Domain 2: Software and Systems Security

Press enter or click to view image in full size

2.1 Implement Security Measures for Managing Infrastructure

2.1.1 Cloud vs. On-Premises

• Cloud: Shared responsibility, remote access, elastic scaling, risks like data exposure or API abuse.
• On-Premises: Greater control, but higher cost and maintenance; risks include misconfigurations, unpatched systems.

2.1.2 Asset Management

• Asset Tagging: Unique identifiers for tracking.
• Purpose: Accountability, loss prevention, accurate inventory.

2.1.3 Segmentation

• Physical: LAN, DMZ, extranet, intranet.
• Virtual: VLANs.
• Jump Box: Secure intermediary access point.
• Air Gap: Total isolation from networks.

2.1.4 Network Architecture

• Logical vs Physical Diagrams: Both needed for audits and planning.
• SDN (Software Defined Networking):
• Control plane (central intelligence)
• Data plane (packet forwarding)

2.1.5 Change Management

• Structured process for approvals and rollback planning.
• Reduces unintended consequences.

2.1.6 Serverless Infrastructure

• e.g., AWS Lambda. Minimal server management, but logging and auth must be well-configured.

2.1.7 Virtualization

• Virtual Desktop Infrastructure (VDI):
• Centralized
• Hosted
• Remote models

2.1.8 Containerization

• e.g., Docker, Kubernetes.
• Benefits: Portability, scalability
• Risks: Insecure base images, weak isolation

2.1.9 Identity and Access Management

• MFA, Federation, Attribute-Based Access Control, Mandatory Access Control
• Manual reviews required for high-privilege accounts

2.1.10 CASB (Cloud Access Security Broker)

• Monitors cloud usage, enforces policies

2.1.11 Honeypots

• Deception tools to lure attackers, gather TTPs

2.1.12 Encryption

• Use TLS, AES-256 for data at rest/in transit
• SSL Inspection: Decrypt → inspect → re-encrypt

2.1.13 Certificate Management

• PKI ensures identity assurance
• Costly but foundational for secure communication

2.1.14 Active Defense

• Combines automated detection with orchestrated response

2.2 Explain Software Assurance Best Practices

2.2.1 Platforms

• Mobile, Web, Embedded, Client-Server, SoC, Firmware — each has unique threat surfaces.

2.2.2 Software Development Life Cycle (SDLC)

1. Requirements Gathering
2. Design
3. Development
4. Testing
5. Deployment
6. Maintenance

2.2.3 DevSecOps

• Integrates security into DevOps.
• Focus: CI/CD + security controls
• Toolchains automate testing, code scanning, monitoring

2.2.4 Software Assessment Methods

• User Acceptance Testing (UAT)
• Code Review
• Stress Testing
• Security Regression Testing

2.2.5 Secure Coding Best Practices

• Input validation, encoding, error handling, least privilege
• Prevent:
• SQLi, XSS, CSRF
• Insecure deserialization
• Command injection

2.2.6 Static Analysis (SAST)

• Analyzes source code without executing
• Tools: SonarQube, Fortify

2.2.7 Dynamic Analysis (DAST)

• Tests application at runtime
• Tools: Burp Suite, ZAP

2.2.8 Service-Oriented Architecture (SOA)

• Includes REST, SOAP, SAML
• Risks: Data leakage, insecure APIs

2.3 Programming Languages / Scripting

2.3.1 Languages

• JSON/XML: Validate input, avoid XXE
• Python/PowerShell: Script automation, check for obfuscation
• Shell Scripting: Watch for privilege escalation, backdoors
• Regex: Used for signature detection (malicious patterns)

2.4 Explain Hardware Assurance Best Practices

2.4.1 Hardware Root of Trust

• TPM (Trusted Platform Module):
• Stores keys and hashes
• Provides binding (link disk to device) and sealing (system state lock)
• HSM (Hardware Security Module):
• Secure key management
• Offloads cryptographic tasks

2.4.2 eFUSE

• Prevents firmware downgrades
• Used to lock chip configurations dynamically

2.4.3 UEFI vs BIOS

• UEFI uses GPT, supports large drives
• Preferred in modern systems due to flexibility and integrity checks

2.4.4 Trusted Foundry

• Ensures authenticity of semiconductors
• U.S. DoD program to reduce risk of hardware backdoors

2.4.5 Secure Processing

• Includes Trusted Execution, Secure Enclave, Processor Extensions

2.4.6 Anti-Tamper

• Blocks access to crypto keys and sensitive data
• Embedded software is the only permitted access route

2.4.7 Self-Encrypting Drive (SED)

• Encrypts/decrypts automatically
• Uses DEK stored on drive

2.4.8 Trusted Firmware Updates

• Signed updates only; prevents firmware-level malware

2.4.9 Measured Boot and Attestation

• Verifies each stage during boot using hash values
• Detects tampering at startup

2.4.10 Bus Encryption

• Protects data in motion between internal components (e.g., CPU to RAM)

Domain 2 has been fully covered, now we will look on Domain 3, let’s go..

Domain 3 — Security Operations and Monitoring

Press enter or click to view image in full size

3.1 Assess Data as a Component of Security Monitoring Tasks

3.1.1 Heuristics

• Detects unknown threats based on behavior and similarity to known malware.
• Used by antimalware and EDR tools.
• Weakness: May trigger false positives (e.g., flagging another antivirus as malware).

3.1.2 Trend Analysis

• Identifies behavioral shifts or anomalies over time.
• Helps establish baselines and detect slow-moving threats.
• Useful for incident detection and post-event investigation.

3.1.3 Endpoint Data Analysis

• Tools: EDR, Sysmon, memory analyzers, reverse engineering tools.
• Analyze file behavior, registry changes, process injection, API calls.
• Reverse Engineering: Disassemblers, unpackers, debuggers (e.g., Ghidra, OllyDbg).

3.1.4 Network Data Analysis

• Flow Analysis: NetFlow to track IP communication.
• Packet Analysis: Wireshark for inspecting individual packets.
• Protocol Analysis: Detect anomalies in standard traffic (e.g., DNS tunneling).

3.1.5 Log Review

• Sources: Event Viewer, firewall, proxy, IDS/IPS logs.
• Detect anomalies (login failures, process anomalies, port scans).

3.1.6 Impact Analysis

• Assesses business impact of detected incidents (downtime, data loss).
• Ties into CIA triad: Confidentiality, Integrity, Availability.

3.1.7 SIEM Review

• SIEM Tools: Splunk, ELK, IBM QRadar.
• Centralize log collection, normalization, alerting, dashboards.

3.1.8 Query Writing

• Use SIEM queries (e.g., SPL, KQL) to search logs for:
• Specific IoCs
• Abnormal user activity
• Time-correlated events

3.1.9 Email Analysis

• Examine headers for SPF/DKIM/DMARC.
• Spot phishing, spoofing, malware links or attachments.

3.1.10 DNS/IP Reputation

• Lookup malicious indicators using tools like VirusTotal, AbuseIPDB, or WHOIS.

3.1.11 File Analysis

• Use strings, hash checks (MD5, SHA-256), VirusTotal.
• Look for encoded payloads, malware signatures, obfuscation.

3.1.12 Sandboxing

• Tools: Joe Sandbox, Cuckoo Sandbox
• Execute malware in isolated environment to monitor behavior (file drops, registry changes, C2).

3.1.13 Detecting Malicious Activity

• Pattern recognition of known TTPs (MITRE ATT&CK).
• Monitor:
• Suspicious command usage (PowerShell, netcat)
• File changes, lateral movement
• Impossible travel, user behavior anomalies

3.2 Apply Modifications to Existing Controls to Enhance Security

3.2.1 Permissions

• Least privilege model.
• User/group-based ACLs for read/write/execute.

3.2.2 Whitelisting/Blacklisting

• App whitelisting: Only allow trusted programs.
• Network blacklisting: Deny known malicious IPs/domains.

3.2.3 Firewalls

• Enforce rules based on IP, port, and protocol.
• Types: Host-based, network, NGFW with application awareness.

3.2.4 Intrusion Prevention Systems (IPS)

• Detect and block known exploits and behavioral anomalies in real time.

3.2.5 DLP (Data Loss Prevention)

• Prevent unauthorized data transfers via email, USB, web.
• Types: Endpoint DLP, Network DLP

3.2.6 Endpoint Detection and Response (EDR)

• High visibility into endpoint actions.
• Real-time detection, behavioral analysis, remediation.

3.2.7 Network Access Control (NAC)

• Restricts access based on compliance (e.g., antivirus, patch level).

3.2.8 Sinkholing

• Redirects malicious traffic to a non-routable or controlled host.

3.2.9 Malware Signatures

• AV/EDR use static signature matching to detect known threats.

3.2.10 Sandboxing

• Prevent unknown malware from impacting production.

3.2.11 Port Security

• Restricts devices per switch port using MAC address binding.

3.2.12 OS Concepts

• System Hardening: Disable unused services, remove bloatware.
• File Structure: Audit critical files and permissions.
• Processes & Registry: Monitor startup items, services, hidden tasks.

3.3 Explain the Importance of Proactive Threat Hunting

3.3.1 Establish a Hypothesis

• Use scientific method: Ask > Hypothesize > Test > Analyze > Conclude.

3.3.2 Threat Actors

• State-sponsored (APT), hacktivists, insiders, criminal syndicates.

3.3.3 Threat Hunting Tactics

• Use process explorer, task manager, behavior analysis.
• Tools: ThreatModeler, IriusRisk

3.3.4 Attack Surface Reduction

• Logical: Remove apps, disable services/ports, restrict media use.
• Physical: Disable USB, locks, clean desk policies.

3.3.5 Bundling Critical Assets

• Classify data: Public, Private, Sensitive, Confidential, Top Secret.
• Map access and risk to critical assets.

3.3.6 Attack Vectors

• CVSS uses:
• N: Network
• A: Adjacent
• L: Local
• P: Physical

3.3.7 Integrated Intelligence

• Combine threat feeds, SIEM logs, TTPs to form a threat model.

3.3.8 Improve Detection

• Apply Plan-Do-Check-Act (PDCA) cycle.
• Use threat intelligence for continuous improvement.

3.4 Compare and Contrast Automation Concepts and Technologies

3.4.1 Workflow Orchestration

• Automate playbooks, ticketing, containment.
• Examples: SOAR platforms (Splunk Phantom, Palo Alto XSOAR)

3.4.2 Scripting

• Common languages: Python, Bash, PowerShell, Ruby.
• Tools: Puppet, Chef, Ansible

3.4.3 API Integration

• APIs connect tools (e.g., SIEM with EDR).
• Ensure secure communication & validation.

3.4.4 Automated Malware Signature Creation

• AV generates signatures post-analysis of unknown files.

3.4.5 Data Enrichment

• Add external context (e.g., GeoIP, domain age, reputation) to alerts.

3.4.6 Threat Feed Combination

• Aggregate feeds (e.g., Palo Alto AutoFocus, Anomali).
• Normalize and correlate IoCs.

3.4.7 Machine Learning

• Detect novel threats via behavioral models.
• Tools: UEBA, AEG (Automatic Exploit Generation)

3.4.8 Automation Standards

• SCAP Framework:
• CCE, CPE, CVE, CWE
• Used in compliance and vulnerability assessments

3.4.9 Continuous Integration

• DevOps pipelines integrate security testing into code push.

3.4.10 Continuous Deployment / Delivery

• Ensures fast, automated delivery of secure, tested builds.

3.4.11 Unified Dashboards (Single Pane of Glass)

• Central view of alerts, logs, trends.
• Boosts situational awareness and response time.

Domain 3, is fully explored. Let’s explore Domain 4 now.

Domain 4 — Incident Response

Press enter or click to view image in full size

4.1 Significance of the Incident Response Process

4.1.1 Importance

• Reduces downtime, data loss, financial and reputational impact.
• Ensures consistent and timely response.
• Helps maintain regulatory and legal compliance.
• Strengthens organizational resilience against future attacks.

4.1.2 Coordination with Entities

• Internal Stakeholders: IT, Legal, PR, Executive.
• External Stakeholders: Law enforcement, CERTs, regulatory bodies.
• Public Relations: One designated spokesperson to ensure consistent messaging.
• Regulatory Compliance: HIPAA, PCI-DSS, GDPR, etc.

4.1.3 Data Criticality

• PII, PHI, SPI: Must be protected under legal frameworks.
• High Value Assets: Systems with business-critical roles.
• Intellectual Property and Financial Info: Require strong protection and incident handling processes.

4.2 Implement the Appropriate Response

4.2.1 Event Classifications

• True Positive: Legitimate threat detected.
• False Positive: Benign event misidentified as threat.
• True Negative: Correctly ignored benign event.
• False Negative: Missed legitimate threat.

4.2.2 Triage

• Prioritize incidents by urgency and impact.
• Refer to BIA (Business Impact Analysis) for identifying critical services.
• Assign roles and escalation levels.

4.2.3 Incident Response Process (Six Phases)

1. Preparation

• Risk assessments, host/network hardening, user awareness training.
• Identify common attack vectors (phishing, DoS, removable media).

Detection & Analysis

• SIEM, AV, logs, IDS/IPS, NetFlow.
• Identify IOCs and confirm true positives.

Containment

• Isolate infected hosts, limit spread.
• Adjust firewall, disable accounts, revoke tokens.

Eradication

• Remove root cause (malware, vulnerabilities).
• Patch systems, re-image devices if needed.

Recovery

• Restore systems from backups.
• Monitor for reinfection or persistence mechanisms.

Post-Incident Activities

• Forensics, root cause analysis, lessons learned.

4.2.4 Response Playbooks

• Documented procedures for common scenarios (ransomware, insider threat, phishing).
• Includes containment, escalation, and reporting steps.

4.2.5 Communication Plan

• Limit internal/external communication to authorized parties.
• Follow legal and regulatory disclosure requirements.

4.3 Incident Response Protocols

4.3.1 Preparation

• Security training, asset inventory, risk awareness.
• Define roles, escalation, contacts, IRP, BCP, DRP.

4.3.2 Detection & Analysis

• Monitor systems using SIEM and log analysis.
• Confirm alert validity; identify affected assets and attack vectors.

4.3.3 Containment

• Short-term: Quick fixes like disconnection.
• Long-term: Structural changes, patching, segmentation.

4.3.4 Eradication & Recovery

• Remove malware, block IPs, clean logs.
• Restore from backups, conduct post-recovery validation.

4.3.5 Post-Incident Activities

• Root cause analysis.
• Report generation for stakeholders.
• Policy refinement and future mitigation planning.

4.4 Analyze Indicators of Compromise (IoCs)

Network-Based

• Bandwidth spikes
• Beaconing to C2 servers
• Rogue devices
• Irregular P2P communication
• Unexpected ports

Host-Based

• Abnormal CPU/Memory/Drive usage
• Unauthorized software/processes
• Scheduled tasks or privilege changes
• Registry/File system modifications

Application-Level

• Anomalous DB/file access
• New user accounts
• Unexpected outbound communication
• Log anomalies

Other

• Social engineering attempts
• Obfuscated URLs and phishing emails

4.5 Apply Digital Forensics Methods

4.5.1 Network Forensics

• Tools: Wireshark, tcpdump, tshark.
• Inspect flow/session data and raw packets.

4.5.2 Endpoint Forensics

• Disk: FTK Imager, EnCase, Autopsy.
• Memory: Volatility, memdump.
• Mobile: Cellebrite, MobilEdit.

4.5.3 Virtualization Forensics

• Examine VM images and virtual disk snapshots.

4.5.4 Legal Hold

• Preserve evidence for legal use; comply with retention requirements.

4.5.5 Procedures

• Use standardized investigation templates and processes.

4.5.6 Hashing

• Generate digital fingerprints (SHA-256, MD5) for integrity verification.

4.5.7 Carving

• Recover deleted or fragmented files (even without file system metadata).

4.5.8 Data Acquisition

• Use imaging/cloning for evidence preservation.
• Avoid working on live evidence.

4.6 Importance of Forensic Concepts

4.6.1 Legal vs Internal Use

• Legal: Admissible in court, requires validated procedures.
• Corporate: Used for internal discipline, governance, audits.

4.6.2 Forensic Process

1. Identification: Locate evidence, assess access.
2. Collection: Secure and log evidence (use court order if needed).
3. Analysis: Correlate logs, apply automation, uncover IOCs.
4. Reporting: Tailor to audience — technical for law enforcement, summarized for executives.

4.6.3 Cryptanalysis

• Decrypt or break ciphered data using statistical, brute force, or side-channel methods.

4.6.4 Steganalysis

• Detect hidden data in images, audio, video, etc.

4.6.5 Integrity Preservation

• Use hashing, checksums, write-blockers.
• Maintain chain of custody.
• Follow order of volatility:
• Registers → RAM → Network sessions → Disk → Archives

Domain 4, fully completed. Let’s see Domain 5.

Domain 5 — Compliance and Assessment

Press enter or click to view image in full size

5.1 Recognize the Significance of Safeguarding and Preserving Data Privacy

5.1.1 Privacy vs Security

• Privacy: Protection of Personally Identifiable Information (PII), ensuring it’s only used for intended purposes.
• Security: Safeguarding systems from unauthorized access and threats.
• PIA (Privacy Impact Assessment): Risk analysis to evaluate handling of PII (collection, storage, processing, transmission).

5.1.2 Non-Technical Controls

• Information Classification:
• Top Secret, Secret, Confidential, Unclassified.
• Data Ownership:
• Assign ownership; SMEs (Subject Matter Experts) guide controls.
• Data Life Cycle:
• Creation → Storage → Use → Archival → Destruction
• Includes minimization, retention & purpose limitation.
• Data Sovereignty:
• Data subject to the laws where it resides.
• NDAs (Non-disclosure Agreements):
• Legal contracts to prevent info leaks.

5.1.3 Technical Controls

• Encryption: Data at rest/in transit.
• DLP (Data Loss Prevention): Host-based, network-based.
• Access Controls:
• Geo-fencing
• GPS, RFID tracking
• Obfuscation & De-identification: Makes data unreadable or anonymous.

5.2 Summarize Privacy and Compliance Regulations

5.2.1 GDPR (General Data Protection Regulation — EU)

• Protects EU citizen data globally.
• Requires:
• Consent for data use
• Breach reporting within 72 hours
• Data erasure (Right to be forgotten)

5.2.2 HIPAA (Health Insurance Portability and Accountability Act)

• U.S. healthcare data protection.
• Protects PHI (Protected Health Information).
• Requires:
• Access controls
• Audit logs
• Breach notifications

5.2.3 PCI-DSS (Payment Card Industry Data Security Standard)

• For organizations that handle cardholder data.
• Requirements:
• Vulnerability scanning
• Logging and monitoring
• Access restrictions
• Encrypted transmissions

5.2.4 SOX (Sarbanes-Oxley Act)

• Protects financial records of public companies.
• Emphasis on data integrity and fraud prevention.

5.2.5 FISMA (Federal Information Security Management Act)

• Applies to U.S. federal agencies and contractors.
• Requires regular audits and security assessments.

5.2.6 FERPA (Family Educational Rights and Privacy Act)

• Governs educational institutions.
• Ensures student data privacy.

5.3 Assess Security Risks in Cloud Environments

5.3.1 Shared Responsibility Model

• Provider: Infrastructure security
• Customer: Data, OS, apps

5.3.2 Risks

• Improper Key Management
• Insecure APIs
• Lack of visibility in multi-tenant environments
• Shadow IT: Unauthorized apps/services bypassing governance.

5.3.3 Risk Mitigation

• Use encryption and MFA.
• Conduct regular security assessments.
• Enforce cloud usage policies.
• Use Cloud Access Security Brokers (CASBs) for monitoring.

5.4 Evaluate Risk and Compliance Output from Audit Reports

5.4.1 Risk Identification and Prioritization

Based on:

• CVSS Scores
• Exploitability
• Asset Criticality
• Business Impact Analysis (BIA)
• Consider vulnerabilities exploited in the wild (zero-days, APTs).

5.4.2 Compliance Reports

• Show alignment with:
• Regulatory Requirements (GDPR, HIPAA)
• Industry Standards (NIST, ISO 27001)
• Internal Policies (corporate security guidelines)

5.4.3 Key Report Elements

• Scope Definition
• Assessment Frequency
• Vulnerability List + Severity
• Remediation Plan + Timeline
• Evidence (Scan reports, logs, patch records)
• Audit Trails (change tracking, accountability)
• Reporting Structure: Executive summaries + technical reports

5.4.4 Action Plans

• Mitigation or patching strategy
• Resource allocation
• Continuous improvement (trend reports, lessons learned)

Domain 5 is covered, now let’s move to last Domain 6. If you came so far, then this post deserve one clap :)

Domain 6 — Reporting and Communication

Press enter or click to view image in full size

6.1 Use Appropriate Reporting and Communication Channels

6.1.1 Communication Plans

Define:

• Chain of command
• Stakeholder roles
• Frequency of updates
• Authorized communication channels (email, phone, encrypted tools)

6.1.2 Internal Communication

• Within incident response team.
• Real-time updates using:
• Secure messaging
• Collaboration platforms
• Team briefings

6.1.3 External Communication

• For executive leadership, regulators, media, customers.
• Channels: Press releases, formal notices, legal disclosures.

6.1.4 Communication Logs

• Document all communications chronologically:
• Date/Time
• Stakeholder
• Message content

6.1.5 Timely Notification

• Prompt alerts to:
• Executives
• Legal teams
• Affected individuals (e.g., breach disclosures within 72 hours under GDPR)

6.2 Apply Environmental Awareness to Determine Incident Impact

6.2.1 Stakeholder Identification

• Internal:
• IR team, IT admins, compliance/legal, executives
• External:
• Customers, regulators, law enforcement, partners

6.2.2 Stakeholder Communication Strategies

• Tailor content and methods:
• Executives: High-level summaries, strategic impact
• Customers: Clear, empathetic messages via email, banners, hotlines
• Regulators: Formal reports within legal timelines
• Law Enforcement: Chain of custody and evidence handoff

6.2.3 Communication Channels

• Secure platforms (Signal, encrypted email)
• In-person briefings
• Public: press releases, media briefings

6.3 Explain the Importance of the Chain of Custody in Incident Response

6.3.1 Chain of Custody

• Ensures evidence is:
• Properly collected
• Securely stored
• Tracked during transfers

6.3.2 Chain of Custody Form

• Fields:
• Case name/number
• Evidence details (hash, serial no.)
• Ownership and timestamps
• Transfer log (who received what, when, why)

6.3.3 Evidence Preservation

Maintain order of volatility:

1. CPU registers/cache
2. RAM
3. Temp files/swap
4. Disk
5. Remote logs
6. Archive media

6.3.4 Forensic Imaging

• Create bit-for-bit clones.
• Secure original; work on the image copy.

6.4 Communication Techniques for Security Findings

6.4.1 Audience-Specific Reporting

• Executives: Business risk, ROI, compliance impact.
• Technical Staff: IoCs, logs, vulnerabilities, patch details.
• Customers/Users: What happened, how it affects them, what to do next.

6.4.2 Reporting Types

• Executive Reports: Short, business-focused.
• Technical Reports: Detailed timelines, logs, malware behavior.
• Legal Reports: Compliance with regulations.

6.4.3 Visual Aids

Use:

• Timelines
• Graphs
• IOC maps
• Dashboards (e.g., from SIEM)

6.4.4 Report Content

• Summary of incident
• TTPs (MITRE ATT&CK)
• Risk & impact
• Containment & recovery efforts
• Recommendations & lessons learned

6.4.5 Empathy in Communication

• Especially for customer-facing content:
• Use clear, human language
• Show action being taken
• Provide guidance and reassurance

If you came so far, then this post deserve one clap :)

(PS: I have created this Mind Maps using AI Models for quick overview)

Best Of Luck, Guys! Hope you all grind it WELL! Meet you guys in my next interesting blogs. Keep sharing this writeups might be useful for someone :)