Pass Your CompTIA CySA+ Certification Easy!

Prepare with top-notch CompTIA CySA+ certification practice test questions and answers, vce exam dumps, study guide, video training course from ExamCollection. All CompTIA CySA+ certification exam dumps & practice test questions and answers are uploaded by users who have passed the exam themselves and formatted them into vce file format.

Threat Hunting

6. Profiling Techniques (OBJ 1.1)

Profiling techniques. When we talk about profiling techniques, our goal here is to identify who works at a particular company. We can do this a lot of different ways, including gathering all those different emails that are out there on the internet as well as looking at social media. Let's first talk about emails. Email harvesting is an open-source intelligence or ostensible technique that's used to gather email addresses from a given domain. So for example, if I want to find all the people who worked at Deontraining, I can start by finding email addresses online by searching for @ Deontraining.com, and based on those addresses, I might be able to start gathering information about who else works at that company and use that information to build my list as I start trying to profile the people at this organization. For example, if I find Jason at Deon training, I can start figuring out a couple of things. One, Jason works there, and two, the format of those email addresses People's first names at Diontraining, or what if I found one at Deontaining that was JDON? Well, that tells me they're probably using the first letter of the first name and then their last name as part of their email address. And based on that, I can start guessing about other people that work there. Maybe I have one that's Jason Dion at Deontraining that tells me its first and last name. And, once again, I can begin guessing those addresses because, if I know the CEO's name is John Smith, then his email address is most likely John Dot Smith@deiontraining.com. And I can start attacking that person with some kind of social engineering campaign. Now that some businesses are aware of this, they are creating very confusing email addresses such as JD 1234@deontraining.com. Based on that, it would be very hard for me to start guessing who works there. I wouldn't know if the guy's name was John or Jason or Joey, but I know it's JD. and that's probably some initials. And then this number is just randomized, and so that makes it very hard to figure out who it is. Now most companies aren't doing this, though. Why? Because this makes it harder for their employees to email each other too, because they don't know each other's names then, right? And so there is usually a standard convention like a first name, a last name, a first letter, and a last name, or a first name, a last name, or something of that nature. Now there are some other things you can look at when you start looking at these different emailsare some other ways that they're done.For instance, our company uses support@deontrain.com, and you know, that's a valid address that goes to lots of different people. But if you emailed something like operations@deontrain.com, that might work too, and it might get to my operations team, or you might have an instructor at Deontraining and you guess things based on the person's position, so that might be something that's there. Or if you have things like that, you might guess that the COO or the CEO has the email address coo@deiontraining.com for your chief operating officer. And by guessing these things, you can start building up your campaigns and figuring things out. There are many other ways to gather email addresses when doing email harvesting than just sitting there and guessing them like I was doing. We can go and buy them from spammers or legitimate sites as sales leads, and we would get a list of 100 emails for $20, and then we can start going through those. Or we might go to Google and start searching for things like I said before. For example, you could use Google to search for Star@deontraining.com to see if we have an @deontraining.com email address listed on any website, social media platform, or other place. Or you can actually test these emails by checking if they're going to bounce back by going through them and using an email dossier. As I do pen tests, I love to use the central ops network. I can put in an email address here and it will actually test that email and tell me if it's valid before I ever send an email to that server. This allows me to plan my attacks during the reconnaissance and weaponization phases before moving on to delivery. Now, once the attacker has this list created, they can start using it in social engineering attempts, and there are lots of different ways you can do this as well. For example, I might take some of those email addresses and use them to find you on social media. Now that I have you on social media, I can build up a friendship and trust and then conduct additional social engineering attempts against you there. By using this information that I've gathered from this email harvesting, it gives me a foothold and access into your organisation to be able to start finding out more details about you, about the people you employ, and what weaknesses you may have. Another option is to start collecting information from social media sites and using OSINT software to collect it all for us because this can be very time-consuming. Otherwise, we want to have a way to aggregate and process all that data from all these different sites to create this detailed picture of the user's interests, their habits, their geographic location, and other things like that. And just three of those sites are used by attackers: pipel.com, pq.com, and Echoesect net.All of these are open source intelligence tools that do the aggregation for you so that you can find out about and build profiles on those users for a specific company. Now, the last one I want to talk about is The Harvester, and The Harvester is one you'll actually talk about and learn about inside Pentest. Plus, this is a command line tool used by penetration testers to gather subdomain information and email addresses across an organisation as they're trying to do their pen test to gather information for a follow-on social engineering attack. Now, for the exam, everything I covered in this lesson is not really going to be tested. You're not going to get a lot of questions about them. But you should be thinking about this as you rebuild your profiles and your scenarios as part of threat hunting and threat modeling, because these are ways and attack vectors that could be used by an attacker to target your organization.

7. Harvesting Techniques (OBJ 1.1)

Harvesting techniques. The last harvesting techniques I want to talk about are DNS and website harvesting techniques. First, let's start with DNS, and when we do that, we need to talk about who is Now, there is a public listing of all the registered domains and all the registered administrators. This is a place we can go to lookdeontrain.com and find out who owns that domain, what's their address, what's their phone number, and what's their email. We can also get other information about them from this public database. Now. If your DNS service is misconfigured, you can have the possibility of a DNS zone transfer being allowed against your system. Now if you have a DNS service that's misconfigured within your network, a DNS zone transfer could be allowed, and this is another way that DNS information could be harvested from you A DNS zone transfer is a method of replicating DNS database entries across a set of DNS servers, and this is usually used as a legitimate thing, but it can also be used as part of the reconnaissance phase of an attack. Now. There are two ways to do this, and you can see them here on your screen: on the top, you'll see the Windows version, and on the bottom, you'll see the Mac or Linux version. On the top, we're using Windows, and this is going to use the NS lookup command, you're going to enter interactive mode to be able to attempt your zone transfer. You'll then type Set Space type equals any, which says, "Tell me all the records you know on this DNS server," and then you'll type LSD and then the website you want to zone transfer from; if their server is misconfigured, you'll be able to download all of their information from their DNS to your machine." Now if you try this on our server, it's going to ou try thBecause we're not misconfigured. Now, on the bottom, you see that I'm doing this from a Mac The same command is used by Linux and Linux Machine; it is called dig. Now Dig is going to use Dig space AXFR, which is the command for a transfer, a zone transfer, and then we're going to use the nameserver and the target. So I want to go from nameserver deontrain.com to nameserverattacker.com, and if I were vulnerable to this attack, it would copy all of those DNS entries over to my attacker's name server so they could go through it and obtain things like your IP addresses for your servers, subdomains, and other information like that. This is known as "DNS harvesting," and DNS harvesting uses open source intelligence to gather information about a domain, such as your subdomains. the hosting provider. You can now harvest the administrator's contacts and other information by doing web harvesting, and when you do web harvesting, you'll use a website harvesting technique that copies the source code of the website files. so that way you can analyse it later for information and vulnerabilities. You can use a website copier or website ripper, and this will allow you to actually download it to your local machine and take your time offline to go through and look at that application. If you're going to be doing an analysis of an application, like a static analysis, you can actually use it to your benefit to download all that code and then go through it. As you're doing that, you'll find things that might have old or forgotten pages, things that have weak code, and things of that nature that you can collect as part of your reconnaissance efforts as well. Now, again, a quick exam tip for the exam. You do not need to know how to do this zone transfer, but you need to know the concept of a zone transfer. And the idea is that a zone transfer can be used to collect DNS information about your servers and give it to an attacker so they can plan further attacks. But you don't need to actually be able to perform the zone transfer and memorise the NS lookup commands or the Dig commands to perform them.

Network Forensics

1. Network Forensics (Introduction)

In this section of the course, we're going to cover network forensics. Now, our focus in this section is going to continue to be in domain three, but we're going to move into objective three one.We're also going to introduce domain four and focus on objective four Four.Now, objective three states that given a scenario, you have to be able to analyse data as part of a security monitoring activity, and then it goes on to list a whole bunch of different areas. In this particular section, we're going to focus on the network-based data listed in that objective, and we'll turn to this objective several times throughout our time together as we go through the next few sections of the course, as we start reviewing things like endpoints and logs and seams and emails and much more. Now, we're also going to look at objective four, which states that given a scenario, you must be able to utilise basic digital forensic techniques. Again, in this section, we'll concentrate solely on network forensics, such as wireshark and TCP dump. But we will return to Objective 4 again later as we go back in this course and look at other things like endpoints, mobile, cloud, virtualization, and other forensic techniques. Now, as we progress through this section, we'll begin by describing how to use TCP dump and Wireshark to conduct network forensics. Then I'm going to demonstrate how to use both of these tools with hands-on demonstrations. After that, we're going to explore the different tools and techniques used to conduct flow analyses of our networks. Then we'll learn how to conduct IP address and DNS analysis as part of our security monitoring activities. After we do that, we'll conduct URL analysis as part of those monitoring activities too. And then we'll head back into a demonstration, where I'm going to show you how to analyse output from our network security monitoring tools by conducting packet analysis. After all, so many of the attacks facing your system come from over the network, so it's really important to learn how to use these tools to identify these attacks. It's helpful not just for the exam, but also to determine if your own network is coming under attack.

2. Network Forensic Tools (OBJ 3.1)

network forensic tools. Network-related indicators of compromise can be gathered from packet captures, traffic flow, data logs, and alerts. As a cybersecurity analyst, you need to know how to analyse this information in order to identify abnormal activity. Now, network traffic must be captured and its data frames decoded before you can analyse it. To help with this, we use something called a switched port analyzer, or a Span. Now, a span port or a mirror port allows for the copying of ingress or egress communications from one or more switch ports to another. Essentially, it copies everything that comes in or out of a port and places it on a duplicate port so that you can monitor it. This can be done using your switch or router's configuration, as you see here on the screen. Now, for the exam, you do not need to know how to set this up, but in the real world, this is something you're going to have to do, and your network technicians who run your routers and switches can help you do that. Now, once you have a span port configured, you're going to have to enable packet sniffing, and you do this with a packet sniffer. Now, a "packet sniffer" is any piece of hardware or software that records data from frames as they pass over the network media using methods such as a mirrored port, like a span port, or a tap device. Now, these tap devices, what we call network taps," could be something that looks like a hardware device like this. This example is a hardware port. There are now both passive and active versions of these devices that can collect data going over the network from any network cable segment if you use a hardware device or software connecting it through a span port. Now, another thing you have to think about when you start dealing with these network sniffers is where you're going to place them in your network. Generally, you want to make sure your network sniffer is placed inside the firewall or as close to an important server as possible. The reason for this is that you want to be able to identify malicious traffic, specifically traffic that enters your firewall. So if you put the sniffer on the inside of the firewall, the firewall will also block most of the traffic coming in, and then you can just look and sniff at what's left. If you put it outside the firewall, you'll quickly become overwhelmed by the amount of data that's coming at your network. And so it is much better to place it inside the firewall, where a lot of that data has already been blocked by the firewall ACLs. Now, another thing to keep in mind when you're dealing with a sniffer is that you don't have to have just one sniffer. You can put multiple sniffers on your network at different positions. For instance, you may have one that's right behind your firewall or your router that is going to collect the bulk of the information for the network. But if you have a single device that you're really worried about, you can put a sniffer right in front of that device. For instance, maybe your database server. And that would give you additional monitoring that has much less data because you're looking at just what's going to and from that database server. And so it will be a smaller sniffer, allowing you to look at it much more closely. Again, the exact deployment is going to be up to you as a cyber security analyst to decide. But you do want to be able to figure out where it's going to do you the most good based on what you care about. And this goes back to your threat modelling that we talked about in the last section. Now, there are two tools that we use a lot inside of network analysis. These are TCP.DUMP and wireshark. Now, both of these can perform an asniffer function to perform live packet capturing. When discussing TCP Dump, you can also use them later to analyse the PCAP data that you've been saving from all of that packet capture. This is a data network packet analysing computer programme that runs under a command-line interface and allows the user to display TCP, IP, and other packets being transmitted or received over the network to which the computer is attached. You can then dump all that information into a file called a PCAP file or packet capture file for later analysis. Another tool we use a lot is Wireshark. And Wireshark is a free and open source GUI-based packet analyzer that is used for network troubleshooting analysis, software and communication protocol development, and further education. Now, in the next two lessons, I'll take you into my lab environment and show you how to use TCP Dump and Wire to perform your job functions as a Cyber Security Analyst. So let's go ahead and get started.

3. tcpdump (OBJ 4.4)

TCP dump. In this lesson, I'm going to show you a little bit about how to use TCP dump. Now, by the end of the lesson, you're not going to be an expert in it, but that's OK, because for the exam you don't need to know how to actually use TCP dump. But you should be familiar with the fact that TCP Dump and Wireshark are often used together as a way to capture packets and then analyse packets. TCP dump, unlike wireshark, is a text-based programme that you use from the command line. Now, what I'm going to do here is first I'm going to start using TCP Dump inside my Mac OS X environment. It is pre-installed on both Mac and Linux systems. If you're going to use TCP dump, you need to know what interface you're connected to the network on. In my case, it's zero. So to use it, I'm going to do sudo because you must be running this with administrative permissions to be able to turn your card into promiscuous mode and then TCP dump I and then your interface enzero. If you're on a Mac or a Linux machine, it should be ETH zero. So I'll go ahead and hit ENTER and type in Enzero and hit Enter.Now at this point I'm putting my card into promiscuous mode, and I'm starting to look at everything that's going across the network. And here you see information going across the screen, showing me all sorts of different connections that are happening on this network, both from my computer and other computers on the network. This isn't nearly as useful as being able to look at things slowly or by filtering them, but that's okay because we can do that as well with TCP dump. Instead of displaying it to the screen, I'm going to go ahead and hit Control C, and that's going to pause that and cancel my collection. And now I can see a couple of things here. If we start at the top, you'll see that my IP address is 10:128, 1130. The first line there is actually going from my computer over port 57963 to that particular website that you see, which is one e-100 dot net. It's doing this over https, which is port 4, 4, 3, There was no flag in that packet. There was an acknowledgement that was received. You can see the windowing, the options and the value. That is one packet with one timestamp; then you go to the next one; there's another one, and the next one; there's another one, and there's lots of information here. Now, let's say instead of looking at data from all different things on the network, I only want to see things that came from my computer. Could I do that? Well, certainly. What I can do is clear my screen, and then I will use sudo, TCP dump, and I will type insource, which is the IP I want to collect from. And in my case, it's going to be 10, 128, dot, one, dot, 130, and then I will hit Enter. Now all you're going to see here is traffic going from the 130, my host, to somewhere else on the network. And right now there's not much going on because I'm sitting here talking to you and not browsing the Internet. But if I was browsing the internet and making other connections, those would all be showing up here. What you're seeing here is a lot of different beaconing and keep-alive traffic for different programmes I have on my computer. And that's what we're seeing here. Now the next thing we want to do is go ahead and hit Control C. And this is also helpful, but again, it's not extremely helpful because if I had this running on a large enterprise network, there would be so much data whizzing by my screen, I wouldn't be able to read it all. So we would want to write that to a file. How do we do that? Well, again, I'm going to clear my screen so I can go to the top, and I'll bring up the last command I did. If we want to do this and write it to his file, we can just type in "W" and the file name that we want. And so in my case, I'm going to call it Host 130 PCAP and then hit Enter. Now that information is going to go into a file that's going to be captured on my hard drive, and as it's sitting there listening, it's taking up any traffic that's going from that source. Ten, 128, 1130, and it's writing it to the file host 130 PCAP. Now once we have enough of that, we can hit Control C. In this case, we captured 161 packets of information. Again, it's very little information right now because it's basically background tasks on this computer because I'm not actively running things because I'm not sitting there browsing the Internet. Now if I want to be able to see that information, I can do that by doing sudo, TCP, dump, and then R, and then the file that I did, host 130 PCAP. When I hit Enter, I'm going to see all 161 packets from that file and display them on the screen. Here's the first bunch, and it's going to keep reading them and displaying them on the screen. Now again, that's a lot of information, and I only did that for about five or 10 seconds. If I had this running all day, that'd be way too much information to go through. So instead, we would want to start filtering that information, and we can do that based on a lot of different things. For instance, if I look at this particular packet right here, you can see that it is going from the host at 130 over port 5475, and it's going out to the broadcast of the network at 255 255 over port 5474. If I just want to see every time that there is a beacon that is going out like that, I can do that. And so what I'll do is hit a home run. I would type in pseudo-TCP dump, source SRC, and then port the port I want to see. In this case, that was 5475. And then again, I need to read it from the file. Dash R thus has 130 PCAP. If I don't put the RHOS 130 PCAP, what it's going to do is look at the live traffic, and any time it sees a source port of 5475, it will display it on the screen. But in this case, I want to go through and analyse what I already captured. So as I did that, you can see here a handful of times that that happened. Now, if this was malware, it was beaconing out. I can see exactly when that happened. In this case, this particular package is being sent out every second. Now this is just the header we're seeing. And we can see this is a UDP packet that's being sent out with a length of five. Well, what if you want to look inside this packet and see what was actually sent? Can you do that? Well, sure you can. We can do the exact same thing we just did and then add the command X, which will show the packet's contents in both Hex and ASCII. So let me go ahead and clear my screen, and then go here and addx. Now I see all those packets again, done by time.And here I see the IP address, where it's going, and UDP length five. Then you're seeing those five bytes of data. Notice that we see it in hexadecimal first, and then we see it in ASCII on the righthand side. This will allow us to go through and see what was being sent. This can be extremely helpful if somebody's using something like FTP or HTTP where things are being sent in the clear. Now, as I said, what I did here was just a very, very quick demonstration to show you some of the capabilities of this tool. If you want to learn more, I recommend you go into the man pages for TCP dump and just type in Man TCP dump and hit Enter. This will bring up the manual, and you can see all of the different options and all of the different ways you can filter down content. Remember, you can filter during collection, or you can filter after you've collected. When you're reading things, why would you want to do one over the other? Well, again, let's say I was running a big, large enterprise network at one of the organisations I work for. We ran a network with tens of thousands of computers. And so if I said, "Show me everything that's coming from this particular IP address or this particular port or is beaconing out to a known bad actor command and control server," that could be a tonne of information. So we would want to just filter down on the collection because we're only interested in what we're looking for instead of every single packet sent across the network internally or out to the Internet. As a result, it's critical that you consider what you're attempting to collect and filter it down on the collection to reduce its size. On the other hand, if you're not sure what you're trying to collect yet and you're still trying to identify the indicators of compromise, you may collect everything, which can take up tonnes of space, and then filter it down as you start reading through and going through those logs.

ExamCollection provides the complete prep materials in vce files format which include CompTIA CySA+ certification exam dumps, practice test questions and answers, video training course and study guide which help the exam candidates to pass the exams quickly. Fast updates to CompTIA CySA+ certification exam dumps, practice test questions and accurate answers vce verified by industry experts are taken from the latest pool of questions.