CySA+ Domain #4: Incident Response
Cyber Security Analyst Plus, or CySA+, is an intermediate-level CompTIA cybersecurity analyst certification. This certification is intended for cybersecurity analysts and related professionals who have 3-4 years of hands-on experience in the field. This certification is on its second version, CS0-002. There have been some changes to the Domains of knowledge — both in content and number of Domains. This article will detail Domain #4, Incident Response, which is one of the new Domains in this cert’s common body of knowledge (CBK). It will give a high-level view of what has changed since the last exam and will explore how this domain will help you in your career and what this domain covers.
Earn your CySA+, guaranteed!
CySA+ CS0-002 – what has changed since CS0-001
CS0-002 has undergone several changes since the last exam version, with the most relevant for this article being the addition of Domain 4, Incident Response. Below is a high-level view of what has changed, followed by a comparison of the domains in CS0-001 and CS0-002.
- CS0-002 has followed the cybersecurity market trend of “going on the offense with defense” with threat hunting, an essential element of threat intelligence
- CS0-002 focuses more on software security than systems security
- Incident response has become more of a focus
- More content on the cybersecurity regulatory environment has also been added in response to the growing number of cybersecurity regulations
- These changes have amounted to some material being shifted around into other domains and an entirely new domain
- Domain 4 of CS0-002 is largely new material, and some material from the previous exam edition has been merged into this domain as well
How CySA+ Domain 4 will help you in your career
The CySA+ cert has had its domain line up changed to keep up with the ever-changing field of cybersecurity analysis. To make the certification exam material more up-to-date, the hosting organization added Incident Response as a new domain. Certification candidates and holders should see this as a great opportunity to add a strong dose of career-boosting, practical knowledge and expertise to their cybersecurity skill toolbox. Remember, the CySA+ certification has a hands-on driven approach and mastering the knowledge in this domain will make you both a more useful and more effective cybersecurity analyst going forward.
What is covered in CySA+ Domain 4?
Below is a rundown of what is covered in domain 4 of the new edition of the CySA+ (CS0-002) certification exam. It contains four objectives, with several sub-objectives included in each objective.
4.1 Explain the importance of the incident response process
- Communication plan
- Limiting communication to trusted parties
- Disclosing based on regulatory/legislative requirements
- Preventing inadvertent release of information
- Using a secure method of communication
- Reporting requirements
- Response coordination with relevant entities
- Legal
- Human resources
- Public relations
- Internal and external
- Law enforcement
- Senior leadership
- Regulatory bodies
- Factors contributing to data criticality
- Personally identifiable information (PII)
- Personal health information (PHI)
- Sensitive personal information (SPI)
- High-value asset
- Financial information
- Intellectual property
- Corporate information
4.2 Given a scenario, apply the appropriate incident response procedure
- Preparation
- Training
- Testing
- Documentation of procedures
- Detection and analysis
- Characteristics contributing to severity level classification
- Downtime
- Recovery time
- Data integrity
- Economic
- System process criticality
- Reverse engineering
- Data correlation
- Containment
- Segmentation
- Isolation
- Eradication and recovery
- Vulnerability mitigation
- Sanitization
- Reconstruction/reimaging
- Secure disposal
- Patching
- Restoration of permissions
- Reconstitution of resources
- Restoration of capabilities and services
- Verification of logging/communications to security monitoring
- Post-incident activities
- Evidence retention
- Lessons learned report
- Change control process
- Incident response plan update
- Incident summary report
- IoC generation
- Monitoring
4.2 Given an incident, analyze potential indicators of compromise
- Network-related
- Bandwidth consumption
- Beaconing
- Irregular peer-to-peer communication
- Rogue device on the network
- Scan/sweep
- Unusual Traffic spike
- Common protocol over a non-standard port
- Host-related
- Processor consumption
- Memory consumption
- Drive capacity consumption
- Unauthorized software
- Malicious process
- Unauthorized change
- Unauthorized privilege
- Data exfiltration
- Abnormal OS process behavior
- File system change or anomaly
- Unauthorized scheduled task
- Application-related
- Anomalous activity
- Introduction of new accounts
- Unexpected output
- Unexpected outbound communication
- Service interruption
- Application log
4.4 Given a scenario, utilize basic digital forensics techniques
- Network
- Wireshark
- tcpdump
- Endpoint
- Disk
- Memory
- Mobile
- Cloud
- Virtualization
- Legal hold
- Procedures
- Hashing
- Changes to binaries
- Carving
- Data acquisition
Earn your CySA+, guaranteed!
Preparing for the incident response domain
CySA+ is a certification intended for cybersecurity analysts (and related roles), which has recently debuted a new exam version, CS0-002. This new exam version introduces a new domain of knowledge — Domain #4: Incident Response. Certification holders and candidates alike will find the knowledge in this domain to be especially relevant in today’s world of cybersecurity that has been incorporating Incident Response techniques and concepts into the cybersecurity analyst role more and more lately.
Sources
- Exam Pass Guarantee
- Live expert instruction
- CySA+ exam voucher
In this Series
- CySA+ Domain #4: Incident Response
- Average CySA+ salary [2022 update]
- CompTIA CySA+ exam (CSO-003): your guide
- CySA+: Exam policies and appeal procedures [updated 2021]
- The CySA+ knowledge domains
- CySA+ Domain #1: Threat and vulnerability management
- CySA+ domain #2 Software and Systems Security - for identity and access management (IAM) [updated 2021]
- CySA+ Domain #3: Security operations and monitoring
- CySA+ Domain #5: Compliance and assessment
- CySA+: Renewal requirements
- CySA+: Resources [updated 2021]
- CySA+ salary data [Updated 2021]
- CySA+: IA levels and DoD 8570 [updated 2023]
- CySA+: Other certifications (Security+, PenTest+, CASP+) [updated 2022]
- CySA+: Earning CEUs [updated 2021]
- CySA+: Benefits for Employers [updated 2021]
- CySA+: Comparable certifications (SSCP, GSEC) [updated 2023]
- CySA+ jobs outlook [updated 2021]
- The business value of CompTIA CySA+ employee certification
- CySA+: Why become certified and what to expect from certification [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
CompTIA CySA+
CompTIA CySA+
CompTIA CySA+