CySA+ domain #9: Analyzing common symptoms
Trying to secure a network without the right skills and tools is not possible, especially when you’re dealing with cybercriminals who make a living from breaching networks and compromising systems. CompTIA’s CySA+ is designed to help you learn the technical and procedural steps that will enable you to work as a cybersecurity analyst.
This article will tackle the basics of Objective 3.4 and will show you what is required of you as a starting point towards your studies. After reading through this article, you should have a better understanding of what you will need to study in order to pass your exam. This isn’t a very long section, but it has enough detail in it to warrant careful consideration and studying while working towards your CySA+ certification.
Common network-related symptoms
The following selection of objectives is required for passing the CySA+. You need to have a firm understanding of how to identify the symptoms, what they mean and how you could approach the task of resolving them.
Bandwidth consumption
In any investigation relating to bandwidth consumption, you need a baseline from before the issue first appeared. A comparative analysis will show you when the bandwidth consumption first spiked, as well as the devices and protocols that could be causing it. Any extreme change in bandwidth consumption could be a sign of an incident.
Beaconing
If you have an infected or compromised system on the network, then it could be trying to make contact with servers over the internet so that it can receive updates or further instructions. Other telltale signs of a beaconing system on your network include DNS probes and command-and-control connections.
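As an added example (not from the article), the following Python script applies the two checks described above to a few constructed connection-log lines: a per-host bandwidth comparison against a baseline, and a regular-interval check for beaconing. The log format, hosts, byte counts, baseline values and thresholds are all assumptions made for the illustration.

```python
"""Flag beaconing and bandwidth spikes in constructed connection logs."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: "epoch_seconds src dst bytes" (not real traffic).
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.7 512
1060 10.0.0.5 203.0.113.7 520
1120 10.0.0.5 203.0.113.7 508
1181 10.0.0.5 203.0.113.7 515
1240 10.0.0.5 203.0.113.7 511
1003 10.0.0.9 198.51.100.2 40000
1310 10.0.0.9 198.51.100.2 900000
2200 10.0.0.9 198.51.100.2 35000
"""

def parse(log: str):
    rows = []
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        rows.append((int(ts), src, dst, int(nbytes)))
    return rows

def find_beacons(rows, min_hits=4, max_cv=0.1):
    """Return (src, dst) pairs whose contact intervals are nearly constant.
    Regular check-ins with low jitter are the classic beaconing signature."""
    times = defaultdict(list)
    for ts, src, dst, _ in rows:
        times[(src, dst)].append(ts)
    hits = []
    for pair, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(ts_list) >= min_hits and mean(gaps) > 0:  # min_hits >= 2
            cv = pstdev(gaps) / mean(gaps)  # coefficient of variation
            if cv <= max_cv:
                hits.append(pair)
    return hits

def find_spikes(rows, baseline_bytes, factor=5.0):
    """Return sources whose total bytes exceed factor x their baseline."""
    totals = defaultdict(int)
    for _, src, _, nbytes in rows:
        totals[src] += nbytes
    return [src for src, total in totals.items()
            if total > factor * baseline_bytes.get(src, 0)]

BASELINE = {"10.0.0.5": 3000, "10.0.0.9": 80000}  # constructed per-host baseline
```

With the sample data, the first host checks in every 60 seconds with almost no jitter and is flagged as beaconing, while the second host is flagged only for a bandwidth spike.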
Irregular peer-to-peer communication
In a secure environment, there should not be any peer-to-peer connections such as torrents and file-sharing sites. Peer-to-peer connections could also be a sign of infection or malware on the network. Any communications that differ from the baseline could be symptoms of a potential network issue.
Rogue devices on the network
Modern organizations have set standards when it comes to hardware devices. If anything comes up in a network sweep that is not part of the company’s assets, this could potentially lead to an incident. Luckily, there are safeguards in place that make identifying such hardware quite straightforward in most cases (SNMP, MAC filtering, scan sweeps).
ICMP (ping) requests are the simplest form of scan sweep to perform, so having the ability to detect such activity is important for a cybersecurity analyst. If such activity indicates a threat to your organization, then it is important to act on the finding sooner rather than later.
Unusual traffic spikes
Bandwidth usage and traffic spikes are two separate issues. A traffic spike could have a very low bandwidth usage but, at the same time, have many concurrent connections that cause latency and availability issues.
Common host-related issues
Sometimes an attack can be traced back to a single desktop computer in an unsecured segment of the network. If proper monitoring and alerts are in place, then suspicious activity can be identified and corrected before it becomes a problem. The CySA+ seeks to test the candidate’s knowledge of host-related issues such as:
- Processor consumption: Any host that is exhibiting higher-than-usual CPU usage should be cause for concern, especially if it occurs at unexpected times when no workload should be running. If a system has been compromised, then an attacker could be pivoting to other systems on the network, and unexpected high CPU usage could be a sign that they are running tools or scripts to attack the network
- Memory consumption: Again, any unexpected usage of system resources such as system memory could be a sign that a system has been compromised
- Drive capacity consumption: Unexpected space issues could be a result of malware or other malicious activity
- Unauthorized software: Software that is installed by third parties or users without permission could be a sign of a system compromise. If the software has been altered or injected with malware, then just its presence alone is a sign that there could be a security issue on the network
- Malicious processes: Known threats that manifest as specific processes in an infected host are a sign of a compromised system
- Unauthorized changes: If change control has been ignored or defeated, then there is the potential for a breach. Change controls are in place to monitor and record changes to the hardware, software and activity within the organization
- Unauthorized privileges: Changes to user account privileges can lead to unauthorized access and could constitute an incident
- Data exfiltration: Any sensitive or confidential data or information taken from equipment and then used outside of the organization
Common application-related symptoms
- Anomalous activity: If an application is behaving differently than expected, then this could either be a sign of a potential breach or an active incident
- Introduction of new accounts: If new users are being created on applications that have not been authorized, then there is a potential breach
- Unexpected output: If suspicious or unexpected output is being generated by an application, then the program could have been interfered with and could signal a potential incident
- Unexpected outbound communication: Any unexpected outbound communications should be looked at and mitigated as soon as possible if they are found to be malicious
- Service interruption: If an application’s availability is affected and it can no longer function as intended, then it could be a sign of an incident
- Memory overflows: Certain attacks such as a buffer overflow attack can generate such errors. If this is detected, then it needs to be dealt with to prevent any further damage or disruption to the organization
There are so many potential attack vectors within an organization that it is impossible to list every single one of them. The CySA+ does a very good job of going through some of the most common symptoms that could indicate that a system on your network might have been compromised.
There’s a lot of material to go through in this domain, but if you use the exam objectives as your guide, then you will be able to work through them one by one. This article should act as a basic starting point to help you gauge the level of detail that the exam expects. Good luck!