CompTIA CySA+ Cybersecurity Analyst (CS0-001)

CompTIA Cybersecurity Analyst (CySA+) is an IT workforce certification that applies behavioral analytics to networks and devices to prevent, detect and combat cybersecurity threats through continuous security monitoring.

Objective

  • CySA+ focuses on the candidate's ability not only to proactively capture, monitor, and respond to network traffic findings, but also emphasizes software and application security, automation, threat hunting, and IT regulatory compliance, all of which affect the daily work of security analysts.
  • CySA+ covers the most up-to-date core security analyst skills and upcoming job skills used by threat intelligence analysts, application security analysts, compliance analysts, incident responders/handlers, and threat hunters, bringing new techniques for combating threats inside and outside of the Security Operations Center (SOC).

Course Outcome

CompTIA CySA+ applies behavioral analytics to networks to improve the overall state of security by identifying and combating malware and advanced persistent threats (APTs), resulting in enhanced threat visibility across a broad attack surface. It validates an IT professional's ability to proactively defend and continuously improve the security of an organization.

  • Leverage intelligence and threat detection techniques
  • Analyze and interpret data
  • Identify and address vulnerabilities
  • Suggest preventative measures
  • Effectively respond to and recover from incidents
  • CompTIA CySA+ meets the ISO 17024 standard and is approved by the U.S. Department of Defense

Content Outline

  • Threat Management
     - Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes.
        - Procedures/common tasks: Topology discovery, OS fingerprinting, Service discovery, Packet capture, Log review, Router/firewall ACLs review, Email harvesting, Social media profiling, Social engineering, DNS harvesting, Phishing
        - Variables: Wireless vs. wired, Virtual vs. physical, Internal vs. external, On-premises vs. cloud
        - Tools: NMAP, Host scanning, Network mapping, NETSTAT, Packet analyzer, IDS/IPS, HIDS/NIDS, Firewall rule-based and logs, Syslog, Vulnerability scanner
     - Given a scenario, analyze the results of a network reconnaissance.
        - Point-in-time data analysis: Packet analysis, Protocol analysis, Traffic analysis, Netflow analysis, Wireless analysis
        - Data correlation and analytics: Anomaly analysis, Trend analysis, Availability analysis, Heuristic analysis, Behavioral analysis
        - Data output: Firewall logs, Packet captures, NMAP scan results, Event logs, Syslogs, IDS report
        - Tools: SIEM, Packet analyzer, IDS, Resource monitoring tool, Netflow analyzer
     - Given a network-based threat, implement or recommend the appropriate response and countermeasure.
        - Network segmentation (System isolation, Jump box), Honeypot, Endpoint security, Group policies, ACLs, Sinkhole
        - Hardening: Mandatory Access Control (MAC), Compensating controls, Blocking unused ports/services, Patching
        - Network Access Control (NAC): Time-based, Rule-based, Role-based, Location-based
     - Explain the purpose of practices used to secure a corporate environment.
        - Penetration testing: Rules of engagement (Timing, Scope, Authorization, Exploitation, Communication, Reporting)
        - Reverse engineering: Isolation/sandboxing; Hardware (Source authenticity of hardware, Trusted foundry, OEM documentation); Software/malware (Fingerprinting/hashing, Decomposition)
        - Training and exercises: Red team, Blue team, White team
        - Risk evaluation: Technical control review, Operational control review, Technical impact and likelihood (High, Medium, Low)

  • Vulnerability Management
     - Identification of requirements: Regulatory environments, Corporate policy, Data classification, Asset inventory (Critical, Non-critical)
     - Establish scanning frequency: Risk appetite, Regulatory requirements, Technical constraints, Workflow
     - Configure tools to perform scans according to specification: Determine scanning criteria (Sensitivity levels, Vulnerability feed, Scope, Credentialed vs. non-credentialed, Types of data, Server-based vs. agent-based), Tool updates/plug-ins (SCAP), Permissions and access
     - Execute scanning
     - Generate reports: Automated vs. manual distribution
     - Remediation: Prioritizing (Criticality, Difficulty of implementation), Communication/change control, Sandboxing/testing, Inhibitors to remediation (MOUs, SLAs, Organizational governance, Business process interruption, Degrading functionality)
     - Ongoing scanning and continuous monitoring
     - Given a scenario, analyze the output resulting from a vulnerability scan.
        - Analyze reports from a vulnerability scan: Review and interpret scan results (Identify false positives, Identify exceptions, Prioritize response actions)
        - Validate results and correlate other data points: Compare to best practices or compliance, Reconcile results, Review related logs and/or other data sources, Determine trends
     - Compare and contrast common vulnerabilities found in the following targets within an organization.
        - Servers, Endpoints, Network infrastructure, Network appliances, Virtual infrastructure (Virtual hosts, Virtual networks, Management interface), Mobile devices, Interconnected networks, Virtual Private Networks (VPNs), Industrial Control Systems (ICSs), SCADA devices

  • Cyber Incident Response
     - Given a scenario, distinguish threat data or behavior to determine the impact of an incident.
     - Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation.
     - Explain the importance of communication during the incident response process.
     - Given a scenario, analyze common symptoms to select the best course of action to support incident response.
     - Summarize the incident recovery and post-incident response process.

  • Security Architecture and Tool Sets
     - Explain the relationship between frameworks, common policies, controls, and procedures.
     - Given a scenario, use data to recommend remediation of security issues related to identity and access management.
     - Given a scenario, review security architecture and make recommendations to implement compensating controls.
     - Given a scenario, use application security best practices while participating in the Software Development Life Cycle.
     - Compare and contrast the general purpose and reasons for using various cybersecurity tools and technologies.