CASP+ Domain #2: Security Operations [2022 update]
Are you an advanced-level security architect or senior security engineer and want to verify your high level of cyber security skills? Do you want to prove to hire organizations that you have the knowledge that is up to the task of leading and improving your organization’s cyber security readiness? If so, the CompTIA Advanced Security Practitioner, or CASP+, may be the certification for you. To earn the cert, you will first have to pass the certification exam covering four domains of knowledge.
Earn your CASP+, guaranteed!
What is CASP+?
CASP+ is an advanced-level cyber security certification that is intended for cyber security practitioners. Successful certification candidates will have the knowledge and skill required to:
- Architect, engineer, integrate, and implement secure solutions across complex environments to support a resilient enterprise
- Use monitoring, detection, incident response, and automation to proactively support ongoing security operations in an enterprise environment
- Apply security practices to cloud, on-premises, endpoint, and mobile infrastructure, while considering cryptographic technologies and techniques
- Consider the impact of governance, risk, and compliance requirements throughout the enterprise
What has changed since the last CASP+ exam version?
The latest CASP+ exam version is CAS-004, and much has changed since CAS-003. The CASP+ certification exam has dropped a Domain (down to four), and all Domain names and respective percentages of exam material have all changed. Below is a comparison:
CASP+ Domain 2: Security Operations
Below is the material covered by Domain 2 of the CASP+ certification exam.
2.1 Given a scenario, perform threat management activities
1. Intelligence types
- Tactical
- Commodity malware
- Strategic
- Targeted attacks
- Operational
- Threat hunting
- Threat emulation
2. Actor types
- Advanced persistent threat (APT)/nation-state
- Insider threat
- Competitor
- Hacktivist
- Script kiddie
- Organized crime
3. Threat actor properties
- Resource
- Time
- Money
- Supply chain access
- Create vulnerabilities
- Capabilities/sophistication
- Identifying techniques
- Intelligence collection methods
- Intelligence feeds
- Deep web
- Proprietary
- Open-source intelligence (OSINT)
- Human Intelligence (HUMINT)
4. Frameworks
- MITRE Adversarial Tactics, Techniques, & Common knowledge (ATT&CK)
- ATT&CK for Industrial Control System (ICS)
- Diamond Model of Intrusion Analysis
- Cyber Kill Chain
2.2 Given a scenario, analyze indicators of compromise and formulate an appropriate response
1. Indicators of compromise
- Packet capture (PCAP)
- Logs
- Network logs
- Vulnerability logs
- Operating system logs
- Access logs
- NetFlow logs
- Notifications
- FIM alerts
- SIEM alerts
- DLP alerts
- IDS/IPS alerts
- Antivirus alerts
- Notification severity/priorities
- Unusual process activity
2. Response
- Firewall rules
- IPS/IDS rules
- ACL rules
- Signature rules
- Behavior rules
- DLP rules
- Scripts/regular expressions
2.3 Given a scenario, perform vulnerability management activities
1. Vulnerability scans
- Credentialed vs. non-credentialed
- Agent-based/server-based
- Criticality ranking
- Active vs. passive
2. Security Content Automation Protocol (SCAP)
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
- Common Platform Enumeration (CPE)
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
- Common Configuration Enumeration (CCE)
- Asset Report Format (ARF)
3. Self-assessment vs. third-party vendor assessment
4. Patch Management
5. Information sources
2.4 Given a scenario, use the appropriate vulnerability assessment and penetration testing methods and tools
1. Methods
- Static analysis
- Dynamic analysis
- Side-channel analysis
- Reverse engineering
- Software
- Hardware
- Wireless vulnerability scan
- Software composition analysis
- Fuzz testing
- Pivoting
- Post-exploitation
- Persistence
2. Tools
- SCAP scanner
- Network traffic analyzer
- Vulnerability scanner
- Protocol analyzer
- Port scanner
- HTTP interceptor
- Exploit framework
- Password cracker
3. Dependency management
4. Requirements
- Scope of work
- Rules of engagement
- Invasive vs. Non-invasive
- Asset inventory
- Permissions and access
- Corporate policy considerations
- Facility considerations
- Physical security considerations
- Rescan for corrections/changes
2.5 Given a scenario, analyze vulnerabilities and recommend risk mitigations
1. Vulnerabilities
- Race conditions
- Overflows
- Broken authentication
- Unsecure references
- Poor exception handling
- Security misconfiguration
- Improper headers
- Information disclosure
- Certificate errors
- Weak cryptography implementations
- Software composition analysis
- Use of vulnerable frameworks and software modules
- Use of unsafe functions
- Third-party libraries
2. Inherently vulnerable system/application
3. Attacks
- Directory traversal
- Cross-site scripting (XSS)
- Cross-site-request forgery (CSRF)
- Injection
- Sandbox escape
- Virtual machine (VM) hopping
- VM escape
- Border Gateway Protocol (BGP)/route hijacking
- Interception attacks
- Denial-of-service (DoS)/DDoS
- Authentication bypass
- Social engineering
- VLAN hopping
2.6 Given a scenario, use processes to reduce risk
1. Proactive and detection
2. Security data analytics
3. Preventive
4. Application control
5. Security automation
6. Physical security
2.7 Given an incident, implement the appropriate response
1. Event classifications
- False positive
- False negative
- True positive
- True negative
2. Triage event
3. Pre-escalation tasks
4. Incident response process
- Preparation
- Detection
- Analysis
- Containment
- Recovery
- Lessons learned
5. Specific response playbooks/processes
- Scenarios
- Ransomware
- Data exfiltration
- Social engineering
- Non-automated response methods
- Automated response methods
6. Communication plan
7. Stakeholder management
2.8 Explain the importance of forensic concepts
1. Legal vs. internal corporate purposes
2. Forensic process
- Identification
- Evidence collection
- Cloning
- Evidence preservation
- Analysis
- Verification
- Presentation
3. Integrity preservation
4. Cryptanalysis
5. Steganalysis
2.9 Given scenario, use forensic analysis tools
1. File carving tools
- Foremost
- Strings
2. Binary analysis tools
- Hex dump
- Binwalk
- Ghidra
- GNU Project debugger (GDB)
- OllyDbg
- readelf
- objdump
- strace
- Idd
- file
3. Analysis tools
- ExifTool
- Nmap
- Aircrack-ng
- Volatility
- The Sleuth Kit
- Dynamically vs. statically linked
4. Imaging tools
- Forensic Toolkit (FTK) Imager
- dd
5. Hashing utilities
- sha256sum
- ssdeep
6. Live collection vs. post-mortem tools
- netstat
- ps
- vmstat
- Idd
- Isof
- netcat
- tcpdump
- conntrack
- Wireshark
Earn your CASP+, guaranteed!
Conclusion
CASP+ is an advanced level security architecture and senior security engineering cybersecurity certification. To earn this cert, you will have to pass the CASP+ certification exam that covers 4 Domains of knowledge. Use this article to help you map out your own study outline for Domain 2 and you will be one step closer to earning the CASP+ cert for yourself.
Sources
- CASP C00-4 Exam Objectives, CompTIA
- CASP+ Certification! 003 vs. 004, Cyberkrafttraining