CompTIA CySA+ (Exams of Computer Security)

Typology: Exams, 2024/2025 (available from 01/20/2025)

DrShirley
CompTIA CySA+

  1. Technical—The control is implemented as a system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.
  2. Operational—The control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.
  3. Managerial—The control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
  4. Compensating: this acts as a substitute for a principal control, but must give the same level of security assurance as the control it is replacing, e.g. a physical barrier blocking a section of open fence, or developing a workaround for an embedded OS which cannot be patched or updated - What are the four types of Security Control Categories?
  • Security Intelligence
  • CTI (Cyber Threat Intelligence)
  1. Narrative reports—Analysis of certain adversary groups or a malware sample provided as a written document. These provide valuable information and knowledge, but in a format that must be assimilated manually by analysts. This is most useful at providing strategic intelligence to influence security control selection and configuration
  2. Data feeds—Lists of known bad indicators, such as domain names or IP addresses associated with spam or distributed denial of service (DDoS) attacks, or hashes of exploit code. This provides tactical or operational intelligence that can be used within an automated system to inform real-time decisions and analysis as part of incident response or digital forensics. -
    • This is looking inward at the process through which data generated in the ongoing use of information systems is collected, processed, integrated, evaluated, analyzed, and interpreted to provide insights into the security status of those systems. For example: this could reveal a DDoS attack has taken place based on logs and traffic data
  • This is looking outward and providing data about the external threat landscape, such as active hacker groups, malware outbreaks, zero-day exploits, and so on.
  • What are two formats the second thing above is typically produced in?
  1. Requirements (Planning & Direction): sets goals for intelligence gathering effort. Shows how intelligence will support business goals. May also create use cases here. Consider special factors & constraints such as regulations
  2. Collection and Processing: usually implemented by software suites such as SIEM. Data is put into a consistent format so analysis tools can operate on it. Scripting or manual processing may be required. Data must be kept secure.
  3. Analysis: after data has been captured and normalized, anomalies are identified. Use cases, AI, and machine learning are useful here.
  4. Dissemination: publishing information from analysis to consumers who need to act on it. Has many forms from status alerts to analyst reports. Should be tailored for the audience. This occurs at strategic, operational, and tactical levels.
  5. Feedback: goal is to improve all other phases. Would include lessons learned, measurable -

What are the five phases of the Security Intelligence Lifecycle?

  1. Strategic intelligence: addresses broad themes and objectives, affecting projects and business priorities over weeks and months.
  2. Operational intelligence: addresses the day-to-day priorities of managers and specialists.
  3. Tactical intelligence: informs the real-time decisions made by staff as they encounter alerts and status indicators. - What three levels does intelligence distribution or dissemination occur at?
  4. Implementing and configuring security controls
  5. Working in a SOC (Security Operations Center) or CSIRT (Computer Security Incident Response Team)
  6. Auditing security processes and procedures
  7. Conducting risk & vulnerability assessments & pentesting
  8. Maintaining up to date threat intelligence - What are five roles & responsibilities of a Cybersecurity Analyst?
  • NIST 800-
  • ISO 27001
  • NIST 800-
  • NIST 800-
  • NIST 800-63B
  • NIST 800-82 -
    • What document covers security and privacy controls for U.S. Federal information systems and organizations?
  • What is an international, proprietary framework which is similar?
  • What document covers computer security incident handling?
  • What document covers the overall risk management process?
  • What document covers digital identity guidelines for things like IAM (Identity Access Management) and passwords?
  • What document covers Industrial Systems (ICS) security?
  1. Timeliness: ensures the intelligence source is up to date
  2. Relevancy: ensures the intelligence source matches the use case intended for it. E.g., info about attacks against Mac OS will not be relevant if you are using Windows or Linux
  3. Accuracy: ensures that an intelligence source produces effective results. Information needs to be valid and true, eliminate false positives, etc
  4. Confidence Level: ensures the intelligence source produces qualified statements about reliability; a grade of how good overall we think the information is based on the other factors
  • What are four factors you can use to weigh the value of intelligence sources?
  • MISP Project
  • It breaks down into evaluation of source reliability and information content.
  • Source Reliability is given a letter grade A (No Doubt of authenticity & trustworthiness; highest grade) through F (Cannot Be Judged, lowest grade)
  • Information Content is given a number 1 (Confirmed, highest rank) through 6 (Cannot Be Judged, lowest rank) -
    • This codifies the use of the admiralty scale for grading data and estimative language and can be used to help establish a Confidence Level for intelligence sources
  1. Risk Management: identifies and prioritizes threats and vulnerabilities to reduce their negative impact. This is usually grouped with Security Engineering b/c you use the information in Risk Management to design your systems based on the threats you've identified and prioritized
  2. Incident Response: organized approach to addressing and managing the aftermath of a cybersecurity attack or security breach. Tactical level intelligence is most useful here b/c you need to know what IP address are they coming from, what are they doing in the network, etc
  3. Vulnerability Management: identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Use this with threat analysis to find vulnerabilities you hadn't even thought of for example, doing an updated vulnerability scan when WannaCry came out
  4. Detection and Monitoring: observing activity to identify anomalous patterns for further analy -
    • What are four ways you can perform threat analysis sharing as part of the Dissemination phase of the Security Intelligence Lifecycle? Data Enrichment - This automatically combines multiple disparate sources of information together to form a complete picture of events for analysts to use during an incident response or when threat hunting
  • Obfuscated Malware Code
  • Recycled Threats -
    • This is malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit attempts to statically analyze the malware
  • This refers to the process of combining and modifying parts of multiple existing exploit & malware codes to create new threats that are not as easily identified by automated scanning
  • Known Unknowns
  • Unknown Unknowns -
    • A classification of malware that contains obfuscation techniques to circumvent signature matching and detection
  • A classification of malware that contains completely new attack vectors and exploits
  • Johari Window
  1. Open: known to self and known to others
  2. Hidden: known to self, but not known to others
  3. Blind: not known to self, but known to others
  4. Unknown: not known either to self or others
  • The goal is for everyone to reach the "Open" level as far as new threats, malware, etc are concerned -
    • A model that describes the relationship between self-disclosure and self-awareness; based on the known-knowns, known-unknowns, etc.
  • What are the four sectors of this?
  • How does this relate to cybersecurity? Shadow IT - Computer hardware, software, or services used on a private network without authorization from the system owner. Something which is not sanctioned and has not gone through the change management process, such as someone setting up a rogue access point in their office.

  1. Commodity Malware: malicious software that is widely available for sale or easily obtainable and usable
  2. Zero-day Malware: something new with no recorded signature which typically exploits a zero-day vulnerability
  3. APT (Advanced Persistent Threat): can refer to nation-state threat actors, but can also refer to an attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware
  4. C2 Node (Command & Control): aka a "Botmaster" controlling a botnet; an infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets
  • What are four different types of malware?
  • Reputation Data
  • Behavioral Threat Research
  • TTP (Tactics, Techniques, and Procedures) -
    • What is another term for blacklists of known threat sources such as malware signatures, IP address ranges, and DNS domains?
  • This term refers to the correlation of IoCs into attack patterns. For example, analysis of previous hacks and intrusions produces definitions of the tactics, techniques, and procedures (TTP) used to perform attacks.
  • These are behavior patterns that were used in historical cyber attacks
  1. Unauthorized software & files
  2. Suspicious emails
  3. Suspicious registry and file system changes
  4. Unknown port and protocol usage
  5. Excessive bandwidth usage
  6. Rogue hardware
  7. Service disruption and defacement
  8. Suspicious or unauthorized account usage - An IOC (Indicator Of Compromise) is a sign that an initial attack was successful. What are eight types of IoCs? IOA (Indicator of Attack) - What is similar to an IOC (Indicator Of Compromise) but is an indication that an attack is in progress, rather than an indication that an attack was successful?
  9. Port Hopping: an APT is able to switch ports to communicate to avoid detection
  10. Fast Flux DNS: a technique that rapidly changes the IP address associated with a domain
  • Endpoint Forensics: APTs are usually very sneaky and good at hiding their activity, so a deep forensic dive focusing on endpoints is usually the best way to catch them -
    • What are two common mechanisms that APTs use to hide their presence in a network?
  • What is typically the best method of detecting an APT?
  1. Lockheed Martin Kill Chain: describes the stages by which a threat actor progresses a network intrusion. This is a very linear model
  1. Adversary Capability: do they have acquired and augmented tools (commodity)? Do they have Developed capability (zero-day)?
  2. Attack Surface: holistic network (routers, switches, etc), websites or cloud services, custom software applications (APIs)
  3. Attack Vector: cyber, human (social engineering), physical (on premises) - What are three main areas of consideration when doing Threat Modeling?
  4. Analyze network traffic: look for anything suspicious like connections to a C2 node
  5. Analyze the executable process list: look for any strange or invalid processes running
  6. Analyze other infected hosts: look for similarities, how they are hiding/persisting, if they are all running similar processes
  7. Identify how the malicious process was executed: what allowed it to start up? Is there a way we can block it? - What are four things you can do when threat hunting?
  • Google Hacking
  • GHDB (Google Hacking Database)
  • Google Dorks
  1. Quotes: double quotes "" specify an exact phrase and make a search more precise
  2. NOT: uses minus sign "-" in front of a word to remove search results which include that string
  3. AND/OR: "AND" will require both search terms while "OR" will require either search term
  4. Scope: use different keywords to select the scope of the search. For example: "Filetype: PDF" will return only PDF file results containing the search terms
  5. URL Modifiers -
    • This is manipulating a search string with additional specific operators to search for vulnerabilities or very specific information.
  • What is a repository of many different pre-run search strings?
  • What is a nickname for one of these pre-run strings?
  • What are five different ways you can manually create a string? Shodan - This is a search engine optimized for identifying vulnerable internet-attached devices such as thermostats, webcams, and other IoT devices
  • Data submitted via a URL is delimited by the "?" character
  • The "%3A" is actually the hex code for a colon or ":" so remember that when analyzing
  • Someone performed a search to find all xls (Excel spreadsheet) files containing the word "password" and hosted on the site diontraining.com
  • It is the hex code for "@". If you see something like "*%40diontraining.com" it could mean someone was searching for all email addresses ending in "@diontraining.com" -
    • What information could you glean from the following search string if you found it in your proxy logs: https://www.google.com/search?&q=filetype%3Axls+password+site%3Adiontraining.com
  • What does %40 mean in hex code?
  • Pipl.com
  • Peekyou.com
  • Echosec.net -
  • What are three OSINT aggregation sites?
  • To find out who works for an organization and attempt to match up their names with job roles through social media or the company's website
  • The Harvester
  • whois -
  • What is the purpose of email harvesting?
  • What is a linux tool used by pentesters to gather subdomain information and email addresses for an organization?
  • This is a public listing of all registered domains and their registered administrators. In other words, you can look up a website and find out who owns it
  • DNS Zone Transfer
  • DNS Harvesting
  • Windows: nslookup, then "set type=any" (which says tell me all the records you know on this DNS server), then "ls -d websitename.com". If the target server is misconfigured, you can download all of their information from their DNS to your machine
  • Linux: dig axfr (the command for a zone transfer) targetwebsite.com attackerdestinationwebsite.com. If the server is vulnerable, it would copy over all the DNS entries over to the attacker's designated destination site
  • Attackers can go through this info and get things like IP addresses for servers, subdomains, etc -
  • The process of replicating the databases containing the DNS data across a set of DNS servers. Often used during the reconnaissance phase of an attack
  • What is the name for an attack like this which uses OSINT to gather information about a domain such as subdomains, the hosting provider, admin contacts, etc?
  • What Windows or Linux commands can this be done with?
  • Website Harvesting
  • Old or forgotten webpages, pages with weak code, etc
  • Sparse Attack: this favors patient attackers. For example: if very large organizations have a million different endpoints, one attacker doing one bad thing in a month may not be caught. -
  • A technique used to copy the source code of website files to analyze for information and vulnerabilities
  • What sort of vulnerabilities might you find with this?
  • This is a technique where attackers attempt to bury their activity inside of the "network noise"
  • SPAN (Switched Port Analyzer)
  • Packet Sniffer
  • Packet sniffers should be placed inside the firewall and as close to important servers as possible. That way, the firewall will block most of the traffic and you can sniff what's left -
  • This allows for the copying of ingress and/or egress communications from one or more switch ports to another. It essentially makes a copy of everything coming in or out of a port, then puts that on a duplicate port so you can monitor it
  • This is a piece of hardware or software that records data from frames as they pass over network media using methods such as a mirrored port or TAP (Test Access Port) device
  • Where should this second type of device/software be placed in your network?

finish with "DNS_PROBE_FINISHED_NXDOMAIN". It means your system tried looking up a domain name and couldn't figure it out. The DNS resolver can't resolve it for you

  • Use a Secure Recursive DNS Resolver: this allows one trusted DNS server to communicate with several other trusted DNS servers to hunt down the IP address and return it to the client. Do not use a generic DNS server -
    • A method used by malware to hide the presence of C&C networks by continually changing the host IP addresses in domain records using DGAs (Domain Generation Algorithms)
  • What are some ways you might be able to detect this activity?
  • How can you mitigate this activity?
  • URL Analysis
  1. Resolving Percent Encoding, which is a mechanism to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding. A URL can contain unreserved (letters and numbers as well as - (dash), _ (underscore), period, and ~(tilde)) and reserved characters (colon, /, ?, #, @, !, $, etc) from the ASCII set
  2. Assessing Redirection of the URL
  3. Showing Source Code for Scripts in URL -
    • This activity is performed to identify whether a link is already flagged on an existing reputation list, and if not, to identify what malicious script or activity might be coded within it
  • What are three activities performed as a part of this?
  • HTTP Methods
  1. GET: principal method used with HTTP and is used to retrieve a resource
  2. POST: used to send data to the server for processing by the requested resource
  3. PUT: creates or replaces the requested resource
  4. DELETE: removes the requested resource
  5. HEAD: retrieves the headers for a resource only and ignores the body. NOTE: this is often used in pentesting when doing a banner grab b/c all you want to know is information about the server and the page, like the page title -
    • These are a set of request methods to indicate the desired action to be performed for a given resource (a resource is just something on a server). Includes commands such as GET and POST that are transmitted between Web servers and clients using the HTTP protocol.
  • What are five types of HTTP Methods?
  • HTTP Response Codes: these codes are usually three digits that will tell you some information that the server wants you to know. NOTE: individual codes do not need to be memorized for the exam.
  • A code 200 indicates a successful GET or POST request (OK). Code 201 indicates where a PUT request has succeeded in creating a resource
  • Any code in the 3xx range, such as 301, indicates that a redirect has occurred by the server
  • Any code in the 4xx range indicates an error in the client request. Code 400 indicates a request could not be parsed by the server. Code 401 indicates a request did not supply authentication credentials. Code 403 indicates insufficient permissions. Code 404 is very common and means a client has requested a non-existent resource
  • Codes in the 5xx range indicate a server-side issue. Code 500 indicates a general error on server-side of application. Code 502 is a bad gateway when server is acting -
    • This is the header value returned by a server when a client requests a URL
  • What are a few examples?
  1. Connections that are permitted or denied
  2. Port and protocol usage in the network
  3. Bandwidth utilization with the duration and volume of usage
  4. An audit log of the address translations (NAT/PAT) that occurred
  • They will be in vendor specific formats
  • From top to bottom; the most important rules should be placed at the top. If traffic meets the criteria for that rule, it proceeds to the next one. -
    • What are four types of useful data that firewall logs can provide?
  • What format are firewall logs typically in?
  • In what order do the rules in a firewall's ACL process?
  • 0: Emergency; system is unusable
  • 1: Alert; action must be taken immediately
  • 2: Critical; critical conditions
  • 3: Error; error conditions
  • 4: Warning; warning conditions
  • 5: Notice; normal but significant condition
  • 6: Informational
  • 7: Debug - What are the Syslog message codes?
  • iptables
  • Windows Firewall (easier to read because they put comment lines above it which start with hashtags #)
  • Blinding Attack -
    • This is a Linux-based firewall which uses the Syslog format for its logs
  • This is a Windows-based firewall which uses the W3C extended log file format
  • This occurs when a firewall is under-resourced and cannot log data fast enough, therefore some data is missed
  1. Block incoming requests from internal or private, loopback, and multicast IP address ranges
  2. Block incoming requests from protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc)
  3. Configure IPv6 to either block all IPv6 traffic or allow it to authorized hosts and ports only. This is b/c many organizations still run IPv4 but do not bother configuring security for IPv6 -
    • What are three basic principles for configuring firewalls ACLs?
  • Dropping traffic makes it harder for an adversary to identify port states accurately. A deny rule will send a rejection message back to the adversary giving them information they can use.
  • Firewalking
  • An attacker finds an open port on the firewall, sends a packet with TTL (Time To Live) of one past the firewall to find its hosts
  • By using NAT to prevent the attacker from identifying the address space behind the router, and blocking outgoing ICMP status messages -
    • What is the difference in a firewall dropping vs. rejecting traffic?
  • What is a technique to enumerate firewall configurations and hosts behind it?
  • What format do many of these use to store their logs?
  1. Snort: open-source software available for Windows and some Linux distros which can operate in IDS or IPS mode
  2. Zeek: open-source IDS for Linux that contains a scripting engine which can be used to act on significant events by generating an alert or implementing a shunning mechanism
  3. Security Onion: open-source Linux platform which bundles many tools including Snort, Zeek, Suricata, Wireshark, and Network Miner with log management & incident management tools
  • Oinkcode -
    • What are three examples of an IDS/IPS?
  • What is a paid subscription service which gives you updated malware signatures?
  • IBM X-Force Exchange
  • FireEye
  • Recorded Future - What are three examples of Closed-Source or Proprietary Intelligence?
  1. Unified Output: machine readable binary file, cannot be read by humans.
  2. Syslog: can be integrated with SIEMs or read directly
  3. CSV: common data format which uses commas to delimit fields; can be imported into 3rd party app, parsed with regular expressions, or opened as a spreadsheet
  4. Tcpdump (pcap): very useful b/c it captures all packets underlying the event
  5. Input directly into a SIEM - What are five types of output formats for IDS/IPS logs?
  • Action field: usually set to Alert, but other options include log, pass (ignore), drop, and reject
  • Protocol
  • Source IP and Source Port #: usually set to a keyword (any) or variable ($EXTERNAL_NET or $HOME_NET) but can also be a static value
  • Direction: can be unidirectional "->" or bi-directional "<>"
  • Destination IP and Destination Port #
  • Customizable Rule Options will follow the above rules - What is the Snort Rule format for logs?
  1. Msg: text which informs the responder what triggered the rule, basically like a comment
  2. Flow: will match a new or existing TCP connection or match regardless of the TCP connection state
  3. Flags: will tell you whether to match flags in the packet such as the TCP SYN, FIN, RST, etc
  4. Track: applies a rate limiter to the rule, only triggering if the threshold of events pass over a certain duration. For example: if a bad guy comes in once every minute, flag it, but if it's only once every hour, ignore it.
  5. Reference: can match an entry to an attack database.
  6. Classtype: will categorize the attack. For example: is this brute force, DoS, etc?
  7. Sid and Rev: a Snort ID (S+I+D...get it?), and it may include the revision number of that rule, which is the Rev - What are seven types of rule options you can set up with Snort rules?
  • Port Security
  1. Physical Port Security: controls physical access to hardware
  2. MAC Filtering: ACL which only allows approved MAC addresses to connect to the network
  3. NAC (Network Access Control): collected protocols, policies, and hardware which authenticate and authorize access to a network
  • Disable any web administrative interfaces and use SSH shells instead for increased security. The web admin front ends may be vulnerable to XSS and other web-based attacks, allowing threat actors to access the systems -
    • This is disabling unused application/service ports on hosts and firewalls to reduce the number of threat vectors.
  • What are three different types of this?
  • What is a best practice for getting around the fact that many appliances (including IPS and IDS systems, firewalls, switches, etc) run on embedded OSs which may have patching and update limitations?
  1. Use ACLs to restrict access to designated host devices. This means there should be a limited number of laptops or desktops which have the authorization to go into the management area on these devices, and they should only be able to do it from certain places.
  2. Monitor the number of designated interfaces. E.g. are you going to allow anyone to connect over any port, or will there be only five ports in your office that have that connection back to those firewalls and network appliances?
  3. Deny internet access to remote management. The switches and firewalls should not be completely cut off from the internet, only the management side of them should be. Connecting via secure VPN should be required for remote management. Port security very important here to prevent rogue devices accessing your network. - What are several best practices to secure network appliances such as IPS/IDS, firewalls, and switches?
  • NAC (Network Access Control)
  • 802.1x -
    • This provides the means to authenticate users and evaluate device integrity before a network connection is permitted
  • The above relies upon this standard for encapsulating EAP (Extensible Authorization Protocol) communications over a LAN and provides port-based authentication
  1. Posture Assessment: process of assessing the endpoint for compliance with the health policy; basically checks a supplicant to see if the device meets standards for allowing a connection to the network. The health policy is a list of things we're going to check to see if the device has, such as firmware or OS patch level.
  2. Remediation: process and procedures that occur if a device does not meet the minimum security profile.
  3. Pre- and Post-admission Control: the point at which client devices are granted or denied access based on their compliance with a health policy. May perform periodic checks on a device after admission to the network has been granted -
    • What are three key features of a NAC solution?
  4. Time-based: define access periods for given hosts
  5. Location-based: geolocation
  1. Maintain access: at this point, a second stage downloader starts which can download something like a RAT (trojan) to give C2 control over the machine to the attacker
  2. Strengthen access: using the remote access tool from step 2, they will look around the network and start infecting other systems, find high value targets, and gain additional privileges.
  3. Actions on objectives: they start performing their planned attack
  4. Concealment: maintain persistence but cover tracks by deleting logs, etc. to avoid detection.
    • APTs frequently use Fileless Malware which uses shells. What five steps does this typically entail?
  1. Code Injection: malicious code is inserted into otherwise legitimate files or data transmissions.
  2. Masquerading: dropper replaces a genuine executable with a malicious one
  3. DLL Injection: dropper forces a process to load a DLL so that the malicious code inside that DLL gets loaded along with it
  4. DLL Sideloading: dropper exploits a vulnerability in a legitimate program's manifest to load a malicious DLL at runtime
  5. Process Hollowing: dropper starts a process in a suspended state and rewrites the memory locations containing the process code with the malware code. It essentially takes over some place in memory and puts malicious code in there. -
    • What are five methods that a dropper can use to run and eventually install malware?
  • Living Off The Land -
    • These are exploit techniques that use standard system tools and packages to perform intrusions; something which was already installed by an admin or came with the OS. This makes detection of intruders much more difficult. For example: using the system's native PowerShell or Bash Shell to execute code. This is frequently done these days by pentesters and attackers
  • Sysinternals
  • Process Explorer
  • autoruns: this allows you to save a baseline file, then you can run it again if you believe your system has become infected with malware, and it gives you an option to compare the two files to see any differences -
    • This is a tool suite which can help with behavioral analysis. It is designed to assist with troubleshooting issues with Windows. They help to build up a baseline to identify what "normal" is.
  • This tool helps filter out legitimate activity (known-good) to find anomalous behavior
  • This tool can help with developing a good known baseline
  1. System Idle (PID 0) and System (PID 4): kernel-level binaries that are the parent of the first user-mode process (Session Manager SubSystem - smss.exe)
  2. Client Server Runtime SubSystem (csrss.exe): manages low-level Windows functions and it is normal to see several of these running (as long as they are launched from %SystemRoot%\System32 and have no parent). If they have a parent, it may be malware trying to masquerade as this process.
  3. WININIT (wininit.exe): manages drivers and services and should only have a single instance running as a process
  4. Services.exe: hosts non-boot drivers and background services. This process should only have one instance of services.exe running as a child of wininit.exe, with other service processes showing as children of services.exe or svchost.exe. Malware frequently tries to masquerade as this, so look closely
  5. Local Security Authority SubSystem (lsass.exe): handles authentication -
    • What are eight legitimate processes you will always see running on a normal Windows system through the Process Explorer tool?
  • Why is it important to be aware of these?
  • Services should be started by the SYSTEM, LOCAL SERVICE, or NETWORK SERVICE accounts. If a service is started by someone who has a username, it is probably malicious. -
    • What should Windows services be started by to help determine if they are legitimate or perhaps malware trying to masquerade a service?
  1. Any process name that you don't recognize. Doesn't automatically mean it's bad, but you should look online at Microsoft's support site to double check it
  2. Any process name that is similar to a legitimate system process. For example: "scvhost" instead of the legitimate "svchost". Or, any names which look scrambled or randomly generated.
  3. Processes that appear without an icon, version information, description, or company name.
  4. Processes that are unsigned, especially if from a well-known company like Microsoft
  5. Any process whose digital signature doesn't match the identified publisher. They may have stolen the developer's private key.
  6. Any process that does not have a parent/child relationship with a principal Windows process
  7. Any processes hosted by Windows utilities like Explorer, Notepad, Task Manager, etc.
  8. Any process that is packed (compressed), highlighted purple in Process Explorer -
    • What are eight signs of a suspicious Windows process?
  1. How does the process interact with the Registry and file system? As it is launched, what is it doing? E.g. changing the Registry, putting files on the system, etc.
  2. How is the process launched? Did the user launch it, did some service launch it, a scheduled task, etc.? This will help you eliminate it if you need to turn it off
  3. Is the image file located in the system folder or a temp folder? Many times, malware is launched from a temp folder.
  4. What files are being manipulated by the process? When this launches, what is it touching? Does it just read files, change files, etc.?
  5. Does the process restore itself upon reboot after deletion? If so, that is an indicator of malware.
  6. Does a system privilege or service get blocked if you delete the process? If so, this is another strong indicator of malware.
  7. Is the process interacting with the network? Look for any communication going in and out, such as to a -
    • What are seven questions you need to answer when a suspicious Windows process is found?
  • Floss; it will go through and find anything which looks like an ASCII character and pipe it into a .txt file for reading
  • IDA; this may not be useful if the malware is encrypted
  • This is an impersonation attack in which the attacker gains control of an employee's account and uses it to convince other employees to perform fraudulent actions.
  • This is when a phishing email is formatted to appear as if it is part of a reply chain. Usually done by compromising the account of a lower-level employee to try and pretend instructions in the fake email thread have come from someone higher up
  • Email Internet Header
  • MUA (Mail User Agent)
  • MDA (Mail Delivery Agent): will ensure the sender is authorized to send a message from that domain. Can be done via digital certificates or username/PW
  • MTA (Mail Transfer Agent): routes email to recipient using DNS
  • SMTP -
  • This is a record of the email servers involved in transferring an email message from a sender to a recipient. Usually hidden from display clients
  • This is your email client, where you create or receive your emails
  • Where is the first place an email goes after you send it and what does this do?
  • Where does the email go if it has to be sent to a recipient on a different server/domain?
  • What protocol is used during this process?
  1. Display From: this can be edited to say whatever you want. You have to look underneath to see the true email address.
  2. Envelope From: if the email is rejected by a server, it will send it back to whatever is here. This can also be edited to anything you want. It is hidden from display clients
  3. Received From/By: List of the MTAs (Mail Transfer Agents) which processed that email. Every time an MTA touches this email along its route through various servers from sender to destination, there is a chance the Received By could be changed.
  • Message Header Analysis tool found at TestConnectivity.microsoft.com. It allows you to copy and paste your email headers and breaks it down. -
  • What are the three sender address fields in emails which attackers commonly try to exploit because they are not displayed in clients but are inside headers?
  • What is an example of a tool which can help analyze email headers as opposed to manually reading through all of the text?
  • X-Headers -
  • These indicate custom headers that are controlled by SMTP server administrators
  • MIME (Multipurpose Internet Mail Extensions): these allow the body of an email to support different formats such as HTML, rich text, binary data encoded as Base64 ASCII characters, and attachments. This is not bad in and of itself, since MIME is what allows you to bold text, add images, etc. in email, but it can be exploited to deliver attack payloads.
  • S/MIME
  • An Exploit is when message data contains scripts or objects that target a vulnerability in the mail client. An Attachment is when the message contains a file attachment in the hope that a user will open it
  • Embedded Link. To safeguard against this, never click on links from an email. Instead, copy it and paste it directly into your browser to see the full, actual URL. -
  • What extensions do attackers use to craft payloads for email attacks?
  • What version of this adds digital signatures and public key cryptography to these extensions?
  • What is the difference between an exploit and an attachment?
  • What is it called when attackers will type a friendly looking URL to try and get people to click on it, but it goes somewhere other than what the text says? How can you get around this?
  1. SPF (Sender Policy Framework): DNS record identifies hosts authorized to send mail for the domain, with only one SPF statement being allowed per domain. While you can only have one SPF statement, you can authorize multiple servers in that statement.
  2. DKIM (DomainKeys Identified Mail): provides a cryptographic authentication mechanism for mail utilizing a public key published as a DNS record. It can replace or supplement SPF. When you send an email, your MTA calculates a hash value of the message headers, then signs the hash with its private key. It's like a digital signature for emails, but it verifies that the server sent the message, not that the individual person sent the message.
  3. DMARC (Domain-Based Message Authentication, Reporting, and Conformance): framework for ensuring proper application of SPF and DKIM utilizing a policy published as a DNS record. It can use either SPF or DKIM, or even both. It spe -
    • What are three authentication methods you can use to configure your servers to help prevent email spoofing attacks?
  • Cousin Domains: this is a DNS domain that looks similar to another name when rendered by a MUA (Mail User Agent). For example, if the legit address is "diontraining.com", a cousin domain could be "diontraiMing.com" (swapped the N for an M) or "diontraning.com" (dropped the first I in Training). -
    • What is a problem which may not be solved by SPF, DKIM, or DMARC?
  • Code 220: indicates the server is ready
  • Code 250: indicates the message is accepted. If you send a message to an SMTP server, it will send this back
  • Code 421: indicates the service is not available. You can get this if the server is down or turned off when you try to send an email
  • Code 450: indicates that the server cannot access the mailbox to deliver the message. Can happen if it lacks permissions or if the mailbox doesn't exist due to a typo.
  • Code 451: indicates the local server aborted the action due to a processing error.
  • Code 452: indicates the local server has insufficient storage space available -
    • What are codes you should know for SMTP email log analysis?
  1. Splunk: market-leading big data information gathering and analysis tool. Can import machine-generated data via a connector or visibility add-on. Very good at connecting different data systems. Has a user-friendly dashboard UI and can be installed locally or in the cloud.
  2. ELK/Elastic Stack: collection of free and open-source SIEM tools that provides storage, search, and analysis functions. Is made up of four parts. Local install or cloud-based
  3. ArcSight: a SIEM log management and analytics software that can be used for compliance reporting for legislation and regulations such as SOX, HIPAA, and PCI DSS. Has a UI dashboard
  4. QRadar: a SIEM log management, analytics, and compliance reporting platform created by IBM. Also has a dashboard.
  5. AlienVault and OSSIM (Open-Source Security Information Management): a SIEM solution originally developed by AlienVault, now owned by AT&T and rebranded as AT&T Cybersecuri -