• Geographic Access Requirements: Checks geolocation with system/IP address or GPS

• Access Controls: A&A, logging, least privilege, MFA, MAC/DAC/RBAC etc.
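
Tokenization and data masking from the bullets above, as an added example that is not from the cheat sheet: an in-memory dict stands in for the token vault, the masking routine keeps the issuer prefix and produces a Luhn-valid but fake number, and every card number used is a constructed test value.

```python
"""Tokenization with a vault, and data masking, over constructed card numbers.

Added example (not from the cheat sheet): TokenVault.tokenize() swaps a sensitive
value for a random token of the same shape and keeps the mapping in a vault (an
in-memory dict here, standing in for the cloud vault the text mentions), and
detokenize() swaps it back for authorized callers. mask() makes a structurally
similar but inauthentic copy for test/training data that cannot be swapped back.
All card numbers used below are constructed test values.
"""
import secrets

DIGITS = "0123456789"

class TokenVault:
    """Holds token <-> value mappings; only this store can reverse a token."""
    def __init__(self):
        self._value_of = {}   # token -> real value
        self._token_of = {}   # real value -> token

    def tokenize(self, value):
        if value in self._token_of:        # same input, same token, so joins still work
            return self._token_of[value]
        while True:                        # same length, random digits, no collisions
            token = "".join(secrets.choice(DIGITS) for _ in value)
            if token != value and token not in self._value_of:
                break
        self._value_of[token] = value
        self._token_of[value] = token
        return token

    def detokenize(self, token):
        return self._value_of[token]       # KeyError for a token this vault never issued

def luhn_ok(number):
    """Standard Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def mask(card_number, keep_prefix=6):
    """Structurally similar but inauthentic copy: same length and issuer prefix,
    random middle digits and a valid Luhn check digit; not reversible."""
    middle = "".join(secrets.choice(DIGITS) for _ in card_number[keep_prefix:-1])
    body = card_number[:keep_prefix] + middle
    check = next(d for d in DIGITS if luhn_ok(body + d))
    return body + check

if __name__ == "__main__":
    vault, card = TokenVault(), "4111111111111111"   # constructed test number
    token = vault.tokenize(card)
    print(card, "->", token, "->", vault.detokenize(token), "| masked:", mask(card))
```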

5.2 Given a scenario, apply security concepts in support of organizational risk mitigation

Business impact analysis: Identify critical technologies/processes, prioritization, recovery time objectives, financial/operational/legal impact, requirements for recovery

Risk identification process: Determine/document/communicate potential risks

Risk calculation

• Probability: Likelihood that threat will execute attack + risk having adverse effects

• Magnitude: The adversity of the impact the risk has on the organisation

Communication of Risk Factors: Consult stakeholders; decision makers avoid risky practice

Risk Prioritization

• Security controls: Prioritize upon manageability (risk control vs risk occurrence time)

• Engineering trade-offs: Risk mitigation costs vs ALE; based on risk appetite

Systems assessment: Prioritize assets, identify vulnerabilities, assess control & impact

Documented compensating controls: Mitigates risk for noncompliant exceptions

Training and Exercises

• Red team: Attacker that attempts to gain access to protected network

• Blue team: Secure target environment and keep red team out

• White team: Coordinate/maintain/referee the wargame, and monitor results

• Tabletop exercise: Role/responsibility/response discussions in emergency simulations

Supply Chain Assessment

• Vendor due diligence: Evaluate risks involved in partnership with potential vendor

• Hardware source authenticity: NSA certified Trusted Foundry secure production OEMs

5.3 Explain the importance of frameworks, policies, procedures, and controls

Frameworks

• Risk-based: Controls designed around specific risks => flexibility, unaddressed risks

• Prescriptive: Single requirement list that must be addressed => standardisation, costly

Policies and Procedures

• Code of conduct/ethics: Employee accountable for own behavior; support values, principles, standards; ethical/legal decision making; restricted info disclosure

• AUP (Acceptable Use Policy): Clear directions on permissible uses of resources

• Password Policy: password length/complexity requirements, reuse limitation

• Data ownership: States the ownership of the info created/used by the organization

• Data retention: What info is maintained & length of time categories are retained for

• Account management: Account lifecycle (provision => active use => decommission)

• Continuous monitoring: How monitoring is performed; monitoring technology usage

• Work product retention: review/retention period/destruction for documents

Category Types

• Managerial: Security assessment, planning, risk identification, evaluation of controls

• Operational: Practices and procedures that follow security requirements

• Technical: Systems/devices/software/settings etc. that enforce CIA requirements

Control Types

• Preventative: Proactive measures to prevent incidents, e.g. firewalls, training

• Detective: Detects and captures information on incidents, e.g. alarms, notifications

• Responsive: Responds to breach and restores initial behaviors of systems, e.g. backups

• Corrective: Remediates incident or limits damage, e.g. patching, antimalware

• Deterrent: Anything intended to warn a would-be attacker that they should not attack

• Compensating: Also called an alternative control; a mechanism put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time

• Physical: Include guards, fences, motion detectors, etc.

Audits and Assessments

• Regulatory: PCI DSS (internal & external vulnerability scanning by professional or ASV)

• Compliance: HIPAA, GLBA, SOX, FERPA, FISMA, data breach notification laws
