CySA+ Chapter 17 Slide Handouts

Network-related symptoms of compromise include abnormal bandwidth consumption, beaconing, irregular peer-to-peer communication, rogue devices on the network, scans/sweeps, and unusual traffic spikes or connections on non-standard ports. Host-related symptoms include abnormal processor/memory/disk usage, unauthorized software/processes/privileges, data exfiltration, and file/registry changes. Application-related symptoms include anomalous activity, unexpected errors/output, and unexpected outbound communication.

Common Symptoms of Compromise

Chapter 17

CompTIA CySA+ Cybersecurity Analyst (CS0-002)
with Brent Chapman and Michael Solomon

Episode 17.01
Network Symptoms

Objective: 4.3 Given an incident, analyze potential indicators of compromise.


• Network-related
- Bandwidth consumption
- Beaconing
- Irregular peer-to-peer communication
- Rogue device on the network
- Scan/sweep
- Unusual traffic spike
- Common protocol over non-standard port
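A small defender-side triage script, added here as an example and not part of the handout, that turns three of the network symptoms above (beaconing, scan/sweep, and a common protocol on a non-standard port) into checks over flow records. The record layout, the constructed sample flows, the thresholds and the protocol-to-port table are all assumptions, not values from the course.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (timestamp_s, src, dst, dst_port, protocol): sample data, not real traffic.
FLOWS = [
    # Beacon-like: one host reaches the same external server on a fixed 60 s cadence
    *[(t, "10.0.0.5", "203.0.113.9", 443, "tls") for t in range(0, 600, 60)],
    # Sweep-like: one host probes port 22 on forty neighbouring addresses
    *[(100 + i, "10.0.0.7", f"10.0.1.{i}", 22, "ssh") for i in range(1, 41)],
    # Common protocol on a non-standard port: HTTP identified on 4444
    (300, "10.0.0.9", "198.51.100.4", 4444, "http"),
    # Ordinary browsing, should not be flagged by any check
    (5, "10.0.0.8", "93.184.216.34", 443, "tls"),
    (212, "10.0.0.8", "93.184.216.34", 80, "http"),
]

STANDARD_PORTS = {"http": {80, 8080}, "tls": {443, 8443}, "ssh": {22}, "dns": {53}}  # assumed mapping

def find_beacons(flows, min_count=8, max_cv=0.1):
    """Return (src, dst, port) keys whose inter-flow gaps are nearly constant.
    cv = stdev / mean of the gaps; machine-scheduled traffic has a very low cv."""
    times_by_key = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        times_by_key[(src, dst, port)].append(ts)
    hits = []
    for key, times in times_by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(key)
    return hits

def find_sweeps(flows, min_targets=20):
    """Return (src, port) pairs where one source touched many distinct hosts on one port."""
    targets = defaultdict(set)
    for _, src, dst, port, _ in flows:
        targets[(src, port)].add(dst)
    return [key for key, hosts in targets.items() if len(hosts) >= min_targets]

def find_nonstandard_ports(flows):
    """Return flows whose identified protocol is running on a port it is not expected on."""
    return [f for f in flows if f[4] in STANDARD_PORTS and f[3] not in STANDARD_PORTS[f[4]]]

if __name__ == "__main__":
    print("beacons:", find_beacons(FLOWS))
    print("sweeps:", find_sweeps(FLOWS))
    print("non-standard ports:", find_nonstandard_ports(FLOWS))
```

Each check is a starting point for a hunt, not a verdict: a low cv also matches legitimate schedulers and update agents, so the hits still need host and application context before being called compromise.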

Diagnose Symptoms

Application
• What are processes doing?
• Connections

Host
• Unauthorized system usage
• Processes & applications

Network
• Unusual bandwidth changes
• Unusual traffic
• Unusual connections

Network-Related Symptoms
• Bandwidth consumption
• Traffic spikes
• Traffic irregularities

Bandwidth Consumption

Network-Related Symptoms
• Beaconing
• Peer-to-peer communications
• Rogue devices
• Scan sweeps

Scan Sweep

Episode 17.02
Host Symptoms

Objective: 4.3 Given an incident, analyze potential indicators of compromise.


• Host-related
- Processor consumption
- Memory consumption
- Drive capacity consumption
- Unauthorized software
- Malicious process
- Unauthorized change
- Unauthorized privilege
- Data exfiltration
- Abnormal OS process behavior
- File system change or anomaly
- Registry change or anomaly
- Unauthorized scheduled task

Host-Related Symptoms
• Memory consumption
• Disk consumption
• Processor consumption
• Unauthorized applications or processes
• Unauthorized privileges
• Data exfiltration

Windows Task Manager

macOS Activity Monitor

Episode 17.03
Application Symptoms

Objective: 4.3 Given an incident, analyze potential indicators of compromise.


• Application-related
- Anomalous activity
- Introduction of new accounts
- Unexpected output
- Unexpected outbound communication
- Service interruption
- Application log

Application-Related Symptoms
• Anomalous activity
• Unexpected error messages
• Out of memory alerts
• Unexpected outbound transmissions

Little Snitch

Windows Firewall
