CompTIA CySA+ Objective 3.4

Photo by from Pexels

Given a scenario, analyze common symptoms to select the best course of action to support incident response.

CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0

Common Network-Related Symptoms

  • Bandwidth consumption: It is important to have a baseline before an incident to know what is normal on the network. Deviation from the baseline can be an indication of a security incident.
  • Beaconing: Traffic from infected systems that could include DNS probes or command and control connections.
  • Irregular peer-to-peer communication: Most traffic in today’s enterprise computing environment is  to server traffic. Traffic that deviates from this pattern may be an indication of a security incident.
  • Rogue devices on the network: Enterprises often have a standard for devices purchased so a “rogue” device may be easy to spot by mac address or other interrogation methods.
  • Scan sweeps: Pings or other scans can indicate that a bad actor is scanning the network for hosts to attack.
  • Unusual traffic spikes: Increases in the amount of traffic, even low bandwidth, but high connections, can indicate an issue.

Common Host-Related Symptoms

  • Processor consumption: A host with high CPU usage that is not normal can be a sign of compromise.
  • Memory consumption: A host with high memory usage that is not normal can be a sign of compromise.
  • Drive capacity consumption: A host with storage being used more than normal can be a sign of compromise.
  • Unauthorized software: Software that is not authorized in the environment could be a sign of compromise.
  • Malicious processes: Processes may show up in the process list that known bad.
  • Unauthorized changes: If a stringent change control process is in place and an unauthorized change is detected, it could signal a security incident.
  • Unauthorized privileges: Changes to account permissions can signal an incident.
  • Data exfiltration: The theft of data from a device. Any data missing or deleted could be a sign. There are also tools to track the movement of data to the outside (Data Loss Prevention [DLP]).

Common Application-Related Symptoms

  • Anomalous Activity: an application behaving in a way that is not normal could be a sign of a security incident.
  • Introduction of New Accounts: new accounts within an application’s authentication database could be a sign of a security incident.
  • Unexpected Output: Strange output in an application could be a sign that the application has been altered.
  • Unexpected Outbound Communication: Unexpected communication to outside hosts should be investigated.
  • Service Interruption: When an application is no longer able to service requests, it may be an indication of an attack.
  • Memory Overflows: When an application overflows memory allocation it can indicate a buffer overflow attack.