In February of 2017, tech industry association CompTIA released the Cybersecurity Analyst certification under the moniker CSA+. In January of this year, the acronym was changed to CySA+ but the exam code (CS0-001), focus, and purpose remain the same.
This vendor-neutral certification is positioned between the Security+ and the CASP (CompTIA Advanced Security Practitioner) exam in terms of content and expectations. It is aimed at those in the profession of detecting, preventing, and combating cybersecurity threats, and it fulfills Directive 8570.01-M of the Department of Defense requirements for those working with the military.
The exam consists of 85 questions, both multiple choice and performance based, that must be answered within 165 minutes. The passing score is 750 on a scale of 100 to 900, and the standard cost is $346. While other certifications are not required, both Security+ and Network+ are recommended, as are between 3 and 4 years of hands-on work in the field.
The questions are divided into four domain areas and the following table gives the domains, weighting, and topics beneath each:
Not surprisingly, this certification includes some topics that — at one point in time — were touched on with Security+ or CASP, though not to the same extent as they are here. If you were to visualize the three exams as circles in a Venn diagram, there is still overlap on both ends and this makes the “bridge” analogy that CompTIA uses in their descriptions of the exam a good one.
Next month, we will have a Test Your Knowledge self test featuring 25 questions about topics found on the exam. First, however, let’s take a look at five topics worth explicating further:
1) The term “forensics kit” is used in the objectives and defined as containing a number of things including a workstation that can be trusted and used when there is a crisis, write blockers, cables, drive adapters, wiped removable media, camera(s), crime tape, tamper-proof seals, and documentation/forms.
Among the forms to carry with you are: chain of custody form, incident response plan, incident form, and a call/escalation list. While a number of tools can be useful in forensics, the objectives specifically spell out five forensic suites to be familiar with: EnCase, FTK, Helix, Sysinternals, and Cellebrite.
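The write blockers, wiped media and chain of custody form in that kit all serve one purpose: proving that the evidence analyzed is byte-for-byte what was collected. The script below is an added example (not from the article or the CySA+ objectives) of the check behind the form: it hashes an acquired image, records the hash on every hand-off, and flags any hand-off whose hash differs. The sample image bytes, item ID, handler names and log field names are constructed for this example.

```python
"""Added example: hash-based evidence integrity check for a chain-of-custody log.
Not from the article or the CySA+ objectives; all names and data are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (not real evidence):
# a zeroed sector followed by an NTFS-style boot signature.
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer; used for the constructed sample."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a multi-gigabyte image never has to fit in RAM.
    This is what you would call on a real image; the sample below stays in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def custody_entry(item_id: str, handler: str, action: str, digest: str) -> dict:
    """One chain-of-custody row: the item, who handled it, what they did, when,
    and the item's hash at that moment. Field names are this example's own."""
    return {
        "item_id": item_id,
        "handler": handler,
        "action": action,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": digest,
    }


def custody_intact(log: list) -> bool:
    """True if every entry for an item records the same hash as that item's first
    entry, i.e. nothing changed the evidence between hand-offs."""
    first_seen = {}
    for entry in log:
        expected = first_seen.setdefault(entry["item_id"], entry["sha256"])
        if entry["sha256"] != expected:
            return False
    return True


def demo() -> tuple:
    """Build a clean log for one item, then show that a one-bit change is detected.
    Returns (clean_log_intact, tampered_log_intact)."""
    original = sha256_hex(SAMPLE_IMAGE)
    clean_log = [
        custody_entry("HDD-001", "analyst A", "acquired behind write blocker", original),
        custody_entry("HDD-001", "analyst B", "received for analysis", original),
    ]
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[512] ^= 0x01  # flip one bit in the boot signature
    bad_log = clean_log + [
        custody_entry("HDD-001", "analyst C", "received from B", sha256_hex(bytes(tampered))),
    ]
    return custody_intact(clean_log), custody_intact(bad_log)


if __name__ == "__main__":
    print(json.dumps(demo()))
```

The hash is recorded at acquisition and re-computed at every hand-off, so the log itself shows where an alteration happened; a write blocker prevents the change, the hash proves whether it occurred.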
2) The term “environmental reconnaissance” is one of those that has been adapted from earlier use into the cybersecurity world. It is defined in the U.S. Army field manual 3-34.5/MCRP 4-11B (3-100.4) as: “The systematic observation and recording of site or area data collected by visual or physical means, dealing specifically with environmental conditions as they exist, and identifying areas that are environmentally sensitive or of relative environmental concern, for information and decision making purposes.”
It fits the Threat Management domain well as it focuses on collecting technical data, often involves a team, and is a precursor to deciding an approach.
3) When securing a corporate environment, one approach CompTIA tests on is the Red Team/Blue Team/White Team model. NIST defines the Red Team and the Blue Team as follows (the White Team appears within the Blue Team definition as the neutral referee):
“A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
“1. The group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically, the Blue Team and its supporters must defend against real or simulated attacks a) over a significant period of time, b) in a representative operational context (e.g., as part of an operational exercise), and c) according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team).
“2. The term Blue Team is also used for defining a group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture.
“The Blue Team identifies security threats and risks in the operating environment, and in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer’s cyber security readiness posture.
“Oftentimes a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer’s networks are as secure as possible before having the Red Team test the systems.”
4) Communication during the incident response process is one of those common sense things that can trip you up when it comes to test questions. It is important to keep all stakeholders involved, but it is also vital to limit communication and disclose sparingly. These two goals can pull in opposite directions.
Be sure to carefully think through any scenario presented in an exam question and reason out who to include in an information loop.
5) There are quite a few tools that objective 4.5 wants you to be familiar with. Some of these are basic command line commands (ipconfig, for example), while others are less familiar. The exploit tools, for example, are divided into three categories with a number of options beneath each:
Time spent looking over the list of tools beneath this particular objective and becoming acquainted with each can be considered time well spent.
Armed with knowledge and a few years of experience in the field, you should be ready to tackle the CompTIA CySA+ exam. Next month, we will look at 25 questions that can be used to test your knowledge and further evaluate your readiness.