DiPiazza

Where I break stuff, then write about it.

CompTIA CySA+ (CS0-003) Study Notes

Comprehensive study guide for the Cybersecurity Analyst certification

Domain 1: Security Operations (33%)

Logging & Monitoring

  • Log ingestion: Collecting/processing log data into centralized platform (SIEM).
  • Time synchronization: NTP keeps clocks in sync across systems so events from different logs can be correlated.
  • Logging levels: DEBUG, INFO, WARNING, ERROR, CRITICAL for filtering.

Operating System Concepts

  • Windows Registry: Hierarchical DB storing configs; malware target.
  • System hardening: Reduce attack surface (disable services, patches).
  • Config locations: Linux: /etc, ~/.config | Windows: C:\ProgramData, AppData
  • System processes: Background programs; monitor for anomalies.

Infrastructure

  • Serverless: Cloud provider manages infrastructure (AWS Lambda).
  • Virtualization: Multiple VMs on one host (VMware, Hyper-V).
  • Containerization: Isolated app units (Docker).

Network Architecture

  • On-premises/Cloud/Hybrid: Physical site / Off-site / Mix.
  • Network segmentation: Divide into zones for security.
  • Zero Trust: No default trust; verify all access.
  • SASE: Cloud networking + security (SD-WAN + CASB + FWaaS).
  • SDN: Decoupled control/data planes.

Identity & Access Management

  • MFA: 2+ auth factors. SSO: One login, multiple systems.
  • Federation: Cross-org trust. PAM: Control elevated accounts.
  • Passwordless: Biometrics/tokens. CASB: Cloud security enforcement.

Encryption & Data Protection

  • PKI: Key management via certificates. SSL inspection: Decrypt/inspect traffic.
  • DLP: Prevent unauthorized data transfer.
  • PII: Names, SSNs (special handling). CHD: Card data (PCI-DSS).

Network Indicators

  • Bandwidth consumption: Excessive use (exfiltration). Beaconing: C2 comms.
  • Irregular P2P: Unauthorized connections. Rogue devices: Unapproved on network.
  • Scans/sweeps: Port probing. Traffic spikes: DoS/breach. Unexpected ports.

Host Indicators

  • Resource consumption: CPU/memory/disk. Unauthorized software/changes/privileges.
  • Malicious processes: Keyloggers, backdoors. Data exfiltration.
  • Abnormal OS behavior. File system/registry anomalies. Unauthorized scheduled tasks.

Application Indicators & Social Engineering

  • Anomalous activity. New accounts (backdoors). Unexpected output/comms.
  • Service interruption. Application logs.
  • Social engineering: Phishing, pretexting. Obfuscated links.

Security Tools

  • Packet analysis: Wireshark (GUI), tcpdump (CLI).
  • Log analysis: SIEM (centralize), SOAR (automate).
  • Endpoint: EDR (CrowdStrike).
  • Reputation: WHOIS, AbuseIPDB.
  • File analysis: Strings, VirusTotal.
  • Sandbox: Joe, Cuckoo.

Analysis Techniques

Pattern: C2 beaconing | Commands: sudo, encoded PowerShell
Email: Header analysis, DKIM/DMARC/SPF, impersonation, embedded links
File: SHA-256/MD5 hashing | Behavior: Abnormal activity, impossible travel
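Two of the analysis techniques listed above (beaconing pattern detection and impossible travel) in working form, as an added example that is not part of the original notes. The log layouts, the 0.1 coefficient-of-variation cut-off and the 1000 km/h speed cut-off are assumptions chosen for the demo; the records are constructed.

```python
"""Added example (not part of the original notes): flagging C2-style beaconing
and impossible travel over constructed log records. Field layouts, the
0.1 coefficient-of-variation cut-off and the 1000 km/h cut-off are assumptions."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

# Constructed outbound-connection log: (timestamp, source host, destination IP).
# 203.0.113.5 is contacted roughly every 60 s; 198.51.100.9 is irregular browsing.
CONN_LOG = [
    ("2024-03-01T09:00:00", "ws-17", "203.0.113.5"),
    ("2024-03-01T09:01:01", "ws-17", "203.0.113.5"),
    ("2024-03-01T09:01:59", "ws-17", "203.0.113.5"),
    ("2024-03-01T09:03:00", "ws-17", "203.0.113.5"),
    ("2024-03-01T09:04:02", "ws-17", "203.0.113.5"),
    ("2024-03-01T09:00:10", "ws-17", "198.51.100.9"),
    ("2024-03-01T09:00:14", "ws-17", "198.51.100.9"),
    ("2024-03-01T09:07:40", "ws-17", "198.51.100.9"),
    ("2024-03-01T09:31:05", "ws-17", "198.51.100.9"),
]

# Constructed authentication log: (timestamp, user, latitude, longitude).
AUTH_LOG = [
    ("2024-03-01T09:00:00", "alice", 40.7128, -74.0060),   # New York
    ("2024-03-01T10:30:00", "alice", -33.8688, 151.2093),  # Sydney, 90 min later
    ("2024-03-01T09:00:00", "bob", 40.7128, -74.0060),     # New York
    ("2024-03-01T12:00:00", "bob", 42.3601, -71.0589),     # Boston, 3 h later
]


def find_beacons(log, min_conns=4, max_cv=0.1):
    """Return (src, dst, mean_interval_s, cv) for host/destination pairs whose
    connection intervals are suspiciously regular. A low coefficient of
    variation (stdev / mean) means near-constant timing, the signature of a
    scheduled check-in rather than a person browsing."""
    by_pair = defaultdict(list)
    for ts, src, dst in log:
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append((src, dst, avg, cv))
    return hits


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_impossible_travel(log, max_kmh=1000.0):
    """Return (user, speed_kmh) for consecutive logins of one user that would
    require moving faster than max_kmh: a hint that the account is shared,
    proxied, or compromised."""
    by_user = defaultdict(list)
    for ts, user, lat, lon in log:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            if hours <= 0:
                continue
            speed = haversine_km(la1, lo1, la2, lo2) / hours
            if speed > max_kmh:
                hits.append((user, speed))
    return hits


if __name__ == "__main__":
    for src, dst, avg, cv in find_beacons(CONN_LOG):
        print(f"beacon candidate: {src} -> {dst} every {avg:.0f}s (cv={cv:.3f})")
    for user, speed in find_impossible_travel(AUTH_LOG):
        print(f"impossible travel: {user} at {speed:.0f} km/h")
```

On real data the beaconing check is run per host/destination pair over a sliding window, and jittered implants raise the coefficient of variation, so the cut-off is something to tune against known-good traffic rather than a fixed number.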

Programming & Scripting

  • JSON/XML: Data formats. Python: Automation. PowerShell: Windows (abused).
  • Shell script: Bash. Regex: Pattern matching.

Threat Actors & TTPs

  • APT: Sophisticated/prolonged. Nation-state: Gov espionage. Organized crime: Ransomware.
  • Hacktivists: Political. Script kiddie: Unskilled. Insider: Intentional/unintentional.
  • Supply chain. TTP: Tactics, Techniques, Procedures.
  • Confidence: Timeliness, Relevancy, Accuracy.

Threat Intel Sources & Hunting

Open: Social media, blogs, gov bulletins, CERT/CSIRT, dark web
Closed: Paid feeds, ISACs, internal
Hunting: IoC collection/analysis/application. Focus: misconfigs, isolated networks, critical assets.
Active defense: Deception, disruption. Honeypot: Decoy system.

Automation & Efficiency

Standardize: Identify repeatable tasks, team coordination
Streamline: SOAR, data enrichment, combining threat feeds, minimizing human engagement
Integration: API, webhooks, plugins | Single pane of glass

Domain 2: Vulnerability Management (30%)

Asset Discovery & Considerations

  • Map scans: Identify devices/ports. Device fingerprinting: ID via traffic.
  • Considerations: Scheduling (non-peak), operations (coordinate), performance, sensitivity, segmentation, regulatory (PCI DSS, HIPAA).

Scanning Types & Techniques

  • Internal/External. Agent/Agentless. Credentialed/Non-credentialed.
  • Passive/Active. Static/Dynamic.
  • Reverse engineering: Analyze design. Fuzzing: Malformed data for flaws.
  • OT/ICS/SCADA: Industrial control systems.

Frameworks

  • Security baseline: Check against benchmarks.
  • PCI DSS: Card data. CIS: Config best practices. OWASP: Web app. ISO 27000: InfoSec mgmt.

Assessment Tools

Network: Angry IP, Maltego, Nmap | Web: Burp, ZAP, Arachni, Nikto
Vuln scanners: Nessus, OpenVAS | Debuggers: Immunity, GDB
Multipurpose: Metasploit, Recon-ng | Cloud: Scout Suite, Prowler, Pacu

CVSS & Prioritization

  • CVSS: Attack vector/complexity, privileges, user interaction, scope, impact (CIA).
  • Validation: True/false positives/negatives.
  • Context: Internal/external/isolated. Exploitability/weaponization.
  • Asset value. Zero-day: No vendor knowledge/patch.

Common Vulnerabilities

  • XSS: Reflected/persistent. Overflow: Buffer/integer/heap/stack.
  • Data poisoning. Broken access control. Cryptographic failures. Injection flaws.
  • CSRF. Directory traversal. Insecure design. Security misconfiguration.
  • EOL components. Auth failures. SSRF. RCE. Privilege escalation. LFI/RFI.

Response & Management

Compensating control: Alternative when ideal unavailable
Control types: Managerial/Operational/Technical, Preventative/Detective/Responsive/Corrective
Risk: Accept/Transfer/Avoid/Mitigate | Patching: Test→Implement→Rollback→Validate
Attack surface mgmt: Edge/passive discovery, pentesting, bug bounty
Secure coding: Input validation, output encoding, parameterized queries, session mgmt
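The secure-coding controls in the line above, shown side by side in working code as an added example (not from the original notes): an allowlist regex for input validation, the string-built query beside its parameterized form, HTML output encoding, and an unpredictable session token. The table schema, user names and allowlist pattern are assumptions made for the demo.

```python
"""Added example (not from the original notes): input validation, parameterized
queries, output encoding and session-token generation in working form. The
schema, user names and the allowlist regex are assumptions for the demo."""
import html
import re
import secrets
import sqlite3

# Input validation: an allowlist for the only username shape the app accepts.
# Anything else is rejected before a query is ever built.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9'._-]{0,31}$")


def validate_username(name):
    """True if the name matches the allowlist; no SQL involved at this stage."""
    return bool(USERNAME_RE.fullmatch(name))


def build_demo_db():
    """Constructed in-memory user table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "analyst"), ("o'brien", "analyst")])
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the value is pasted into the SQL text, so a quote in
    the input changes the statement instead of being treated as data. Even a
    legitimate name like o'brien breaks it."""
    sql = f"SELECT username, role FROM users WHERE username = '{name}'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, name):
    """Hardened pattern: a parameterized query. The driver sends the value
    separately from the statement, so quotes stay inside the value."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (name,)).fetchone()


def render_greeting(name):
    """Output encoding: escape before the value reaches an HTML page so
    characters like <, > and ' cannot start markup (XSS mitigation)."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def new_session_id():
    """Session management: a token from a CSPRNG, not a counter or timestamp."""
    return secrets.token_urlsafe(32)


def run_demo(name="o'brien"):
    """Run the controls on one input and report what happened to each."""
    conn = build_demo_db()
    try:
        unsafe_result, unsafe_failed = lookup_unsafe(conn, name), False
    except sqlite3.OperationalError:
        unsafe_result, unsafe_failed = None, True
    return {
        "valid": validate_username(name),
        "unsafe_failed": unsafe_failed,
        "unsafe_result": unsafe_result,
        "safe_result": lookup_safe(conn, name),
        "rendered": render_greeting(name),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the apostrophe in o'brien is that the string-built query fails on ordinary data, not only on hostile data; the parameterized version handles both identically because the value never becomes part of the SQL grammar.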

Domain 3: Incident Response & Management (20%)

Attack Methodology Frameworks

  • Cyber Kill Chain: Recon → Weaponization → Delivery → Exploitation → Installation → C2 → Actions.
  • Diamond Model: Adversary, Infrastructure, Capability, Victim relationships.
  • MITRE ATT&CK: Knowledge base of adversary TTPs by attack phase.
  • OSSTMM: Peer-reviewed security testing methodology.
  • OWASP Testing Guide: Web app security testing (Top 10 vulns).

Detection & Analysis

  • IoC: Artifacts indicating breach (traffic, hashes, IPs, domains).
  • Evidence acquisition:
    • Chain of custody: Document who handled evidence.
    • Data integrity: Hashing to confirm no alteration.
    • Preservation: Store without modification.
    • Legal hold: Preserve for potential litigation.
  • Data/log analysis: Parse systems, network data, security tools.
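Evidence acquisition from the list above in working form, as an added example that is not part of the original notes: a chunked SHA-256 of the acquired file for data integrity, a chain-of-custody log in which every entry commits to the previous one so edits are visible, and a verification step that detects later modification. File names, handler names and the record layout are assumptions for the demo; the evidence file is constructed.

```python
"""Added example (not from the original notes): hash-based evidence integrity
and a tamper-evident chain-of-custody log. File names, handler names and the
record layout are assumptions for the demo."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images (disk/memory dumps) fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain of custody. Each entry carries the hash of the previous
    entry, so removing or editing any entry breaks the chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return sha256_bytes(json.dumps(body, sort_keys=True).encode())

    def add(self, action, path, handler, evidence_hash):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "path": path, "handler": handler,
            "sha256": evidence_hash, "prev": prev,
        }
        body["entry_hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def chain_intact(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_evidence(path, log):
    """Recompute the file hash and compare it with the acquisition record."""
    acquired = [e for e in log.entries if e["path"] == path and e["action"] == "acquired"]
    return bool(acquired) and sha256_file(path) == acquired[0]["sha256"]


def run_demo():
    """Acquire a constructed evidence file, verify it, then show that a later
    modification is caught. Returns (verified_before, verified_after, chain_ok)."""
    log = CustodyLog()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ws-17-memory.bin")   # constructed evidence file
        with open(path, "wb") as f:
            f.write(b"constructed memory image contents\n" * 1000)
        log.add("acquired", path, "analyst-1", sha256_file(path))
        before = verify_evidence(path, log)
        log.add("transferred", path, "analyst-2", sha256_file(path))
        with open(path, "ab") as f:                   # evidence is altered afterwards
            f.write(b"tampered\n")
        after = verify_evidence(path, log)
        return before, after, log.chain_intact()


if __name__ == "__main__":
    print(run_demo())   # expected: (True, False, True)
```

In practice the acquisition hash is also recorded out of band (on the custody form, in the case-management system) so that an attacker who can edit the evidence cannot simply re-hash it and update the log.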

Containment, Eradication, Recovery

  • Scope: Breadth (systems/users/data affected).
  • Impact: Severity and consequences (financial, data, downtime).
  • Isolation: Remove infected systems from network.
  • Remediation: Fix root issue (patches, config updates).
  • Re-imaging: Wipe and reinstall OS for clean recovery.
  • Compensating controls: Temporary measures while fixing.

Preparation

  • Incident response plan: Documented detect/respond/recover process.
  • Tools: SIEMs, EDRs, forensic software, sandboxes, ticketing.
  • Playbooks: Predefined workflows for common incidents.
  • Tabletop exercises: Simulated scenarios to test readiness.
  • Training: Keep staff aware of roles/tools/procedures.
  • BC/DR: Ensure critical functions continue or restore quickly.

Post-Incident Activity

  • Forensic analysis: In-depth investigation of how attack occurred.
  • Root cause analysis: Identify fundamental issue that allowed incident.
  • Lessons learned: Formal review of what went right/wrong, process improvements.

Domain 4: Reporting & Communication (17%)

Vulnerability Management Reporting

  • Vulnerabilities: Known security weaknesses (outdated software, misconfigs).
  • Affected hosts: Devices/systems impacted.
  • Risk score: Numeric value from exploitability/impact (CVSS).
  • Mitigation: Actions to reduce severity/likelihood.
  • Recurrence: Same vuln reappearing (patching issues).
  • Prioritization: Rank by risk, asset criticality, business impact.
  • Compliance reports: Prove alignment with regulations (PCI-DSS, HIPAA).

Action Plans & Inhibitors

Action Plans: Config mgmt, Patching, Compensating controls, Training, Changing business requirements
Inhibitors: MOU (agreements limit actions), SLA (uptime restrictions), Org governance, Business interruption, Degrading functionality, Legacy/proprietary systems

Metrics & KPIs

  • Trends: Patterns over time. Top 10: Most frequent/severe vulns.
  • Critical vulns & zero-days. SLOs: Specific targets (e.g., patch within 48hrs).
  • Stakeholder ID/communication: Tailor for technical vs executive audiences.

Incident Response Reporting

  • Executive summary: High-level overview for leadership.
  • Who/What/When/Where/Why: Essential facts.
  • Recommendations: Steps to prevent recurrence.
  • Timeline: Chronology from detection to recovery.
  • Impact: Data, services, operations, revenue affected.
  • Scope: Systems/departments involved.
  • Evidence: Logs, screenshots, memory dumps for forensics/legal.

Communications & Escalation

  • Stakeholders: IT, mgmt, legal, PR, compliance.
  • Incident declaration/escalation: Recognize event is incident, escalate properly.
  • Legal: Reports follow laws/policies.
  • PR: Customer communication, media management.
  • Regulatory reporting: GDPR, HIPAA requirements.
  • Law enforcement: Criminal activity cooperation.

Incident Metrics & Analysis

  • MTTD: Mean time to detect.
  • MTTR: Mean time to respond.
  • MTTM: Mean time to remediate.
  • Alert volume: Total alerts (workload/tuning metric).
  • Root cause analysis: Find original reason incident occurred.
  • Lessons learned: Post-incident review for improvements.
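The first four metrics above computed from incident records, as an added example that is not part of the original notes. The records are constructed, and the targets they are checked against are assumed values; MTTM is measured here from detection to remediation, which is also an assumption about how the metric is defined.

```python
"""Added example (not from the original notes): computing MTTD, MTTR, MTTM and
alert volume from constructed incident records and checking them against
assumed targets. MTTM is taken as detection -> remediation (assumption)."""
from datetime import datetime
from statistics import mean

# Constructed incident records: when the compromise occurred, when it was
# detected, when response began, when it was fully remediated, alerts raised.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T10:00",
     "responded": "2024-03-01T10:30", "remediated": "2024-03-02T10:00", "alerts": 12},
    {"id": "INC-2", "occurred": "2024-03-03T00:00", "detected": "2024-03-03T06:00",
     "responded": "2024-03-03T06:15", "remediated": "2024-03-03T18:00", "alerts": 3},
    {"id": "INC-3", "occurred": "2024-03-05T12:00", "detected": "2024-03-05T12:30",
     "responded": "2024-03-05T14:30", "remediated": "2024-03-06T12:30", "alerts": 40},
]


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return (t1 - t0).total_seconds() / 3600


def incident_metrics(incidents):
    """Return the mean-time metrics (in hours) and total alert volume."""
    detect = [hours_between(i["occurred"], i["detected"]) for i in incidents]
    respond = [hours_between(i["detected"], i["responded"]) for i in incidents]
    remediate = [hours_between(i["detected"], i["remediated"]) for i in incidents]
    return {
        "mttd_h": mean(detect),
        "mttr_h": mean(respond),
        "mttm_h": mean(remediate),
        "alert_volume": sum(i["alerts"] for i in incidents),
        "worst_detect": max(incidents, key=lambda i: hours_between(i["occurred"], i["detected"]))["id"],
    }


def check_targets(metrics, targets):
    """Names of metrics that exceed their target, for the report's exceptions list."""
    return [name for name, limit in targets.items() if metrics[name] > limit]


if __name__ == "__main__":
    m = incident_metrics(INCIDENTS)
    for name, value in m.items():
        print(f"{name}: {value if isinstance(value, str) else round(value, 2)}")
    # assumed targets for the demo
    print("over target:", check_targets(m, {"mttd_h": 4, "mttr_h": 1, "mttm_h": 12}))
```

Reporting the worst case next to the mean matters because a single long-undetected incident (INC-2 here, six hours) is hidden by an average that looks acceptable.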
