CySA+ Domain #1: Threat and vulnerability management
The Cybersecurity Analyst (CySA+) certification is an intermediate-level career credential administered by CompTIA (Computing Technology Industry Association). It focuses on the core cybersecurity skills necessary for professionals to apply behavioral analytics to networks, allowing them to identify and address threats such as malware and APTs that might elude technical tools like firewalls and anti-virus software.
Successful certification holders can prove they can apply threat detection techniques as well as analyze the output generated by automated vulnerability assessment tools in order to identify issues and swiftly correct vulnerabilities and address attacks.
The CySA+ certification has received ISO/ANSI 17024 accreditation, is approved by the U.S. Department of Defense to fulfill Directive 8570.01-M requirements, and is in high demand worldwide. It is suitable for professionals interested in information security, and in particular in technical and/or analysis-intensive roles. It can be particularly valuable for security analysts, security engineers, threat intelligence analysts and application security analysts, as well as compliance analysts and incident responders.
About the CySA+ exam
The CySA+ exam has recently been updated to address industry changes. According to CompTIA, it now covers the knowledge and skills required to leverage intelligence and threat detection techniques, analyze and interpret data, identify and address vulnerabilities, suggest preventive measures, and effectively respond to and recover from incidents.
The new Cybersecurity Analyst (CySA+) CS0-002 certification, which has been active since April 21, 2020, will enable you to stay current with new and evolving technologies, plus use threat detection tools to prevent, detect and combat cybersecurity threats.
The CySA+ exam has been updated to address the following domains:
- 1.0 Threat and vulnerability management (22%)
- 2.0 Software and systems security (18%)
- 3.0 Security operations and monitoring (25%)
- 4.0 Incident response (22%)
- 5.0 Compliance and assessment (13%)
Domain #1: Threat and vulnerability management (22%)
What can you expect from the first CySA+ domain? As per the CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives, candidates will need to be able to explain the importance of threat data and intelligence, utilize threat intelligence to support organizational security, perform vulnerability management activities, analyze the output from common vulnerability assessment tools, explain the threats and vulnerabilities associated with specialized technology and with operating in the cloud, and implement controls to mitigate attacks and software vulnerabilities.
In particular, the domain will address the following concepts:
Explain the importance of threat data and intelligence
In this section, candidates will be tested on topics such as where to gather intelligence, as well as indicator management standards such as STIX (a language and serialization format used to exchange cyber threat intelligence, CTI) and TAXII (an application protocol for exchanging CTI over HTTPS).
Other topics addressed range from threat classification (from APTs to the difference between known and unknown threats) to possible threat actors (hacktivists, nation-states, malicious hacker organizations), targets (sectors such as government, financial and healthcare) and the intelligence cycle with its phases: planning and requirements, collection, analysis, dissemination and feedback.
Given a scenario, utilize threat intelligence to support organizational security
This section covers attack frameworks such as the Diamond Model with its four features of an intrusion event (adversary, capability, infrastructure and victim), the MITRE ATT&CK knowledge base with its collection of cyber adversary tactics and techniques, and the Cyber Kill Chain, the phased approach to end-to-end cyber-attack detection and prevention created by Lockheed Martin scientists.
It also addresses threat research through behavioral indicators of compromise and the use of the Common Vulnerability Scoring System (CVSS), as well as threat modeling methodologies used to determine the risk posed by specific threats (total attack surface, adversary capability, etc.).
Given a scenario, perform vulnerability management activities
This section is about ways to identify vulnerabilities, distinguishing true and false positives and negatives, remediation through patching or hardening, risk acceptance, vulnerability management tools (IDS, IPS, firewalls) and the role of MOUs and SLAs, as well as the need to keep the business operating when evaluating the available remediation options.
Given a scenario, analyze the output from common vulnerability assessment tools
This section addresses an important part of the job of anyone tasked with the protection of systems: the analysis of the output produced by vulnerability assessment tools. Questions might cover web application scanners such as Nikto or Arachni, infrastructure scanners such as Nessus, enumeration through Nmap or hping, wireless assessment tools such as Reaver, and cloud assessment tools such as Prowler and Pacu. Important techniques such as reverse engineering, static and dynamic analysis, and fuzzing are also covered here.
Explain the threats and vulnerabilities associated with specialized technology
This section is important as it addresses vulnerabilities associated with the technologies most used today, from IoT to mobile devices. System-on-Chip (SoC) and real-time operating systems (RTOS) are also covered, as are process automation systems, SCADA and industrial control systems.
Explain the threats and vulnerabilities associated with operating in the cloud
This section goes into more detail about the threats associated with the growing use of cloud services. It covers concepts such as cloud service models (SaaS, PaaS, IaaS) and deployment models (public, private, hybrid), as well as serverless architecture, Infrastructure as Code (IaC), improper key management, unprotected storage, and insufficient logging and monitoring.
Given a scenario, implement controls to mitigate attacks and software vulnerabilities
This section covers knowledge of the attacks a professional might face. Questions address various attack types (buffer overflow, remote code execution, XML attacks, session hijacking and cross-site scripting) as well as vulnerabilities such as improper error handling and broken authentication.
The value of CySA+ certification
If you currently plan to be a cybersecurity analyst and do not yet have a certification, you may want to consider CySA+, which is currently on its second certification exam version (CS0-002). This is an intermediate-level, vendor-neutral credential that can help prove to organizations that you have the knowledge and skills needed to deliver proactive, actionable threat intelligence and analysis of potential impacts.
The role of cybersecurity analyst varies: from carrying out vulnerability assessments, threat detection, and incident response to mitigating the damage caused by cyberattacks. A security analyst — much like a threat intelligence analyst or vulnerability analyst — works to identify flaws in systems and proactively develop solutions.
With thousands of open information security analyst jobs in the United States today and a projected job growth of 31% (much faster than average) from 2019 to 2029, according to the Bureau of Labor Statistics, there’s no better time to jump into your cybersecurity career than now.
- CompTIA, Cybersecurity Analyst
- BLS, Information Security Analysts