CompTIA CySA+ Objective 3.4


Given a scenario, analyze common symptoms to select the best course of action to support incident response.

CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0

Common Network-Related Symptoms

  • Bandwidth consumption: Establish a baseline of normal traffic volume before an incident so that you know what is normal on the network. Sustained deviation from that baseline (for example, a workstation sending far more data outbound than it ever has) can be an indication of a security incident.
  • Beaconing: Periodic outbound traffic from an infected system to command-and-control infrastructure, typically at a fixed interval with a small, consistent payload; DNS queries to unusual domains are a common form.
  • Irregular peer-to-peer communication: Most traffic in today’s enterprise computing environment is client-to-server traffic. Workstation-to-workstation traffic, especially on administrative ports, deviates from this pattern and may indicate lateral movement.
  • Rogue devices on the network: Enterprises often standardize the devices they purchase, so a “rogue” device may be easy to spot by its MAC address (vendor prefix) or other interrogation methods such as network access control.
  • Scan sweeps: Pings (ICMP echo requests) or port scans from a single source against many hosts indicate that a bad actor is enumerating the network for hosts to attack.
  • Unusual traffic spikes: Increases in the amount of traffic, including a high number of connections at low bandwidth (a scan or a brute-force attempt looks like this), can indicate an issue.
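Two of the network symptoms above, beaconing and scan sweeps, can be picked out of connection logs with simple statistics: a beacon has nearly constant intervals between connections to the same destination, and a sweep is one source reaching many distinct destinations in a short window. The following is an added example written for these notes, not code from CompTIA or the original page. The flow records are constructed sample data, and the thresholds (five connections, 10% jitter, 20 targets in 30 seconds) are assumptions that would be tuned against a real baseline.

```python
"""Added example (not part of the original notes): flag beaconing and scan
sweeps in constructed connection records. All thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    # 10.0.0.5 contacts the same host every 60 s (+/- 1 s): beacon-like
    (0, "10.0.0.5", "203.0.113.9", 443),
    (61, "10.0.0.5", "203.0.113.9", 443),
    (120, "10.0.0.5", "203.0.113.9", 443),
    (181, "10.0.0.5", "203.0.113.9", 443),
    (240, "10.0.0.5", "203.0.113.9", 443),
    (300, "10.0.0.5", "203.0.113.9", 443),
    # 10.0.0.7 touches 40 different hosts on SMB in 40 seconds: sweep-like
    *[(10 + i, "10.0.0.7", f"10.0.1.{i}", 445) for i in range(1, 41)],
    # 10.0.0.9 is a normal client: irregular browsing to a few hosts
    (5, "10.0.0.9", "198.51.100.2", 443),
    (17, "10.0.0.9", "198.51.100.3", 443),
    (94, "10.0.0.9", "198.51.100.2", 443),
    (230, "10.0.0.9", "198.51.100.4", 80),
]


def find_beacons(flows, min_connections=5, max_jitter=0.10):
    """Return {(src, dst, port): mean_interval_seconds} for pairs whose
    inter-connection gaps are nearly constant (coefficient of variation,
    stdev / mean, at or below max_jitter). Few-connection pairs are ignored."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


def find_sweeps(flows, window=30, min_targets=20):
    """Return {src: max_distinct_targets} for sources that reach at least
    min_targets distinct destination hosts within any window-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_src[src].append((ts, dst))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        start, best = 0, 0
        # Sliding window over time-ordered events for this source
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            sweeps[src] = best
    return sweeps


if __name__ == "__main__":
    for pair, interval in find_beacons(SAMPLE_FLOWS).items():
        print(f"BEACON  {pair[0]} -> {pair[1]}:{pair[2]} every ~{interval:.0f}s")
    for src, targets in find_sweeps(SAMPLE_FLOWS).items():
        print(f"SWEEP   {src} reached {targets} hosts within 30s")
```

On the sample data only 10.0.0.5 is reported as a beacon (about every 60 seconds) and only 10.0.0.7 as a sweep; the ordinary client 10.0.0.9 triggers neither rule. Real beacons add deliberate jitter, so in practice the jitter threshold is loosened and payload size and destination reputation are weighed alongside timing.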

Common Host-Related Symptoms

  • Processor consumption: A host with CPU usage well above its normal baseline, with no legitimate workload to explain it, can be a sign of compromise (cryptomining malware is a common cause).
  • Memory consumption: A host with memory usage well above its normal baseline can be a sign of compromise.
  • Drive capacity consumption: A host whose storage use grows faster than normal can be a sign of compromise, for example an attacker staging data before exfiltration.
  • Unauthorized software: Software that is not authorized in the environment could be a sign of compromise, and a software inventory or application allow list makes it visible.
  • Malicious processes: Processes may show up in the process list that are known bad, or that impersonate legitimate names from an unexpected path.
  • Unauthorized changes: If a stringent change control process is in place and an unauthorized change is detected, it could signal a security incident.
  • Unauthorized privileges: Changes to account permissions, such as a user being added to an administrative group without an approved request, can signal an incident.
  • Data exfiltration: The theft of data from a device. Exfiltration usually copies data rather than removing it, so the better indicators are staged archives and unusual outbound transfers; missing or deleted data should still be investigated. Data Loss Prevention (DLP) tools track the movement of sensitive data to the outside.

Common Application-Related Symptoms

  • Anomalous activity: An application behaving in a way that is not normal could be a sign of a security incident.
  • Introduction of new accounts: New accounts within an application’s authentication database that were not created through the normal provisioning process could be a sign of a security incident.
  • Unexpected output: Strange output from an application, such as database errors or content a user should not be able to reach, could be a sign that the application has been altered or is being attacked.
  • Unexpected outbound communication: Unexpected communication from an application to outside hosts should be investigated.
  • Service interruption: When an application is no longer able to service requests, it may be an indication of an attack such as denial of service.
  • Memory overflows: When an application writes past its allocated memory, or crashes with an access violation, it can indicate a buffer overflow attack.
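The "unauthorized privileges" symptom in the host list and the "introduction of new accounts" symptom in the application list are both detected the same way: snapshot the account database on a schedule and diff it against the previous snapshot and the approved change records. The following is an added example written for these notes, not code from CompTIA or the original page. The snapshot format, the privileged role names and the approved-change list are all assumptions and the data is constructed.

```python
"""Added example (not part of the original notes): diff two constructed
snapshots of an application's account database to surface new accounts
and privilege changes that have no approved change ticket."""

# Assumed: roles that grant administrative rights in this application
PRIVILEGED_ROLES = {"admin", "dbowner"}

# Constructed snapshots: username -> set of roles
BASELINE = {
    "alice": {"user"},
    "bob": {"user", "auditor"},
    "svc_backup": {"dbowner"},
}
OBSERVED = {
    "alice": {"user", "admin"},      # admin role added
    "bob": {"user"},                 # auditor role removed
    "svc_backup": {"dbowner"},
    "support2": {"user", "admin"},   # new account created with admin
}

# Constructed change records: (username, role) pairs covered by a ticket
APPROVED_CHANGES = {("bob", "auditor")}


def diff_accounts(baseline, observed, approved=frozenset()):
    """Return findings as (kind, user, detail) tuples: new and removed
    accounts, then per-user role changes that no approved ticket explains."""
    findings = []
    for user in sorted(set(observed) - set(baseline)):
        findings.append(("new_account", user, sorted(observed[user])))
    for user in sorted(set(baseline) - set(observed)):
        findings.append(("removed_account", user, sorted(baseline[user])))
    for user in sorted(set(baseline) & set(observed)):
        for role in sorted(observed[user] - baseline[user]):
            if (user, role) in approved:
                continue
            kind = "privilege_escalation" if role in PRIVILEGED_ROLES else "role_added"
            findings.append((kind, user, role))
        for role in sorted(baseline[user] - observed[user]):
            if (user, role) not in approved:
                findings.append(("role_removed", user, role))
    return findings


def unauthorized_privileges(findings):
    """Subset of findings that grant a privileged role, i.e. the ones that
    need immediate incident-response attention. Returns (user, roles)."""
    urgent = []
    for kind, user, detail in findings:
        if kind == "privilege_escalation":
            urgent.append((user, detail))
        elif kind == "new_account" and PRIVILEGED_ROLES & set(detail):
            urgent.append((user, sorted(PRIVILEGED_ROLES & set(detail))))
    return urgent


if __name__ == "__main__":
    report = diff_accounts(BASELINE, OBSERVED, APPROVED_CHANGES)
    for kind, user, detail in report:
        print(f"{kind:22} {user:12} {detail}")
    print("needs IR attention:", unauthorized_privileges(report))
```

On the constructed data the approved removal of bob's auditor role is suppressed, while alice gaining admin and the new support2 account created directly with admin are reported as needing attention. The same diff works against exported group membership from a directory service or a local host, which covers the host-level "unauthorized privileges" symptom as well.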