Hack The Box Certified Defensive Security Analyst (HTB CDSA) Review 2024
- Posted by whoami_alex
- Categories Certifications
- Date 2024-03-22
Certification Description
HTB Certified Defensive Security Analyst (HTB CDSA) is a highly hands-on certification that assesses the candidates’ security analysis, SOC operations, and incident handling skills. HTB Certified Defensive Security Analyst (HTB CDSA) certification holders will possess technical competency in the security analysis, SOC operations, and incident handling domains at an intermediate level. They will be able to spot security incidents and identify avenues of detection that may not be immediately apparent from simply looking at the available data/evidence. They will also excel at thinking outside the box, correlating disparate pieces of data/evidence, and pivoting relentlessly to determine the maximum impact of an incident. Another skill they will bring is the creation of actionable security incident reports tailored for diverse audiences.
Hack The Box Academy exam description
The certification exam, along with the learning path, provides a comprehensive introduction to all aspects related to security analysis, SOC operations, and incident handling. In my opinion, what makes the CDSA (and all HTB Academy certifications) stand out is its hands-on practice learning process; it is fascinating to read and learn about a topic and then apply what you’ve learned through tons of practical examples. The exam itself is quite challenging, but I found that I was learning and discovering new things as I completed it.
I believe that learning all these concepts related to defensive security is highly beneficial for any cybersecurity operator, as it provides insight into what is happening behind the scenes on the target devices when a cyber incident occurs. Particularly for penetration testers, understanding the impact of a given attack on the target hosts is crucial to grasp the full picture of how the components of the attack connect and behave.
As described by Hack The Box, this certification is aimed at:
- Entry level Security Analysts
- Entry level SOC Analysts
- Entry level Incident Handlers
- Entry level Forensics Analysts
- Penetration Testers
- IT Administrators
- IT Security Personnel
Certification Process and Pricing
To obtain the certification, you must fully complete the “SOC Analyst” learning path. This path is designed to equip you with everything necessary to pass the exam, starting from a basic level. However, if you are new to the field, completing the “SOC Analyst Prerequisites” path is strongly recommended to build a solid foundation in key concepts such as Assembly Language, Linux and Windows fundamentals, or networking. The “SOC Analyst” path includes the following modules:
- Incident Handling Process
- Security Monitoring & SIEM Fundamentals
- Introduction to Threat Hunting & Hunting With Elastic
- Windows Event Logs & Finding Evil
- Understanding Log Sources & Investigating with Splunk
- Windows Attacks & Defense
- Intro to Network Traffic Analysis
- Intermediate Network Traffic Analysis
- Working with IDS/IPS
- Introduction to Malware Analysis
- JavaScript Deobfuscation
- YARA & Sigma for SOC Analysts
- Introduction to Digital Forensics
- Detecting Windows Attacks with Splunk
- Security Incident Reporting
Regarding pricing, several options are available for acquiring this certification. Firstly, access to the modules and an exam voucher are necessary. Modules can be accessed either through a yearly subscription or by direct purchase using cubes, the currency on the Hack The Box Academy platform. Modules are categorized into “tiers,” with each module returning 20% of its value upon completion (except for tier 0 modules, which return their full value):
- Tier 0 Modules: Cost 10 cubes and give you back 10 cubes.
- Tier 1 Modules: Cost 50 cubes and give you back 10 cubes.
- Tier 2 Modules: Cost 100 cubes and give you back 20 cubes.
Keep in mind that all modules required for the certification are Tier 2 or lower.
You can either purchase cubes directly or opt for a monthly subscription, which provides unlimited access to the Pwnbox (I will explain this wonderful feature in the “Learning Path” section of this post) and more cubes for the price. The exam voucher is available for purchase at 180€ + VAT in the store. Each voucher is valid for one year and includes two exam attempts.
In summary, accessing the full SOC Analyst path requires 1220 cubes, but completing it grants you 260 cubes back, reducing the total needed to 960 cubes. Furthermore, yearly subscriptions include an exam voucher of your choosing, so the options are:
- 1 month of Platinum subscription (58€ + VAT) + exam voucher (180€ + VAT): you can just subscribe for one month and cancel it afterwards, so you get 1000 cubes and can complete the path with those plus the cubes you will be receiving along your journey.
- Student subscription (7€ + VAT) + exam voucher (180€ + VAT): If you have a student email, this subscription provides access to all modules up to Tier 2, allowing you to also access the prerequisite modules. So if that is your case, do not overthink it and get this deal!
- Silver annual subscription (410€): This grants one-year access to all modules up to Tier 2 and includes an exam voucher. I personally took this one, since I am aiming to get CPTS (and hopefully CBBH) this year. As with the student subscription, since you have access to all modules up to Tier 2, you can also access the prerequisites.
IMPORTANT NOTE: Completed modules are retained permanently in your account, even with a student or annual subscription. Additionally, modules purchased with cubes remain yours, regardless of completion.
Learning Path
Hands down, this is one of the best learning experiences I have ever had, from the completeness of the materials to the practical exercises. I really enjoyed the gamification that HTB Academy offers, and all topics are segmented into modules, making the learning path intuitive and easy to follow. All materials are text-based, which I prefer over video-based courses, as it facilitates note-taking and allows easier review of specific parts of the lessons that were not well understood or about which I felt less confident (and it is always better to test the concepts yourself rather than just staring at someone else’s terminal). Additionally, the interface is excellent, tracking your progress and simplifying the process of resuming lessons from where you left off.
I found the “Dashboard” section of the academy particularly useful, as it allows you to enroll in the learning path and displays a list of all modules in order, showing the progress made on each. It also tracks your percentage of completion at the top, which, at least in my case, motivated me to continue with the path.
Since I was already familiar with some of the contents of the path, such as Malware Analysis, Active Directory, or Splunk, I completed the learning path in about a month and a half, dedicating around 20 hours a week. This duration might vary depending on your background knowledge, experience, or motivation, but the most important aspect is to take thorough notes and ensure you understand everything taught, reviewing as often as necessary to fully grasp each topic. I found all modules particularly engaging (especially Detecting Windows Attacks with Splunk and Introduction to Digital Forensics), and even though I already had experience and substantial knowledge in some areas, the content is very well explained, and I learned new aspects of topics I thought I was proficient in. It’s always beneficial to learn from different perspectives, as it can offer new insights and polish your understanding.
Do not rush through the modules, as the learning material is truly top-tier, and everything taught might appear on the exam, so ensure you fully understand it before moving on to the next lesson.
Finally, the PwnBox is one of the best features of the HTB Academy, since it allows you to start a fresh Parrot-OS machine (similar to Kali, for all of you that might not be familiarized with it) right from the web browser. This is very convenient for the learning process, since it equips you with everything needed for all the practical exercises and Skill Assessments, and makes you ready to go in one click within seconds.
Exam Preparation & Personal Experience
In my case, I finished the exam and completed some easy active Sherlocks available on the main platform. These challenges are interesting if you want to sharpen your skills in some of the tools mentioned in the learning path, and they are good practice if you feel unprepared for the exam. However, while some of them are really easy to solve with the concepts learned in the learning path, others are completely unrelated or need you to use tools and concepts completely out of the scope of the exam. Do not get me wrong, they are awesome and fun to solve, but in terms of preparing for the exam, they only give you proficiency with some tools and will not prepare you for passing the exam itself.
My personal recommendation is to finish the learning path, revisit all skill assessments, redo all modules you feel weak on, and jump straight to the exam without overthinking it too much. Remember that the modules arm you with everything needed to pass the exam.
Additionally, I highly recommend joining the Hack The Box Official Discord Server, where a supportive community will be happy to assist you at any time, addressing your queries and guiding you through the process. Keep in mind that many others might have encountered the same issue or question as you, so use the Discord Server’s search function to look for relevant keywords (or even post your entire question), since in 99% of the cases, your issue has likely been addressed previously. Remember, while many are willing to assist, direct answers won’t be provided; you’re encouraged to seek hints and work through the problems yourself.
There is also a Hack The Box Official Forum where people ask for hints, but I find the Discord Server far more resourceful. And trust me, the people there are awesome!
Exam Experience
The candidate will have to perform security analysis, SOC operations, and incident handling activities against multiple real-world and heterogeneous networks hosted in HTB’s infrastructure and accessible via VPN (using Pwnbox or their own local VM). Upon starting the examination process, a letter of engagement will be provided that will clearly state all engagement details, requirements, objectives, and scope. All a candidate needs to perform the required activities is a stable internet connection and VPN software. HTB Certified Security Analysis Specialist is the most up-to-date and applicable certification for Security Analysts, SOC Analysts, and Incident Handlers that focuses on both security incident analysis and professionally communicating security incidents.
Upon clicking the “ENTER EXAM” button and accepting the terms and conditions of the exam, a letter of engagement will be provided that will clearly state all engagement details, requirements, and objectives, as well as the scope. A report template will also be provided to you.
You can now commence security analysis, SOC operations, and incident handling activities against the network mentioned in the letter of engagement. A good strategy is to keep detailed notes and start drafting your report right away, filling it in as you go.
To ensure that you have fully achieved the exam’s objectives, you will also be asked to submit several flags on the exam lab’s page. The exam lab will be accessible for seven (7) days without restrictions.
Each candidate will be provided with a dedicated instance of the exam lab. This means that you can perform your security analysis, SOC operations, and incident handling activities without interruptions caused by others and reset the lab at any time.
To obtain the certification, a certain amount of points must be gathered alongside a commercial-grade report.
Hack The Box Academy CDSA Exam Description
These are the objectives of the exam, extracted from the publicly available Sysreptor template (I will come to that in a second):
Since I work full time, the amount of time I could allocate to solving the exam was limited. I invested an average of 6-7 hours daily in solving it. Given that it was my first exam of this type (particularly one focusing on blue team topics), I was not sure what to expect from it. Within the first 20 hours, I got 15 flags, and by the end of the second day I had a total of 19 flags.
With 19 out of 20 flags and a boost in confidence from knowing I had achieved the passing score for the first incident, I began drafting the report for it. After completing a draft for the first incident, I moved on to the second one, and by the fifth day, I had drafts for both incidents. The final two days were spent refining the report and attempting to capture the last flag to achieve a perfect score. Unfortunately, I was unable to secure that final flag, which was somewhat disappointing as I was very close to achieving a perfect score on the exam.
The report is a crucial component of the exam, so I tried to adhere as closely as possible to the guidelines provided in the Security Incident Reporting section. I must be cautious with the details shared here, as discussing specifics about the exam environment is prohibited. After a long wait, I got the notification that I had passed the exam, being one of the first 50 people that currently hold the certification.
Exam Tips & Conclusions
To summarize the insights shared in this post, here are some exam tips that you might find helpful:
- Note-taking: Keep detailed notes on anything you find particularly interesting or challenging during the learning path.
- Taking breaks: If you hit a roadblock, take a break. During my exam, there were moments when I was stuck for hours, but after a 30-minute break, I could swiftly identify the solution within seconds.
- Academy search feature: Utilize this feature extensively. The exam spans seven days; it’s more of a marathon than a sprint. Refer back to the modules whenever necessary to refresh concepts or gain new ideas.
- Trust in your knowledge: If you’ve completed the learning path with minimal hints, you’re likely well-prepared for the exam.
- Practice your reporting skills: since the report writing is the main deliverable for the exam (you could fail with a weak report even if you got all flags), it is crucial to be confident in the reporting part of the exam. I highly recommend reviewing the Security Incident Reporting module and practicing it with some real-world incidents.
- (OPTIONAL) Sherlocks: While they weren’t particularly beneficial for me in order to take the exam, others find them helpful. It might be worth giving them a shot. Do not get me wrong, they are really interesting challenges and can teach you tons of interesting new things, but in the context of preparing for the CDSA, I did not find them that helpful.
There are two options for building the report: a Word template provided by HTB, which is structured following the Security Incident Reporting module, and the Sysreptor platform.
Sysreptor made its platform available for HTB exam reporting. It provides a really easy-to-use interface and facilitates the reporting task: it automatically fills in the sections with the information provided in the template and makes your life way easier while solving the exam.
Check it out on this link: https://docs.sysreptor.com/htb-reporting-with-sysreptor/
The learning journey and the exam itself were highly enriching experiences for me. I can’t emphasize enough that HTB Academy offers exceptional content (and no, they aren’t sponsoring me). The exam environment was very stable, and although there were occasional connectivity issues in the modules’ labs, HTB resolved them quickly.
I hope this review was useful and that I encouraged you to also take the exam. And if you have any questions, do not hesitate to contact me through LinkedIn. You can also find me on the HTB Discord Server under the name of ElijahBaley!
If you are thinking about registering on the HTB Academy, I would highly appreciate it if you used my referral link, since it allows me to get some extra cubes and more courses so I can make more reviews like this in the future! Thank you in advance!
Referral link: https://referral.hackthebox.com/mzwMsDV
Tag:CDSA, Hack The Box