The Cyber Kill Chain is an attack framework model that defines and describes the seven stages of a cyberattack. The stages of cyberattack include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The stages of this framework help analysts better understand the potential strategies, techniques, and procedures that cyberattackers use. The framework is presented from the perspective of actions an attacker would take and then used by analysts for review and understanding. It draws inspiration from the kill chain military tactic, which has five stages – intelligence gathering, planning and weaponization, execution, establishment of control, and mission objectives.

Figure 2.1 shows the seven stages of the model.

Figure 2.1: The Cyber Kill Chain

The following list describes each stage of the Cyber Kill Chain:

1. Reconnaissance stage: The attacker collects information...

The Diamond Model of Intrusion Analysis is a framework used to analyze cyberattacks by establishing relationships between key components of an intrusion. It is widely applied in threat intelligence, incident response, and intrusion analysis to provide a structured way of understanding adversary behaviors and attack patterns. The model’s purpose is to help analysts detect trends, uncover links between different attacks, and predict future threats. By mapping out the interactions between an adversary, their methods, and the victim, the Diamond Model provides a comprehensive view of an attack, making it an essential tool to defend against APTs.

As seen in Figure 2.2, the main structure is formed as a diamond, with four core features – adversary, infrastructure, capabilities, and victim.

Figure 2.2: A diamond event

This model helps in identifying patterns, trends, and correlations across cyberattacks. When...

MITRE ATT&CK is a very well-recognized, freely available framework created by the non-profit MITRE Corporation. It defines a standardized way to use real-world observations for cyber threat analysis. It is organized into matrices and further refined to specific technologies, such as Windows, Linux, and iOS. The main matrices are enterprise, mobile, and industrial control systems (ICSs). There is also a new draft matrix specific to AI technologies called ATLAS.

The main components defined within the model are tactics, techniques, and sub-techniques. These are organized into a hierarchical structure, with tactics at the top and sub-techniques at the bottom. Tactics are the primary objectives of an attacker and are organized at the highest level of the model. Tactics include reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, C2, exfiltration...

For this exercise, you will utilize the MITRE ATT&CK framework to analyze a recent breach. You can select any recent breach you have seen in the news or one that you are aware of from an organization you are currently working with or have worked at. If you need an example, you can use the 2023 MGM breach, as you can find a lot of information and data on the internet about the breach.

Research into breach is part of this exercise, by gathering threat intelligence. You want to learn about key elements of the breach, such as the initial access vector, lateral movement and/or persistence mechanisms, and data exfiltration vectors:

1. List all you know about the compromise or exploit. Be sure to include details about what occurred, how it occurred (including the tools used), and the threat actor. Collect as many details as you can find.
2. Match your list of details to the headings within the ATT&CK Enterprise matrix. You may find...

The Unified Kill Chain is not a CySA+ exam objective, so feel free to skip this section. It is being shared as it is an additional valuable model for cybersecurity analysts’ usage. Overall, it combines elements and setups from various other models, such as the Cyber Kill Chain and MITRE ATT&CK models. This serves to create a more comprehensive model of the entire cyber threat life cycle.

It has three main cycles that feed into each other. These cycles are in, through, and out. The “in” cycle is the initial access stage of the attack, which includes these steps – reconnaissance, resource development, delivery, social engineering, exploitation, persistence, defense evasion, and C2. Next is the “through” cycle, where attackers begin to move past the initial target, which includes these steps – pivoting, discovery, privilege escalation, execution, credential access, and lateral movement. The model ends with the...

As a security analyst, you will spend some of your time testing and verifying a system’s current security. This is a proactive step as part of a comprehensive security approach. The OSS TMM is a well-known and extensive standard for carrying out security testing and analysis. It offers a methodical and standardized way to assess how secure networks and information systems are. The Institute for Security and Open Methodologies (ISECOM) is responsible for the development and upkeep of the OSS TMM.

The OSS TMM offers thorough testing procedures, ideas, and methods to evaluate security. It has five main security testing focus areas:

• Human security testing: This focuses on assessing the vulnerabilities related to human behavior and interactions. This area examines how human factors such as social engineering, training, and awareness impact overall security. Here are some examples:
  • Phishing simulations: Conducting simulated phishing attacks to test employee awareness...

The Open Web Application Security Project (OWASP) is a community-driven security organization. OWASP is a leading authority in security, with a particular focus on web application security. It produces many forms of content to assist the overall community in learning, awareness, and enhancing security. Some examples of its content include Metasploitable, Web Goat, Juice Shop, Top Ten, and SamuraiWTF.

The OWASP Testing Guide is a specific CySA+ exam objective, which provides testing guidance specific to web applications. The guide, much like most of the OWASP content, is driven by community involvement, allowing it to be up to date and comprehensive with regular updates. It encourages testing at every phase of the software development life cycle (SDLC), with a philosophy of testing early and often where possible through automation. It includes testing for people, processes, and technologies, much like the OSS TMM.

The testing is done through four main techniques...

The objective of this exercise is to introduce you to the OWASP Testing Guide and provide a basic overview of web application security testing.

You will need access to the OWASP Testing Guide, a web browser, and a sample web application (a simple web page is sufficient). In this case, it is suggested that you use the OWASP WebGoat project. Never conduct testing against an entity without written permission. If you have written permission from the owner of other websites or web applications, feel free to use those instead if you wish.

These are the prerequisites for this activity:

• Installation of GitHub Desktop (or an alternative) to gather components
• Installation of Java JDK or JRE (JDK is recommended)

Task 1: GitHub Desktop Installation

The following steps will help you load and work with GitHub repos on a Windows machine:

1. Navigate to https://desktop.github.com/download/.
2. As shown in Figure 2.9, click...

This section does not map directly to any CySA+ exam objectives. You can feel free to skip it in your preparation. It is included to give you some pertinent information on the near-future state of related concepts to this section. Here, you will learn some about MITRE ATLAS and OWASP AI Security and Privacy Guide.

Artificial intelligence (AI) is the latest disruptor in the cybersecurity space. Two of the organizations discussed in this chapter, MITRE and OWASP, have been working hard to keep up with the pace of innovation around AI. New threats and methods continue to be shaped by AI, and old threats have started to evolve as well. Deepfake technology (using AI to create realistic but fake audio or video content, leading to misinformation and fraud) is an example of a new threat. AI-enhanced malware, which uses AI to adapt and evade detection by learning from its environment and altering its behavior, is an example of a threat that has evolved with AI.

MITRE Adversarial...

In this chapter, you learned about various frameworks and methodologies that cybersecurity analysts use to understand and address cyberattacks. The Cyber Kill Chain applies the kill chain military principles to cybersecurity attacks across seven stages. The Diamond Model of Intrusion Analysis helps you understand individual security events across four components – adversary, infrastructure, capability, and victim. These events are then mapped back to the seven stages of the Cyber Kill Chain. The MITRE ATT&CK framework delves deeper into the understanding and attribution of specific TTPs. These attack frameworks aid an analyst in many ways, including understanding threats and threat actor actions. This understanding can translate into many benefits for an organization, including attack surface management, threat intelligence usage and creation, and creating informed strategies for proactive defenses.

As controls are put in place, informed by these frameworks, they...

Cyber Kill Chain: Be sure to understand the flow and names of all seven stages. Be aware of a few example items that would be found in each stage, as well as use cases for this framework.

Diamond Model of Intrusion Analysis: List and understand the elements of the diamond, core, and meta-features. Ensure that you can map these elements based on threat intelligence. Be aware of the use case application of this framework, including mapping events to the Cyber Kill Chain such as activity threads.

MITRE ATT&CK: Understand the structure of the MITRE ATT&CK Enterprise matrix. Know how to map an attack to the matrix and gain advice on additional factors related to an attack. Understand the main elements of tactics, techniques, and sub-techniques.

OSS TMM: Understand the main use case of this guide – to test open-source technology. Be able to list the seven testing phases. Remember the main elements of testing – the human element, the process...

Apart from mastering key concepts, strong test-taking skills under time pressure are essential for acing your certification exam. That’s why developing these abilities early in your learning journey is critical.

Exam readiness drills, using the free online practice resources provided with this book, help you progressively improve your time management and test-taking skills while reinforcing the key concepts you’ve learned.

HOW TO GET STARTED

• Open the link or scan the QR code at the bottom of this page
• If you have unlocked the practice resources already, log in to your registered account. If you haven’t, follow the instructions in Chapter 16 and come back to this page.
• Once you log in, click the START button to start a quiz
• We recommend attempting a quiz multiple times till you’re able to answer most of the questions correctly and well within the time limit.
• You can use the...