• Prepare for and pass the Cybersecurity Analyst (CySA+) exam
• Threat and Vulnerability Management
• Software and Systems Security
• Security Operations and Monitoring
• Incident Response
• Compliance and Assessment

1.0 Threat and Vulnerability Management

1.1 Explain the importance of threat data and intelligence.

Intelligence sources

• Open-source intelligence
• Proprietary/closed-source intelligence
• Timeliness
• Relevancy
• Accuracy

Indicator management

• Structured Threat Information eXpression (STIX)
• Trusted Automated eXchange of Indicator Information (TAXII)
• OpenIoC

Threat classification

• Known threat vs. unknown threat
• Zero-day
• Advanced persistent threat

Threat actors

• Nation-state
• Hacktivist
• Organised crime
• Insider threat
• Intentional
• Unintentional

Intelligence cycle

• Requirements
• Collection
• Analysis
• Dissemination
• Feedback

Commodity malware
Information sharing and analysis communities

• Healthcare
• Financial
• Aviation
• Government
• Critical infrastructure

1.2 Given a scenario, utilise threat intelligence to support organisational security.

Attack frameworks

• MITRE ATT&CK
• The Diamond Model of Intrusion Analysis
• Kill chain

Threat research

• Reputational
• Behavioral
• Indicator of compromise (IoC)
• Common vulnerability scoring system (CVSS)

Threat modelling methodologies

• Adversary capability
• Total attack surface
• Attack vector
• Impact
• Liklihood

Threat intelligence sharing with supported functions

• Incident response
• Vulnerability management
• Risk management
• Security engineering
• Detection and monitoring

1.3 Given a scenario, perform vulnerability management activities.

Vulnerability identification

• Asset criticality
• Active vs. passive scanning
• Mapping/enumeration

Validation

• True positive
• False positive – True negative
• False negative

Remediation/mitigation

• Configuration baseline
• Patching
• Hardening
• Compensating controls
• Risk acceptance
• Verification of mitigation

Scanning parameters and criteria

• Risks associated with scanning activities
• Vulnerability feed
• Scope
• Credentialed vs. non-credentialed
• Server-based vs. agent-based
• Internal vs. external
• Special considerations
• Types of data
• Technical constraints
• Workflow
• Sensitivity levels
• Regulatory requirements
• Segmentation
• Intrusion prevention system (IPS), intrusion detection system (IDS), and firewall settings

Inhibitors to remediation

• Memorandum of understanding (MOU)
• Service-level agreement (SLA)
• Organisational governance
• Business process interruption
• Degrading functionality
• Legacy systems

1.4 Given a scenario, analyse the output from common vulnerability assessment tools.

Web application scanner

• OWASP Zed Attack Proxy (ZAP)
• Burp suite
• Nikto
• Arachni

Infrastructure vulnerability scanner

• Nessus
• OpenVAS
• Qualys

Software assessment tools and techniques

• Static analysis
• Dynamic analysis
• Reverse engineering
• Fuzzing

Enumeration

• Nmap
• hping
• Active vs. passive
• Responder

Wireless assessment tools

• Aircrack-ng
• Reaver
• oclHashcat

Cloud Infrastructure assessment tools

• ScoutSuite
• Prowler
• Pacu

1.5 Explain the threats and vulnerabilities associated with specialised technology.

Mobile

Internet of Things (IoT)

Embedded

Real-time operating system (RTOS)

System-on-Chip (SoC)

Field programmable gate array (FPGA)

Physical access control

Busiling automation systems

Vehicles and drones

• CAN bus

Workflow and process automation systems

Industrial control system

Supervisory control and data acquisition (SCADA)

• Modbus

1.6 Explain the threats and vulnerabilities associated with operating in the cloud.

Cloud service models

• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

Cloud deployment models

• Public
• Private
• Community
• Hybrid

Function as a Service (FaaS)/ serverless architecture

Infrastructure as code (IaC)

Insecure application programming interface (API)

Improper key management

Unprotected storage

Logging and monitoring

• Insufficient logging and monitoring
• Inability to access

1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities.

Attack types

• Extensible markup language (XML) attack
• Structured query language (SQL) injection
• Overflow attack
  • Buffer
  • Integer
  • Heap

• Remote code execution
• Directory traversal
• Privilege escalation
• Password spraying
• Credential stuffing
• Impersonation
• Man-in-the-middle attack
• Session hijacking
• Rootkit
• Cross-site scripting
  • Reflected
  • Persistent
  • Document object model (DOM)

Vulnerabilities

• Improper error handling
• Dereferencing
• Insecure object reference
• Race condition
• Broken authentication
• Sensitive data exposure
• Insecure components – Insufficient logging and monitoring – Weak or default configurations – Use of insecure functions – strcpy

2.0 Software and Systems Security

2.1 Given a scenario, apply security solutions for infrastructure management.

• Cloud vs. on-premises
• Asset management
  • Asset tagging

• Segmentation
  • Physical
  • Virtual
  • Jumpbox
  • System isolation
  • Air gap

• Network architecture
  • Physical
  • Software-define
  • Virtual private cloud (VPC)
  • Virtual private network (VPN)
  • Serverless

• Change management
• Virtualisation
  • Virtual desktop infrastructure (VDI)

• Containerization
• Identity and access management
  • Privilege management
  • Multifactor authentication (MFA)
  • Single sign-on (SSO)
  • Federation
  • Role-based
  • Attribute-based
  • Mandatory
  • Manual review

• Cloud access security broker (CASB)
• Honeypot
• Monitoring and logging
• Encryption
• Certificate management
• Active defence

2.2 Explain software assurance best practises.

• Platforms
  • Mobile
  • Web application
  • Client/server
  • Embedded
  • System-on-chip (SoC)
  • Firmware

• Software development life cycle (SDLC) integration
• DevSecOps
• Software assessment methods
  • User acceptance testing
  • Stress test application
  • Security regression testing
  • Code review

• Secure coding best practises
  • Input validation
  • Output encoding
  • Session management
  • Authentication
  • Data protection
  • Parameterized queries

• Static analysis tools
• Dynamic analysis tools
• Formal methods for verification of critical software
• Service-oriented architecture
  • Security Assertions Markup Language (SAML)
  • Simple Object Access Protocol (SOAP)
  • Representational State Transfer (REST)
  • Microservices

2.3 Explain hardware assurance best practises.

• Hardware root of trust
  • Trusted platform module (TPM)
  • Hardware security module (HSM)

• eFuse
• Unified Extensible Firmware Interface (UEFI)
• Trusted foundry
• Secure processing
  • Trusted execution
  • Secure enclave
  • Processor security extensions
  • Atomic execution

• Anti-tamper
• Self-encrypting drive
• Trusted firmware updates
• Measured boot and attestation
• Bus encryption

3.0 Security Operations and Monitoring

3.1 Given a scenario, analyse data as part of security monitoring activities

• Heuristics
• Trend analysis
• Endpoint
  • Malware
  • Reverse engineering
  • Memory
  • System and application behaviour
  • Known-good behaviour
  • Anomalous behaviour
  • Exploit techniques
  • File system
  • User and entity behaviour analytics (UEBA)

• Network
  • Uniform Resource Locator (URL) and domain name system (DNS) analysis
  • Domain generation algorithm
  • Flow analysis
  • Packet and protocol analysis
  • Malware

• Log review
  • Event logs
  • Syslog
  • Firewall logs
  • Web application firewall (WAF)
  • Proxy
  • Intrusion detection system (IDS)/ Intrusion prevention system (IPS)

• Impact analysis
  • Organisation impact vs. localised impact
  • Immediate vs. total

• Security information and event management (SIEM) review
  • Rule writing
  • Known-bad Internet protocol (IP)
  • Dashboard

• Query writing
  • String search
  • Script
  • Piping

• E-mail analysis
  • Malicious payload
  • Domain Keys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)
  • Sender Policy Framework (SPF)
  • Phishing
  • Forwarding
  • Digital signature
  • E-mail signature block
  • Embedded links
  • Impersonation
  • Header

3.2 Given a scenario, implement configuration changes to existing controls to improve security.

• Permissions
• Whitelisting
• Blacklisting
• Firewall
• Intrusion prevention system (IPS) rules
• Data loss prevention (DLP)
• Endpoint detection and response (EDR)
• Network access control (NAC)
• Sinkholing
• Malware signatures
  • Development/rule writing

• Sandboxing
• Port security

3.3 Explain the importance of proactive threat hunting

• Establishing a hypothesis
• Profiling threat actors and activities
• Threat hunting tactics
  • Executable process analysis

• Reducing the attack surface area
• Bundling critical assets
• Attack vectors
• Integrated intelligence
• Improving detection capabilities

3.4 Compare and contrast automation concepts and technologies.

• Workflow orchestration
  • Security Orchestration, Automation, and Response (SOAR)

• Scripting
• Application programming interface (API) integration
• Automated malware signature creation
• Data enrichment
• Threat feed combination
• Machine learning
• Use of automation protocols and standards
  • Security Content Automation Protocol (SCAP)

• Continuous integration
• Continuous deployment/delivery

4.0 Incident Response

4.1 Explain the importance of the incident response process.

• Communication plan
  • Limiting communication to trusted parties
  • Disclosing based on regulatory/ legislative requirements
  • Preventing inadvertent release of information
  • Using a secure method of communication
  • Reporting requirements

• Response coordination with relevant entities
  • Legal Human resources
  • Public relations
  • Internal and external
  • Law enforcement
  • Senior leadership
  • Regulatory bodies

• Factors contributing to data criticality
  • Personally identifiable information (PII)
  • Personal health information (PHI)
  • Sensitive personal information (SPI)
  • High value asset
  • Financial information
  • Intellectual property
  • Corporate information

4.2 Given a scenario, apply the appropriate incident response procedure.

• Preparation
  • Training
  • Testing
  • Documentation of procedures

• Detection and analysis
  • Characteristics contributing to severity level classification
  • Downtime
  • Recovery time
  • Data integrity
  • Economic
  • System process criticality
  • Reverse engineering
  • Data correlation

• Containment
  • Segmentation
  • Isolation

• Eradication and recovery
  • Vulnerability mitigation
  • Sanitization
  • Reconstruction/reimaging
  • Secure disposal
  • Patching
  • Restoration of permissions
  • Reconstitution of resources
  • Restoration of capabilities and services
  • Verification of logging/ communication to security monitoring

• Post-incident activities
  • Evidence retention
  • Lessons learned report
  • Change control process
  • Incident response plan update
  • Incident summary report
  • IoC generation
  • Monitoring

4.3 Given an incident, analyse potential indicators of compromise.

• Network-related
  • Bandwidth consumption
  • Beaconing
  • Irregular peer-to-peer communication
  • Rogue device on the network
  • Scan/sweep
  • Unusual traffic spike
  • Common protocol over non-standard port

• Host-related
  • Processor consumption
  • Memory consumption
  • Drive capacity consumption
  • Unauthorised software
  • Malicious process
  • Unauthorised change
  • Unauthorised privilege
  • Data exfiltration
  • Abnormal OS process behaviour
  • File system change or anomaly
  • Registry change or anomaly
  • Unauthorised scheduled task

• Application-related
  • Anomalous activity
  • Introduction of new accounts
  • Unexpected output
  • Unexpected outbound communication
  • Service interruption
  • Application log

4.4 Given a scenario, utilise basic digital forensics techniques.

• Network
  • Wireshark
  • tcpdump

• Endpoint
  • Disk
  • Memory

• Mobile
• Cloud
• Virtualisation
• Legal hold
• Procedures
• Hashing
  • Changes to binaries

• Carving
• Data acquisition

5.0 Compliance and Assessment

5.1 Understand the importance of data privacy and protection.

• Privacy vs. security
• Non-technical controls
  • Classification
  • Ownership
  • Retention
  • Data types
  • Retention standards
  • Confidentiality
  • Legal requirements
  • Data sovereignty
  • Data minimization
  • Purpose limitation
  • Non-disclosure agreement (NDA)

• Technical controls
  • Encryption
  • Data loss prevention (DLP)
  • Data masking
  • Deidentification
  • Tokenization
  • Digital rights management (DRM) ?
  • Watermarking
  • Geographic access requirements
  • Access controls

5.2 Given a scenario, apply security concepts in support of organisational risk mitigation.

• Business impact analysis
• Risk identification process
• Risk calculation
  • Probability
  • Magnitude

• Communication of risk factors
• Risk prioritisation
  • Security controls
  • Engineering tradeoffs

• Systems assessment
• Documented compensating controls
• Training and exercises
  • Red team
  • Blue team
  • White team
  • Tabletop exercise

• Supply chain assessment
  • Vendor due diligence
  • Hardware source authenticity

5.3 Explain the importance of frameworks, policies, procedures, and controls.

• Frameworks
  • Risk-based
  • Prescriptive

• Policies and procedures
  • Code of conduct/ethics
  • Acceptable use policy (AUP)
  • Password policy
  • Data ownership
  • Data retention
  • Account management
  • Continuous monitoring
  • Work product retention

• Category
  • Managerial
  • Operational
  • Technical

• Control type
  • Preventative
  • Detective
  • Corrective
  • Deterrent
  • Compensating
  • Physical

• Audits and assessments
  • Regulatory
  • Compliance

• Knowledge of basic network terminology and functions (such as OSI Model, Topology, Ethernet, Wi-Fi, switches, routers)
• Understanding of TCP/IP addressing, core protocols, and troubleshooting tools
• Network attack strategies and defences
• Knowledge of the technologies and uses of cryptographic standards and products
• Network- and host-based security technologies and practices
• Standards and products used to enforce security on web and communications technologies