CySA+
  • CySA+ CS0-002 Exam Objectives
  • Threat Intelligence Cycle
  • Intelligence Sources
  • Security Intelligence Sharing
  • Threat Classification and Threat Actors
  • Threat Research and Indicators of Compromise
  • Attack Frameworks and The Cyber Kill Chain
  • Defining Threat Modeling and Threat Hunting
  • Vulnerability Identification and Validation
  • Vulnerability Scan Results and CVSS Scores
  • Nmap and Enumeration
  • Security Controls
  • Defense in Depth Security Baselines
  • Security Trend Analysis
  • Remediation Issues
  • Asset, Change, and Configuration Management
  • Software Development Lifecycle & Development Models
  • Software Assessment and Code Review
  • Mitigating Attack Types Part 1
  • Mitigating Attack Types Part 2
  • Mitigating Attack Types Part 3
  • Password Cracking and Hashing
  • Privilege Escalation & Man-in-the-Middle
  • Network Based IoCs
  • Host Based IoCs
  • Network Architecture and Segmentation
  • Network Traffic, Packet, and Protocol Analysis
  • Pentesting and Active Defense
  • Firewalls
  • URL Analysis & DNS in Malware
  • Network Access Control and Port Security
  • Identity and Access Management (IAM)
  • Web Application Scanners
  • SSL/TLS Digital Certificate Management
  • Mobile Threats
  • Email Threats and Mitigation
  • Data Loss Prevention (DLP)
  • Endpoint Security and Behavior Analysis
  • Hardware Assurance
  • Blackholes and Sinkholes
  • IoT, Embedded Systems & ICS/SCADA Threats
  • Log Analysis & Continuous Security Monitoring
  • SIEM and Event Correlation
  • Malware Analysis
  • Cloud Models and Service Threats
  • Cloud Automation and Other Cloud Threats
  • VDI, Containers, and Microservices
  • CI/CD, IaC, DevOps
  • AI and Machine Learning
  • Digital Forensics
  • Technical Controls for Securing Data
  • Non-Technical Controls for Securing Data
  • Security Policies and Procedures
  • Continuity Planning and Risk Assessment
  • Incident Response Phases and Communication
Powered by GitBook
On this page

Pentesting and Active Defense

  • Pentest+, CEH, OSCP

  • Hunting vs Pentesting

    • Threat hunting

      • Less disruptive, “look but don’t touch”

      • Based on observation, analysis

      • Shortens detection time for threats

    • Pentesting

      • “Let’s see how we could be attacked”

      • A process to identify vulnerabilities

      • Actively attempts to break security

      • Disruptive

      • Provides an “outside” perspective on security (attacker’s PoV)

  • Purpose is to identify vulnerabilities

  • Rules of engagement

    • Authorization is a must!

    • Time-bound: When? How long?

    • Scope: What? (don’t give in to “scope creep”)

    • Are you in the right country?

    • Type: web, WLAN, social engineering, etc

    • Tools and techniques

    • White/Grey/Black box?

    • Engage staff or not?

    • Reporting

  • Wargames – a “team” exercise

    • Red team – pentesters

    • Blue team – incident responders

    • White team – Control the game

    • Purple team – Ensure communication between red and blue

  • Active Defense

    • Decoy tactics – throw off the attackers. Nonstandard ports/user accounts/obfuscation.

      • Honeypots/Honeynets

      • OpenCanary

    • Annoyance tactics

    • Counterattacks

  • Blacklist / Blocklist approach

    • Specify what is not allowed

    • Can be used during incident response

    • Careful with excessive blocking

    • Careful with too little blocking.

  • Whitelist approach

    • Specify what is allowed

    • Can also be used during incident response

    • Requires more admin work

  • Execution control

    • Part of endpoint protection solutions

    • Allow/deny installation and execution of software

    • Can either be blocklist or whitelist

    • Examples: software restriction policies (group policy), AppLocker, Windows Defender Application Control

    • Linux: AppArmor, SELinux

PreviousNetwork Traffic, Packet, and Protocol AnalysisNextFirewalls

Last updated 2 years ago