CySA+ domain #4: environmental reconnaissance techniques and analysis
What would being a cybersecurity analyst be without knowledge of environmental reconnaissance techniques and analysis? A glorified Help Desk technician? Perhaps — but all jokes aside, this is a sizeable amount of material.
This article covers the environmental reconnaissance techniques and analysis methods that make up this subdomain. Given the sheer size of the material, use it as a refresher and not as your sole method of exam preparation. Sit back, strap in and get ready for some breakneck reviewing!
Procedures and common tasks
Understanding the topology of your network environment is crucial for a cybersecurity analyst. It is normally inferred from a network scan: every router a packet crosses decrements its time to live (TTL) by one, so comparing the TTL in a host's replies with the common initial values (64, 128 or 255) gives an educated guess at how many hops away that host is. Grouping hosts by network address and hop distance lets you lay out a probable topology. Nmap can do this, and its Zenmap GUI draws the result as a topology map.
OS fingerprinting identifies an operating system from the network traffic it sends. TCP/IP stack fingerprinting does this by sending crafted probes to the host and comparing details of its responses, such as the initial TTL, TCP window size and TCP option ordering, against a database of known stacks.
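The TTL-based hop estimate described above, as an added example that is not code from the original article. It assumes the three most common default initial TTLs (64, 128 and 255); a stack that uses a different default will be misjudged, so the output is a topology hint, not a fingerprint. The sample TTLs are constructed.

```python
"""Estimate hop distance and guess OS family from an observed IP TTL.

Added example, not code from the original article. It assumes the usual
default initial TTLs (64 for Linux/macOS/BSD, 128 for Windows, 255 for
network devices and Solaris); stacks that use other defaults will be
misjudged, so treat the result as a hint for topology mapping, not proof.
"""
from typing import Dict, Iterable, List, Tuple

# Default initial TTL -> OS family (assumed common defaults, see docstring)
INITIAL_TTLS = {
    64: "Linux/Unix-like (incl. macOS, BSD)",
    128: "Windows",
    255: "Network device / Solaris",
}


def estimate_hops(observed_ttl: int) -> Tuple[int, int, str]:
    """Return (initial_ttl, hops, os_family) for a TTL seen in a reply.

    Each router decrements the TTL by one, so the sender's initial TTL is
    the smallest common default that is >= the observed value, and the hop
    count is the difference between the two.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be between 1 and 255")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS[initial]
    raise AssertionError("unreachable: 255 covers every valid TTL")


def group_by_distance(observations: Iterable[Tuple[str, int]]) -> Dict[int, List[Tuple[str, str]]]:
    """Bucket (ip, observed_ttl) pairs by estimated hop count.

    Hosts that land in the same bucket are probably on the same segment or
    behind the same router, which is the educated guess a topology map is
    built from.
    """
    groups: Dict[int, List[Tuple[str, str]]] = {}
    for ip, ttl in observations:
        _, hops, family = estimate_hops(ttl)
        groups.setdefault(hops, []).append((ip, family))
    return dict(sorted(groups.items()))


# Constructed sample: TTLs as they might appear in replies to a scan run
# from the 10.0.0.0/24 segment.
SAMPLE_TTLS = [
    ("10.0.0.1", 255),    # gateway on the local segment
    ("10.0.0.20", 64),    # Linux box, same segment
    ("10.0.1.5", 127),    # Windows host, one router away
    ("10.0.1.9", 62),     # Linux host, two routers away
    ("203.0.113.7", 49),  # Linux host across the Internet
]

if __name__ == "__main__":
    for hops, members in group_by_distance(SAMPLE_TTLS).items():
        print(f"{hops:>2} hop(s): {members}")
```

A hop count far above 30 usually means the sender's initial TTL was not one of the three defaults, not that the host is really that far away; treat such buckets with suspicion.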
Port scanning discovers which services a system currently exposes. Port scanners' features commonly include:
- Port scanning and service identification
- Host discovery
- Service version identification
- Operating system identification
To run service discovery with Nmap, use a command such as:
nmap -sS -sV -O -Pn [system IP address]
Here -sS is a TCP SYN scan, -sV probes each open port to identify the service and its version, -O enables OS detection and -Pn skips host discovery so the target is scanned even if it does not answer pings (-P0 is the older spelling of this option). -sS and -O require root or administrator privileges. This generates a list of ports and the services running on them. We will touch more on Nmap later.
Router/firewall ACLs review
Analyzing the access control lists (ACLs) of routers and firewalls tells you what traffic is allowed, and it assists with topological mapping: the rules show where systems sit relative to the device by what they permit or block. Configuration files make this easier because they are human-readable and show in one place how each system interacts with that firewall.
The CySA+ certification exam covers Cisco, Palo Alto and Check Point firewalls, so you will need to be comfortable reading logs and configurations from these vendors.
On the CySA+ certification exam, it may help to rewrite firewall and router configuration files, log files and rules into plain language. For example, the Cisco extended ACL entry permit tcp 10.0.0.0 0.255.255.255 any eq 22 can be rewritten as "Allow TCP traffic from any host in 10.0.0.0/8 (the wildcard mask 0.255.255.255 fixes only the first octet), from any source port, to any destination host on destination port 22 (SSH)." Note that a port keyword applies to the address it follows: here eq 22 comes after the destination (any), so it is a destination port. This habit will help you, especially if you do not fully understand a vendor's syntax.
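The rewriting exercise above, carried out by a small translator for Cisco-style extended ACL entries. This is an added example, not code from the original article or from any vendor; it goes beyond the single entry in the text by handling host and any addresses, the neq/gt/lt/range port operators, sequence numbers and the classic access-list N prefix, and non-contiguous wildcard masks. The port-name table is an assumption for readability.

```python
"""Translate Cisco-style extended ACL entries into plain English.

Added example, not code from the original article or any vendor. It handles
the common entry shape
    [seq] [access-list N] permit|deny proto source [port-op] dest [port-op] [options]
where an address is `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`, and a port
operator is eq/neq/gt/lt N or range A B (only meaningful for tcp/udp).
Anything left over (log, established, ICMP types) is reported verbatim.
"""
import ipaddress
from typing import List, Optional, Tuple

# Assumed mini port-name table; extend as needed.
PORT_NAMES = {22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
              443: "HTTPS", 3389: "RDP"}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def wildcard_to_prefix(wildcard: str) -> Optional[int]:
    """Cisco wildcard mask -> prefix length, or None when it is not contiguous.

    The wildcard is the bitwise inverse of a netmask, so 0.255.255.255 -> /8.
    Computed by hand rather than via ipaddress, because 0.0.0.0 and
    255.255.255.255 are ambiguous there (valid as both netmask and hostmask).
    """
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return prefix if mask == contiguous else None


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume an address spec starting at tokens[i]; return (description, next index)."""
    tok = tokens[i]
    if tok == "any":
        return "any host", i + 1
    if tok == "host":
        return f"host {tokens[i + 1]}", i + 2
    if i + 1 >= len(tokens):
        raise ValueError(f"address {tok} has no wildcard mask")
    wildcard = tokens[i + 1]
    prefix = wildcard_to_prefix(wildcard)
    if prefix is None:
        return f"hosts matching {tok} wildcard {wildcard}", i + 2
    net = ipaddress.ip_network(f"{tok}/{prefix}", strict=False)
    if prefix == 32:
        return f"host {net.network_address}", i + 2
    return f"any host in {net.with_prefixlen}", i + 2


def _parse_port(tokens: List[str], i: int, role: str) -> Tuple[str, int]:
    """Consume an optional port operator at tokens[i] for role 'source' or 'destination'."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return f"any {role} port", i
    op = tokens[i]
    if op == "range":
        return f"{role} ports {tokens[i + 1]}-{tokens[i + 2]}", i + 3
    port = int(tokens[i + 1])
    label = f"port {port}" + (f" ({PORT_NAMES[port]})" if port in PORT_NAMES else "")
    phrase = {"eq": f"{role} {label}",
              "neq": f"any {role} port except {label}",
              "gt": f"{role} ports above {port}",
              "lt": f"{role} ports below {port}"}[op]
    return phrase, i + 2


def translate(entry: str) -> str:
    """Render one ACL entry as an English sentence."""
    tokens = entry.split()
    if tokens and tokens[0].isdigit():          # IOS sequence number
        tokens = tokens[1:]
    if tokens and tokens[0] == "access-list":   # classic numbered-ACL syntax
        tokens = tokens[2:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised ACL entry: {entry!r}")
    verb = "Allow" if tokens[0] == "permit" else "Block"
    proto = tokens[1].lower()
    layer4 = proto in ("tcp", "udp")           # only tcp/udp carry port operators
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i, "source") if layer4 else ("", i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i, "destination") if layer4 else ("", i)
    sentence = f"{verb} {proto.upper()} traffic from {src}"
    if layer4:
        sentence += f", {sport},"
    sentence += f" to {dst}"
    if layer4:
        sentence += f", {dport}"
    if i < len(tokens):
        sentence += f" (options: {' '.join(tokens[i:])})"
    return sentence + "."


if __name__ == "__main__":
    for line in ["permit tcp 10.0.0.0 0.255.255.255 any eq 22",
                 "deny ip any host 192.168.1.10 log",
                 "10 permit udp host 10.1.1.1 eq 53 192.168.0.0 0.0.255.255"]:
        print(f"{line}\n  -> {translate(line)}")
```

The wildcard conversion is done by hand on purpose: a wildcard of 0.0.0.0 means a single host and 255.255.255.255 means any host, but the ipaddress module reads both strings as netmasks first, which would silently invert their meaning.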
DNS resolves domain names to IP addresses and, through reverse lookups, IP addresses back to names. Nslookup performs both kinds of query: a reverse lookup on an address tells you which domain it is registered under, and a whois query on the same address then reveals the IP range it belongs to and who owns that range, which tells you about the organization and its hosting provider. Starting from either the hostname or the IP address of a system, you can therefore find out more about it.
There is a list of variables to consider regarding what would be the appropriate reconnaissance technique or process to use. These variables include:
- Wireless versus wired
- Virtual versus physical
- Internal versus external
- On-premises versus cloud
I know that for some of you, this section of the sub-domain will be the proverbial meat and potatoes of why you are reading this. The CySA+ certification exam will cover a wide range of tools, and these are the most important you will need to know; however, you should make sure that you have a solid understanding of all of those it will cover.
Nmap will, without a doubt, be one of the most covered tools on this exam. This versatile and free tool will scan your network deep and wide and let you know what hosts are on it, as well as help you identify them.
Nmap first scans the network widely, identifying every system or device that responds to its host discovery probes (by default an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; a privileged scan is needed to send all four). After live hosts are identified, Nmap scans each one deeply, interrogating it about which services it is running, which versions of server software it uses and, in most cases, which OS it is running, via fingerprinting.
Knowing this helps the cybersecurity analyst understand the attacks actually available to an attacker. For example, an analyst will not look for Windows-specific attacks against a host that Nmap has determined is running Apple macOS.
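Turning a scan into the per-host picture described above, as an added example that is not code from the original article or from the Nmap project. It parses Nmap's grepable output format (-oG), in which each host line is a run of tab-separated "Key: value" fields and each Ports entry is port/state/protocol/owner/service/rpc-info/version/. The embedded sample is constructed to resemble such output; its addresses, hostnames and banners are made up.

```python
"""Parse Nmap grepable output (-oG) into per-host records.

Added example, not code from the original article or the Nmap project.
SAMPLE_GNMAP is constructed to look like the output of
`nmap -sS -sV -O -Pn -oG scan.gnmap 10.0.0.0/28`; the addresses, hostnames
and service banners are made up.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan 15 10:00:00 2024 as: nmap -sS -sV -O -Pn -oG scan.gnmap 10.0.0.0/28
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\tOS: Linux 5.X
Host: 10.0.0.5 (dc01.corp.example)\tStatus: Up
Host: 10.0.0.5 (dc01.corp.example)\tPorts: 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 445/open/tcp//microsoft-ds//Microsoft Windows Server 2019/\tOS: Microsoft Windows Server 2019
Host: 10.0.0.9 ()\tStatus: Down
# Nmap done at Mon Jan 15 10:02:11 2024 -- 16 IP addresses (2 hosts up) scanned in 131.02 seconds
"""

# "Host: <ip> (<hostname>)<TAB><fields...>"
HOST_LINE = re.compile(r"^Host: (\S+) \((.*?)\)\t(.*)$")


def _parse_ports(field: str) -> List[dict]:
    """Split the Ports field into one dict per port entry."""
    ports = []
    for entry in field.split(", "):
        parts = entry.split("/")
        if len(parts) < 7:
            continue  # malformed entry: skip rather than abort a large scan
        port, state, proto, _owner, service, _rpc, version = parts[:7]
        ports.append({"port": int(port), "state": state, "proto": proto,
                      "service": service, "version": version})
    return ports


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Return {ip: {hostname, status, os, ports}} for every host in the output."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines
        ip, hostname, rest = m.groups()
        rec = hosts.setdefault(ip, {"hostname": hostname or None, "status": None,
                                    "os": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "OS":
                rec["os"] = value
            elif key == "Ports":
                rec["ports"].extend(_parse_ports(value))
    return hosts


def open_services(hosts: Dict[str, dict]) -> List[Tuple[str, int, str, str, str]]:
    """Flatten the open ports into (ip, port, proto, service, version) tuples."""
    return [(ip, p["port"], p["proto"], p["service"], p["version"])
            for ip, rec in hosts.items() for p in rec["ports"] if p["state"] == "open"]


def hosts_running(hosts: Dict[str, dict], os_keyword: str) -> List[str]:
    """IPs whose fingerprinted OS mentions the keyword, e.g. 'windows' to scope Windows-only checks."""
    return sorted(ip for ip, rec in hosts.items()
                  if rec["os"] and os_keyword.lower() in rec["os"].lower())


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for svc in open_services(scan):
        print(svc)
    print("Windows hosts:", hosts_running(scan, "windows"))
```

The OS field is a fingerprint guess, so a host with no match (rec["os"] is None) should be checked by other means before you exclude platform-specific attacks for it.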
Netstat can be used to gather local host network information on Windows, macOS, Linux and most Unix-like operating systems. Among the, pardon the pun, host of information that netstat can uncover is:
- All active TCP/UDP connections
- Which executable file (or its process ID) created the connection (netstat -b or -o on Windows, -p on Linux)
- Ethernet statistics, including how many bytes and packets were sent or received
- Routing table information (IPv4 and IPv6), including the destination, netmask, gateway, interface and metric of each route
Another tool you will see on the exam is some form of packet analyzer. A popular (and free) one is Wireshark, which captures every packet a system's interface sees on the network. This can tell you a lot about the network: for example, LLDP or CDP announcements reveal what kind of switch the system is attached to, and ARP traffic reveals the MAC addresses of other systems on the segment.
Vulnerability scanners identify potential vulnerabilities in devices on your network, including firewalls, switches, routers, applications and servers. They do not exploit the vulnerabilities they find, and they have limitations: they cannot detect vulnerabilities for which no signature or plugin exists yet (zero-days), they produce false positives and false negatives, and the scanner itself may have security vulnerabilities. A popular example is Nessus, whose Essentials edition is free for a small number of hosts.
While not a “tool” per se, log files can be an invaluable source of information about your network. Some of the devices and appliances that can supply relevant information are:
The point of environmental reconnaissance is to turn the data gathered into information that is actionable. Some forms of analysis you will be responsible for are:
Point in time
Information gathered through this method includes the protocols in use, information from broadcast protocols, top-talking hosts and network discovery announcements (including CDP and LLDP). Some sources for this type of analysis include:
- Packet analyzers, including Wireshark
- NetFlow analyzers, including Scrutinizer and SolarWinds
- Wireless tools, including Chanalyzer
Analyzing for baselines, trends and patterns
The more data you have about your environment, the better you will understand it and spot abnormalities.
SIEM systems are great at analyzing this data and helping you establish baselines and general patterns. Trend analysis takes in data over a long period of time and as such places a heavier demand on system resources, including memory and disk space. Simple Network Management Protocol (SNMP) is a good source of data for trend analysis, and tools that use it include LibreNMS and SolarWinds Orion.
Unlike trend analysis, anomaly analysis focuses on the abnormal, including abnormal traffic volumes and traffic types. It compares point-in-time data with an established baseline. One drawback is a greater likelihood of false positives, particularly when the baseline covers too little history or the threshold is set too tight.
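The comparison just described, baseline versus point-in-time window, as an added example that is not code from the original article. It works on constructed NetFlow-style summaries (source IP, hour bucket, bytes, destination port), checks both traffic volume and traffic type, and shows the false-positive caveat in practice: a host with only a couple of hours of history is excluded from the volume check unless you lower min_samples. The z-score threshold and the minimum-sample rule are assumptions, not anything the article prescribes.

```python
"""Baseline-versus-point-in-time anomaly analysis over flow summaries.

Added example, not code from the original article. Records are constructed
(src_ip, hour_bucket, bytes, dst_port) tuples standing in for NetFlow
summaries. Two checks run against the baseline:
  * volume: bytes in the current window exceed the host's baseline hourly
            mean by more than z_threshold standard deviations;
  * type:   the host talked to a destination port never seen in baseline.
Hosts with too little history are skipped by the volume check, because a
baseline built from a handful of samples is a classic false-positive source.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[str, int, int, int]  # (src_ip, hour_bucket, bytes, dst_port)
Finding = Tuple[str, str, str]      # (src_ip, kind, detail)


def build_baseline(records: List[Record]) -> Dict[str, dict]:
    """Per-host mean and population stdev of hourly bytes, plus ports used."""
    hourly: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    ports: Dict[str, set] = defaultdict(set)
    for ip, hour, nbytes, dport in records:
        hourly[ip][hour] += nbytes
        ports[ip].add(dport)
    baseline = {}
    for ip, buckets in hourly.items():
        samples = list(buckets.values())
        baseline[ip] = {
            "mean": statistics.fmean(samples),
            "stdev": statistics.pstdev(samples) if len(samples) > 1 else 0.0,
            "samples": len(samples),
            "ports": ports[ip],
        }
    return baseline


def detect_anomalies(baseline: Dict[str, dict], current: List[Record],
                     z_threshold: float = 3.0, min_samples: int = 24) -> List[Finding]:
    """Compare one point-in-time window (e.g. the last hour) with the baseline."""
    hourly: Dict[str, int] = defaultdict(int)
    ports: Dict[str, set] = defaultdict(set)
    for ip, _hour, nbytes, dport in current:
        hourly[ip] += nbytes
        ports[ip].add(dport)

    findings: List[Finding] = []
    for ip in sorted(hourly):
        base = baseline.get(ip)
        if base is None:
            findings.append((ip, "new-host", f"no baseline for this host; sent {hourly[ip]} bytes"))
            continue
        if base["samples"] >= min_samples:
            # A perfectly flat baseline has stdev 0; use 10% of the mean as a
            # floor so a tiny change does not become an "infinite" z-score.
            spread = base["stdev"] or max(base["mean"] * 0.1, 1.0)
            z = (hourly[ip] - base["mean"]) / spread
            if z > z_threshold:
                findings.append((ip, "volume",
                                 f"{hourly[ip]} bytes is {z:.1f} sigma above baseline mean {base['mean']:.0f}"))
        new_ports = ports[ip] - base["ports"]
        if new_ports:
            findings.append((ip, "new-port", f"destination ports not in baseline: {sorted(new_ports)}"))
    return findings


def constructed_baseline() -> List[Record]:
    """Seven days of hourly summaries; deterministic so the result is reproducible."""
    records: List[Record] = []
    for h in range(24 * 7):
        # 10.0.0.20: 50-73 kB per hour, alternating HTTPS and DNS
        records.append(("10.0.0.20", h, 50_000 + (h % 24) * 1_000, 443 if h % 2 == 0 else 53))
        # 10.0.0.30: 200-315 kB per hour, mostly HTTP with some HTTPS
        records.append(("10.0.0.30", h, 200_000 + ((h * 37) % 24) * 5_000, 80 if h % 3 else 443))
    # 10.0.0.40 appeared only twice: not enough history for a trustworthy baseline
    records += [("10.0.0.40", 0, 10_000, 443), ("10.0.0.40", 1, 12_000, 443)]
    return records


# Constructed current window (hour 168): 10.0.0.20 suddenly pushes ~800 kB and
# opens SSH, 10.0.0.30 is normal, 10.0.0.40 triples its tiny baseline, and
# 10.0.0.99 has never been seen before.
CURRENT_WINDOW: List[Record] = [
    ("10.0.0.20", 168, 800_000, 443), ("10.0.0.20", 168, 4_000, 22),
    ("10.0.0.30", 168, 210_000, 80),
    ("10.0.0.40", 168, 40_000, 443),
    ("10.0.0.99", 168, 5_000, 443),
]

if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(constructed_baseline()), CURRENT_WINDOW):
        print(finding)
```

With the default min_samples, 10.0.0.40 is not reported even though it tripled its traffic, because two hours of history is not a baseline; drop min_samples to 1 and it is flagged at roughly 29 sigma, which is exactly the kind of alert that turns out to be noise once the host has a week of data behind it.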
The role of cybersecurity analyst normally involves a substantial amount of environmental reconnaissance and analysis, which makes this subdomain all the more important on CySA+. The wide range of concepts it contains will put your real-world analyst skills to the test, which is arguably one of the reasons CompTIA recommends three to four years of hands-on information security experience for this certification.