CompTIA Cybersecurity Analyst (CySA+)

CompTIA Cybersecurity Analyst (CySA+) Intermediate — Quiz 2 — Study Guide

CySA+ Intermediate Quiz 2: Threat Detection, Incident Response & Forensics

Understanding how to detect, respond to, and recover from cyber incidents is the backbone of any security analyst's job. Whether you're triaging a phishing email or preserving forensic evidence, these skills separate reactive defenders from proactive ones. This lesson covers everything from SIEM data sources and incident response phases to malware analysis and threat intelligence frameworks — exactly what you'll need to ace Quiz 2.


SIEM and Data Sources

A Security Information and Event Management (SIEM) system aggregates and correlates log data from across your environment to detect threats in real time.

Common SIEM Data Sources

Data Source          | What It Provides
Firewall logs        | Allowed/denied traffic, IP connections
IDS/IPS alerts       | Signature-based threat detections
Endpoint/host logs   | Process execution, login events
DNS logs             | Domain lookups, potential C2 traffic
Email gateway logs   | Phishing attempts, spam filtering
Authentication logs  | Failed logins, privilege escalation

Correlation is the SIEM's superpower — it links events across sources to identify patterns a single log would miss. For example, a failed login followed by a successful one from a foreign IP, combined with a large file transfer, might indicate a breach.

Analogy: A SIEM is like a security camera control room — individual cameras (data sources) are useful, but the operator watching all feeds simultaneously (correlation) spots the threat.
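As an added illustration of the correlation scenario above (this code is not part of the original study guide), the following Python rule links the three events across the authentication and firewall logs. The sample events, field names, internal address ranges and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events from two SIEM sources (assumed field names).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:05", "source": "auth", "user": "jdoe", "src_ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-01T08:01:40", "source": "auth", "user": "jdoe", "src_ip": "203.0.113.7", "outcome": "success"},
    {"ts": "2024-03-01T08:05:00", "source": "firewall", "user": "jdoe", "src_ip": "203.0.113.7", "bytes_out": 850_000_000},
    {"ts": "2024-03-01T09:00:00", "source": "auth", "user": "asmith", "src_ip": "10.0.0.20", "outcome": "failure"},
    {"ts": "2024-03-01T09:00:30", "source": "auth", "user": "asmith", "src_ip": "10.0.0.20", "outcome": "success"},
    {"ts": "2024-03-01T09:10:00", "source": "firewall", "user": "asmith", "src_ip": "10.0.0.20", "bytes_out": 900_000_000},
]

INTERNAL_PREFIXES = ("10.", "192.168.")   # assumption: the organization's internal ranges

def is_external(ip):
    """A login counts as 'foreign' here when it comes from outside the internal ranges."""
    return not ip.startswith(INTERNAL_PREFIXES)

def correlate(events, window=timedelta(minutes=30), min_bytes=500_000_000):
    """Alert when, for one user: failed login -> successful login from an external IP ->
    large egress, all within `window`. Each condition alone is noise; the chain is the signal."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):       # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for i, login in enumerate(evs):
            if login["source"] != "auth" or login["outcome"] != "success" or not is_external(login["src_ip"]):
                continue
            t_login = datetime.fromisoformat(login["ts"])
            prior_failure = any(
                p["source"] == "auth" and p["outcome"] == "failure"
                and t_login - datetime.fromisoformat(p["ts"]) <= window
                for p in evs[:i])
            big_egress = any(
                f["source"] == "firewall" and f.get("bytes_out", 0) >= min_bytes
                and datetime.fromisoformat(f["ts"]) - t_login <= window
                for f in evs[i + 1:])
            if prior_failure and big_egress:
                alerts.append({"user": user, "src_ip": login["src_ip"], "login_ts": login["ts"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print("ALERT possible account compromise followed by exfiltration:", a)
```

The asmith events match the failure/success/large-transfer pattern but come from an internal address, so the rule stays quiet; only the jdoe chain from 203.0.113.7 fires.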


Incident Response Lifecycle

The incident response (IR) process follows a structured lifecycle. Knowing the order of phases is critical for the quiz.

The Six Phases (PICERL)

  • Preparation — The FIRST step. Train staff, build playbooks, configure tools, run tabletop exercises.
  • Identification — Detect and confirm an incident using log analysis, SIEM alerts, or user reports.
  • Containment — *Stop the bleeding.* Isolate affected systems to prevent further spread without destroying evidence.
  • Eradication — Remove the root cause: delete malware, patch vulnerabilities, close backdoors.
  • Recovery — Restore systems to normal operation and monitor closely.
  • Lessons Learned — Post-incident review to improve future response. Document what worked and what didn't.

Key exam tip: The primary goal of Containment is to limit damage and prevent spread — NOT to fix the problem (that's Eradication).

Lessons Learned

The lessons learned meeting serves to:

  • Identify gaps in detection and response
  • Update runbooks and playbooks
  • Improve training and tool configurations
  • Fulfill compliance documentation requirements

Phishing and Email Security

Phishing remains the #1 initial attack vector. When a user reports a suspicious email:

Best initial action: Do NOT click the link. Isolate the email, report it to the security team, and analyze the headers and link in a sandbox environment.

Email Security Controls

  • SPF — Verifies the sending mail server is authorized
  • DKIM — Digitally signs emails to confirm integrity
  • DMARC — Policy enforcement combining SPF and DKIM
  • Sandboxing — Detonates suspicious attachments/links in an isolated VM to observe behavior safely

Malware Analysis and Sandboxing

A sandbox is an isolated environment where you can safely execute and observe malware behavior without risking production systems.

Types of Malware Analysis

Type                | Description
Static Analysis     | Examine code/file without executing it (strings, hashes, PE headers)
Dynamic Analysis    | Execute in a sandbox and observe behavior (network calls, registry changes)
Behavioral Analysis | Monitor system changes caused by the malware

A rootkit is particularly dangerous malware that hides itself at the OS or kernel level, making it difficult to detect with standard tools. Host-based intrusion detection systems (HIDS) monitor individual endpoints for signs of rootkits and other malicious activity.


Threat Intelligence: TTPs, APTs, and Threat Actors

Threat intelligence is actionable information about adversaries that helps you anticipate and defend against attacks.

Key Concepts

  • TTPs (Tactics, Techniques, and Procedures) — The *how* of an attacker's behavior. More valuable than IOCs because TTPs don't change as easily as IP addresses.
  • APT (Advanced Persistent Threat) — A sophisticated, often nation-state-sponsored threat actor focused on long-term, stealthy access.
  • Threat Actors — Categories include nation-states, cybercriminals, hacktivists, and insider threats.

Attack Frameworks

Framework        | Purpose
MITRE ATT&CK     | Catalogs real-world TTPs used by threat actors
Cyber Kill Chain | 7-stage model of an attack from recon to exfiltration
Diamond Model    | Analyzes relationships between adversary, capability, infrastructure, and victim

The Kill Chain stages: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives.


Forensics, Evidence, and Chain of Custody

Digital forensics involves collecting and preserving evidence in a legally defensible way.

Volatile vs. Non-Volatile Data

Volatile data is lost when a system is powered off — always collect it FIRST:

  • RAM contents
  • Running processes
  • Active network connections
  • Logged-in users

Chain of Custody

Chain of custody is the documented record of who collected, handled, and transferred evidence. Breaking the chain can make evidence inadmissible in court.

Evidence Collected → Logged with hash value (MD5/SHA-256)
→ Transferred to analyst (documented)
→ Stored securely (access logged)
→ Presented in court (fully traceable)
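An added example (not from the guide) of the hash-backed custody record sketched above: each handoff recomputes the evidence hash and is logged against the hash taken at collection, so any alteration shows exactly at which step the chain broke. The evidence bytes, identifiers and handler names are constructed.

```python
import hashlib
from datetime import datetime, timezone

def evidence_hash(data):
    """SHA-256 is preferred over MD5 for integrity, since MD5 collisions are practical."""
    return hashlib.sha256(data).hexdigest()

class ChainOfCustody:
    """Append-only custody log for one evidence item; every entry is verified against the
    hash taken at collection time, so a broken chain is visible and attributable."""

    def __init__(self, evidence_id, data, collected_by, description=""):
        self.evidence_id = evidence_id
        self.collection_hash = evidence_hash(data)
        self.entries = []
        self._log("collected", collected_by, data, description)

    def _log(self, action, handler, data, note=""):
        current = evidence_hash(data)
        entry = {
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "sha256": current,
            "intact": current == self.collection_hash,
            "note": note,
        }
        self.entries.append(entry)
        return entry["intact"]

    def transfer(self, to_handler, data, note=""):
        """Record a handoff; returns False if the bytes no longer match the collection hash."""
        return self._log("transferred", to_handler, data, note)

    def store(self, location, data):
        """Record secure storage; the access itself is logged as an entry."""
        return self._log("stored", location, data)

    def is_unbroken(self):
        return all(e["intact"] for e in self.entries)

    def first_break(self):
        """Index of the first entry whose hash mismatched, or None if the chain is intact."""
        return next((i for i, e in enumerate(self.entries) if not e["intact"]), None)

# Constructed evidence: a memory image captured by the first responder.
SAMPLE_IMAGE = b"constructed memory image bytes for EVD-001"
```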


Vulnerabilities, Exploits, and False Positives

  • Vulnerability — A weakness in a system (e.g., unpatched software)
  • Exploit — Code or technique that takes advantage of a vulnerability
  • False Positive — An alert that flags benign activity as malicious. Too many false positives cause alert fatigue, making real threats easier to miss.

Network segmentation limits the blast radius of an exploit by dividing networks into isolated zones, so a compromised segment can't freely communicate with critical systems.


Preparation: Training and Exercises

The Preparation phase isn't just about tools — it's about people.

  • Tabletop exercises — Discussion-based simulations where teams walk through hypothetical scenarios
  • Red team/blue team exercises — Simulated attacks vs. defenders
  • Security awareness training — Teaches users to recognize phishing and social engineering

Well-prepared teams respond faster, make fewer mistakes, and preserve evidence correctly.


Key Takeaways

  • Preparation is always the FIRST phase of incident response — training, playbooks, and exercises happen before any incident occurs.
  • Containment stops the spread; Eradication removes the cause — don't confuse the two phases on the exam.
  • SIEM correlates data from multiple sources (firewalls, endpoints, DNS, email) to detect threats no single log could reveal.
  • Chain of custody and volatile data collection are foundational forensics concepts — collect RAM first, document everything.
  • TTPs and frameworks like MITRE ATT&CK and the Kill Chain give analysts a structured way to understand and anticipate adversary behavior.