3.2 Given a scenario, perform incident response activities.

📘CompTIA CySA+ (CS0-003)

1. Detection and Analysis (Overview)

Detection and analysis is the phase where security teams identify suspicious activity and determine whether a real security incident has occurred.

Main goals:

Identify security events quickly
Confirm if the event is malicious or normal behavior
Understand the scope (what systems are affected)
Collect and analyze evidence

In IT environments, detection usually comes from:

Security tools (SIEM, EDR, IDS/IPS)
System logs (Windows Event Logs, Linux logs)
Network traffic monitoring tools
User reports or alerts

2. Indicators of Compromise (IoC)

What is an IoC?

An Indicator of Compromise (IoC) is a piece of evidence that suggests a system has been compromised or attacked.

IoCs help analysts detect known attack patterns.

Common types of IoCs:

1. File-based IoCs

Malicious files on a system
Example:
- Unknown .exe running in system folder
- Malware hash detected in antivirus system

2. Network-based IoCs

Suspicious network communication
Example:
- Server connecting to unknown external IP address
- Unusual traffic to command-and-control (C2) server

3. Host-based IoCs

Changes in system behavior
Example:
- New unauthorized admin account created
- Unexpected registry changes in Windows system

4. Behavioral IoCs

Abnormal activity patterns
Example:
- Large data transfers at unusual times
- Multiple failed login attempts followed by success

How IoCs are used:

SIEM tools match logs against known IoC databases
Security teams investigate alerts triggered by IoCs
Helps identify attacks like malware, phishing, or intrusion

3. Evidence Acquisition

Evidence acquisition is the process of collecting digital evidence from systems in a secure and structured way.

This is critical because evidence may be used for investigation, reporting, or legal action.

Key components of evidence acquisition:

A. Chain of Custody

What it means:

The chain of custody is a documented record that shows:

Who collected the evidence
When it was collected
Where it was stored
Who accessed it

Purpose:

Ensures evidence is not tampered with
Maintains legal and investigative integrity

Example in IT:

Security analyst collects server log files
Logs are stored in a secure evidence repository
Every access to those logs is recorded

If chain of custody is broken, evidence may become invalid in legal or audit situations.

B. Validating Data Integrity

What it means:

Ensuring that evidence has not been modified after collection.

How it is done:

Using hash values (MD5, SHA-256)
Comparing original hash vs copied evidence hash

Example:

A disk image is collected from a compromised server
SHA-256 hash is generated before and after transfer
If hashes match → data is unchanged

Why it matters:

Prevents tampering
Ensures reliability of investigation findings

C. Preservation

What it means:

Preservation means protecting evidence so it remains unchanged during investigation.

Key actions:

Creating forensic copies (not using original data)
Isolating infected systems from the network
Preventing log overwriting
Storing evidence in secure, access-controlled systems

Example in IT:

A compromised VM is snapshot instead of being directly modified
Logs are exported before rotation deletes them

D. Legal Hold

What it means:

A legal hold is a formal instruction to preserve all relevant data because it may be needed for legal or compliance purposes.

Why it is used:

During lawsuits
Regulatory investigations
Internal audits

Example:

Company detects data breach
Legal team instructs IT to preserve:
- Email logs
- Access logs
- Database records
Systems must NOT delete or modify this data

4. Data and Log Analysis

What is it?

Data and log analysis is the process of reviewing collected logs and system data to understand what happened during a security incident.

Types of logs used in analysis:

1. System logs

Operating system activity
Example:
- Windows Event Logs (logon/logoff events)
- Linux syslog entries

2. Security logs

Authentication and security events
Example:
- Failed login attempts
- Firewall alerts

3. Application logs

Activity from applications
Example:
- Web server logs showing HTTP requests
- Database access logs

4. Network logs

Traffic and communication data
Example:
- NetFlow data
- Proxy logs
- DNS query logs

What analysts look for in logs:

Unauthorized login attempts
Suspicious IP addresses
Unusual data transfers
Malware execution traces
Privilege escalation activity
Lateral movement between systems

Log analysis tools:

SIEM platforms (central log collection and correlation)
Endpoint Detection and Response (EDR)
Packet analyzers (for network traffic review)

Example analysis flow in IT environment:

SIEM alert detects multiple failed logins
Analyst checks authentication logs
Finds successful login after failures
Correlates with unusual IP address
Checks endpoint logs for malicious activity
Confirms possible brute-force attack

Exam-Focused Summary

To pass CySA+ for this topic, remember:

Detection & Analysis includes:

Identifying suspicious activity
Using IoCs to detect attacks
Investigating alerts using logs and tools

IoCs:

File-based, network-based, host-based, behavioral indicators

Evidence Acquisition:

Chain of custody = tracking evidence handling
Data integrity = using hashes to verify no changes
Preservation = protecting original data
Legal hold = formal requirement to keep evidence

Data & Log Analysis:

Reviewing system, security, application, and network logs
Using SIEM/EDR tools
Identifying attack patterns and scope