CompTIA Cybersecurity Analyst (CySA+) Fundamentals — Quiz 1 — Study Guide

CompTIA CySA+ Fundamentals — Threat Intelligence Study Guide

Cybersecurity is no longer just about building walls — it's about understanding *who* is trying to break them down, *how* they operate, and *why*. Threat intelligence transforms raw data into actionable knowledge, helping security teams stay one step ahead of attackers. This guide covers the foundational concepts you need to ace Quiz 1 and, more importantly, to think like a cybersecurity analyst.


What Is Threat Intelligence?

Threat intelligence is the process of collecting, analyzing, and applying information about current and potential attacks. The primary goal is to enable informed, proactive security decisions — not just reacting to breaches, but anticipating them.

Think of it like weather forecasting: raw sensor data becomes a forecast that helps you decide whether to carry an umbrella. Similarly, raw logs and reports become intelligence that helps defenders prioritize risks.

Types of Threat Intelligence

Type        | Audience                  | Example
------------|---------------------------|---------------------------------------------------
Strategic   | Executives, board members | Nation-state actors targeting the financial sector
Operational | Security managers         | Campaign details of a phishing group
Tactical    | SOC analysts              | Malware TTPs (Tactics, Techniques, Procedures)
Technical   | Incident responders       | Specific IP addresses, file hashes

Strategic threat intelligence focuses on high-level trends and business risk — it answers "Should we invest more in endpoint security?" rather than "Block this IP."


Key Terminology

Threat Actor

A threat actor is any individual or group that poses a threat to an organization's security. Categories include:

  • Script kiddies — Low-skill attackers using pre-built tools
  • Hacktivists — Politically motivated groups (e.g., Anonymous)
  • Cybercriminals — Financially motivated
  • APT (Advanced Persistent Threat) — Sophisticated, often nation-state-sponsored groups that maintain long-term, stealthy access to target networks

    APT example: APT29 (Cozy Bear), linked to Russian intelligence, is known for slow, methodical intrusions into government and defense targets.

IOC — Indicator of Compromise

IOC stands for Indicator of Compromise. These are forensic artifacts that suggest a system has been breached or attacked.

Common IOC examples:

  • Suspicious IP addresses or domains
  • Unusual file hashes (MD5, SHA-256)
  • Registry key changes
  • Abnormal outbound traffic patterns

IOC example:
    File Hash: d41d8cd98f00b204e9800998ecf8427e
    Domain:    malicious-update.ru
    IP:        192.168.1.105 → 45.33.32.156 (known C2 server)

Vulnerability vs. Threat

  • A vulnerability is a weakness in a system (e.g., unpatched software).
  • A threat is the potential for harm — an actor or event that could exploit a vulnerability.
  • Risk = Threat × Vulnerability × Impact

Threat Intelligence Sources

OSINT (Open Source Intelligence)

OSINT refers to intelligence gathered from publicly available sources:

  • News articles and security blogs
  • Social media
  • Government advisories (CISA, US-CERT)
  • Shodan, VirusTotal, Pastebin

Other Sources

  • Commercial feeds — Paid threat intel subscriptions
  • ISACs — Information Sharing and Analysis Centers (sector-specific)
  • Dark web monitoring
  • Internal telemetry — Your own SIEM logs and endpoint data

Sharing Threat Intelligence

Why Share?

Sharing threat intelligence benefits the entire security community by:

  • Identifying widespread campaigns faster
  • Reducing duplicate investigative effort
  • Strengthening collective defenses

STIX and TAXII

Two key standards power automated threat sharing:

Standard                                                    | Purpose
------------------------------------------------------------|----------------------------------------------------------------------------------
STIX (Structured Threat Information eXpression)             | A *language* for describing threat data in a structured, machine-readable format
TAXII (Trusted Automated eXchange of Indicator Information) | A *transport protocol* for sharing STIX data between organizations

Analogy: STIX is the language (like JSON), TAXII is the postal service that delivers it.
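To tie the IOC section and the STIX description together, here is an added example (not from the guide, OASIS, or any STIX library) that hand-builds STIX 2.1 Indicator objects for the guide's hash and domain values plus a constructed TEST-NET-3 IP, then matches the patterns against constructed log lines the way a SIEM would consume a TAXII feed. Object IDs and timestamps are placeholders.

```python
import re
# Constructed example, not from the CySA+ guide, OASIS or any STIX library:
# hand-built STIX 2.1 Indicator objects matched against sample log lines.
# Hash and domain are the guide's own IOC example values; the IP is a
# TEST-NET-3 placeholder. Note that d41d8cd9... is the MD5 of an empty
# file, a classic low-quality IOC that would fire on every zero-byte file.
IOCS = {
    "file:hashes.MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "domain-name:value": "malicious-update.ru",
    "ipv4-addr:value": "203.0.113.45",
}

def make_indicator(obj_path, value, n):
    """Minimal STIX 2.1 Indicator; the id suffix is a placeholder, not a real UUID."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-01-01T00:00:00.000Z",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[{obj_path} = '{value}']",  # STIX patterning language
        "valid_from": "2024-01-01T00:00:00Z",
    }

def build_bundle():
    """One Indicator per IOC wrapped in a STIX Bundle, as a TAXII server would serve it."""
    objs = [make_indicator(p, v, i + 1) for i, (p, v) in enumerate(IOCS.items())]
    return {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
            "objects": objs}

PATTERN_RE = re.compile(r"^\[([\w:.-]+) = '([^']*)'\]$")
def parse_pattern(pattern):
    """Extract (object path, literal) from a single-comparison STIX pattern."""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    return m.group(1), m.group(2)

def match_logs(bundle, log_lines):
    """Sorted (line_no, indicator_id) pairs for every log line containing an IOC value."""
    return sorted((n, ind["id"]) for ind in bundle["objects"]
                  for n, line in enumerate(log_lines, 1)
                  if parse_pattern(ind["pattern"])[1] in line)

SAMPLE_LOGS = [  # constructed log lines
    "2024-01-02T10:00:01Z dns client=10.0.0.7 query=malicious-update.ru",
    "2024-01-02T10:00:03Z fw allow 10.0.0.7 -> 203.0.113.45:443",
    "2024-01-02T10:00:05Z edr md5=d41d8cd98f00b204e9800998ecf8427e path=C:\\tmp\\u.exe",
    "2024-01-02T10:01:00Z dns client=10.0.0.8 query=updates.example.com",
]
```

Running `match_logs(build_bundle(), SAMPLE_LOGS)` flags the first three lines and leaves the benign DNS query alone; a real deployment would replace the substring check with a proper STIX pattern evaluator.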

CTA — Cyber Threat Alliance

The CTA (Cyber Threat Alliance) is a nonprofit organization where member cybersecurity companies share threat intelligence to improve collective defenses. Members include Palo Alto Networks, Fortinet, and others.


Frameworks and Models

MITRE ATT&CK

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It organizes attacker behavior into:

  • Tactics — The *why* (e.g., Initial Access, Persistence, Exfiltration)
  • Techniques — The *how* (e.g., Spearphishing, Registry Run Keys)

Analysts use ATT&CK to map detected behaviors to known threat actors and identify coverage gaps.
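An added example of the coverage-gap analysis described above (not from the guide or MITRE): the technique and tactic IDs are real ATT&CK identifiers, but the actor profile and the detection rules are constructed for illustration and are not APT29's actual techniques or any vendor's rule catalogue.

```python
# Constructed example, not from the guide or MITRE: technique and tactic IDs are
# real ATT&CK identifiers, but the actor profile and rule set are illustrative
# (they are not APT29's actual techniques or any vendor's rule catalogue).
TECHNIQUES = {  # technique id -> (name, tactic id)
    "T1566.001": ("Spearphishing Attachment", "TA0001"),
    "T1059.001": ("PowerShell", "TA0002"),
    "T1547.001": ("Registry Run Keys / Startup Folder", "TA0003"),
    "T1071.001": ("Web Protocols", "TA0011"),
    "T1041": ("Exfiltration Over C2 Channel", "TA0010"),
}
TACTICS = {"TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
           "TA0011": "Command and Control", "TA0010": "Exfiltration"}

# Techniques observed for a hypothetical actor, as an intel report might list them.
ACTOR_PROFILE = {"T1566.001", "T1059.001", "T1547.001", "T1071.001", "T1041"}

# Hypothetical detection rules, each tagged with the techniques it covers.
DETECTION_RULES = {
    "mail_macro_attachment": {"T1566.001"},
    "run_key_modified": {"T1547.001"},
    "encoded_powershell": {"T1059.001"},
}

def covered_techniques(rules):
    """Union of every technique some rule claims to detect."""
    return set().union(*rules.values()) if rules else set()

def coverage_gaps(actor, rules):
    """Actor techniques no rule detects, grouped by tactic name: where to hunt next."""
    gaps = {}
    for tid in sorted(actor - covered_techniques(rules)):
        name, tactic = TECHNIQUES[tid]
        gaps.setdefault(TACTICS[tactic], []).append((tid, name))
    return gaps

def coverage_ratio(actor, rules):
    """Fraction of the actor's techniques with at least one detection."""
    return len(actor & covered_techniques(rules)) / len(actor) if actor else 0.0
```

With the sample data, coverage is 3 of 5 techniques and both gaps sit in the Command and Control and Exfiltration tactics, which tells the analyst where to add detections or hunt first.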

Cyber Kill Chain

The Kill Chain (developed by Lockheed Martin) describes the stages of a cyberattack:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command & Control (C2)
  • Actions on Objectives

Defenders use this model to identify *where* to interrupt an attack.

Diamond Model

The Diamond Model analyzes intrusions using four core features connected at the points of a diamond:

           Adversary
          /         \
  Infrastructure — Capability
          \         /
            Victim

It helps analysts understand relationships between attacker infrastructure, capabilities, and targeted victims — useful for attribution and threat modeling.

Threat Modeling

Threat modeling is a structured process for identifying potential threats to a system *before* they occur. Common approaches include STRIDE and PASTA. It answers: *"What could go wrong, and how bad would it be?"*


False Positives and False Negatives

These concepts are critical for analysts evaluating detection tools:

Term           | Definition                              | Risk
---------------|-----------------------------------------|-----------------------------------
False Positive | Alert fires, but no real threat exists  | Analyst fatigue, wasted resources
False Negative | Real threat exists, but no alert fires  | Missed attack — most dangerous

Tuning detection rules is a constant balancing act between these two errors.
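An added example of the balancing act just described (not from the guide or any real SIEM): constructed triage outcomes for a scoring rule, with helpers that count false positives and false negatives at each candidate alert threshold and pick the most sensitive threshold an analyst team's false-positive budget allows.

```python
# Constructed triage data (not from the guide or a real SIEM): each tuple is
# (score assigned by a detection rule, whether triage confirmed a real threat).
EVENTS = [
    (95, True), (88, True), (72, True), (64, True), (41, True),
    (90, False), (70, False), (55, False), (30, False), (12, False),
]

def confusion(events, threshold):
    """Count outcomes when the rule alerts on score >= threshold."""
    c = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for score, malicious in events:
        alerted = score >= threshold
        if alerted and malicious:
            c["tp"] += 1
        elif alerted:
            c["fp"] += 1  # alert fired, no real threat: analyst fatigue
        elif malicious:
            c["fn"] += 1  # real threat, no alert: missed attack
        else:
            c["tn"] += 1
    return c

def rates(c):
    """Precision (how many alerts were real) and recall (how many threats were caught)."""
    precision = c["tp"] / (c["tp"] + c["fp"]) if c["tp"] + c["fp"] else 0.0
    recall = c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0
    return precision, recall

def sweep(events, thresholds):
    """Tabulate (threshold, false positives, false negatives) to see the trade-off."""
    return [(t, confusion(events, t)["fp"], confusion(events, t)["fn"]) for t in thresholds]

def pick_threshold(events, max_fp, thresholds):
    """Lowest (most sensitive) threshold whose false positives fit the analyst budget.
    Sensitivity is preferred because a false negative is the costlier error."""
    for t in sorted(thresholds):
        if confusion(events, t)["fp"] <= max_fp:
            return t
    return None
```

`sweep(EVENTS, [10, 40, 60, 80])` shows false positives falling from 5 to 1 as the threshold rises while false negatives climb from 0 to 3; lowering one error always raises the other on this data.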


Threat Hunting and Incident Response

  • Threat hunting is the *proactive* search for hidden threats that have evaded automated detection. Hunters form hypotheses and dig through data to find stealthy attackers.
  • Incident response (IR) is the *reactive* process of identifying, containing, eradicating, and recovering from a confirmed security incident.

Challenges in Threat Intelligence

  • Data overload — Too many feeds, too little context
  • False positives — Alert fatigue reduces analyst effectiveness
  • Attribution difficulty — Actors use proxies and false flags
  • Timeliness — Stale intelligence has little value
  • Sharing reluctance — Organizations fear reputational damage

Key Takeaways

  • Threat intelligence transforms raw data into actionable insights; its primary goal is enabling proactive, informed security decisions.
  • IOCs are forensic artifacts (hashes, IPs, domains) that indicate compromise; APTs are sophisticated, persistent threat actors often linked to nation-states.
  • STIX defines the *format* for threat data; TAXII defines the *transport* — together they enable automated intelligence sharing, supported by organizations like the CTA.
  • Frameworks like MITRE ATT&CK, the Kill Chain, and the Diamond Model give analysts structured ways to understand, categorize, and respond to attacker behavior.
  • Balancing false positives and false negatives is a core analyst skill — missing a real attack (false negative) is typically the more dangerous outcome.