Rick Butler

Well-known member
  • Aug 8, 2019
    1,855
    7
    3,370
    Colorado Springs, CO
    www.intellitec.edu
Well...although I still need to take my CySA (a matter of personal scheduling at the moment)

    1) Kali - Kali - Kali (with OpenVAS installed and running)
    2) Metasploit and metasploitables
    3) Patched and unpatched Windows Vista, 7, 2008, 2008r2 and 2012 boxes
    4) An Apple-y iThing
    5) Couple different Linux targets
    6) Wi-Fi AP that you can attack with Aircrack-NG, Kismet, and other fun toys
    7) Get copies of Nessus and Qualys to compare to OpenVAS if you can
    8) Step through a forensic cleanup operation using something like SIFT, Encase, or ftk

    You might also study the PenTest+ labs, those have a fair bit of crossover with CySA.

    Prolly a bunch of other stuff out there, but those come right to mind for me...

    /r
     

    Rick Butler

Log Files! Don't forget the log files. I have heard that you need to be able to determine what may be happening based on what is presented in log files. Also, your outputs from tools @Rick Butler mentioned, especially Wireshark.

    Good Hunting!

    Yes sir...lots of little things in logfiles.

    NMAP output...look for the details.
     
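The log-file reading both posts above emphasize, as an added example that is not part of any post in this thread: a small Python script that parses sshd entries from an auth.log, finds a burst of failed logins from one source inside a sliding time window, and then checks whether the same source got an "Accepted" afterwards, which is the detail an analyst actually has to notice. The log lines are constructed for this example (documentation-range IPs, made-up hostnames and users), the year is an assumption because classic syslog timestamps carry none, and the threshold and window are illustrative values, not anything CompTIA or the posters specify.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (hypothetical hosts, users and IPs, not real data).
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.42 port 51022 ssh2
Jan 14 03:12:03 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.42 port 51024 ssh2
Jan 14 03:12:04 bastion sshd[2213]: Failed password for root from 203.0.113.42 port 51026 ssh2
Jan 14 03:12:06 bastion sshd[2215]: Failed password for root from 203.0.113.42 port 51030 ssh2
Jan 14 03:12:09 bastion sshd[2217]: Failed password for deploy from 203.0.113.42 port 51033 ssh2
Jan 14 03:12:11 bastion sshd[2219]: Accepted password for deploy from 203.0.113.42 port 51035 ssh2
Jan 14 03:15:40 bastion sshd[2301]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Jan 14 03:15:55 bastion sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Jan 14 08:01:10 bastion sshd[2500]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jan 14 09:01:10 bastion sshd[2600]: Failed password for root from 192.0.2.9 port 60002 ssh2
Jan 14 10:01:10 bastion sshd[2700]: Failed password for root from 192.0.2.9 port 60003 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Return a list of sshd auth events; lines that are not auth results are skipped.
    `year` is an assumption: traditional syslog timestamps have no year field."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_bruteforce(events, threshold=3, window_seconds=60):
    """Flag a source IP when `threshold` failures land inside any `window_seconds` span,
    and record whether that IP later got an Accepted login (burst that succeeded).
    Also return raw failure counts per IP so a slow, spread-out attacker is still visible."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    bursts, failures_per_ip = {}, {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fail_ts = [e["ts"] for e in evs if e["result"] == "Failed"]
        failures_per_ip[ip] = len(fail_ts)

        # Sliding window over the sorted failure timestamps: `left` trails `right`.
        burst_reached_at, left = None, 0
        for right, t in enumerate(fail_ts):
            while (t - fail_ts[left]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= threshold:
                burst_reached_at = t
                break
        if burst_reached_at is None:
            continue  # failures exist but never bunch up: not a burst under this window

        success = next((e for e in evs
                        if e["result"] == "Accepted" and e["ts"] >= burst_reached_at), None)
        bursts[ip] = {
            "failed_attempts": len(fail_ts),
            "burst_reached_at": burst_reached_at.isoformat(),
            "success_after_burst": success["user"] if success else None,
        }
    return {"bursts": bursts, "failures_per_ip": failures_per_ip}


if __name__ == "__main__":
    report = find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG))
    for ip, info in report["bursts"].items():
        tag = "SUCCEEDED as %s" % info["success_after_burst"] if info["success_after_burst"] else "no success seen"
        print("%s: %d failures, burst at %s, %s" % (ip, info["failed_attempts"], info["burst_reached_at"], tag))
    print("all failure counts:", report["failures_per_ip"])
```

With the constructed input, 203.0.113.42 trips the window and then logs in as "deploy", which is the line that matters; 192.0.2.9 has the same number of failures but an hour apart, so the window does not fire and it shows up only in the raw counts. That gap is deliberate: a burst rule alone misses low-and-slow guessing, so an analyst reads both outputs rather than trusting the threshold.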

    Tess Sluijter

    Well-known member
    Apr 1, 2020
    376
    1
    535
    the Netherlands
    www.kilala.nl
Well...although I still need to take my CySA (a matter of personal scheduling at the moment)

    1) Kali - Kali - Kali (with OpenVAS installed and running)
    2) Metasploit and metasploitables
    ...
    Mind you, you're suggesting an awful lot of pentesting tools and processes here which, as you rightly point out, belong on the Pentest+ certification. As Rick and Stephen point out: log files, threat analysis, network investigation, incident response procedures, risk ratings and vulnerability classifications: that's where it's at with CySA+. We're testing for Security Analysts, not for pen-testers.
     

    Rick Butler

    We're testing for Security Analysts, not for pen-testers.

    Hello @Tess Sluijter, thanks for reading my post. Appreciate your comments! In short - you can NEVER have too much.

I guess it goes along with the definition of "security analyst" and "pen-tester". One might consider them to be the same thing; like so many other things in the IT world, definitions are not very static - they have different meanings within the Job Description.

I do suggest a lot of tools because the OP was looking for a comprehensive list of tools used for building a laboratory environment. I would agree - deep knowledge of how to use Metasploit or Kali is not as intense in CySA as it would be in PT+. But there is a LOT of cross-over between these different credentials, because they are two sides of the same coin. CySA, as you know, is basically "Blue Team Operations"; PenTest is "Red Team Operations". And exposure to Nessus, Qualys, OpenVAS, Burp, Nikto, dig, how to do a dd for a forensic capture, or how to read and study log files is essential technical knowledge for the CySA; building a vulnerability program, incident management, and all the various IT and security management frameworks are likewise critical to being successful.

I know for myself, I can talk about Metasploit all day long, but until I used it the first time to scan a targeted Windows box for Bluekeep, it didn't become real to me. I may or may not have sat out in my backyard one fine evening with a little laptop running Kali and fiddled with Aircrack-NG with the scores of APs in my neighborhood...not going to lie. (don't worry, I didn't break INTO anything, but it cemented the knowledge of how painfully easy it is to penetrate - which benefits me as a defender) And I have been using OpenVAS on my corporate network to scan my servers for vulnerabilities pretty regularly.

    In fact, I scanned my population of Polycom phones with OpenVAS and they all started ringing when the sweep happened. That was a sorry/not sorry/funny moment.

    Both CySA and PenTest benefit from deep knowledge of the other. I personally see these two exams as interrelating as much as A+ does for (historically) hardware and software, which now have even a tighter blend with Core 1 and 2.

So yes, while my list is long, I am quite certain I didn't mention everything needed because when building an instructional lab, instructors need to overprepare and build much more varied environments for their students. While students often have that mindset of "what is the minimum I need to pass the exam", instructors need to really be saying, "how can I enrich my learning environment to provide more resources than I could ever cover in class".

    /r
     

    Tess Sluijter

    I can only agree with just about everything you wrote Rick, all of what you wrote is true: in many situations there is no clear distinction between the two jobs with regards to the required knowledge. Both jobs will benefit from experiencing the things you wrote about.

    The only "but" that remains lies with the objectives for both tests. That's what I meant with "we're testing for X, not Y". Deon asked specifically about prep-work for this one particular exam and they sounded in a hurry (or like they're in the last stages of preparing).
     