10-Day Study Plan for CySA+ Exam

May 20, 2025

10-Day Study Plan

Day-by-Day Focus

  1. Threat Management
    • Learn threat types, indicators
    • Tools: Nmap, tcpdump
  2. Vulnerability Management
    • Scans, assessments
    • CVSS, OpenVAS
  3. Security Architecture
    • Firewalls, proxies, CASB
    • Zero Trust
  4. Identity & Access
    • SSO, MFA, OpenID
    • Account policies
  5. Incident Response
    • IR phases: reimaging, containment, recovery
  6. Data Security
    • DLP, masking, sanitization
    • Encryption
  7. Governance & Risk
    • BIA, SLA, risk register
    • Frameworks: NIST, ISO
  8. Review + Practice Exam
    • Analyze results
    • Review weak areas
  9. Labs & Simulations
    • Hands-on with tools
    • Fill knowledge gaps
  10. Final Review + Practice
    • Rest, light review
    • High-yield terms

CySA+ (CS0-003) Study Materials

Threat Management Cheat Sheet

1. Indicators of Compromise (IOCs)

  • What: Artifacts indicating a system may be compromised (e.g., IPs, file hashes, domains).
  • Use: Log analysis, threat hunting, incident detection.
  • Best Scenario: Detecting a malware hash in a system’s registry.

2. Indicators of Attack (IOAs)

  • What: Evidence showing attacker behavior or intent (e.g., lateral movement, privilege escalation).
  • Use: Behavioral analysis, SIEM alert investigation.
  • Best Scenario: Anomalous login times and privilege changes trigger suspicion.

3. Threat Intelligence Feeds

  • What: External or internal data sources for threat information.
  • Use: Triage, correlation, threat enrichment.
  • Best Scenario: Correlating a malicious IP with external feed data.

4. Threat Actor Types

  • Types: Nation-state, hacktivist, insider, cybercriminal, script kiddie.
  • Use: Risk assessment, threat modeling, incident analysis.
  • Best Scenario: Classifying an attack from a nation-state.

5. MITRE ATT&CK Framework

  • What: Matrix of adversary tactics and techniques.
  • Use: Threat hunting, mapping attack behavior.
  • Best Scenario: Detecting credential dumping after suspicious memory access.

6. SIEM (Security Information & Event Management)

  • What: Aggregates and analyzes logs for threat detection.
  • Use: Monitoring, alerting, incident investigation.
  • Best Scenario: Multiple failed logins followed by a successful login alert.
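As an added example (not part of the original study sheet), here is a minimal SIEM-style correlation rule for the scenario above, run over constructed log lines; the sshd-style line format, the failure threshold and the time window are assumptions:

```python
"""Added example: correlate a burst of failed logins followed by a success
for the same (user, source) pair. Log lines are constructed, not real data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample events in a simplified syslog/sshd style (assumed format).
SAMPLE_LOG = """\
2025-05-20T08:00:01 sshd: Failed password for alice from 203.0.113.10
2025-05-20T08:00:04 sshd: Failed password for alice from 203.0.113.10
2025-05-20T08:00:07 sshd: Failed password for alice from 203.0.113.10
2025-05-20T08:00:09 sshd: Failed password for alice from 203.0.113.10
2025-05-20T08:00:12 sshd: Accepted password for alice from 203.0.113.10
2025-05-20T08:05:00 sshd: Failed password for bob from 198.51.100.7
2025-05-20T08:30:00 sshd: Accepted password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, result, user, src) tuples; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])

def correlate(log_text, threshold=3, window=timedelta(minutes=5)):
    """Alert when at least `threshold` failures for one (user, src) fall inside
    `window` and are then followed by a success from that same pair."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in parse(log_text):
        q = failures[(user, src)]
        while q and ts - q[0] > window:  # expire failures outside the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
        elif len(q) >= threshold:  # success right after a burst of failures
            alerts.append({"user": user, "src": src, "failures": len(q), "at": ts})
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Bob's single failure 25 minutes before his success falls outside the window, so only alice's login raises an alert.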

7. Sandboxing

  • What: Isolated environment to safely analyze suspicious files.
  • Use: Malware analysis, email inspection.
  • Best Scenario: Analyzing phishing attachments safely.

8. Threat Hunting

  • What: Proactive search for network threats.
  • Use: After a compromise or regularly.
  • Best Scenario: Finding a long-dormant backdoor.

9. EDR (Endpoint Detection and Response)

  • What: Provides deep visibility into endpoint activity.
  • Use: Malware detection, behavioral analysis.
  • Best Scenario: Spotting and quarantining abnormal PowerShell execution.

10. Incident Response Lifecycle (NIST 800-61)

  • Phases: Preparation, Detection/Analysis, Containment, Eradication, Recovery, Lessons Learned.
  • Use: Any security incident.
  • Best Scenario: Following steps post-ransomware attack.

11. Traffic Analysis Tools

  • Examples: Wireshark, tcpdump
  • Use: Identifying C2 communication and data exfiltration.
  • Best Scenario: Spotting DNS tunneling for data leaks.

12. Anomaly vs. Signature-Based Detection

  • Anomaly: Detects deviations from a baseline; use for unknown threats.
  • Signature: Matches known patterns; use for known threats.

Key Terms

  • IOC: Artifacts of breach, used for detection.
  • SIEM: Log aggregator, used for monitoring and correlation.
  • EDR: Endpoint insight, used for malware detection.
  • Threat Intel Platform (TIP): Aggregates intel for alert enrichment.
  • Threat Hunting: Proactive threat search.
  • Sandboxing: Safe environment for malware analysis.
  • Traffic Analysis: Network packet inspection.
  • Vulnerability Scanning: Identifies known vulnerabilities.
  • MITRE ATT&CK: Behavior mapping framework.
  • Incident Response Lifecycle: Structured process for IR.
  • Anomaly Detection: Flags deviations, used for zero-days.
  • Signature-Based Detection: Matches known threats.

Common Exam Tools & Their Use

  • Splunk / QRadar (SIEM): Log monitoring, multi-source data correlation.
  • Wireshark / tcpdump: Packet analysis, troubleshooting.
  • OpenVAS / Nessus: Vulnerability scanning.
  • CrowdStrike / SentinelOne (EDR): Endpoint threat detection.
  • Cuckoo Sandbox: Dynamic malware analysis.
  • MISP / Recorded Future (TIP): Threat intel correlation.
  • MITRE ATT&CK Navigator: Mapping attacker techniques.

Real-World Use Cases

  • Phishing Campaign Detection: Use SIEM and sandboxing.
  • Ransomware Response: Use EDR, sandbox, and IR lifecycle.
  • Insider Threat Hunting: Utilize anomaly detection and traffic analysis.
  • Cloud Monitoring: Use cloud-native SIEM and threat intel.
  • APT Mitigation: Combine threat intel feeds with MITRE ATT&CK.