ISBN-13: 9781119684053 / English / Paperback / 2020 / 704 pp.
TABLE OF CONTENTS

Introduction  xxvii
Assessment Test  xli

Chapter 1 Today's Cybersecurity Analyst  1
  Cybersecurity Objectives  2
  Privacy vs. Security  3
  Evaluating Security Risks  4
  Identify Threats  6
  Identify Vulnerabilities  8
  Determine Likelihood, Impact, and Risk  8
  Reviewing Controls  10
  Building a Secure Network  10
  Network Access Control  10
  Firewalls and Network Perimeter Security  12
  Network Segmentation  15
  Defense Through Deception  16
  Secure Endpoint Management  17
  Hardening System Configurations  17
  Patch Management  17
  Group Policies  18
  Endpoint Security Software  19
  Penetration Testing  19
  Planning a Penetration Test  20
  Conducting Discovery  21
  Executing a Penetration Test  21
  Communicating Penetration Test Results  22
  Training and Exercises  22
  Reverse Engineering  22
  Isolation and Sandboxing  23
  Reverse-Engineering Software  23
  Reverse-Engineering Hardware  24
  The Future of Cybersecurity Analytics  25
  Summary  26
  Exam Essentials  26
  Lab Exercises  28
  Activity 1.1: Create an Inbound Firewall Rule  28
  Activity 1.2: Create a Group Policy Object  28
  Activity 1.3: Write a Penetration Testing Plan  30
  Activity 1.4: Recognize Security Tools  30
  Review Questions  30

Chapter 2 Using Threat Intelligence  35
  Threat Data and Intelligence  36
  Open Source Intelligence  37
  Proprietary and Closed Source Intelligence  39
  Assessing Threat Intelligence  39
  Threat Indicator Management and Exchange  41
  The Intelligence Cycle  42
  The Threat Intelligence Community  43
  Threat Classification  44
  Threat Actors  44
  Threat Classification  45
  Threat Research and Modeling  46
  Attack Frameworks  48
  MITRE's ATT&CK Framework  48
  The Diamond Model of Intrusion Analysis  50
  Lockheed Martin's Cyber Kill Chain  51
  The Unified Kill Chain  53
  Common Vulnerability Scoring System (CVSS)  53
  Applying Threat Intelligence Organizationwide  53
  Proactive Threat Hunting  54
  Summary  55
  Exam Essentials  56
  Lab Exercises  57
  Activity 2.1: Explore the ATT&CK Framework  57
  Activity 2.2: Set Up a STIX/TAXII Feed  58
  Activity 2.3: Intelligence Gathering Techniques  58
  Review Questions  59

Chapter 3 Reconnaissance and Intelligence Gathering  63
  Mapping and Enumeration  64
  Active Reconnaissance  65
  Mapping Networks and Discovering Topology  65
  Pinging Hosts  67
  Port Scanning and Service Discovery Techniques and Tools  69
  Passive Footprinting  75
  Log and Configuration Analysis  76
  Harvesting Data from DNS and Whois  84
  Responder  91
  Information Aggregation and Analysis Tools  92
  Information Gathering Using Packet Capture  92
  Gathering Organizational Intelligence  92
  Organizational Data  93
  Electronic Document Harvesting  94
  Detecting, Preventing, and Responding to Reconnaissance  97
  Capturing and Analyzing Data to Detect Reconnaissance  97
  Preventing Reconnaissance  99
  Summary  100
  Exam Essentials  101
  Lab Exercises  102
  Activity 3.1: Port Scanning  102
  Activity 3.2: Write an Intelligence Gathering Plan  102
  Activity 3.3: Intelligence Gathering Techniques  103
  Review Questions  103

Chapter 4 Designing a Vulnerability Management Program  109
  Identifying Vulnerability Management Requirements  110
  Regulatory Environment  110
  Corporate Policy  114
  Identifying Scan Targets  114
  Determining Scan Frequency  115
  Active vs. Passive Scanning  117
  Configuring and Executing Vulnerability Scans  118
  Scoping Vulnerability Scans  118
  Configuring Vulnerability Scans  119
  Scanner Maintenance  123
  Developing a Remediation Workflow  126
  Reporting and Communication  127
  Prioritizing Remediation  129
  Testing and Implementing Fixes  130
  Delayed Remediation Options  131
  Overcoming Risks of Vulnerability Scanning  131
  Vulnerability Scanning Tools  133
  Infrastructure Vulnerability Scanning  133
  Web Application Scanning  133
  Interception Proxies  134
  Wireless Assessment Tools  136
  Summary  137
  Exam Essentials  138
  Lab Exercises  139
  Activity 4.1: Install a Vulnerability Scanner  139
  Activity 4.2: Run a Vulnerability Scan  140
  Review Questions  140

Chapter 5 Analyzing Vulnerability Scans  145
  Reviewing and Interpreting Scan Reports  146
  Understanding CVSS  148
  Validating Scan Results  155
  False Positives  156
  Documented Exceptions  156
  Understanding Informational Results  157
  Reconciling Scan Results with Other Data Sources  158
  Trend Analysis  158
  Common Vulnerabilities  158
  Server and Endpoint Vulnerabilities  159
  Network Vulnerabilities  168
  Virtualization Vulnerabilities  173
  Internet of Things (IoT)  176
  Web Application Vulnerabilities  177
  Authentication Vulnerabilities  181
  Summary  183
  Exam Essentials  184
  Lab Exercises  185
  Activity 5.1: Interpret a Vulnerability Scan  185
  Activity 5.2: Analyze a CVSS Vector  185
  Activity 5.3: Remediate a Vulnerability  185
  Review Questions  187

Chapter 6 Cloud Security  191
  Understanding Cloud Environments  192
  The Case for Cloud Computing  193
  Cloud Service Models  194
  Cloud Deployment Models  200
  Operating in the Cloud  204
  DevOps Strategies  205
  Infrastructure as Code (IaC)  206
  Application Programming Interfaces  207
  Cloud Monitoring  208
  Cloud Infrastructure Security  208
  Cloud Infrastructure Security Tools  209
  Cloud Access Security Brokers (CASB)  213
  Summary  214
  Exam Essentials  215
  Lab Exercises  216
  Activity 6.1: Run a ScoutSuite Assessment  216
  Activity 6.2: Explore the Exploits Available with Pacu  216
  Activity 6.3: Scan an AWS Account with Prowler  216
  Review Questions  217

Chapter 7 Infrastructure Security and Controls  221
  Understanding Defense-in-Depth  222
  Layered Security  222
  Zero Trust  223
  Segmentation  224
  Network Architecture  226
  Physical Network Architectures  227
  Software-Defined Networks  227
  Virtualization  228
  Asset and Change Management  229
  Logging, Monitoring, and Validation  229
  Encryption  230
  Active Defense  231
  Infrastructure Security and the Cloud  231
  Improving Security by Improving Controls  233
  Layered Host Security  234
  Permissions  235
  Whitelisting and Blacklisting  235
  Technical Controls  236
  Policy, Process, and Standards  238
  Analyzing Security Architecture  240
  Analyzing Security Requirements  240
  Reviewing Architecture  241
  Common Issues  242
  Reviewing a Security Architecture  246
  Maintaining a Security Design  248
  Summary  249
  Exam Essentials  249
  Lab Exercises  250
  Activity 7.1: Review an Application Using the OWASP Attack Surface Analysis Cheat Sheet  250
  Activity 7.2: Review a NIST Security Architecture  251
  Activity 7.3: Security Architecture Terminology  252
  Review Questions  253

Chapter 8 Identity and Access Management Security  259
  Understanding Identity  260
  Identity Systems and Security Design  261
  Threats to Identity and Access  269
  Understanding Security Issues with Identities  269
  Attacking AAA Systems and Protocols  270
  Targeting Account Creation, Provisioning, and Deprovisioning  275
  Preventing Common Exploits of Identity and Authorization  276
  Acquiring Credentials  277
  Identity as a Security Layer  280
  Identity and Defense-in-Depth  280
  Securing Authentication and Authorization  281
  Detecting Attacks and Security Operations  288
  Federation and Single Sign-On  289
  Federated Identity Security Considerations  289
  Federated Identity Design Choices  291
  Federated Identity Technologies  293
  Federation Incident Response  297
  Summary  297
  Exam Essentials  298
  Lab Exercises  299
  Activity 8.1: Federated Security Scenario  299
  Activity 8.2: On-site Identity Issues Scenario  300
  Activity 8.3: Identity and Access Management Terminology  301
  Review Questions  303

Chapter 9 Software and Hardware Development Security  307
  Software Assurance Best Practices  308
  The Software Development Life Cycle  309
  Software Development Phases  310
  Software Development Models  311
  DevSecOps and DevOps  317
  Designing and Coding for Security  318
  Common Software Development Security Issues  319
  Security Implications of Target Platforms  321
  Secure Coding Best Practices  322
  API Security  325
  Service-Oriented Architectures  325
  Application Testing  327
  Information Security and the SDLC  327
  Code Review Models  328
  Software Security Testing  331
  Software Assessment: Testing and Analyzing Code  332
  Web Application Vulnerability Scanning  335
  Hardware Assurance Best Practices  337
  Cryptographic Hardware  337
  Firmware Security  338
  Hardware Security  339
  Summary  340
  Exam Essentials  341
  Lab Exercises  342
  Activity 9.1: Review an Application Using the OWASP Application Security Architecture Cheat Sheet  342
  Activity 9.2: Learn About Web Application Exploits from WebGoat  342
  Activity 9.3: SDLC Terminology  343
  Review Questions  344

Chapter 10 Security Operations and Monitoring  349
  Security Monitoring  350
  Analyzing Security Data  350
  Logs  351
  Endpoint Data Analysis  358
  Network Data Analysis  362
  Protecting and Analyzing Email  365
  Scripting, Searching, and Text Manipulation  369
  Summary  371
  Exam Essentials  371
  Lab Exercises  372
  Activity 10.1: Analyze a Network Capture File  372
  Activity 10.2: Analyze a Phishing Email  373
  Activity 10.3: Security Architecture Terminology  373
  Review Questions  374

Chapter 11 Building an Incident Response Program  379
  Security Incidents  380
  Phases of Incident Response  381
  Preparation  382
  Detection and Analysis  383
  Containment, Eradication, and Recovery  384
  Postincident Activity  385
  Building the Foundation for Incident Response  387
  Policy  387
  Procedures and Playbooks  387
  Documenting the Incident Response Plan  388
  Creating an Incident Response Team  389
  Incident Response Providers  391
  CSIRT Scope of Control  391
  Coordination and Information Sharing  391
  Internal Communications  392
  External Communications  392
  Classifying Incidents  393
  Threat Classification  393
  Severity Classification  394
  Summary  398
  Exam Essentials  398
  Lab Exercises  399
  Activity 11.1: Incident Severity Classification  399
  Activity 11.2: Incident Response Phases  400
  Activity 11.3: Develop an Incident Communications Plan  400
  Review Questions  401

Chapter 12 Analyzing Indicators of Compromise  405
  Analyzing Network Events  406
  Capturing Network-Related Events  407
  Network Monitoring Tools  411
  Detecting Common Network Issues  413
  Detecting Scans and Probes  417
  Detecting Denial-of-Service and Distributed Denial-of-Service Attacks  417
  Detecting Other Network Attacks  420
  Detecting and Finding Rogue Devices  420
  Investigating Host-Related Issues  422
  System Resources  422
  Malware, Malicious Processes, and Unauthorized Software  426
  Unauthorized Access, Changes, and Privileges  428
  Investigating Service and Application-Related Issues  430
  Application and Service Monitoring  431
  Application and Service Issue Response and Restoration  433
  Detecting Attacks on Applications  434
  Summary  435
  Exam Essentials  436
  Lab Exercises  436
  Activity 12.1: Identify a Network Scan  436
  Activity 12.2: Write a Service Issue Response Plan  437
  Activity 12.3: Security Tools  438
  Review Questions  439

Chapter 13 Performing Forensic Analysis and Techniques  443
  Building a Forensics Capability  444
  Building a Forensic Toolkit  444
  Understanding Forensic Software  448
  Capabilities and Application  448
  Conducting Endpoint Forensics  452
  Operating System, Process, and Memory Dump Analysis  452
  Network Forensics  455
  Cloud, Virtual, and Container Forensics  458
  Conducting a Forensic Investigation  460
  Forensic Procedures  460
  Target Locations  462
  Acquiring and Validating Drive Images  463
  Imaging Live Systems  467
  Acquiring Other Data  467
  Forensic Investigation: An Example  471
  Importing a Forensic Image  471
  Analyzing the Image  473
  Reporting  476
  Summary  478
  Exam Essentials  478
  Lab Exercises  479
  Activity 13.1: Create a Disk Image  479
  Activity 13.2: Conduct the NIST Rhino Hunt  480
  Activity 13.3: Security Tools  481
  Review Questions  482

Chapter 14 Containment, Eradication, and Recovery  487
  Containing the Damage  489
  Segmentation  490
  Isolation  492
  Removal  493
  Evidence Gathering and Handling  495
  Identifying Attackers  495
  Incident Eradication and Recovery  496
  Reconstruction and Reimaging  497
  Patching Systems and Applications  497
  Sanitization and Secure Disposal  498
  Validating the Recovery Effort  500
  Wrapping Up the Response  500
  Managing Change Control Processes  501
  Conducting a Lessons Learned Session  501
  Developing a Final Report  501
  Evidence Retention  502
  Summary  502
  Exam Essentials  502
  Lab Exercises  503
  Activity 14.1: Incident Containment Options  503
  Activity 14.2: Incident Response Activities  505
  Activity 14.3: Sanitization and Disposal Techniques  506
  Review Questions  507

Chapter 15 Risk Management  511
  Analyzing Risk  512
  Risk Identification  513
  Risk Calculation  514
  Business Impact Analysis  515
  Managing Risk  518
  Risk Mitigation  519
  Risk Avoidance  520
  Risk Transference  520
  Risk Acceptance  521
  Security Controls  522
  Nontechnical Controls  522
  Technical Controls  526
  Summary  528
  Exam Essentials  529
  Lab Exercises  529
  Activity 15.1: Risk Management Strategies  529
  Activity 15.2: Risk Identification and Assessment  530
  Activity 15.3: Risk Management  530
  Review Questions  531

Chapter 16 Policy and Compliance  535
  Understanding Policy Documents  536
  Policies  536
  Standards  539
  Procedures  541
  Guidelines  542
  Exceptions and Compensating Controls  543
  Complying with Laws and Regulations  545
  Adopting a Standard Framework  546
  NIST Cybersecurity Framework  546
  ISO 27001  549
  Control Objectives for Information and Related Technologies (COBIT)  550
  Information Technology Infrastructure Library (ITIL)  551
  Implementing Policy-Based Controls  552
  Security Control Categories  552
  Security Control Types  553
  Security Control Verification and Quality Control  553
  Summary  554
  Exam Essentials  554
  Lab Exercises  555
  Activity 16.1: Policy Documents  555
  Activity 16.2: Using a Cybersecurity Framework  556
  Activity 16.3: Compliance Auditing Tools  556
  Review Questions  557

Appendices  561

Appendix A Practice Exam  561
  Exam Questions  562

Appendix B Answers to Review Questions and Practice Exam  581
  Chapter 1: Today's Cybersecurity Analyst  582
  Chapter 2: Using Threat Intelligence  583
  Chapter 3: Reconnaissance and Intelligence Gathering  585
  Chapter 4: Designing a Vulnerability Management Program  587
  Chapter 5: Analyzing Vulnerability Scans  589
  Chapter 6: Cloud Security  590
  Chapter 7: Infrastructure Security and Controls  592
  Chapter 8: Identity and Access Management Security  595
  Chapter 9: Software and Hardware Development Security  597
  Chapter 10: Security Operations and Monitoring  599
  Chapter 11: Building an Incident Response Program  601
  Chapter 12: Analyzing Indicators of Compromise  603
  Chapter 13: Performing Forensic Analysis and Techniques  605
  Chapter 14: Containment, Eradication, and Recovery  607
  Chapter 15: Risk Management  609
  Chapter 16: Policy and Compliance  610
  Practice Exam Answers  612

Appendix C Answers to Lab Exercises  621
  Chapter 1: Today's Cybersecurity Analyst  622
  Solution to Activity 1.4: Recognize Security Tools  622
  Chapter 2: Using Threat Intelligence  622
  Solution to Activity 2.3: Intelligence Gathering Techniques  622
  Chapter 3: Reconnaissance and Intelligence Gathering  623
  Solution to Activity 3.3: Intelligence Gathering Tools  623
  Chapter 5: Analyzing Vulnerability Scans  623
  Solution to Activity 5.2: Analyze a CVSS Vector  623
  Chapter 7: Infrastructure Security and Controls  624
  Solution to Activity 7.3: Security Architecture Terminology  624
  Chapter 8: Identity and Access Management Security  625
  Solution to Activity 8.1: Federated Security Scenario  625
  Solution to Activity 8.2: On-site Identity Issues Scenario  625
  Solution to Activity 8.3: Identity and Access Management Terminology  626
  Chapter 9: Software and Hardware Development Security  627
  Solution to Activity 9.3: Security Tools  627
  Chapter 10: Security Operations and Monitoring  627
  Solution to Activity 10.3: Security Architecture Terminology  627
  Chapter 11: Building an Incident Response Program  628
  Solution to Activity 11.1: Incident Severity Classification  628
  Solution to Activity 11.2: Incident Response Phases  629
  Chapter 12: Analyzing Indicators of Compromise  629
  Solution to Activity 12.3: Security Tools  629
  Chapter 13: Performing Forensic Analysis and Techniques  630
  Solution to Activity 13.2: Conduct the NIST Rhino Hunt  630
  Solution to Activity 13.3: Security Tools  630
  Chapter 14: Containment, Eradication, and Recovery  631
  Solution to Activity 14.1: Incident Containment Options  631
  Solution to Activity 14.2: Incident Response Activities  632
  Solution to Activity 14.3: Sanitization and Disposal Techniques  633
  Chapter 15: Risk Management  633
  Solution to Activity 15.1: Risk Management Strategies  633
  Chapter 16: Policy and Compliance  634
  Solution to Activity 16.1: Policy Documents  634
  Solution to Activity 16.3: Compliance Auditing Tools  634

Index  635
ABOUT THE AUTHORS

MIKE CHAPPLE, PhD, CySA+, CISSP, is Teaching Professor of IT, Analytics, and Operations at the University of Notre Dame. He is a cybersecurity professional and educator with over 20 years of experience. Mike provides cybersecurity certification resources at his website, CertMike.com.

DAVID SEIDL, CySA+, CISSP, PenTest+, is Vice President for Information Technology and CIO at Miami University. David co-led Notre Dame's move to the cloud and has written multiple cybersecurity certification books.