CS0-002: CompTIA CySA+ Certification Exam (CS0-002) Training Course

The complete solution to prepare for your exam with the CS0-002: CompTIA CySA+ Certification Exam (CS0-002) certification video training course. The CS0-002: CompTIA CySA+ Certification Exam (CS0-002) certification video training course contains a complete set of videos that will provide you with thorough knowledge to understand the key concepts. Top-notch prep including CompTIA CySA+ CS0-002 exam dumps, study guide & practice test questions and answers.

101 Students Enrolled
10 Lectures
07:34:00 Hours

CS0-002: CompTIA CySA+ Certification Exam (CS0-002) Certification Video Training Course Exam Curriculum


Identify Security Control Types

3 Lectures
Time 00:33:00

Threat Intelligence

3 Lectures
Time 00:34:00

Classifying Threats

4 Lectures
Time 00:56:00


About CS0-002: CompTIA CySA+ Certification Exam (CS0-002) Certification Video Training Course

CS0-002: CompTIA CySA+ Certification Exam (CS0-002) certification video training course by prepaway along with practice test questions and answers, study guide and exam dumps provides the ultimate training package to help you pass.

Email Monitoring

1. Email Monitoring (Introduction).

In this section of the course, we're going to discuss email monitoring. Now, our focus in this section is going to continue to be in Domains 3 and 4, with objectives 3.1 and 4.3. Again, objective 3.1 states that, given a scenario, you must analyse data as part of security monitoring activities. In this particular section, we're going to focus on the security monitoring activities associated with conducting email analysis. Our second objective is 4.3, which states that, given an incident, you must be able to analyse potential IOCs, or indicators of compromise. So this is going to focus on your ability to conduct email analysis within your organization.

As we move through this section, we're going to start with how to conduct your analysis of an email monitoring tool's output. Then we're going to focus on the different types of indicators of compromise, or IOCs, that are used to determine if email phishing or impersonations have occurred within your organization. Following that, we'll look at how to conduct a malicious data analysis on an email header or email content. Then we're going to focus on the proper configuration of your email servers for additional security, how to conduct an analysis of an SMTP log, and how to secure your emails using S/MIME and digital signatures.

Finally, I'm going to perform another hands-on demonstration, this time showing you how to analyse an email's header to determine if an indicator of compromise, or IOC, can be identified within it. It's going to be a fun section as we dive deep into determining how secure your email really is inside your organization, because this is such a common attack vector that's used by threat actors as part of their social engineering campaigns, using techniques like phishing, spear phishing, and whaling against your users. Let's get started.

2. Email IOCs (OBJ 3.1)

Email indicators of compromise. Now, email issues are on the rise year after year. Spam and phishing are common social engineering attacks that use email as their delivery vector, and you've already learned about them in your previous A+, Network+, and Security+ studies.

To recap, spam is defined as unsolicited and unwanted junk email sent in bulk to an indiscriminate recipient list. Now, the reason why they send things out in a spammy manner is because if you cast a wide net, you'll catch some people. And that's the idea behind spam. Now this goes a step further when you start talking about phishing. Phishing is the fraudulent practice of sending out emails purporting to be from a reputable company in order to induce individuals to reveal personal information such as passwords or credit card numbers. This occurs frequently as part of spam, but with more malicious intent, it becomes phishing. Now, one of the big things about phishing is that you have to have a pretext.

Now, a pretext is a form of social engineering in which the individual lies and provides a false motive to obtain privileged data. You've probably seen phishing emails that use a pretext like this one, for instance, "I'm from PayPal," and "Your account has been compromised." You need to click this link to set something up or fix something, or if there's been this big charge that's happening, you need to click here to verify it. Those types of things happen, and this is just a way of doing spam and phishing using a pretext that is somewhat believable. Now, if we take it a step further, we can move into spear phishing. Now, with spear phishing, we're dealing with an email spoofing attack that targets a specific organisation or individual by seeking unauthorised access to sensitive information. For example, let's say your bank has been compromised in the past.

Now the attackers have a list of all the people who use that bank. So now they can specifically target people who are customers of that bank because they know who they are, and they can use the pretext of being from that bank to target a specific list of people who are customers of that bank. For instance, if you get a spear phishing email saying there's something wrong with your Bank of America account and click here to log into the website to fix it, you're more likely to do that if you're a Bank of America customer. I don't bank with Bank of America, so if I got that through a generic phishing campaign, I would just ignore it because I know it's not my bank. That's the idea behind dealing with spear phishing. It's a little bit more targeted than a regular phishing attack. Now, this all relies on the concept of impersonation.

The idea behind a lot of these attacks is to try to trick someone into giving us some information. If we can get some information about you, like your name, your email, your password, your login, and things like that, that would be great. We can then use it to impersonate you. And so we deal with impersonation, which is an attack in which an adversary successfully assumes the identity of one of the legitimate parties in a system or in a communications protocol. So for example, if I have figured out a particular person who works at your company and I can send an email pretending to be them, I can impersonate them and get you to do things for me. When an attacker does this, it's usually part of a business email compromise, or BEC.

Now, when you're dealing with a business email compromise, this is an impersonation attack in which the attacker gains control of an employee's account and then uses it to convince other employees to perform fraudulent actions. For example, if somebody used a spear phishing campaign to convince one of my employees to click the link and take over their account, now they can send emails as if they're one of my employees. And if they send me an email from that employee's account saying, "Hey, you need to release funds to pay XYZ vendor," then if I'm not careful, I could say, "Okay," and send the money to that vendor. Well, that vendor isn't really a vendor; it's one of their friends, to whom we've now sent that money. And this is the whole idea behind a business email compromise. Another way this is done is by using email spoofing. Now, with email spoofing, you can actually send out the message and make it look like it's coming from a particular person.

So, once again, if I were able to use social engineering to gather information and I knew who your chief financial officer was, I would know their email address, their name, and I might even have some of their previous emails so I could mimic their writing style. I can then spoof you and make you think that I am your Chief Financial Officer as an attacker, tell you that you need to send a payment from one place to another, and give you the routing information. And you would fall for it, right? Especially if you aren't cautious about verifying whether or not the email came from them. Now, there are a couple of ways that this email spoofing can occur.

One of the most common is known as "forwarding." When you're dealing with forwarding, a phishing email is going to be formatted so it appears to have come as part of a reply or a chain. So, for example, if I know somebody who works in your office who may not be the CFO, let's say it's not the head person but instead it's their assistant, I can then send the email as that assistant, saying "From the CFO: transfer money from X account to Y account," and then have a forwarded chain below that which looks like it came from the CFO.

Well, whether it did or not, if it looks like it, you may fall for that. And that's the idea of "forwarding," where you basically compromise a lower-level employee and then forward the email of what is supposedly a higher-level employee to get people to do what you want. Now, many spoofing attempts can be detected by a close examination of the Internet headers that are attached to a message. When you open up an email, there is this hidden header that you really don't see. If you use Gmail, for example, at the top you'll see the To line, the CC line, the From line, and the Subject line. But there is a lot more to it than that, and all of that is in the email message's Internet header. And we'll go over that in the next lesson, as well as how to analyse them.

3. Email Header Analysis (OBJ 3.1)

Email header analysis. In this lesson, we're going to talk about those email headers, those things that are essentially hidden from view but contain a lot of important information. An email Internet header is a record of the email servers involved in transferring an email message from the sender to a recipient.

Let's talk a little bit about how this works when you send an email. Now, when the email is created, you use what's called a mail user agent, or MUA. This is essentially going to be your email program, or Gmail if you're running in the browser; we're going to use Gmail as our example here. Now, this program is going to create your initial header, and then it forwards that information over to a mail delivery agent, known as an MDA.

This essentially goes from your email client to your email server, and this happens over SMTP. Now, that mail delivery agent is going to do some checks, like ensuring that the sender is authorised to send the message from that domain. This may be done using digital certificates or by using a username and password, which is much more common. Now that that's done, the MDA is going to check and see if that email can be served locally from its server.

For example, if I'm sending email from myself to my video editor, we both use the same email server, diontraining.com. And so in that case, the MDA would simply take that message and put it in their mailbox. But if I'm sending something to [email protected], it now has to transfer that to Gmail's servers. And so the MDA passes it over to an MTA, which is a message transfer agent. This message transfer agent is going to route the message to the recipient, using DNS to locate the different recipients' mail transfer agents that will accept that message. Once I get it over to Gmail's servers, Microsoft's servers, or whoever it is I'm sending it to, their MTA collects that message.

Now, a lot of times, this doesn't go straight from my server to the destination, but it routes between multiple servers going across the Internet. Every time it goes to a new message transfer agent, that message transfer agent is going to add information to the email's Internet header. In this way, we have a record of every single place this message went. Once it gets to an MTA, that MTA finally looks and says, "This is on my server; I'm going to send this to my person." And so it will send it over to the MDA, the mail delivery agent, for its server. Once it does that, the mail delivery agent puts it into the mailbox, and then it sits there and waits until you connect, using something like POP or IMAP, to access that message from your mailbox into your desktop client, the MUA, which again is our mail user agent.

And so again, this is a simple example of how mail goes from a mail user agent on one end through the different mail delivery agents, through the mail transfer agents, and eventually back through the mail delivery agent to the mailbox and over to the mail user agent once more, where it's going to get to its destination and be read.

So now that we've talked about how email gets from one place to another, let's talk about some of the vulnerabilities that can be exploited by attackers. First, attackers can exploit the fact that there are actually three sender address fields inside an email. And this is something that they are going to be able to exploit. The first one is what's known as the "display from address." For instance, if you get an email from my support team, you're going to get an email that looks like this.

It's going to say "Support" and then "[email protected]" in angle brackets. That is the display from. Now, that doesn't actually mean anything. We can make that say whatever we want it to say, but that's what's going to be displayed. And that's one of the three fields that we're going to have as part of this Internet header. This is what's known as the "from header" or the "display from header." And this display from is going to be essentially just a nice name for whatever we want to put in there. Now, what attackers will often do is change it to make it look like it comes from Support at Dion Training, even though if you looked underneath, it might actually be something like [email protected] or <theft@badguy.com>.

If I had that and you only saw the "Support at Dion Training" part, that's all you're going to be seeing, because a lot of our mail clients only show the friendly part outside the brackets and not what's inside the brackets. As a result, you may see "Support at Dion Training" in your Gmail client rather than [email protected], for example. Now, the second thing they can exploit is what's called the envelope from. This is another from field. Now, the envelope is going to have various labels that are actually hidden from your mail client. This is essentially your return address. And so if your email is actually rejected by the mail transfer agent, it's going to send it back to wherever the envelope from says.

So this field can be anything. Again, in this case, we might have something like [email protected], but you'd never see it because it's something that's hidden from your display client. And then the third thing we have is what's called the "received from" or "received by." And this is a list of all the different MTAs that have processed this email. Every time an MTA, a mail transfer agent, touches this email as it's going through these different servers along its way, there is a chance that this received header could be changed. Now again, this is a field that's not displayed by your client, but it is in those Internet headers.

And so if you think you have a message that may have been spoofed, you can open up your Internet headers and see all the different received-from server information, and that would tell you exactly which servers it's gone through as it's passed along the Internet. Now, as I said, most headers are not displayed by your email applications by default. But if you see something that looks suspicious, you can open up those headers and start doing some analysis, which is what we're going to do here on a sample email.

Now, in the example I'm going to show you here, we've actually removed some of the fields to make it a little easier to read. And, instead of using real IP addresses or real domain names, we've taken some of the original information and replaced it with placeholder information, such as spam.foo. The reason we did this is because on the exam, this is similar to what CompTIA will do for you, because they don't want to have anybody's real IP addresses or domain names shown inside of an exam simulation, since those IP addresses change all the time and may not be malicious anymore.

So let's take a look at this email header. This is what it looks like. Now, this is a lot of text, so I'm going to give you a second to read through it. I'm not going to read through it all right now because we're going to go through it step by step as we go through our analysis. When I open up an email header, one of the first things I'm going to look for is where the authentication results are and what they look like. So if I skip down to the fourth paragraph here, you'll see Authentication-Results. In here, you will see the header.from, in this case spam.foo, and the smtp.mailfrom, which was also identified as spam.foo. So this was the spam server or the phishing server that sent that information.

This is a clue that this is bad. In the real world, it wouldn't be "spam.foo," but it could be a real domain name. This is the area you'd look at to see where that message came from and what the IP address was. In this case, it's been abbreviated as w.x.y.z, because again, we don't want to use a real IP address that's actually owned by some real server. After that, we're going to read from the bottom up. Now, as we read from the bottom up, going from that authentication result, we are going to see all the servers that it has gone through.

Now, the first one we see here is that it went through openrelay.foo, which is our spam server here. w.x.y.z is our IP address once more. Now that we're looking at this, we're going to be able to see exactly where it came from. And that open relay was somebody who was sending spam through that server. A server that's been taken over and used by a bad guy is what's known as an "open relay," which is why we have that placeholder here. Now, this field is showing us the SMTP server where the message actually originated from.

It came from openrelay.foo in this case. Now, if I went and looked at openrelay.foo, I might look it up and get some information about it, do some open source intelligence, and figure out whether this is a known spam agent. And if it is, it may be found on some blacklists, and if so, we might want to add it to our blacklist as well, so we're not getting that spam inside our systems either. Now, the next thing I want to look at is how we can do this in a much cleaner and easier way of looking at this information. Well, one of the things is that this information is a lot of text, and it's pretty heavy to look through. But there are some tools out there that you can use. One of them is at testconnectivity.microsoft.com.

You'll find a tool called Message Header Analyzer if you go there. You can take your message header and paste it into the top block like I've done here. Hit "Analyze headers," and it will actually break it down into areas for you to see in a much easier format. So, for example, the first hop was openrelay.foo, and then at the bottom we can see the authentication results I showed you earlier: smtp.mailfrom = spam.foo and header.from = spam.foo. Both of those are the pieces of information we wanted as we started looking through the different headers.

And we wanted to see where it came from; by using something like this, you can identify things quickly as you're looking through them and identify exactly what the delays were in between and how long things sat. For instance, if a message sat somewhere with a long delay, that could have been the time that an attacker was using to modify that message, and that would be something you'd want to look at as well. Now let's take a look at the actual message itself as we go through some of the rest of the headers here. As we continue down the header, we'll see some more information.

For instance, the subject, in this case, is "Your account is blocked by the administrator." That's a pretty alarming subject, and it might get somebody's attention to open up that email and click a link inside of it. Then we can see the content inside of it: different content types, the date, the MIME-Version, the from account, the to account, and the return path. Let's take a look at that from account a little bit more in depth. Now look at that: it says "Gmail accounts <spammer@spam.foo>". So again, remember that the from header is just what we want it to display. I could type anything I want in there. So, in this case, we're claiming it's from Gmail accounts when it's not; it's from spammer at spam.foo. And then we have the return path.

This is where the email actually goes if there's a problem delivering it. In this case, you can see that the real email address is spammer@spam.foo. Now again, I can change that from account to anything I want, but the return path has to be the right one; otherwise the MTA will not deliver the messages. All right, let's look at the next part of the header. Here I have what are called the X headers. And you'll see X-MS-Exchange, X-MS-Office, X-Sender, and X-Sid. There's a lot of different things here. Now, X headers indicate custom headers that are controlled by the SMTP server administrator. As you can see in my example, we have Microsoft Exchange, Microsoft Office 365, and Microsoft Antispam. These are all things controlled by that server. And in the example I showed you earlier in the diagram, we were sending our information to a Microsoft Exchange server that was run by the Microsoft Corporation, and that's who's controlling these headers.

So if I look at that, you might see one here that has X-Sid-PRA. Now, X-Sid-PRA has spammer@spam.foo. Again, this is some information that helps us as we are going through and figuring out spam. And it's something that we can actually use as part of our analysis, by setting up these X headers to document different pieces of information. This is one that is used by Microsoft 365 as part of their antispam efforts. So I hope you enjoyed this quick walkthrough of the email's Internet header as we looked at some of the basic information in it. For the exam, you should be able to read and pull out different pieces of information if you're given an email header. Now, later in this section, we are going to go into our lab environment, and I'm going to walk through some more headers with you so you can get comfortable with this concept. But in this lesson, I just want to give you the introduction so you can understand how to read the different parts of it.
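The header walkthrough above, carried out in code as an added example that is not part of the course: the sample header is constructed with the lesson's placeholders (spam.foo, openrelay.foo, w.x.y.z), and the brand list, blocklist and delay threshold are assumed analyst settings. It reads the Authentication-Results, compares the display From with the Return-Path, and walks the Received chain from the bottom up with per-hop delays, returning the indicators it finds.

```python
"""Email Internet header triage following the lesson: Authentication-Results,
the display From versus the envelope Return-Path, and the Received chain
read from the bottom up with per-hop delays. The header is constructed with
lesson-style placeholders (spam.foo, openrelay.foo, w.x.y.z), not real hosts."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header. Each MTA prepends its own Received line, so the
# top one is the last hop and the bottom one is where the mail originated.
SAMPLE_HEADER = """\
Received: from mx.example.net (mx.example.net [10.0.0.5])
 by inbox.example.net with ESMTP id abc123;
 Mon, 01 Mar 2021 10:07:10 +0000
Received: from openrelay.foo (openrelay.foo [w.x.y.z])
 by mx.example.net with ESMTP id def456;
 Mon, 01 Mar 2021 10:00:05 +0000
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=spam.foo;
 dkim=none header.from=spam.foo
Return-Path: <spammer@spam.foo>
From: "Gmail Accounts" <spammer@spam.foo>
Subject: Your account is blocked by the administrator
X-Sid-PRA: spammer@spam.foo
"""

# Analyst-maintained lists, constructed for this example: brands attackers
# like to put in the display name, and relays already on our blocklist.
BRANDS = ("gmail", "paypal", "bankofamerica", "microsoft")
BLOCKLIST = {"openrelay.foo"}
LONG_DELAY_SECONDS = 300

RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+).*?\[(?P<ip>[^\]]+)\].*?\bby\s+(?P<by>\S+)", re.S)

def received_chain(msg):
    """Hops in delivery order (origin first), each with its timestamp and
    the delay since the previous hop; a long gap deserves a second look."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(raw)
        stamp = parsedate_to_datetime(raw.rsplit(";", 1)[1].strip())
        hops.append({"from": m.group("host"), "ip": m.group("ip"),
                     "by": m.group("by"), "time": stamp, "delay_s": 0})
    for prev, cur in zip(hops, hops[1:]):
        cur["delay_s"] = int((cur["time"] - prev["time"]).total_seconds())
    return hops

def auth_results(msg):
    """spf/dkim/dmarc verdicts plus the smtp.mailfrom (envelope) and
    header.from (display) domains from Authentication-Results."""
    value = msg.get("Authentication-Results", "")
    found = {}
    for key in ("spf", "dkim", "dmarc", "smtp.mailfrom", "header.from"):
        m = re.search(re.escape(key) + r"=([^\s;]+)", value)
        if m:
            found[key] = m.group(1)
    return found

def indicators(raw_header):
    """Return the findings the lesson looks for, as short strings."""
    msg = message_from_string(raw_header)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # The display From is free text: a brand in the friendly name that the
    # real address does not back up is the "Gmail Accounts <spammer@spam.foo>" pattern.
    for brand in BRANDS:
        if brand in name.lower().replace(" ", "") and brand not in from_domain:
            findings.append(f"display name claims {brand} but address is {from_addr}")
    # Return-Path is where bounces really go, so it has to be deliverable;
    # a domain that differs from From is another sign the From was invented.
    if return_path and return_path.rpartition("@")[2].lower() != from_domain:
        findings.append(f"return-path {return_path} differs from From {from_addr}")
    auth = auth_results(msg)
    if auth.get("spf") == "fail":
        findings.append(f"spf failed for {auth.get('smtp.mailfrom')}")
    hops = received_chain(msg)
    if hops and hops[0]["from"] in BLOCKLIST:
        findings.append(f"origin relay {hops[0]['from']} [{hops[0]['ip']}] is blocklisted")
    for hop in hops[1:]:
        if hop["delay_s"] > LONG_DELAY_SECONDS:
            findings.append(f"{hop['delay_s']}s delay before {hop['by']}")
    return findings
```

Paste a real header (with your own placeholders removed) into SAMPLE_HEADER and the same four checks apply; the Received regex expects the common "from host (name [ip]) by host" form and skips nothing else.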

4. Email Content Analysis (OBJ 3.1)

Email content analysis. Now, for an attacker to send something malicious, they first have to do some things. And the first thing they have to do is craft some sort of payload to complete the exploit when the victim actually opens that message. Now, how do they do that? Well, they use something called MIME. MIME is the Multipurpose Internet Mail Extensions, and this is not something malicious in and of itself. This is actually something that allows the body of an email to support different formats such as HTML, rich text format, binary data encoded as Base64 ASCII characters, and attachments.

All of these are not things that are bad by themselves, but they could be made bad and turned into a malicious payload. For example, when you send me an email and you want to bold something or italicise something or add a picture to it, that's all done using MIME, and there's nothing wrong with that. But if you add a malicious payload, which is an exploit or attachment that contains some sort of malicious code implemented within the message body, then you have now turned MIME into something bad. Now, notice that there are two different types of malicious payloads. It can be an exploit or an attachment. Let's take a look at each of these. First, we have an exploit.

Now, an exploit is any kind of message data that contains scripts or objects that target some vulnerability inside the message client. Now, in this case, you can actually see that when the email program opens up the client preview, it executes some kind of code. Like I said, MIME does support HTML, which means it also supports JavaScript and other things like that. As a result, you can write an exploit in one of those languages, which the client will read when it goes to preview it inside the browser and then exploit your machine. Now, alternatively, you can use an attachment. Now, an attachment is a little bit more of your standard type of malware, right?

This is going to be a message that contains a file attachment in the hope that the user will actually open or execute that file. And that file might be a virus, a worm, or something else. It's some kind of malware that's been attached to this email. Now, as users have gotten smarter over the years, they're less likely to open attachments from people they don't know. However, many people will continue to click on unknown links. And that's why people start using embedded links. Embedded links are links made up of a friendly string plus the URL, or a shortened URL, to hide the identity of the real target. For example, if you see a link in your email, you should never click on that link directly.

Instead, you should copy that link, paste it into a web browser, and then, once you've read the whole thing, you can determine whether or not you should hit Enter and go to that site. For instance, here in my signature block, you can see I have www.diontraining.com. Now, that's what the display text is showing you, but the link underneath it may or may not actually go there. I could actually have the link underneath it go to badguysite.malware or whatever I want it to. You don't really know because all you're seeing is what is displayed. So if you wanted to click on that link, it would be better for you to type diontraining.com into your web browser and hit Enter, or copy the text of that and not the link, and then be able to go there.

Now, another thing I want to talk about, since you're looking at my signature block, is the concept of email signature blocks. When you see the email signature block, you can actually use this as a clue as to whether or not that message is valid, if it's phishing, or if it's something malicious. Now, how do you do that? Well, if you see a missing or poorly formatted email signature block, this could be an indicator of a phishing message. If everybody in your company uses the exact same format for their signature block and then somebody sends you something that looks like it's from your company but doesn't have a signature block, that's an indicator that it's not coming from within your company. These are just some of the hints and tricks that you can look at as you're doing some basic analysis on the content of your emails.
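The embedded-link and signature-block checks described above, as an added example that is not part of the course: the HTML body, the shortener list and the company signature convention ("Name | Title | Dion Training") are constructed for this example. It flags links whose visible text names a different host than the href, links routed through a shortener, and a body with no company signature block.

```python
"""Embedded-link and signature checks on an HTML email body, following the
lesson: flag links whose visible text names a different host than the href,
links routed through URL shorteners, and a missing company signature block.
The body, shortener list and signature convention are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the visible text says www.diontraining.com but the
# href goes elsewhere, and a second link hides behind a shortener.
SAMPLE_BODY = """\
<p>Your account is blocked by the administrator.</p>
<p>Verify here: <a href="http://badguysite.malware/login">www.diontraining.com</a></p>
<p>Or use <a href="https://bit.ly/3xyzabc">this link</a>.</p>
<p>Thanks,<br>IT Helpdesk</p>
"""

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # constructed list
# Constructed company convention: internal mail ends with "Name | Title | Dion Training".
SIGNATURE_RE = re.compile(r"[\w .]+ \| [\w .]+ \| Dion Training", re.I)
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def bare_host(host):
    """Drop a leading www. so www.example.com and example.com compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def content_findings(html_body):
    """Return the content-level phishing indicators from the lesson."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = HOST_RE.search(text)
        # Friendly text that looks like a URL but points somewhere else.
        if shown and bare_host(shown.group(1)) != bare_host(real_host):
            findings.append(f"link text shows {shown.group(1)} but goes to {real_host}")
        # A shortener hides the real target; copy the URL out before deciding.
        if bare_host(real_host) in SHORTENERS:
            findings.append(f"link {href} goes through shortener {real_host}")
    # Strip tags and look for the company signature block the lesson describes.
    plain = re.sub(r"<[^>]+>", " ", html_body)
    if not SIGNATURE_RE.search(plain):
        findings.append("no company signature block")
    return findings
```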

Prepaway's CS0-002: CompTIA CySA+ Certification Exam (CS0-002) video training course for passing certification exams is the only solution you need.

