THE CU
  • Home
  • Blogs
  • Offense
    • Pen Tester Training Program
    • Offensive Cheat Sheets >
      • Bash Commands
      • Network Enumeration
      • Web Enumeration
      • Windows Post Ex
      • Metasploit
      • Shells
      • PowerShell
    • Offensive Links
  • Defense
    • Junior SOC Analyst Roadmap
    • Intermediate SOC Analyst Training Program
    • Defense Links
    • RDP Analysis
  • Land A Job
    • Entry-Level InfoSec Jobs
    • Improve Resume
    • Find a Job
    • Interview Prep
    • Grow as a Practitioner
    • Get Experience
  • FAQS
  • Other
    • Certifications
    • Finance, Travel, and Mental Health Books
    • Finance Resources
    • Infosec Conferences
    • CTFs
    • Cyber Ranges
    • Twitter People to Follow
    • Podcasts
    • Books
    • Twitch Streamers

Intermediate SOC Analyst Training Program

Introduction

Getting into the cyber security field can be full of frustration for those exiting college or transitioning from another career. The internet is full of paid courses and free classes that are sometimes good but often bad. What if there was a free program connecting all of these resources together into a concise methodology that also prepares a person for the rigors of a career as an InfoSec Analyst?

This page aims to curate the already available information into a flowing path that any eager mind with a computer can access. Hopefully, by providing this resource, we as a community can close the gap between education, certifications, real-life experience, and getting a job offer. On the other hand, if you already have a job as a junior analyst but are unsure what to study to grow your skills, this should be a good starting point. By the end of this material, you should have the skills to perform the functions of a mid-tier analyst.

This material is being pieced together in a fashion that I believe is helpful based on my experiences in multiple SOCs. It will also continue to be updated based on the feedback I get from users. As you can tell, it isn't fully fleshed out yet, but it will be. I have a full-time job and run a company, so my time is limited, but please check back regularly. As I have time, I will continue to fill in the blanks.

Things may be added to this list based on recommendations. If I haven't fully vetted material, I will try to mark it as such. Please let me know what you think is useful, what's not, and any recommendations to make this page better!

Phase 1: Windows Operating System

The first thing I like to teach students is the Windows operating system. Why? Because in most environments, 90% or more of the monitored devices are Windows-based. By understanding how the underlying operating system works, you will be best placed to investigate potential threats, know what normal looks like, and analyze artifacts to fill in the blanks left by logs. The information in this section is fundamental to later sections, including Windows Forensics, Memory Analysis, and Malware Analysis.

In this section you will learn about Windows processes, start up items, the registry, and available logs.
Videos
Windows Process Genealogy by 13Cubed - Discusses Windows processes, their normal parent-child relationships, and normal startup items.
Windows MACB Timestamps (NTFS Forensics) by 13Cubed - Discusses the NTFS MACB timestamps (modified, accessed, changed, born) and how attackers can alter them.
Windows Registry 1 of 3 by Advanced Digital Forensics - Discusses the fundamentals of the registry.
DFIR Summit 2016: Plumbing the Depths - Windows Registry Internals by Eric Zimmerman - This is an advanced registry video; watch the Registry 1 of 3 video first.

Books
Windows Internals, Part 1: System architecture, processes, threads, memory management, and more (Developer Reference)
  • Pg 88-99 - Windows Startup process
  • Pg 62-85 - Windows subsystems
  • Pg 129-170 - Windows Startup process
  • Pg 492-507 - Device Drivers

Blogs/Web Pages
Registry Hives - Official documentation on the registry hives.
Windows Registry - A detailed review of the various Windows hives.
Directory Structure - A Wikipedia entry discussing the various directories and their purpose.
*Note for me: I need to create a page explaining directory structure for InfoSec

Podcasts
None at the moment

Labs/Homework
1. Identify the processes that start at logon. How are they started (services, scheduled tasks, Run keys, startup folder)? Are they normal for the host?
2. Open the Registry Editor (regedit) from the Run dialog and browse the different hives.
3. Complete the TryHackMe room: https://tryhackme.com/room/btwindowsinternals
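The "are they normal?" question from the first lab, carried out in code. This is an added example, not code from this page or from 13Cubed: given a process snapshot with PIDs, parent PIDs and image paths, it flags the core Windows processes whose parent, image location or instance count breaks the expected genealogy. The SAMPLE snapshot is constructed by hand to look like a process listing; the expected-parent table covers only the processes whose lineage is fixed on every Windows host.

```python
"""Flag core Windows processes that break the expected process genealogy.

Added example for the Phase 1 lab, not code from the page or from 13Cubed.
SAMPLE is constructed by hand to resemble a process listing
(pid, parent pid, image name, image path); it is not from a real host.
"""
from dataclasses import dataclass

SYSTEM32 = "c:\\windows\\system32\\"

# Expected parent image for processes whose lineage is fixed on every host.
# None means the real parent (an smss.exe instance, or userinit.exe) exits
# after spawning the child, so the parent PID should not resolve to a
# running process.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": None,
    "wininit.exe": None,
    "winlogon.exe": None,
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "explorer.exe": None,
}

# Processes that must run from %SystemRoot%\System32 (an svchost.exe or
# lsass.exe dropped anywhere else is classic masquerading).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}

# Processes of which a healthy host runs exactly one instance.
SINGLE_INSTANCE = {"smss.exe", "wininit.exe", "services.exe", "lsass.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


def check_genealogy(procs):
    """Return a list of (pid, name, reason) findings for the snapshot."""
    by_pid = {p.pid: p for p in procs}
    seen = set()
    findings = []
    for p in procs:
        name = p.name.lower()
        if name == "system":
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else None

        if name in SYSTEM32_ONLY and not p.path.lower().startswith(SYSTEM32):
            findings.append((p.pid, p.name, f"unexpected image path {p.path}"))

        if name in EXPECTED_PARENT:
            expected = EXPECTED_PARENT[name]
            if expected is None and parent is not None:
                findings.append((p.pid, p.name,
                                 f"parent {parent.name} (pid {p.ppid}) should have exited"))
            elif expected is not None and parent_name != expected:
                findings.append((p.pid, p.name,
                                 f"parent is {parent_name or 'not running'}, expected {expected}"))

        if name in SINGLE_INSTANCE:
            if name in seen:
                findings.append((p.pid, p.name, "more than one instance running"))
            seen.add(name)
    return findings


# Constructed snapshot: a normal boot chain plus two planted anomalies.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(368, 4, "smss.exe", "C:\\Windows\\System32\\smss.exe"),
    Proc(520, 360, "csrss.exe", "C:\\Windows\\System32\\csrss.exe"),      # ppid 360 exited
    Proc(600, 360, "wininit.exe", "C:\\Windows\\System32\\wininit.exe"),
    Proc(700, 600, "services.exe", "C:\\Windows\\System32\\services.exe"),
    Proc(716, 600, "lsass.exe", "C:\\Windows\\System32\\lsass.exe"),
    Proc(900, 700, "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
    Proc(1200, 1180, "explorer.exe", "C:\\Windows\\explorer.exe"),        # ppid 1180 exited
    Proc(2444, 1200, "svchost.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"),
    Proc(2500, 2444, "lsass.exe", "C:\\Windows\\System32\\lsass.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in check_genealogy(SAMPLE):
        print(f"pid {pid:>5} {name:<14} {reason}")
```

On a live host the same four fields come from `Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath`. The check is deliberately strict: a legitimate explorer.exe relaunched from Task Manager will be flagged too, and that is the point of the lab, reviewing each finding against what normal looks like for that host rather than trusting a script to decide.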

Phase 2: Windows Logs and Analysis Process

Videos
SANS DFIR Webcast - Incident Response Event Log Analysis by Hal Pomeranz - Explains the various types of Windows event logs and uses them to analyze an incident.
James Brodsky, Dashing Through the Logs | KringleCon 2019 - Covers critical Windows security event log sources such as Sysmon, PowerShell, and process launch events.
RDP Event Log Forensics by 13Cubed
Windows RDP-Related Event Logs: Identification, Tracking, and Investigation by Jonathon Poling

Blogs/Whitepapers
EVTX and Windows Event Logging - SANS Institute

Labs
Do the labs at your own risk. I recommend running them in a VM.
Windows Incident Response Practice Lab - An incident response lab that walks you through some Windows challenges. (Need to add labs)
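The core of the analysis process the videos above teach, reduced to code: pull the logon events (4624 success, 4625 failure) out of the Security log, list the RDP sessions, and summarise failed logons per source address so that a burst of failures followed by a success stands out. This is an added example, not code from this page or from any of the talks listed. SAMPLE_EVENTS is constructed by hand; the field names mirror the EventData names in the Security log XML (TargetUserName, LogonType, IpAddress), and the 203.0.113.0/24 address is a documentation range.

```python
"""Triage Windows Security log logon events (4624 success, 4625 failure).

Added example for Phase 2, not code from the page or from the listed talks.
SAMPLE_EVENTS is constructed by hand; field names mirror the EventData
names in the Security log XML. 203.0.113.0/24 is a documentation range.
"""
from collections import defaultdict
from datetime import datetime

LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
RDP_LOGON_TYPE = 10          # RemoteInteractive (RDP / Terminal Services)


def rdp_logons(events):
    """Every successful RDP logon as (time, user, source ip)."""
    return [(e["TimeCreated"], e["TargetUserName"], e["IpAddress"])
            for e in events
            if e["EventID"] == LOGON_SUCCESS and e["LogonType"] == RDP_LOGON_TYPE]


def failed_logon_sources(events, threshold=5):
    """Summarise 4625s per remote source IP and return those at or above
    threshold, noting the first later 4624 from the same source (failures
    followed by a success is the pattern to chase first)."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(),
                                  "first": None, "last": None,
                                  "success_after": None})
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"])):
        ip = e["IpAddress"]
        if ip == "-":            # console and service logons carry no source address
            continue
        s = per_ip[ip]
        if e["EventID"] == LOGON_FAILURE:
            s["failures"] += 1
            s["users"].add(e["TargetUserName"])
            s["first"] = s["first"] or e["TimeCreated"]
            s["last"] = e["TimeCreated"]
        elif (e["EventID"] == LOGON_SUCCESS and s["failures"] > 0
              and s["success_after"] is None):
            s["success_after"] = (e["TargetUserName"], e["TimeCreated"])
    return {ip: s for ip, s in per_ip.items() if s["failures"] >= threshold}


def _ev(event_id, time, user, logon_type, ip):
    return {"EventID": event_id, "TimeCreated": time, "TargetUserName": user,
            "LogonType": logon_type, "IpAddress": ip}


# Constructed sample: one console logon, a burst of failures from one
# external address that ends in a successful RDP logon, one ordinary
# internal RDP logon, and a single local typo.
SAMPLE_EVENTS = [
    _ev(4624, "2024-03-01T08:02:11", "alice", 2, "-"),
    _ev(4625, "2024-03-01T08:10:01", "admin", 3, "203.0.113.7"),
    _ev(4625, "2024-03-01T08:10:09", "administrator", 3, "203.0.113.7"),
    _ev(4625, "2024-03-01T08:10:18", "root", 3, "203.0.113.7"),
    _ev(4625, "2024-03-01T08:10:27", "svc_backup", 3, "203.0.113.7"),
    _ev(4625, "2024-03-01T08:10:45", "bob", 3, "203.0.113.7"),
    _ev(4624, "2024-03-01T08:11:30", "bob", 10, "203.0.113.7"),
    _ev(4624, "2024-03-01T09:15:00", "alice", 10, "10.0.0.25"),
    _ev(4625, "2024-03-01T09:40:12", "carol", 2, "-"),
]

if __name__ == "__main__":
    for t, user, ip in rdp_logons(SAMPLE_EVENTS):
        print(f"RDP logon {t} {user} from {ip}")
    for ip, s in failed_logon_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {s['failures']} failures against {sorted(s['users'])} "
              f"between {s['first']} and {s['last']}, success after: {s['success_after']}")
```

To run this on real data, export the events with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` and map the EventData fields into the same dicts. The threshold is a starting point, not a rule: five failures from one address in under a minute against five different accounts is a spray regardless of the count, and the later 4624 for bob from the same address is what turns it from noise into an incident.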

Phase 3: Attacker Methodology

Videos
Abusing Windows Management Instrumentation (WMI) from Black Hat USA 2015 - Discusses the offensive capabilities of WMI.
There's Something About WMI from SANS DFIR Summit 2015 - Discusses WMI for offensive use cases. (I know the video quality is not great.)
MITRE ATT&CK: The Play at Home Edition by Katie Nickels and Ryan Kovar
Persistence Mechanisms by 13Cubed
SANS DFIR Webcast - Incident Response Event Log Analysis by Hal Pomeranz
DerbyCon - Living Off The Land: A Minimalist Guide To Windows Post Exploitation by Christopher Campbell and Matthew Graeber

Podcasts
Gozi, Part 1: The Rise of Malware-as-a-Service by Malicious Life
The Equifax Data Breach Pt I and Pt II by Malicious Life

Phase 4: Windows Forensics

Videos
Introduction to Windows Forensics by 13Cubed
Prefetch Deep Dive by 13Cubed
Detecting Persistence in Memory by 13Cubed
RDP Cache Forensics by 13Cubed
Recycle Bin Forensics by 13Cubed
Shellbag Forensics by 13Cubed
LNK Files and JumpLists by 13Cubed
Windows SRUM Forensics by 13Cubed
Windows Application Compatibility Forensics by 13Cubed
Introduction to Memory Forensics by 13Cubed
Windows Memory Analysis by 13Cubed

Paid Training
INE's Digital Forensics Professional - Amazing course and certification. My understanding of forensic processes and skills grew by a factor of ten. If you are interested in this area, I highly recommend this course. I became my employer's forensic SME after this :). You can get this as part of the annual cyber security subscription ($749, but often discounted), which I also recommend. Get work to pay for this; they will love you for it.

Phase 5: Coding

Coding is one of the biggest steps you can take in mastering your craft. Think about it: everything you analyze will be code in some fashion. Unfortunately, most analysts don't know the basics of even one language. If you want to separate yourself from the pack and take a big step towards the Senior Analyst title, learn a common language. I have chosen the selections below based on my experiences in the SOC and as a pen tester, but to be honest, being competent in any programming language will help you read code in another. The principles are the same. If none of these resonate with you, pick another and learn it.
Free Courses
Codecademy: Learn Python 2 - I know Python 2 is old, but it is the only free Python course on Codecademy. Their course structure was perfect for me when I was learning, so I still have to recommend it. If you have another recommendation for Python 3, please let me know. Python is heavily recommended because many of the tools and exploits you may need to analyze will be written in it. Python 2 is not that different from Python 3.
Codecademy: Learn Go - As an alternative to Python, I would look at Go. Many tools are now being built in Go because it cross-compiles easily and runs faster than interpreted languages like Python.
Codecademy: Learn JavaScript - On top of one of the other languages mentioned, JavaScript is highly recommended. Many SOCs monitor for web attacks, which often involve malicious JavaScript. Having a basic understanding will separate you from your peers. I have worked full-time in two shops where only one or two people (including myself) could read and understand JavaScript at a basic level.

Labs/Practice
Codewars - A great place to practice your chosen language. After you have taken an intro course, aim to complete a couple of katas a week to keep honing your skills.

Phase 6: Cryptography

Labs/Practice
Cryptopals - Using your newly formed programming skills, practice solving crypto puzzles with Cryptopals. The challenges start with byte-level operations such as XOR and encoding and build up to breaking real block and stream cipher constructions, so you learn how the algorithms work and how they fail when misused. If you choose to go down the malware analysis road, this will be invaluable.
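
A worked example of the kind of puzzle Cryptopals opens with, added here and not code from this page or from Cryptopals: fixed XOR, single-byte XOR, breaking single-byte XOR by scoring every candidate key against English letter frequencies, and then picking the one XORed line out of a pile of noise. The plaintext, key and decoy bytes are chosen for the example so that it runs offline; the frequency table is the usual approximate English one.

```python
"""Cryptopals set 1 style: fixed XOR, single-byte XOR, and breaking it by
English-frequency scoring.

Added example for Phase 6, not code from the page or from Cryptopals.
PLAINTEXT and KEY are chosen here and CIPHERTEXT is derived from them;
DECOY is a constructed non-text byte string.
"""

# Approximate English letter frequencies (percent), used for scoring.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}
NEUTRAL = set("0123456789.,;:'\"!?()-\n")   # common in text, carry no signal


def fixed_xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (Cryptopals challenge 2)."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def single_byte_xor(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encrypting and decrypting are the same op."""
    return bytes(b ^ key for b in data)


def english_score(candidate: bytes) -> float:
    """Higher means more English-like. Letters score by frequency, a space
    scores like a common letter, digits and punctuation are neutral, and
    anything else (control bytes, high bytes, symbols) is penalised hard."""
    score = 0.0
    for b in candidate:
        c = chr(b)
        if c.isascii() and c.isalpha():
            score += ENGLISH_FREQ.get(c.lower(), 0.0)
        elif c == " ":
            score += 13.0
        elif c in NEUTRAL:
            pass
        else:
            score -= 50.0
    return score


def break_single_byte_xor(ciphertext: bytes):
    """Try all 256 keys and return (key, plaintext) with the best score (challenge 3)."""
    key = max(range(256), key=lambda k: english_score(single_byte_xor(ciphertext, k)))
    return key, single_byte_xor(ciphertext, key)


def detect_single_byte_xor(lines):
    """Among many byte strings, find the one that is single-byte-XORed
    English (challenge 4); returns (index, key, plaintext)."""
    best = None
    for i, line in enumerate(lines):
        key, pt = break_single_byte_xor(line)
        s = english_score(pt)
        if best is None or s > best[0]:
            best = (s, i, key, pt)
    return best[1], best[2], best[3]


PLAINTEXT = b"know normal, find evil: baseline the host before you hunt"
KEY = 0x5A
CIPHERTEXT = single_byte_xor(PLAINTEXT, KEY)
DECOY = bytes((i * 37 + 11) % 256 for i in range(len(PLAINTEXT)))   # constructed noise

if __name__ == "__main__":
    print(fixed_xor(b"\x1c\x01\x11", b"\x68\x69\x74").hex())
    key, pt = break_single_byte_xor(CIPHERTEXT)
    print(f"key=0x{key:02x} plaintext={pt!r}")
    print(detect_single_byte_xor([DECOY, CIPHERTEXT]))
```

The scoring function is the whole trick: a wrong key turns spaces into control bytes or letters into symbols, so even a crude frequency table plus a hard penalty for unprintable bytes separates the right key from the other 255. The same scorer carries straight into the repeating-key XOR challenges, where each key byte is recovered independently this way.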

Books
Crypto: How the Code Rebels Beat the Government--Saving Privacy in the Digital Age by Steven Levy - A great book on the history of crypto. This was one of my first books on cyber security and it opened the world of cryptography for me.

Phase 7: Malware Analysis

Videos
Practical Malware Analysis Essentials for Incident Responders by Lenny Zeltser

Labs
Stuxnet Lab (MS10-061) - HTB Dropzone - This is a HackTheBox VM whose intended path uses MS10-061, one of the exploits used by Stuxnet. A good walkthrough was written by 0xdf hacks stuff.

Paid Training
INE's Malware Analysis Professional - I never finished this course, but I got through about half before other priorities took precedence. The content I made it through was amazing, and I highly recommend this course. You can get this as part of the annual cyber security subscription ($749, but often discounted), which I also recommend. Get work to pay for this; they will love you for it.