D340 - Cyber Defense and Countermeasures (CySA+)


About

Traditional defenses—such as firewalls, security protocols, and encryption—sometimes fail to stop attackers determined to access and compromise data. This course provides the fundamental skills to handle and respond to computer security incidents in an information system. The course addresses the underlying principles and techniques for detecting and responding to current and emerging computer security threats. Students learn how to leverage intelligence and threat detection techniques; analyze and interpret data; identify and address vulnerabilities; suggest preventative measures; effectively respond to and recover from incidents; handle various types of incidents; and apply risk assessment methodologies and the laws and policies related to incident handling. This course prepares students for the CompTIA Cybersecurity Analyst (CySA+) certification exam.

Objective

Course Outline

Pacing

  • Week 1 (3/6)
    • 1A - Understanding Cybersecurity Leadership Concepts
    • 1B - Exploring Control Types and Methods
    • 1C - Explaining Patch Management Concepts
    • 1 - Lab 1 - Exploring the Lab Environment
    • 1 - Lab 2 - Configuring Controls
    • 2A - Exploring Threat Actor Concepts
    • 2B - Identifying Active Threats
    • 2C - Exploring Threat-Hunting Concepts
    • 2 - Lab 1 - Reviewing IoC and Threat Intelligence Sources
    • 2 - Lab 2 - Performing Threat Hunting
    • 3A - Reviewing System and Network Architecture Concepts
    • 3B - Exploring Identity and Access Management (IAM)
    • 3C - Maintaining Operational Visibility
    • 3 - Lab 1 - Configuring Centralized Logging
    • 3 - Lab 2 - Assess Time Synch Errors
    • 4A - Exploring Leadership in Security Operations
    • 4B - Understanding Technology for Security Operations
    • 4 - Lab 1 - Configuring Automation
      • automate blocking of IPs in firewall from threat feed
      • automate malware removal based on threat feed
      • automate blocking DNS resolution based on threat feed
  • Week 2 (3/13)
    • 5A - Explaining Compliance Requirements
    • 5B - Understanding Vulnerability Scanning Methods
    • 5C - Exploring Special Considerations in Vulnerability Scanning
    • 5 - Lab 1 - Performing System Hardening
    • 5 - Lab 2 - Performing Asset Discovery
    • 5 - Lab 3 - Performing Vulnerability Scanning
    • 6A - Understanding Vulnerability Scoring Concepts
    • 6B - Exploring Vulnerability Context Considerations
    • 6 - Lab 1 - Performing Passive Scanning
    • 6 - Lab 2 - Establishing Context Awareness
    • 7A - Explaining Effective Communication Concepts
    • 7B - Understanding Vulnerability Reporting Outcomes and Action Plans
    • 7 - Lab 1 - Analyzing Vulnerability Reports
    • 7 - Lab 2 - Detecting Legacy Systems
    • 8A - Exploring Incident Response Planning
    • 8B - Performing Incident Response Activities
    • 8 - Lab 1 - Performing Post-Incident Forensic Analysis
      • analyze a forensic drive image to discover hidden partition
      • analyze a forensic drive image to recover deleted files
      • analyze a forensic drive image to perform file carving
      • using The Sleuth Kit (TSK) tools
    • 8 - Lab 2 - Collecting Forensic Evidence
      • Use Autopsy to create a case file and import a forensic image
      • locate, recover, analyze, and display files from the image
    • 9A - Understanding Incident Response Communication
    • 9B - Analyzing Incident Response Activities
    • 9 - Lab - Performing Playbook Incident Response
  • Week 3 (3/23)
    • 10A - Identifying Malicious Activity
    • 10B - Explaining Attack Methodology Frameworks
    • 10C - Explaining Techniques for Identifying Malicious Activity
    • 10 - Lab 1 - Perform Root Cause Analysis
    • 11A - Exploring Network Attack Indicators
    • 11B - Exploring Host Attack Indicators
    • 11C - Exploring Vulnerability Assessment Tools
    • 11 - Lab 1 - Performing IoC Detection and Analysis
    • 11 - Lab 2 - Using Network Sniffers
    • 11 - Lab 3 - Researching DNS and IP Reputation
    • 11 - Lab 4 - Using File Analysis Techniques
    • 11 - Lab 5 - Analyzing Potentially Malicious Files
    • 12A - Analyzing Web Vulnerabilities
    • 12B - Analyzing Cloud Vulnerabilities
    • 12 - Lab - Using Nontraditional Vulnerability Scanning Tools
    • 12 - Lab - Performing Web Application Vulnerability Scanning
    • 12 - Lab - Analyzing Cloud Vulnerabilities
    • 12 - Lab - Exploiting Weak Cryptography
    • 13A - Understanding Scripting Languages
    • 13B - Identifying Malicious Activity Through Analysis
    • 13 - Lab - Performing and Detecting Directory Traversal and Command Injection
    • 13 - Lab - Performing and Detecting Privilege Escalation
    • 13 - Lab - Performing and Detecting XSS
    • 13 - Lab - Performing and Detecting LFI/RFI
    • 14A - Exploring Secure Software Development Practices
    • 14B - Recommending Controls to Mitigate Successful Application Attacks
    • 14C - Implementing Controls to Prevent Attacks
    • 14 - Lab - Performing and Detecting SQLi
    • 14 - Lab - Performing and Detecting CSRF
    • 14 - Lab - Detecting and Exploiting Security Misconfigurations
  • Week 4 (3/27)
    • Review all notes (3/23)
    • CertMaster Learn: (3/24)
      • 90%+ on all lesson quizzes
      • 90%+ on all PBQs
      • 90%+ Practice Exam (voucher approval)
        • Result: 87% (97/111)
        • Result 2: 100% (111/111)
    • CertMaster Practice (3/26)
      • Practice Questions
        • 90% Practice Questions
      • 90%+ Practice Exam
        • Result 1: 82% (93/114)
        • Result 2: 76% (87/113)
        • Result 3: 90% (103/114)
    • Dion Practice Exams (90%s by 3/30)
      • Exam 1: 80% (72/90)
      • Exam 2: 80% (72/90)
      • Exam 3:
    • Pluralsight Exam
      • Attempt 1: 85% (72/85)
    • Infosec CySA+ Labs
  • CySA+ Exam (4/1)
    • Result: PASS (834/900)

TEST DETAILS

  • Required exam: CS0-003
  • Passing = 750/900 (83.33%)
  • Number of questions: Maximum of 85
  • Types of questions: Multiple-choice and performance-based
  • Length of test: 165 minutes (2 hr 45 min)

Resources

  • comptia-cysa-cs0-003-exam-objectives.pdf
  • CompTIA. (n.d.). CertMaster learn for CySA+ (Exam CS0-003).
  • CompTIA. (n.d.). CertMaster practice for CySA+ (Exam CS0-003).
  • CompTIA CertMaster. (n.d.). CySA+ labs.
  • Chapple, M. (2023). Exam tips: CompTIA Cybersecurity Analyst+ (CySA+) (CS0-003) [Video]. LinkedIn Learning.
  • Meredith, D. (2023). CompTIA CySA+ (CS0-003) [Video]. Pluralsight.
  • WGU Percipio Resources
    • Percipio/Skillsoft CySA+ Course + Labs + Tests.

Additional Resources

Log Parsing and Analyzing

Nmap

Practice Exams

TryHackMe CySA+ Rooms

Domain 1

Domain 2

Domain 3