CySA+ domain #9: Analyzing common symptoms

Introduction

Trying to secure a network without the right skills and tools is not possible, especially when you’re dealing with cybercriminals who make a living from breaching networks and compromising systems. CompTIA’s CySA+ is designed to help you learn the technical and procedural steps that will enable you to work as a cybersecurity analyst.

This article covers the basics of Objective 3.4 and shows you what is required of you as a starting point for your studies. After reading it, you should have a better understanding of what you will need to study in order to pass your exam. This isn’t a very long section, but it has enough detail to warrant careful consideration and study while you work towards your CySA+ certification.

Common network-related symptoms

The following selection of objectives is required for passing the CySA+. You need to have a firm understanding of how to identify each symptom, what it means and how you could approach the task of resolving it.

Bandwidth consumption

In any investigation relating to bandwidth consumption, you need a baseline captured before the issue first appeared. A comparative analysis against that baseline will show you when the bandwidth consumption first spiked, as well as which devices and protocols are responsible for it. Any extreme change in bandwidth consumption could be a sign of an incident.

Beaconing

If you have an infected or compromised system on the network, it could be trying to make contact with servers over the internet so that it can receive updates or further instructions. Other telltale signs of a beaconing system on your network include DNS probes and command-and-control connections.
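Both the baseline comparison described under Bandwidth consumption and the beaconing behaviour described just above can be worked through on a small flow log. The following Python is an added example, not code from the original article or from CompTIA’s CySA+ material. The flow-record layout, the host names and the addresses are constructed for illustration (203.0.113.0/24 is a documentation range), and the thresholds (a z-score of 3 for a bandwidth spike, a coefficient of variation of 0.1 and a minimum of five connections for a beacon) are assumptions you would tune for your own environment.

```python
"""Two checks from the symptom list above, worked on one constructed flow log:
a baseline comparison for bandwidth consumption and an inter-arrival-time
check for beaconing.  Added example; thresholds are assumptions to tune."""
from collections import defaultdict
from statistics import mean, pstdev

# Flow record format (constructed for this example):
#   (epoch_seconds, src_host, dst_address, protocol, bytes_sent)
# Three historical windows form the baseline; CURRENT_FLOWS is the window
# under investigation.  Hosts and addresses are made up.
BASELINE_WINDOWS = [
    [(0, "ws01", "10.0.0.5", "https", 1000), (0, "ws02", "10.0.0.9", "smb", 500)],
    [(0, "ws01", "10.0.0.5", "https", 1200), (0, "ws02", "10.0.0.9", "smb", 500)],
    [(0, "ws01", "10.0.0.5", "https", 1100), (0, "ws02", "10.0.0.9", "smb", 500)],
]
CURRENT_FLOWS = [
    # ws01: ordinary, irregular browsing, total 1150 bytes (close to baseline)
    (5, "ws01", "10.0.0.5", "https", 300), (40, "ws01", "10.0.0.5", "https", 200),
    (800, "ws01", "10.0.0.5", "https", 250), (1150, "ws01", "10.0.0.5", "https", 150),
    (1160, "ws01", "10.0.0.5", "https", 250),
    # ws02: a single SMB transfer forty times its usual volume
    (100, "ws02", "10.0.0.9", "smb", 20000),
    # ws03: never seen in the baseline, small connections about every 60 s
    (0, "ws03", "203.0.113.7", "https", 200), (61, "ws03", "203.0.113.7", "https", 200),
    (119, "ws03", "203.0.113.7", "https", 200), (180, "ws03", "203.0.113.7", "https", 200),
    (241, "ws03", "203.0.113.7", "https", 200), (299, "ws03", "203.0.113.7", "https", 200),
]


def bytes_per_key(flows):
    """Total bytes sent per (source host, protocol) in one window."""
    totals = defaultdict(int)
    for _ts, src, _dst, proto, nbytes in flows:
        totals[(src, proto)] += nbytes
    return totals


def bandwidth_spikes(baseline_windows, current_flows, z_threshold=3.0):
    """Compare each (host, protocol) volume in the current window against the
    mean and spread of the same key across the baseline windows.

    Returns {key: (current_bytes, baseline_mean, z_score)} for keys whose
    z-score reaches z_threshold.  A key missing from a window counts as 0 bytes,
    so a host that never appeared in the baseline is reported as soon as it
    sends anything."""
    history = [bytes_per_key(w) for w in baseline_windows]
    current = bytes_per_key(current_flows)
    keys = set(current)
    for totals in history:
        keys |= set(totals)
    spikes = {}
    for key in keys:
        samples = [totals.get(key, 0) for totals in history]
        mu = mean(samples)
        # Floor the spread so a perfectly flat baseline does not turn every
        # byte of jitter into a "spike" (5 % of the mean, or 1 byte).
        sigma = max(pstdev(samples), 0.05 * mu, 1.0)
        now = current.get(key, 0)
        z = (now - mu) / sigma
        if z >= z_threshold:
            spikes[key] = (now, mu, round(z, 2))
    return spikes


def beacon_candidates(flows, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection inter-arrival times are nearly
    constant.  Periodicity is measured as the coefficient of variation
    (stdev / mean) of the gaps: human-driven traffic is bursty and scores high,
    a timer-driven check-in scores near zero.

    Returns {(src, dst): (mean_gap_seconds, cv)} for pairs at or below max_cv."""
    timestamps = defaultdict(list)
    for ts, src, dst, _proto, _nbytes in flows:
        timestamps[(src, dst)].append(ts)
    found = {}
    for pair, ts_list in timestamps.items():
        if len(ts_list) < min_connections:
            continue  # too few samples to say anything about periodicity
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean_gap = mean(gaps)
        if mean_gap <= 0:
            continue  # all connections at the same instant: a burst, not a beacon
        cv = pstdev(gaps) / mean_gap
        if cv <= max_cv:
            found[pair] = (round(mean_gap, 1), round(cv, 3))
    return found


if __name__ == "__main__":
    for key, (now, base, z) in bandwidth_spikes(BASELINE_WINDOWS, CURRENT_FLOWS).items():
        print(f"bandwidth spike: {key} sent {now} B, baseline {base:.0f} B, z={z}")
    for pair, (gap, cv) in beacon_candidates(CURRENT_FLOWS).items():
        print(f"beacon candidate: {pair} every ~{gap} s (cv={cv})")
```

Run as written, the bandwidth check reports ws02 (the SMB transfer far above its flat baseline) and ws03 (a host with no baseline at all), while the beacon check reports only ws03, whose connections arrive roughly every 60 seconds; ws01 has enough connections to be evaluated but its gaps vary too much to look timer-driven. In practice the baseline windows would come from stored NetFlow, firewall or proxy records rather than literals, and the beacon check is usually paired with a look at the destinations themselves (DNS lookups, reputation) before anyone treats a candidate as command-and-control.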

Irregular peer-to-peer communication

In a secure environment, there should not be any peer-to-peer connections such as torrents and file-sharing sites. (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Graeme Messina. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Cwx49Z65AJI/