Certification
A brief introduction to Certified Defensive Security Analyst (CDSA) from HackTheBox.
HTB Certified Defensive Security Analyst (HTB CDSA) is a highly hands-on certification that assesses the candidates’ security analysis, SOC operations, and incident handling skills. HTB Certified Defensive Security Analyst (HTB CDSA) certification holders will possess technical competency in the security analysis, SOC operations, and incident handling domains at an intermediate level. They will be able to spot security incidents and identify avenues of detection that may not be immediately apparent from simply looking at the available data/evidence. They will also excel at thinking outside the box, correlating disparate pieces of data/evidence, and pivoting relentlessly to determine the maximum impact of an incident. Another skill they will bring is the creation of actionable security incident reports tailored for diverse audiences.
The candidate will have to perform security analysis, SOC operations, and incident handling activities against multiple real-world and heterogeneous networks hosted in HTB’s infrastructure and accessible via VPN (using Pwnbox or their own local VM). Upon starting the examination process, a letter of engagement will be provided that will clearly state all engagement details, requirements, objectives, and scope. All a candidate needs to perform the required activities is a stable internet connection and VPN software. HTB Certified Security Analysis Specialist is the most up-to-date and applicable certification for Security Analysts, SOC Analysts, and Incident Handlers that focuses on both security incident analysis and professionally communicating security incidents.
HTB Certified Defensive Security Analyst (HTB CDSA) certification evaluates the candidates’ knowledge on the following:
SOC Processes & Methodologies
SIEM Operations (ELK/Splunk)
Tactical Analytics
Log Analysis
Threat Hunting
Active Directory Attack Analysis
Network Traffic Analysis (Incl. IDS/IPS)
Malware Analysis
DFIR Operations
Pricing
There are three available pricing options.
A voucher comes with two attempts. To qualify for the second attempt, you need to submit a report detailing your progress.
Pre-Requisites
According to HackTheBox, it is advisable to have some knowledge of web and infrastructure penetration testing concepts. If you are very new, I suggest taking the Pre-Requisites path, as it will be really helpful. The attacks and the offensive knowledge needed for the exam are taught within the SOC Analyst path itself.
Background
A brief summary of my knowledge before starting the SOC Analyst path:
No Defensive knowledge
No Splunk knowledge, a little bit of Kibana knowledge
A little bit of Computer Forensics knowledge
Did a few Let's Defend challenges
Penetration Testing knowledge from HackTheBox and TryHackMe
Exam Preparation
SOC Analyst Path
The following are the required modules for completing the SOC Analyst path.
Incident Handling Process
Security Monitoring & SIEM Fundamentals
Introduction to Threat Hunting & Hunting With Elastic
Windows Event Logs & Finding Evil
Understanding Log Sources & Investigating with Splunk
Windows Attacks & Defense
Intro to Network Traffic Analysis
Intermediate Network Traffic Analysis
Working with IDS/IPS
Introduction to Malware Analysis
JavaScript Deobfuscation
YARA & Sigma for SOC Analysts
Introduction to Digital Forensics
Detecting Windows Attacks with Splunk
Security Incident Reporting
The first and foremost requirement for taking the CDSA exam is completing the SOC Analyst path. According to HackTheBox, the estimated time to complete it is 23 days, but it can easily take longer. I finished it in about a month to a month and a half. I began the path in August 2023, when it was initially released. As I was about to complete it, four more modules were added. I took a substantial break, then resumed after a month and completed the path in mid-October. There was almost a one-and-a-half-month gap between completing the path and attempting the exam.
During that time, HackTheBox announced Sherlocks, and I completed almost all of them. I was hesitant and scared to take the exam because, at that time, only seven people were certified, and all of them had either significant experience or impressive certifications, which intimidated me. Despite my reservations, I decided to give it a shot and see what happens.
Resources
After completing the SOC Analyst path, the following are some resources I suggest working through.
HackTheBox Sherlocks (Active - Free, Retired - Paid)
Splunk BOTS (Free)
Splunk 2 & Splunk 3 Rooms in TryHackMe based on Splunk BOTS (Paid)
Sherlocks
Don't you think there might be a reason for releasing Sherlocks right after the CDSA?
Choose a Sherlock of your interest and attempt to prepare a Security Incident Report for it. I completed the active Sherlocks before the exam, but I only came across Splunk BOTS after finishing it, and it proved to be quite useful.
Although doing each of these is not necessary for the exam, if you're relatively new and aiming for confidence, these resources might prove helpful.
Blogs
Detecting PsExec lateral movements: 4 artifacts to sniff out intruders
5 Active Directory misconfigurations (& how they're exploited)
Decoding Windows event logs: A definitive guide for incident responders
Our top 5 DFIR labs for beginner analysts (to get good fast)
Securing the cloud: Expert tips for analyzing AWS CloudTrail logs
A step-by-step guide to writing incident response reports (free template inside)
Other resources
Note Taking
There are plenty of note-taking apps like Obsidian, Notion, OneNote, Joplin, etc. I personally use Obsidian.
While completing the path, make sure to consolidate your SIEM queries in one place. If you're new and find yourself confused by all the tools discussed in the path, document each tool and what it is used for.
During the exam, keep your notes organized. Avoid keeping everything in one file, as it becomes hard to navigate once the notes grow. Instead, create separate files and folders and maintain a clean structure. Capture screenshots of any commands used, SIEM queries, results, etc., and name them accordingly so you can find them again when writing the report.
Report Writing
There are two options for preparing the report: using the traditional Word template provided during the exam or utilizing the Sysreporter tool.
Word Template
I opted for the Sysreporter tool, and it's truly fantastic. No need to worry about formatting issues or adjusting fonts, etc. Just input information into the respective fields, and it takes care of the rest.
Exam Experience
CDSA is a 7-day marathon. Since I used both attempts, it turned into a 14-day marathon for me. In my first attempt, I obtained the minimum required flags in 2 days but spent an additional four days preparing the incident report. My strategy was to investigate each incident, complete its section of the report right away, and then move on to the next incident. For the second incident, I had 29 hours left (awake for 24 hrs straight) and managed to finish both the investigation and the report within that timeframe. Unfortunately, I failed the first attempt due to a very minor mistake, which I only realized during the second attempt.
After receiving the results of the first attempt, I had 14 days remaining to retake the exam. However, I chose to retake it after just 7 days.
In the second attempt, I expedited the process, completing everything quickly and drafting the report in two days. Adjusting the report and digging further into the investigation took a bit more time, because I struggled to find what I needed and sensed something was not right. I persisted with the investigation until I felt it was conclusive and couldn't find anything more. To seasoned professionals, this might sound amusing, but this was my approach.
I spent more time writing the report than on the investigation, but I don't regret it. Now, I know how to prepare a proper Security Incident Report.
Some tips for the exam:
Take proper notes and screenshots
If you're finding something hard even after spending a lot of time on it, just take a short break and then continue.
If you find yourself stuck, go back and refer to the specific module.
Ensure you have enough sleep.
Conclusion
Finally, I want to emphasize that you can undertake this exam without any prior defensive knowledge before starting the SOC Analyst path. All you need is time and a commitment to complete it. The exam is challenging, demanding the application of knowledge gained from the SOC Analyst path.