CySA+ CS0-003

Chapter 4
Classifying Threats

A comprehensive study guide covering threat types, threat actors, malware categories, attack frameworks, threat research, and indicator-sharing formats — aligned to the CompTIA CySA+ exam objectives.

Objective 1.4 — Threat intelligence & threat hunting Objective 2.3 — Vulnerability prioritization Objective 3.1 — Attack methodology frameworks
1

Known vs. Unknown Threats & the Johari Window

At the highest level of classification, every threat is either known or unknown. Understanding this distinction drives everything from your tooling choices to your incident response posture.

Known threats
Signature-identifiable
Any threat identifiable via basic signature or pattern matching — documented malware (viruses, rootkits, Trojans, botnets) and documented exploits with known CVEs. Static, blockable at the perimeter.
Unknown threats
Behavior-based analysis required
Cannot be identified via signature alone. Includes zero-day exploits, obfuscated malware, recycled exploit code, and entirely novel attack vectors. Requires heuristic or behavioral detection.

Unknown threat sub-types

Zero-day exploit — An unknown exploit in the wild that exposes a vulnerability in software or hardware before a vendor patch exists. The attack happens on "day zero" of discovery, giving defenders no lead time.
Obfuscated malware — Malicious code whose execution is hidden via compression, encryption, or encoding, defeating static analysis. Continuous re-obfuscation turns known threats into unknown ones.
Behavior-based detection — Evaluates an object based on its intended actions before execution. A sandboxed email attachment, for example, is assessed for malicious behavior before delivery.
Recycled threat — Parts of existing exploit code combined and modified to create new variants that bypass signature scanners.
Known unknown — A threat known to be bad, but without a signature — behavior-based analysis is the primary detection path. Research is needed to reduce uncertainty.
Unknown unknown — A completely novel attack vector that has never been seen. Requires experimentation and research; often begins as an unexplained anomaly.

The four-quadrant model (Johari Window)

Threat classification maps directly to the Johari Window concept. The goal is always to move threats toward "open/known" so signatures or automation can block them.

Known to you
Unknown to you
Known Known
Known to you and to others. You have a signature, you can detect and block it immediately. Example: documented malware with a matching AV signature in your database.
Unknown Known
Known to others but not to you. Another vendor has a signature, yours does not. Highlights the importance of threat-intel sharing.
Known Unknown
You know it exists and is bad, but you lack a signature. Research and behavior-based analysis are required. This is where most threat-hunting activity occurs.
Unknown Unknown
Neither you nor others know about it yet — zero-days often start here. Requires discovery, experimentation, and eventual disclosure to reach "known known."
Exam note: The exam won't ask you to classify a specific threat into a quadrant, but understanding this mental model underpins every detection strategy you'll be tested on.
2

Threat Actors

A threat actor is any entity that wants to harm your networks or steal data. Not all threat actors are equal — they differ in skill, funding, motivation, and target selection. In cybersecurity, we distinguish black hat (unauthorized/malicious), white hat (authorized/ethical), and gray hat (semi-authorized) hackers. Below are the eight main categories you must know for the exam.

Script Kiddies
Lowest skill level. Use pre-built tools (Metasploit, Aircrack-ng, LOIC) without understanding how they work. Motivated by notoriety or curiosity, not necessarily profit. Still a real threat because even simple tools can cause significant damage.
Low skill Low funding Opportunistic
Insider Threats
Current or former employees with knowledge of internal systems, policies, and data. Extremely dangerous because they may have authorized access. Two sub-types: intentional (data theft, sabotage, coercion) and unintentional (phishing victim, weak passwords, human error). Mitigated through DLP systems, access controls, SIEM monitoring, and employee training.
Variable skill Authorized access Hardest to detect
Competitors
Rogue businesses conducting corporate espionage — stealing proprietary data, disrupting operations, or damaging reputation. Often use insider threats or direct network intrusion.
Medium skill Financial motive
Organized Crime
Well-funded criminal organizations focused on financial gain. Operate globally, leveraging ransomware, social engineering, and sophisticated technical attacks. Often responsible for large-scale botnet operations.
High skill Well funded Financial motive
Hacktivists
Politically motivated hackers targeting governments, corporations, and individuals to advance an ideology. Range from loosely organized (Anonymous) to highly structured groups. Typically not financially motivated — ideology drives the attack.
Variable skill Low funding Ideological motive
Nation-State
Government-affiliated groups conducting espionage, sabotage, or intelligence gathering. Exceptionally skilled, funded, and organized with access to zero-day vulnerabilities. Can maintain network presence for months to years before detection. Use false flag attacks to attribute blame to another actor. Conduct supply chain attacks (SolarWinds 2020, Target 2015) to compromise downstream targets at scale.
Elite skill State funded Political motive Usually APTs
APT
An Advanced Persistent Threat is a type of attack (not a specific group) — long-term covert presence on a network to harvest data. Can be conducted by nation-states, organized crime, or sophisticated individuals. Characterized by persistence, "living off the land," and blending in with normal traffic. Average dwell time before detection: 6–9 months.
High skill Long dwell time Known unknown
Supply Chain
Attacks targeting a trusted vendor or supplier to compromise downstream customers. Example: backdoor inserted into a SolarWinds update propagated to thousands of organizations. Requires rigorous vendor management and trusted supplier policies.
High impact Broad reach Often nation-state
Key distinction for the exam: Nation-state actors are almost always APTs, but not all APTs are nation-state actors. Nation-state = government affiliation. APT = a long-term, covert attack pattern — any well-resourced actor can execute an APT.
3

Malware Categories: Commodity, Zero-Day & C2

Beyond basic malware types (viruses, worms, Trojans — assumed knowledge from Security+), the CySA+ exam focuses on three higher-level categories that drive incident severity assessment.

Type 1
Commodity malware
Generic, off-the-shelf malicious software available for purchase on dark web marketplaces — RATs like Poison Ivy, Dark Comet, Extreme RAT. Targets everyone indiscriminately. Lower incident severity than targeted malware.
Type 2
Targeted / custom malware
Developed with a specific target in mind. If you detect targeted malware in your environment, severity is high — you are not a random drive-by victim, you are the objective.
Type 3
Zero-day malware
Exploits a vulnerability discovered before a vendor patch exists. Extremely valuable — some iPhone zero-days have sold for over $1 million. Nation-states stockpile them for high-value operations only.
"Zero-day" usage on the exam: The term may refer to the vulnerability itself or the malware exploiting it. Read the question context carefully to determine which sense is intended.

Command & Control (C2)

APTs maintain persistence through a C2 (Command and Control) node — infrastructure that allows the attacker to direct, distribute, and control malware across a botnet of compromised machines. Once established, the bot master can issue commands to all bots simultaneously (e.g., launch a DDoS, pivot laterally, exfiltrate data).

C2 channels use evasion techniques to resist detection and blocking:

Port hopping — The C2 application dynamically switches between ports (e.g., 22 → 53 → 1258) to evade port-based firewall rules and detection signatures.
Fast flux DNS — Rapidly changes the IP address associated with a domain, defeating IP-based blacklisting. Detectable by monitoring your proxy logs for a single domain resolving to many different IPs over time.

Persistence is the ability of a threat actor to maintain covert access to a target host or network. Studies show APTs remain undetected for an average of six to nine months, giving them ample time to exfiltrate data or conduct further operations.

APTs typically start with commodity malware for initial access. Only if the target is valuable enough — and commodity tools fail — will they deploy their expensive zero-day arsenal.
4

Threat Research: IOCs, IOAs & TTPs

As attackers move away from static malware toward sophisticated behavioral techniques, analysts must correlate multiple indicators rather than rely on a single signature. Threat research provides the foundation for both detection and threat hunting.

1 — Reputational threat research

Uses reputation data — blacklists of known-bad sources: malware signatures, IP ranges, DNS domains. Tools like Cisco Talos Intelligence assign each source a granular reputation score (good / neutral / poor). Reputation data anchors the known-threat layer of your research.

2 — Indicators of Compromise (IOC)

An IOC is a residual sign that an asset or network has been successfully attacked, or is actively being attacked. Individual IOCs are weak signals; correlated patterns of IOCs are strong evidence.

File system
Unexpected executables, modified system files, new files in temp directories
Registry
New Run keys (persistence), modified service entries, unauthorized scheduled tasks
Network
Unknown protocols, excessive bandwidth, connections to known-bad IPs or domains
Account
Unauthorized privilege escalation, off-hours logins, unusual lateral movement
Hardware
Rogue devices on the network, unauthorized USB media
Application
High CPU/memory with no explanation, unexpected outbound encryption within a LAN
IOC vs. IOA: An IOC is evidence that an attack has been successful. An IOA (Indicator of Attack) is evidence of an intrusion in progress — the attack has begun but may not yet be complete. Most industry usage defaults to IOC.

3 — Behavioral threat research & TTPs

Correlating IOCs into recognizable attack patterns produces TTPs — Tactics, Techniques, and Procedures. TTPs describe how an adversary operates based on historical attack data, enabling analysts to anticipate the next move and attribute activity to a specific threat actor.

TTP: DDoS
Traffic surge from multiple geographic origins; botnet leveraged to saturate services. Detectable via traffic volume anomalies.
TTP: Port scan
Sequential port probing (1, 2, 3…) visible in firewall/IDS logs. Signals reconnaissance preceding an attack.
TTP: APT C2
Look for the C2 mechanism — port hopping, fast-flux DNS — as it is typically unique to each APT group.
TTP: Exfiltration
Sudden spike in outbound data; unexpected LAN-to-LAN encryption; compressed/archived files appearing before unusual transfers.
5

Attack Frameworks

Three frameworks provide structured ways to model adversary behavior. They can be used individually or combined for maximum analytical depth.

5.1 — Lockheed Martin Cyber Kill Chain

A seven-step linear model (Hutchins, Cloppert & Amin, Lockheed Martin) describing an attack from initial reconnaissance through final objectives. Each step is an opportunity to detect, deny, disrupt, degrade, deceive, or destroy an attacker's capability (the "Six Ds").

Step 1
Reconnaissance
Attacker profiles the target using passive OSINT and active scanning to identify vulnerabilities, software versions, and network topology — without triggering alerts if possible.
Step 2
Weaponization
Attacker creates or adapts an exploit payload — malware is built in their own lab, not yet delivered. No victim contact occurs in this phase.
Step 3
Delivery
The weaponized payload is transmitted to the target — via spearphishing email, malicious link, USB drop, or watering-hole attack.
Step 4
Exploitation
The victim triggers execution of the payload — clicking a link, opening an attachment, plugging in a USB drive. The vulnerability is exploited here.
Step 5
Installation
A backdoor or RAT is installed for persistent access. A stage-one dropper downloads and installs the full stage-two implant.
Step 6
Command & Control (C2)
The implant establishes an outbound channel to the attacker's C2 server, enabling remote control and potential download of additional tools.
Step 7
Actions on Objectives
The attacker achieves their goal — data exfiltration, ransomware deployment, lateral movement, destructive action, or long-term espionage.
The kill chain is criticized for being perimeter-focused and too linear. It does not model attacks that originate inside the network (insider threats) or involve multiple simultaneous attack threads well. This led to the development of MITRE ATT&CK.

5.2 — MITRE ATT&CK Framework

A knowledge base maintained by MITRE Corporation at attack.mitre.org (free and open source). Unlike the linear kill chain, ATT&CK uses a matrix model where each column is a tactic and each cell is a specific technique. It is much more granular and better suited to post-exploitation analysis. An additional pre-ATT&CK matrix covers the reconnaissance and weaponization phases not represented in the main matrix.

Reconnaissance
Active scanning, OSINT, phishing for info
Initial Access
Phishing, supply chain, valid accounts, exploit public-facing apps
Execution
Command-line, scripting engines, scheduled tasks
Persistence
Registry Run keys, scheduled tasks, new accounts
Defense Evasion
Obfuscation, disable security tools, masquerading
Credential Access
Keylogging, credential dumping, brute force
Discovery
Network scanning, account enumeration, OS fingerprinting
Lateral Movement
Pass-the-hash, RDP, SMB, internal spearphishing
Collection
Data staged locally before exfiltration; screen capture
Exfiltration
Encrypted channel, DNS tunneling, C2 channel
Impact
Data destruction, ransomware, service disruption

The ATT&CK Navigator tool lets analysts overlay a specific APT group's known TTPs onto the matrix, making it easy to compare observed activity against documented adversary behavior and identify defensive gaps.

5.3 — Diamond Model of Intrusion Analysis

Every intrusion event has four core features that are always related to each other: Adversary, Capability, Infrastructure, and Victim. The Diamond Model is especially useful for attribution and for understanding how one element of an incident points toward others.

Diamond Model of Intrusion Analysis Adversary Victim Capability Infra-structure
  • Adversary — The threat actor conducting the attack
  • Capability — The tools, malware, and techniques used
  • Infrastructure — Servers, domains, IPs used to deliver or control the attack (C2 nodes)
  • Victim — The targeted organization, system, or person
  • Meta-features: timestamp, phase, result, methodology, direction

In practice, evidence about one corner of the diamond quickly points toward the others. For example: identifying malware (Capability) may contain a hardcoded C2 domain (Infrastructure); resolving that domain reveals IP ownership (Adversary attribution); checking firewall logs confirms which systems called home (Victim scope).

The three frameworks complement each other. The Kill Chain provides a linear attack narrative. ATT&CK provides granular TTP detail. The Diamond Model provides a relationship map for attribution and evidence pivoting. Use them in combination for the richest analysis.
6

Indicator-Sharing Formats: STIX, TAXII, OpenIOC, MISP

Threat intelligence is only valuable if it can be shared quickly and consumed automatically. Four standardized formats and platforms make this possible.

STIX v2

Structured Threat Information eXpression. A standard JSON-based format for describing IOCs and the relationships between them. Part of the OASIS Cyber Threat Intelligence (CTI) framework. Designed for automated feeds between systems.

Key objects (SDOs): Observed Data, Indicators, Attack Patterns, Campaigns, Threat Actors, Courses of Action.

TAXII

Trusted Automated eXchange of Indicator Information. The transport protocol for delivering STIX data between clients and servers over HTTPS via a REST API. Think of STIX as the language and TAXII as the delivery mechanism.

OpenIOC

Open source framework by Mandiant. XML-formatted files for encoding IOCs with rich metadata: author, category, confidence level, usage license, description. Uses logical statements (AND/OR) to compose complex indicator definitions.

MISP

Malware Information Sharing Project. A free, open source platform that ties everything together: supports OpenIOC definitions, imports/exports STIX over TAXII, and provides a collaborative server for threat intelligence sharing communities.

STIX v2 JSON format — what it looks like

On the exam, if you see JSON like the following, think STIX version 2. STIX v1 used XML — v2 uses JSON. The exam only tests v2.

{
  "type": "indicator",
  "id": "indicator--26ffb872-1dd9-4b3a-b65f-72e3f8a",
  "created": "2024-03-15T08:00:00.000Z",
  "modified": "2024-03-15T08:00:00.000Z",
  "name": "Malicious IP indicator",
  "pattern": "[ipv4-addr:value = '198.51.100.42']",
  "valid_from": "2024-03-15T08:00:00.000Z",
  "labels": ["malicious-activity"]
}
Exam priority: STIX gets the most exam weight of the four. The key takeaway: JSON format = STIX v2. Seeing a JSON-formatted IOC on the exam almost certainly means the answer is STIX. Know that TAXII transports it, OpenIOC uses XML with logical statements, and MISP is the open-source platform that integrates all three.

Exam

Quick Reference Cheat Sheet

Known vs. Unknown
Known = signature-detectable. Unknown = behavior/heuristic required. Zero-day = unknown unknown. Obfuscated = known turned unknown.
Threat Actors
Script kiddie < Insider < Competitor < Organized crime < Hacktivist < Nation-state/APT. Nation-state ≈ APT but not all APTs are nation-states.
Malware types
Commodity = generic/dark-web. Targeted = specific victim, higher severity. Zero-day = exploits unpatched vuln, expensive. C2 = bot master controlling botnet.
IOC vs. IOA
IOC = evidence attack succeeded. IOA = evidence attack in progress. Correlate multiple IOCs to identify TTPs and attribute to adversary.
Attack frameworks
Kill Chain = 7-step linear (outside→in). ATT&CK = matrix, granular TTPs, free at attack.mitre.org. Diamond = 4-corner relationship model for attribution.
Sharing formats
STIX v2 = JSON format. TAXII = transport (HTTPS/REST). OpenIOC = XML + logical AND/OR. MISP = open-source platform integrating all three.