🔟 10-Day Study Plan

| Day | Focus Area | Activities |
|---|---|---|
| 1 | Threat Management | Learn threat types, indicators, tools (Nmap, TCPdump) |
| 2 | Vulnerability Management | Understand scans, assessments, CVSS, OpenVAS |
| 3 | Security Architecture | Study firewalls, proxies, CASB, Zero Trust |
| 4 | Identity & Access | SSO, MFA, OpenID, account policies |
| 5 | Incident Response | IR phases, reimaging, containment, recovery |
| 6 | Data Security | DLP, masking, sanitization, encryption |
| 7 | Governance & Risk | BIA, SLA, risk register, frameworks (NIST, ISO) |
| 8 | Review + Practice Exam | Analyze results, review weak areas |
| 9 | Labs & Simulations | Hands-on with tools; fill gaps |
| 10 | Final Review + Practice | Rest, light review, high-yield terms |
🛡️ Threat Management Cheat Sheet – CySA+ (CS0-003)
🔍 1. Indicators of Compromise (IOCs)
* What: Artifacts showing a system may be compromised (e.g., IPs, file hashes, domains).
* When to Use: During log analysis, threat hunting, and incident detection.
* Best Case Scenario: Detecting an attacker’s malware hash in a system’s registry.
________________
⚠️ 2. Indicators of Attack (IOAs)
* What: Evidence showing attacker behavior or intent (e.g., lateral movement, privilege escalation).
* When to Use: During behavioral analysis or SIEM alert investigation.
* Best Case Scenario: Anomalous login times + privilege changes trigger suspicion before a breach occurs.
________________
🛠️ 3. Threat Intelligence Feeds
* What: External or internal data sources that inform you of new or known threats.
* When to Use: During triage, correlation, and threat enrichment.
* Best Case Scenario: Correlating a malicious IP from an alert with an external feed showing recent ransomware activity.
________________
🧠 4. Threat Actor Types
* Types: Nation-state, hacktivist, insider, cybercriminal, script kiddie.
* When to Use: During risk assessment, threat modeling, or incident analysis.
* Best Case Scenario: Classifying an attack as likely from a nation-state due to APT tactics and geopolitical timing.
________________
🧩 5. MITRE ATT&CK Framework
* What: A matrix of real-world adversary tactics and techniques.
* When to Use: Threat hunting, mapping attack behavior, creating detection rules.
* Best Case Scenario: Detecting credential dumping (T1003) after recognizing suspicious LSASS memory access.
________________
🖥️ 6. SIEM (Security Information & Event Management)
* What: Aggregates and analyzes logs from multiple sources to detect threats.
* When to Use: Monitoring, alerting, and incident investigation.
* Best Case Scenario: SIEM alerts on multiple failed logins followed by a successful login from an unusual location.
________________
🧪 7. Sandboxing
* What: Isolated test environment to safely execute and analyze suspicious files.
* When to Use: Malware analysis, email attachment inspection.
* Best Case Scenario: Analyzing a phishing attachment without infecting production systems.
________________
🕵️ 8. Threat Hunting
* What: Proactive search for threats already inside the network.
* When to Use: After a compromise, or regularly to detect stealthy threats.
* Best Case Scenario: Finding a long-dormant backdoor that SIEM alerts never flagged.
________________
🧰 9. EDR (Endpoint Detection and Response)
* What: Provides deep visibility into endpoint activity (processes, behaviors).
* When to Use: Detecting malware, behavioral analysis, IR.
* Best Case Scenario: Spotting abnormal PowerShell execution on a user’s device and quarantining it.
________________
🧯 10. Incident Response Lifecycle (NIST 800-61)
* Phases: Preparation → Detection/Analysis → Containment → Eradication → Recovery → Lessons Learned.
* When to Use: During any security incident.
* Best Case Scenario: Following these steps after ransomware hits ensures minimal damage and fast recovery.
________________
📶 11. Traffic Analysis Tools
* Examples: Wireshark, TCPdump
* When to Use: Verifying suspected C2 (Command & Control) communication, data exfiltration.
* Best Case Scenario: Spotting DNS tunneling used for stealth data leaks.
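The DNS tunneling scenario above is one that traffic analysis tools let you confirm by hand; the script below shows what the same check looks like when automated over query logs. It is an added example, not part of the original cheat sheet and not code from Wireshark or tcpdump. It reads a constructed DNS query log (timestamp, client, query name, record type), groups queries by registered domain, and scores each domain on the traits tunnels tend to share: long, high-entropy leftmost labels that carry encoded data, a stream of never-repeated subdomains, and TXT/NULL record types. The "last two labels = registered domain" rule and the thresholds are assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not a real capture): timestamp, client IP, query name, record type.
# The example.net queries carry 32-character hex labels, the shape a DNS tunnel client produces.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com A
2024-05-01T10:00:03Z 10.0.0.5 cdn.example.com A
2024-05-01T10:00:04Z 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.example.net TXT
2024-05-01T10:00:05Z 10.0.0.7 a0b1c2d3e4f5067189a2b3c4d5e6f789.t.example.net TXT
2024-05-01T10:00:06Z 10.0.0.7 5a4b3c2d1e0f9876fedc0123456789ab.t.example.net TXT
2024-05-01T10:00:07Z 10.0.0.7 c3b2a1f0e9d8475639ab0c1d2ef45768.t.example.net TXT
2024-05-01T10:00:08Z 10.0.0.9 www.example.org A
"""


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded data approaches 4.0, words sit well below 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def registered_domain(qname):
    # Assumption for this example: the registered domain is the last two labels.
    # Production code would consult the Public Suffix List (co.uk, com.au, ...).
    return ".".join(qname.split(".")[-2:])


def score_domains(records, min_label_len=20, min_entropy=3.5, min_unique=3):
    """Aggregate per registered domain and collect the tunneling indicators each one exhibits."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "label_len": 0, "entropy": 0.0, "txt_null": 0})
    for r in records:
        labels = r["qname"].split(".")
        data_label = labels[0] if len(labels) > 2 else ""   # leftmost label is where tunnels put payload
        s = stats[registered_domain(r["qname"])]
        s["queries"] += 1
        s["unique"].add(r["qname"])
        s["label_len"] += len(data_label)
        s["entropy"] += shannon_entropy(data_label)
        if r["qtype"] in ("TXT", "NULL"):                   # record types that carry arbitrary data back
            s["txt_null"] += 1
    results = {}
    for domain, s in stats.items():
        n = s["queries"]
        avg_len, avg_ent = s["label_len"] / n, s["entropy"] / n
        reasons = []
        if avg_len >= min_label_len:
            reasons.append(f"long data label (avg {avg_len:.0f} chars)")
        if avg_ent >= min_entropy:
            reasons.append(f"high-entropy label (avg {avg_ent:.2f} bits/char)")
        if len(s["unique"]) >= min_unique and len(s["unique"]) == n:
            reasons.append(f"{n} queries, every subdomain unique")
        if s["txt_null"]:
            reasons.append(f"{s['txt_null']} TXT/NULL queries")
        results[domain] = {"queries": n, "avg_label_len": avg_len, "avg_entropy": avg_ent, "reasons": reasons}
    return results


def suspicious_domains(log_text, min_reasons=3):
    """Domains that exhibit at least min_reasons indicators, sorted for stable output."""
    scored = score_domains(parse_dns_log(log_text))
    return sorted(d for d, r in scored.items() if len(r["reasons"]) >= min_reasons)


if __name__ == "__main__":
    for domain, info in score_domains(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(domain, info["reasons"])
    print("suspicious:", suspicious_domains(SAMPLE_DNS_LOG))
```

Requiring several indicators together, rather than any one of them, keeps CDN hostnames and cloud service names with long but low-entropy labels from producing noise; in a real deployment the thresholds would be tuned against a week of the organisation's own resolver logs.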
________________
📈 12. Anomaly vs. Signature-Based Detection

| Type | What | When to Use | Scenario |
|---|---|---|---|
| Anomaly | Detects deviations from baseline behavior | Unknown or zero-day threats | User logs in at 3 AM from Russia |
| Signature | Matches known threat patterns | Known malware or threats | Detecting WannaCry hash in file scan |
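The SIEM scenario in section 6 (failed logins followed by a success from an unusual location) and the anomaly/signature split in the table above are easiest to tell apart in code. The script below is an added example, not from the original cheat sheet and not the detection logic of any SIEM product. It runs three detections over constructed data: a SIEM-style correlation rule (N failures then a success from the same user and source inside a time window), an anomaly rule that compares each successful login against a per-user baseline of hours and countries, and a signature rule that is nothing more than an exact hash lookup. The log lines, the baseline, the hashes and the thresholds are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not from any real system): one event per line, key=value fields.
SAMPLE_AUTH_LOG = """\
2024-05-01T03:02:10Z user=alice src=203.0.113.9 geo=RU result=FAIL
2024-05-01T03:02:14Z user=alice src=203.0.113.9 geo=RU result=FAIL
2024-05-01T03:02:18Z user=alice src=203.0.113.9 geo=RU result=FAIL
2024-05-01T03:02:22Z user=alice src=203.0.113.9 geo=RU result=FAIL
2024-05-01T03:02:26Z user=alice src=203.0.113.9 geo=RU result=FAIL
2024-05-01T03:02:31Z user=alice src=203.0.113.9 geo=RU result=SUCCESS
2024-05-01T09:15:00Z user=bob src=198.51.100.4 geo=US result=SUCCESS
2024-05-01T09:16:42Z user=bob src=198.51.100.4 geo=US result=FAIL
2024-05-01T09:16:50Z user=bob src=198.51.100.4 geo=US result=SUCCESS
"""

# Constructed per-user baseline; in practice it is learned from weeks of prior successful logins.
BASELINE = {
    "alice": {"hours": set(range(8, 19)), "geos": {"US"}},
    "bob": {"hours": set(range(7, 20)), "geos": {"US", "CA"}},
}


def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """SIEM-style correlation: >= threshold failures for (user, src) within `window`, then a success."""
    alerts = []
    recent_failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            recent_failures[key].append(e["ts"])
        elif e["result"] == "SUCCESS":
            fails = [t for t in recent_failures[key] if e["ts"] - t <= window]
            if len(fails) >= threshold:
                alerts.append({"user": e["user"], "src": e["src"], "geo": e["geo"],
                               "failures": len(fails), "at": e["ts"]})
            recent_failures[key].clear()          # a success ends the burst either way
    return alerts


def anomalous_logins(events, baseline):
    """Anomaly detection: successful logins outside the user's baseline hours or countries."""
    findings = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if e["ts"].hour not in profile["hours"]:
                reasons.append(f"login at {e['ts']:%H:%M} UTC outside baseline hours")
            if e["geo"] not in profile["geos"]:
                reasons.append(f"geo {e['geo']} never seen in baseline")
        if reasons:
            findings.append({"user": e["user"], "src": e["src"], "reasons": reasons})
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature list and scan results; the bytes are placeholders, not real malware.
KNOWN_BAD_HASHES = {
    sha256_hex(b"constructed-ransomware-sample"): "ransomware sample (constructed)",
}
SCANNED_FILES = {
    "/home/alice/Downloads/invoice.pdf.exe": sha256_hex(b"constructed-ransomware-sample"),
    "/home/alice/Documents/notes.txt": sha256_hex(b"meeting notes"),
}


def signature_matches(scanned, known_bad):
    """Signature detection: an exact hash match, nothing more (and so blind to a single changed byte)."""
    return [(path, known_bad[digest]) for path, digest in scanned.items() if digest in known_bad]


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for a in brute_force_then_success(events):
        print("CORRELATION:", a)
    for f in anomalous_logins(events, BASELINE):
        print("ANOMALY:", f)
    for m in signature_matches(SCANNED_FILES, KNOWN_BAD_HASHES):
        print("SIGNATURE:", m)
```

Run as-is, alice's 05:02 burst trips the correlation rule and, independently, the anomaly rule (3 AM and a country absent from her baseline), while bob's single typo-then-success stays quiet; the hash lookup fires only on the byte-identical sample, which is exactly the limitation that makes anomaly detection necessary for unknown threats.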
1. Key Terms, When to Use & Best Case Scenarios

| Term | What It Is | When To Use | Best Case Scenario | Common Exam Q's |
|---|---|---|---|---|
| IOC (Indicator of Compromise) | Artifacts showing breach (file hashes, IPs) | Incident detection & analysis | Detecting malware hash in logs | "Identify signs of intrusion from logs" |
| SIEM | Central log aggregator & alerting | Monitoring, correlating logs | Detecting brute force via multi-source alerts | "Which tool correlates multiple data sources?" |
| EDR | Endpoint behavior visibility & response | Detecting malware, lateral movement | Stopping PowerShell abuse on endpoint | "Detect abnormal endpoint activity" |
| Threat Intel Platform (TIP) | Aggregates intel from feeds | Enrich alerts, hunt threats | Correlating suspicious IP with recent attacks | "Enrich SIEM alerts using external feeds" |
| Threat Hunting | Proactive searching for stealth threats | Routine or post-incident | Finding dormant backdoor unnoticed by SIEM | "Best practice to find hidden threats" |
| Sandboxing | Isolated malware behavior analysis | Unknown suspicious files | Confirming ransomware before network infection | "How to safely analyze suspicious attachments?" |
| Traffic Analysis | Inspect network packets or flows | Detect C2, data leaks | Spotting DNS tunneling | "Use Wireshark for what type of investigation?" |
| Vulnerability Scanning | Identifies known vulnerabilities | Routine asset checks | Finding unpatched web servers | "Scan type that finds missing patches" |
| MITRE ATT&CK | Matrix of attacker tactics & techniques | Mapping adversary behavior | Detecting credential dumping techniques | "Framework for adversary tactics?" |
| Incident Response Lifecycle | Structured IR process (Prep→Recovery) | All security incidents | Following steps after ransomware hit | "Phases of IR lifecycle?" |
| Anomaly Detection | Flags deviations from baseline | Unknown threats & zero-days | Detecting logins at unusual hours | "Detecting unknown behavior relies on?" |
| Signature-Based Detection | Matches known threat patterns | Known malware detection | Identifying WannaCry hash | "Detecting known malware relies on?" |
________________
2. Most Common Exam-Asked Tools & Their Use

| Tool | Purpose | When to Use | Best Case Scenario |
|---|---|---|---|
| Splunk / QRadar (SIEM) | Logs, alerts, dashboards | Monitor multi-source data | Detect lateral movement across servers |
| Wireshark / TCPdump | Packet capture & analysis | Troubleshooting, C2 detection | Catching exfil via DNS tunneling |
| OpenVAS / Nessus | Vulnerability scanning | Routine vulnerability assessment | Finding outdated software exploits |
| CrowdStrike / SentinelOne (EDR) | Endpoint threat detection | Malware detection, response | Stopping malicious PowerShell scripts |
| Cuckoo Sandbox | Malware dynamic analysis | Analyze suspicious files safely | Confirming phishing payload behavior |
| MISP / Recorded Future (TIP) | Threat intel correlation | Enrich alerts, correlate IOCs | Linking IP with APT activity |
| MITRE ATT&CK Navigator | Map attacker techniques | Threat hunting & detection design | Pinpoint credential dumping TTP |
4. Real-World Use Cases
* Detecting a Phishing Campaign: Use SIEM to spot spikes in suspicious email sources + sandbox suspicious attachments.
* Responding to Ransomware: Use EDR for isolating endpoints + sandbox files + apply IR lifecycle.
* Hunting for Insider Threats: Combine anomaly detection in SIEM + traffic analysis to detect unusual data transfers.
* Monitoring Cloud Infrastructure: Use cloud-native SIEM + threat intel for suspicious API calls and access anomalies.
* Mitigating APT Attacks: Use threat intel feeds + MITRE ATT&CK to identify and block advanced techniques.