Pass Your CompTIA CySA+ CS0-002 Exam Easy!

CompTIA CS0-002 CompTIA CySA+ Certification Exam (CS0-002) exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. CompTIA CS0-002 CompTIA CySA+ Certification Exam (CS0-002) exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the CompTIA CySA+ CS0-002 certification exam dumps & CompTIA CySA+ CS0-002 practice test questions in vce format.

Threat Hunting

1. Threat Hunting (Introduction)

In this section of the course, we're going to cover threat hunting. Now, our focus in this section is going to continue to be on domain one and objectives one and two. And we'll also begin to discuss Domain Three. Objective three: Objective One states that you have to be able to explain the importance of threat data and intelligence. Objectives one and two state that given a scenario, you have to be able to utilise threat intelligence to support organisational security. Now, objective number three is a new one for us. This states that you have to be able to explain the importance of proactive threat hunting. As we move through this section, we're going to start off by describing the key factors used in threat modeling, such as the adversary capability, the total attack surface, the attack vector, the impact, and the likelihood of this attack occurring against a given system or network. Then we're going to discuss the importance of threat hunting and how it should be performed inside our organizations. After that, we'll start our coverage of various sources of open source intelligence. This includes things like Google hacking, Showdown, email and social media profiling, and DNS and website harvesting techniques. You're going to be amazed at just how much information is out there and available for us to collect and analyse as we start to experiment with these techniques inside of open source intelligence.

2. Threat Modeling (OBJ 1.2)

As a cyber security analyst, it's your responsibility to understand the risks to an enterprise and its information technology systems. Now, you must always analyse the systems to understand how they support the business workflow and how the confidentiality, integrity, and availability of these systems could be threatened by an attacker. You need to be thinking about a few things when trying to determine what level of risk exists. For instance, how can an attack be performed? For example, can this attack be performed against your current network in its current situation and security status? And are the assets even accessible to the outside world? How about the potential impact on the confidentiality, integrity, and availability of the data? When you're putting things in place to protect the confidentiality, integrity, and reliability of the data, you're going to do that based on the potential impact. Also, you need to consider how likely it is that the risk will actually occur. How exploitable is this flaw? How bad is this vulnerability? Is this just something theoretical? Or is there a working exploit out in the wild that people are using every day? This is going to determine how likely this thing is to occur. Finally, you need to think about what mitigations you already have in place. For example, if you have some mitigations in place that will prevent a certain vulnerability from being exploited, then that vulnerability is effectively mitigated and controlled, and you don't have to worry as much about it when you're doing these types of things. You also need to think about how long it takes to put additional controls in place to help bring those mitigations up if needed and whether adding additional protections is even going to be cost-effective for you. To help you do all of this, we use a concept known as threat modeling. Threat modelling is the process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an application, a network, or other systems. When you're evaluating the system, you need to do it both from an inside-out perspective and an outside-in perspective. That means you need to consider both the defender's point of view and the attacker's point of view. By doing this, you can start seeing where your systems are vulnerable and what type of mitigations you need to put in place. Threat modelling can be used against your corporate networks in general at a large scale, or you can look at specific targets like a certain website or an application that you're deploying. Both of these are very important to do. Now, when you do threat modeling, this is a cooperative area. You need to get input from a variety of stakeholders. You need to have your cybersecurity experts there with their knowledge on the relevant threat intelligence and research, as well as non-experts such as the users and customers, the people from the business side, human resources, legal, and other areas of your business. By working together, we can best model the threat and understand the likelihood and impact if something bad happens. When you're conducting threat modeling, there are three main areas you need to consider. You need to think about the adversary capability, the attack surface, and the attack vector. When we talk about an adversary's capability, we're talking about a formal classification of the resources and expertise available to that particular threat actor. For example, do they use acquired and augmented tools, which means they're basically using commodity malware and open source tools and techniques? Or do they have a developed skill? If they have a developed capability, this means they can identify and exploit zero-day vulnerabilities and deploy significant human and financial resources to attack planning and execution. Maybe they're advanced. This means they can exploit things like supply chains and introduce vulnerabilities way back in the cycle where you won't even know they're there inside your systems. This is especially true when you're dealing with a nation-state because they use an integrated approach where they're using cyber and non-cyber methods to achieve their goals. The second area we have to consider is our attack surface. Now, the attack surface is the point at which a networked application receives external connections, inputs, and outputs that are potential vectors to be exploited by a thread actor. Every network has some form of attack surface out there, and you have to determine what it is for your network. For example, when you go to my website to access your course, there is an attack surface there because you're accessing our servers and our network through your web browser. And that means we could be attacked using that as part of your attack vector going in through that attack surface. Now, to determine your attack surface, you have to inventory your assets and figure out what's on your network. Because if you know what's there, you can then defend what's there. Now, there are three areas that you should consider when you're doing your threat modeling. In terms of attack surface, you need to think about the network holistically. This would be things like the switches, the routers, the computers—all those things that make up your corporate data network. The second area is any websites or cloud services you have, because these are all things that could be attacked by an end user, either through the web, front end, or programmatically through an API. The third area is any custom software applications you may have if you have some sort of form or control on the user interface or if you have some kind of software that has been deployed that uses an API or file or data imports, all of which introduce vulnerabilities to the host and the platform. As a result, you must consider these custom applications as you consider the various locations because they are part of your total attack surface. Now, the third main area you have to consider is your attack vector. Now an attack vector is a specific path by which a hacker gains unauthorised access to a system. Now an attack vector can be one of three things. It could be cyber, which means you're using hardware or software against an information technology system. It can be human, which means you're using social engineering to conduct your attack through coercion, impersonation, or even force. Or it can be physical, which means you're trying to take over local access by being on premise and touching the thing to do your attack. These are the three ways that you can think about attack vectors: either cyber, human, or physical. So now that we've talked about the three main areas of threat modeling, which consist of the adversary capability, the attack surface, and the attack vector, we need to think about the likelihood and the impact that are involved with some kind of attack. Remember, there are thousands or even millions of threat actors and adversary groups out there. Some of them are script kiddies, and they have very low capabilities, and some are nation states and APTs, and they have very high capabilities. Depending on who you're dealing with, you're going to have a larger impact or a smaller impact, and you're going to be more or less likely to have an attack. All this comes down to risk, and risk is assessed by factoring in the likelihood of an event and the impact of that event. When I talk about likelihood, this is the chance of a threat being realized, which is usually going to be expressed as a percentage. For instance, if I have a nation-state trying to go after my company, the chances are that they have a high likelihood of being able to break in. They probably have an 80 or 90% chance because they have such sophistication and have access to zero-day exploits and other things like that. Now, on the other hand, if we consider the impact, this is going to be the cost of a security incident or disaster scenario, which is usually going to be expressed in dollars. So let's say I had some sort of event that happened, and it was something like it was going to take my server down for five minutes. What is the impact of that? Well, it probably has a very small cost for me because if my server is down for five minutes, you as a student will probably just try to come back in five minutes and then make your purchase. So we had very little or no impact financially. Now, on the other hand, if I were a credit card processing agency processing all of the world's credit card transactions like Visa or Mastercard and you took me down for five minutes, that's going to cost me thousands or hundreds of thousands of dollars in processing fees that we're not able to take because the cards aren't going to be working. So there'll be a much higher impact if they're down for five minutes than if I'm down for five minutes. So it all comes down to whether a risk exists and how risk can be calculated. And again, this comes down to your likelihood and your impact. And we use these percentages and these dollar amounts to come up with some final calculations. Now, when we talk about risk later on in this course, we're going to determine your actual threat's annual rate of occurrence, the ARO, and how much it really does cost you if this incident happens. But for now, I just want to cover the basic concepts of the fact that we have to consider our likelihood and impact as we do our threat modeling.

3. Threat Hunting (OBJ 3.3)

Threat hunting. What is threat hunting? Well, threat hunting is a cyber-security technique that's designed to detect the presence of threats that have not been discovered by normal security monitoring. Essentially, threat hunting is proactive as opposed to being reactive, like you are, with an incident response. The idea here is that we are going out and hunting, or looking for those threats within our network, instead of waiting for them to attack. Now, when you're doing a penetration test, oftentimes you're trying to break into your system to demonstrate a weakness. But with threat hunting, we're not doing that. Instead, we're trying to analyse data within the systems we already have. So because of this, threat hunting is potentially less disruptive than a penetration test. To do threat hunting, we start out by establishing a hypothesis. Now, when we establish a hypothesis, we're going to derive that from the threat modelling we've done. And it's going to be based on potential events with a higher likelihood and higher impact if they were to occur. So essentially, we're going to sit around and we're going to think about who might want to harm us, who might want to break into our networks, and how they might be able to do that. And by going through our threat intelligence, we can create a good hypothesis about what type of campaign or what type of adversary group might want to do us harm. Then we're going to move into profiling threat actors and activities. At this point, we're really going to be relying on that threat intelligence. We're going to start creating scenarios that show how a perspective attacker might attempt an intrusion and what their objectives might be. Again, we're going to sit back and think to ourselves, what TTPs might they use? Who wants to harm us? Are they an insider, a hacktivist, a nation state, or an AP? And based on that, we're going to start determining what their objectives might be and what systems they might be going after. At that point, we're going to start our threat hunting, and we're going to use different tactics to do this. Now, remember, threat hunting is going to rely on the use of tools developed for regular security monitoring and incident response. We're going to be analysing logs, process information, and file system and registry changes from all the different hosts. Generally, all that information is going to be consolidated for us inside a seam. By being inside a security information and event management system, we're going to be able to correlate that data quicker and do better threat hunting, instead of having to go to each of those systems individually. Now, one of the keys to remember with threat hunting is that we have to assume that the existing rules have failed when we're threat hunting. And what I mean by that is that you already have monitoring systems in place that are detecting and monitoring things across your networks. And if they were working properly, you'd already have found this bad guy. So when we do threat hunting, we look for things that aren't being detected, things that have gotten around the rules, and things where the query isn't returning the data we expected it to. That is, after all, the crux of threat hunting. These tactics are developed around the awareness that the adversary is smart and has good tactics to try to avoid detection. And now we're going out and trying to detect them anyway. So that's the thing you have to remember when you're doing threat hunting: that it is challenging and very difficult, but it is worth it. Let's take a quick example here. Let's say that we had threat intelligence that told us that Windows desktops and a lot of different companies have been infected with a new type of malware that's out there, and there are not any current malware definitions for it. Well, we can start threat hunting based on that threat information. What might we do? We might start with analysing network traffic to determine if there's any outgoing traffic to some sort of suspicious domain or some kind of C2 server. Based on our threat research and reputational databases that we talked about previously, this will give us a list of different hosts that we might want to investigate further because they're the ones sending that traffic there. Then when we look at those hosts, we might analyse the executable process list on those hosts, seeing what programmes and services are being run and which ones were opening that network connection. Were these valid connections, or is this something that's suspicious? That needs to be investigated further. If it is, we're going to move on to analysing other infected hosts. And as we look at all these different infected hosts, we can start to see if there are any similarities between them. Are they all running the same malicious process, or are they using different things to avoid detection? And then finally, we might start identifying the method by which that malicious process on those different hosts was actually executed. What allowed it to start up? Is there a way we can block the attack vector against future compromises? Maybe we can move to a whitelisting system, or we can blacklist that vulnerable application until a patch has been developed. All of these are things to consider as we go through the threat hunting process. And so that's the idea of threat hunting, as we take this needle in a haystack based on the information we have and how we can better protect our systems and try to find the bad guy if they made it in through our automated defences by using additional tactical-level resources. Now, one of the big things you have to remember with threat hunting is that it does consume a lot of resources and a lot of time for you to conduct it, but it can give you a lot of great benefits. For instance, it can help you improve your detection capabilities. Because when a threat hunter finds a way that these bad guys have gotten in and bypassed your detection, you can then feed that back into the detection plan so you can rewrite the rule sets, you can rewrite the detection algorithms, and you can make sure that you use additional scripting and customizations to detect things more accurately. This way, your results from threat hunting can be used to improve your signature-based detection and prevent future infections. Another thing you can do is have it integrated with your intelligence. Threat hunting is a great use case for correlating that external threat intelligence you've been getting with what you're seeing in your internal logs and other sources. By putting those two things together, you now have actionable intelligence. The third benefit you can get is that your attack surface area will be smaller. The benefit here is that as you're doing your threat hunting, you're able to identify the entire attack surface and where a bad guy may have gotten into your network. Based on that, you can go back and reduce that attack surface. This can also help you block attack vectors because you now understand the various attack vectors and TTPs used by that bad guy. And you can then add additional security controls to try to block those different ports or interfaces and prevent them from getting into your network. And finally, it's going to help you identify critical assets. This is really important because as you're doing your threat hunting, you're going to start seeing what things people tend to go after, and you're going to end up figuring out what are the best defensive options for those critical systems and data assets. One of the things we tend to do is bundle those assets together with a certain layer of security controls around those important assets to improve the monitoring and prevention capabilities around them even further. Because we see that they are continually going after those targets, we want to make them an even harder target for the adversary to get into.

4. Open-source Intelligence (OBJ 1.1)

open source intelligence, or OCENT. What is OS? OS is the ability to use publicly available information, plus the tools used to aggregate and search that information. Now, there are a lot of different ways to collect open-source intelligence out there. Now, many companies and individuals work for organisations that have a tonne of information published on the Internet about them. For instance, my small little company has a lot of information about us. You can go online to the Web or social media sites and find lots of information about us. This is all open source intelligence. And if you're trying to target and attack us, you could use this to cyber-stalk us and determine all sorts of information about us using things like Google, Bing, DuckDuckGo, and many other tools out there all over the web to collect this data and build a whole dossier on me or my company. Now, attackers use OSINT all the time because OSINT can allow an attacker to develop a number of strategies for compromising a target. For instance, if you're an attacker, you might find an employee that works for a company on a dating website and strike up a conversation with them, get them interested in you, and then start asking them for details about their company's security procedures. Maybe this is a great way to start getting information out of them using social engineering. Or you might put them in a compromising situation and then use that for blackmail or entrapment. There are lots of different ways that Osink can be used in the real world as an attacker going after people in your company. So it's something to keep in mind. Now, when we talk about OS, what are some of the sources of OS?Well, we have publicly available information. This is information that any attacker can harvest from public repositories or Web searches. For instance, if you wanted to find my company's physical address, you could Google that and figure out where we are in San Juan, Puerto Rico. This data is publicly available. Also, you can use social media. Social media is great because you can go on Facebook or LinkedIn and start friending and liking people, making a connection, and then use that for additional attacks such as social engineering. You might also use HTML code. If you search the HTML code of an organization's Web page, you can find lots of information in there, like IP addresses, names of web servers, what operating system version they're using, and what file paths. There are names of people who work there as developers, admins, and all sorts of other stuff. Again, by looking through code, you can find a lot of information about an organization, their capabilities, their practices, and their security posture. And finally, you can also look at metadata, because metadata is open-source intelligence. If you publish a Word document or an Excel spreadsheet to your website, there's metadata inside of that. And by going through that metadata, we can start collecting a lot of information and start fingerprinting you and understanding exactly what documents belong to your company as we do a wider search across the Internet. Now, one quick tip about OC for the Cyst Plus exam. On the older version of the Cyst Plus exam, they actually asked you to do a lot more with OS and be able to search for information on your own company. But in version two of the exam, that doesn't exist anymore. Instead, when they talk about Ocean, they're referring specifically to open source threat data and intelligence sources, and it's not going to be focused on your ability to actually conduct Ocin. Now. in this course. We'll do a little bit of Ocean and play around in that reconnaissance world as we go through and learn about Google hacking, search tools, and things like Show Dan. This is all good information for a cyber security analyst to know and understand in the real world. But you won't have to know it in depth for the exam.

5. Google Hacking (OBJ 1.1)

Google Hacking. Now when I talk about Google hacking, I'm not talking about hacking Google servers. That's not really what we mean here, and this often gets students confused. Google hacking is a form of open-source intelligence. It's an open source intelligence agent technique that uses Google search operators to locate vulnerable web servers and applications. Basically, we can do advanced searches using Google to find all sorts of information because Google is one of the best search engines out there. Now there are lots of different things that we can do when we're doing these advanced operations. Quotes, notand, and scope and URL modifiers are all options. Let's talk about each of these really quickly. First we have quotes. When you use double quotes, you get to specify the exact phrase and make a search much more precise. For example, if I wanted to have the word "Jason" and "Dion," if I just typed them into the Google search with "Jason Space Deon," you're going to end up finding everything that relates to Jason, Dion, or both. But if you put "quote Jason Dion" and "quote," you're only going to find words that have Jason Dion together like that. And that's kind of a silly example. But you can see how this could be very useful as you're trying to narrow down the results for a specific phrase or term that you're looking for. The next thing we want to talk about is the operator. The not operator now uses the minus sign in front of a word or quoted phrase to remove it from your search results so you don't see it. For example, if I wanted to find all ofthe examples of cyst but I didn't want anythingfrom Dion training, I could type in cypace Diontraining and that will give me all the cysresults without any of the Dion training results. The next thing we want to talk about is and Ors.These are logical operators, and they're used to require both search terms if you use the and or either search term if you use the or, much like I said, "Jason Dion in quotes gave me Jason and Dion." That would give it to me if they were right next to each other. But what if I wanted every result out there that had Jason and Deon in it, but I didn't want them necessarily together? For instance, maybe I wanted Jason's middle name to be Deon or something like that. So I could just put Jasonthe and a symbol before Dion. Or if I wanted to use the or and getJSON or Deon, I could use Jason for or and then Dion, or I could use the pipe character, the upanddown, which is also the character for or. The next advanced search term we want to talk about is defining your scope. Now you can have different keywords that are used to select the scope of the search, like site, file type related, all in title, all in URL, or all in anchor. Based on these, you'll put in the word like filetype, a colon, and then the file type you want. For example, if I wanted to search for just PDF files, I could type file type, colon, PDF, and then whatever my search term was, and I would get only results that had PDFs containing that search term. Lastly, we can use a URL modifier. Now these modifiers can be added to the results page to affect your results. These are things like and PWS equals zero, which means don't give me personalised results; and filter equals zero, which says don't filter the results; or TBS equals li, which says do not auto-correct my search terms; search for it exactly as I typed it. All of these are different ways to modify your URL. Now another thing we need to talk about when we talk about search hacking and Google hacking is the Google Hacking Database, or GHDB. Now the Google Hacking Database provides a database of different search strings that you can use that are already optimised for locating vulnerable websites and services. This site is maintained by offensive security, and it contains an entire database of different searchstrings that you can use that are prerun. We like to call these Google dorks. You can see here on the screen a couple of examples, and notice they're basically giving you information that you can use. For example, if you have an entitle WebView login for Alcatel Lucent, that could be something to identify Alcatel Lucent switches and routers that have an online login page. Or maybe we have something like entitleindex in the WP security audit log. That may be something that provides us with interesting results if we're a penetration tester or a bad actor. So let's put all this information together with a quick example. Here on the screen, you can see a Google search that I'm running using some of these advanced characteristics. For example, you see Google.com search and then this big, long list. Let's break those down individually, one at a time. First we have the file type. The file type is one of those advanced operators that said I was only looking for this type of file. And then you see percent three Axls, which tells me percent three A is the colon but written in this format. And then XLS says, I want an Excel spreadsheet file, so whatever I'm searching for, it better come back as a spreadsheet." Next you see I have the word "password." That's what I'm searching for. This is my search term. Then you notice I have a website. This is the next modifier. I only want to find things at a particular website. And then again I have percentthree colondontraining.com is a deontraining.com. So, if I put all of this together, it tells me to look for any files with the file type XLS, an Excel spreadsheet, that contain the password and are hosted on the site deiontraining.com. Now, if you run this search, you're going to come back with zero results, and that's a good thing. It means I and my staff are not hosting any Excel spreadsheets with the word password on our website. But again, this is a silly example to show you how you can break down these different things. Now, as a cybersecurity analyst, do you need to know how to do this? Well, yes and no. You don't necessarily need to be able to create these yourself because you're not trying to attack somebody; you're not trying to find out information about them. But if you see these types of things in your proxy logs, you should be able to know what that insider is trying to do and what they're searching for because you could be held responsible as a company for their operations. The next area we want to talk about is Shodan. Now, Shodan is found at Showdown IO, and it is a search engine that's optimised for identifying vulnerable Internet-attached devices. Basically, Shodan is a website that allows you to do a search for all sorts of different devices out there. They can search for things like thermostats and webcams, ICS and SCADA devices, and any other kind of device that's out there. And the way they do this is they go out routinely and they start scanning the entire Internet, and they conduct banner grabbing to identify the types of devices, the firmware, the operating system, and the applications that are in use. And if those are vulnerable, we now have a starting point from which to attack people. Now, again, we're not pen testers and we're not hackers, so we're not going to be using it in that manner. But as a cybersecurity analyst, you could go on Showdown and start searching across your devices to see if any of yours have been found to be vulnerable, such as your IP addresses, your host names, your geographic location, or any of your different devices that are connected to the Internet. Again, when you have an Internet of things, these are vulnerable, and Showdown is one of the ways to find those vulnerabilities. Now, let me give you a couple of quick exam tips. When it comes to the exam, what do you need to know from this lesson? Well, as a cybersecurity analyst, you do not need to put these queries together yourself. But if I give you a search string like that Google search I gave you earlier, you should be able to read that and then pick the results you would expect based on that. This is just a basic level of analysis that you should be able to do. If you're going through a proxy log and you see somebody doing a Google search

Go to testing centre with ease on our mind when you use CompTIA CySA+ CS0-002 vce exam dumps, practice test questions and answers. CompTIA CS0-002 CompTIA CySA+ Certification Exam (CS0-002) certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using CompTIA CySA+ CS0-002 exam dumps & practice test questions and answers vce from ExamCollection.