Stage 6: Even More Knowledge
Registry
The registry is typically used to configure Windows. However, bad guys use the registry to persist on a computer even after a reboot. As an analyst, you need a basic understanding of this Windows feature to understand how changes are made and which keys are commonly abused. You will see interactions with the registry through process logs and registry-specific logs.
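To make the link between registry persistence and the logs you will be reading concrete, here is an added Python example (not from the roadmap or any of the linked courses). It takes a handful of constructed records shaped like Sysmon Event ID 13 (RegistryEvent, Value Set), with the real Sysmon field names TargetObject, Details and Image, and flags writes that land in well-known autostart locations such as the Run and RunOnce keys. The list of keys and the "trusted path" heuristic are assumptions chosen for illustration, not an exhaustive catalogue.

```python
"""Flag Sysmon registry writes that land in well-known autostart locations."""
import re

# A few autostart locations that persistence commonly abuses (assumed list, not
# exhaustive). Matched case-insensitively against the Sysmon TargetObject.
AUTOSTART_KEY_PATTERNS = [
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    r"\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
    r"\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup$",
]
AUTOSTART_RE = re.compile("|".join(AUTOSTART_KEY_PATTERNS), re.IGNORECASE)

# Constructed sample records in the shape of Sysmon Event ID 13 (Value Set)
# after the XML has been flattened to key/value pairs. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup_tmp.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Contoso\App\Theme",
     "Details": "dark"},
    # Event ID 12 is key create/delete, not a value write; it is ignored below.
    {"EventID": 12, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Details": ""},
]


def is_autostart_key(target_object):
    """True when the registry path is one of the watched autostart locations."""
    return AUTOSTART_RE.search(target_object) is not None


def image_is_unusual(image):
    """Heuristic (assumption): writers outside the OS and Program Files
    directories deserve a closer look than svchost or an installer would."""
    trusted_prefixes = ("c:\\windows\\", "c:\\program files\\",
                        "c:\\program files (x86)\\")
    return not image.lower().startswith(trusted_prefixes)


def find_autostart_writes(events):
    """Return the Value Set events that touch an autostart key, with a severity."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13 or not is_autostart_key(ev["TargetObject"]):
            continue
        severity = "high" if image_is_unusual(ev["Image"]) else "low"
        hits.append({"key": ev["TargetObject"], "value": ev["Details"],
                     "writer": ev["Image"], "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in find_autostart_writes(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['writer']} wrote {hit['key']} = {hit['value']}")
```

The second sample record is the one worth your attention: a binary running out of a Temp folder adding itself to a per-user Run key. The first is the kind of legitimate autostart write you will see constantly, which is why the writer's path, not just the key, drives the severity.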
Training
Windows Registry 1 of 3 by Advanced Digital Forensics - A video that discusses the fundamentals of the registry.
Registry Hives - Official documentation on the registry hives.
Windows Registry - A detailed review of the various Windows hives.
Processes
Processes are fundamental to how you interact with an operating system. In fact, anything you do in Windows involves a process in one way or another.
Understanding the relationship between children and parent processes will help you tremendously while you are sleuthing as an analyst.
Looking into the future, in order to grasp more advanced topics such as process hollowing and process injection attacks, you must first learn the basics.
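Parent/child relationships are easiest to understand when you rebuild them yourself. The following Python example is added here and is not part of the roadmap or the linked video. It uses constructed records with the Sysmon Event ID 1 (ProcessCreate) field names ProcessId, ParentProcessId and Image, rebuilds the tree, and applies one classic check an analyst would run: a document handler such as Word spawning a command shell. The lists of document handlers and shells are assumptions for illustration.

```python
"""Rebuild process lineage from Sysmon Event ID 1 (ProcessCreate) records and
flag document handlers that directly spawn a command shell."""
from collections import defaultdict

# Constructed ProcessCreate records using Sysmon's field names; not real
# telemetry. ProcessId 800 (explorer's parent) is deliberately absent, as it
# would be in a log that started collecting after boot.
SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": 1000, "ParentProcessId": 800,  "Image": r"C:\Windows\explorer.exe"},
    {"ProcessId": 2000, "ParentProcessId": 1000,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessId": 2100, "ParentProcessId": 2000, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 2200, "ParentProcessId": 2100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 3000, "ParentProcessId": 1000,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ProcessId": 3100, "ParentProcessId": 3000,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

# Assumed lists for the check below, not an exhaustive catalogue.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Map each ProcessId to its record and each parent to its child PIDs."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[ev["ParentProcessId"]].append(ev["ProcessId"])
    return by_pid, children


def lineage(by_pid, pid):
    """Image names from the oldest known ancestor down to pid. Stops when the
    parent is missing from the log or a PID cycle (PID reuse) is detected."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


def render_tree(events, root_pid):
    """Indented text view of the subtree under root_pid, one line per process."""
    by_pid, children = build_tree(events)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{basename(by_pid[pid]['Image'])} ({pid})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    walk(root_pid, 0)
    return lines


def suspicious_spawns(events):
    """(child PID, lineage string) for every shell whose direct parent is a
    document handler."""
    by_pid, _ = build_tree(events)
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ParentProcessId"])
        if parent is None or basename(ev["Image"]) not in SHELLS:
            continue
        if basename(parent["Image"]) in DOCUMENT_HANDLERS:
            findings.append((ev["ProcessId"], " -> ".join(lineage(by_pid, ev["ProcessId"]))))
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_PROCESS_EVENTS, 1000)))
    for pid, chain in suspicious_spawns(SAMPLE_PROCESS_EVENTS):
        print(f"suspicious: pid {pid}: {chain}")
```

Note that only the direct parent is checked, so powershell.exe under cmd.exe is not flagged on its own; the lineage string is there so you can see the whole chain when cmd.exe is. Walking the full ancestry instead of one level is the natural next step once the basic tree makes sense.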
Training
Windows Process Genealogy by 13 Cubed - A video that discusses Windows processes and normal startup items.
Event Logs
Event logs are how software tracks errors, changes, and interactions. For this training section you will be focused on the Windows Operating System software logs.
As an analyst, these logs will be your primary medium for investigations. The better you understand the different types of logs, the more efficient an analyst you will be. If you are like me, I knew nothing about logs at the beginning of my career.
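A small worked example of reading Windows logs, added here and not taken from the roadmap or the linked webcasts: it scans constructed Security log records (the real event IDs 4624 for a successful logon and 4625 for a failed one, with the real LogonType values) and reports any account and source address that racks up a burst of failures and then succeeds, which is how a password-guessing attempt looks in the logs. The threshold and time window are assumptions you would tune for your environment.

```python
"""Spot a burst of failed logons (4625) followed by a success (4624) from the
same account and source address in constructed Windows Security log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (TimeCreated, EventID, TargetUserName, IpAddress, LogonType).
# LogonType 2 is interactive, 3 is network. Not real telemetry.
SAMPLE_SECURITY_EVENTS = [
    ("2024-03-01T08:00:01", 4624, "alice", "10.0.0.5", 2),
    ("2024-03-01T08:05:00", 4625, "bob", "10.0.0.77", 3),
    ("2024-03-01T08:05:07", 4625, "bob", "10.0.0.77", 3),
    ("2024-03-01T08:05:15", 4625, "bob", "10.0.0.77", 3),
    ("2024-03-01T08:05:22", 4625, "bob", "10.0.0.77", 3),
    ("2024-03-01T08:05:30", 4625, "bob", "10.0.0.77", 3),
    ("2024-03-01T08:05:41", 4625, "bob", "10.0.0.77", 3),
    ("2024-03-01T08:05:55", 4624, "bob", "10.0.0.77", 3),
    ("2024-03-01T09:00:00", 4625, "carol", "10.0.0.9", 2),   # one typo, benign
]


def parse(records):
    """Turn the tuples into dicts with real datetimes, oldest first."""
    events = [{"time": datetime.fromisoformat(t), "id": eid, "user": u,
               "ip": ip, "logon_type": lt} for t, eid, u, ip, lt in records]
    return sorted(events, key=lambda e: e["time"])


def failures_by_source(records):
    """Count of 4625 events per source address, a quick first triage view."""
    counts = defaultdict(int)
    for ev in parse(records):
        if ev["id"] == 4625:
            counts[ev["ip"]] += 1
    return dict(counts)


def failed_then_success(records, threshold=5, window=timedelta(minutes=5)):
    """Report (user, ip) pairs whose 4624 was preceded by at least `threshold`
    4625 events inside `window`. Threshold and window are assumed tuning values."""
    recent_failures = defaultdict(list)   # (user, ip) -> failure timestamps in window
    findings = []
    for ev in parse(records):
        key = (ev["user"], ev["ip"])
        cutoff = ev["time"] - window
        recent_failures[key] = [t for t in recent_failures[key] if t >= cutoff]
        if ev["id"] == 4625:
            recent_failures[key].append(ev["time"])
        elif ev["id"] == 4624 and len(recent_failures[key]) >= threshold:
            findings.append({"user": ev["user"], "ip": ev["ip"],
                             "failures": len(recent_failures[key]),
                             "logon_type": ev["logon_type"],
                             "success_at": ev["time"].isoformat()})
            recent_failures[key].clear()   # report each burst once
    return findings


if __name__ == "__main__":
    print("failures per source:", failures_by_source(SAMPLE_SECURITY_EVENTS))
    for f in failed_then_success(SAMPLE_SECURITY_EVENTS):
        print(f"{f['user']} from {f['ip']}: {f['failures']} failures, "
              f"then success at {f['success_at']} (logon type {f['logon_type']})")
```

Carol's single failure is exactly the noise a raw count would surface and a threshold should suppress; Bob's six network logon failures followed by a success is the sequence you would escalate.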
Training
SANS DFIR Webcast - Incident Response Event Log Analysis - A video that explains various types of logs and uses them to analyze a cyber event.
James Brodsky, Dashing Through the Logs | KringleCon 2019 - A video that covers critical Windows-based security event log sources like Sysmon and PowerShell.
Active Directory
You can't hop on an organizational network for a large enterprise without running into Active Directory. Administrators use this Windows tool to efficiently manage all the computers, servers, and accounts on a network.
Understanding how administrators use Active Directory will help you understand why attackers often target servers running the service. By the end of this training, you should know what Active Directory is and have some ideas of how it is used.
Training
Active Directory Basics (THM) – A short course on Active Directory. This course teaches you the basics for this prevalent service to make investigation easier for you.
Attacker Methodology/Log Analysis
I don't know if you know this, but understanding the attacker methodology is huge in your journey to becoming a great analyst. As you grow in your tradecraft, you will be able to see attacks by simply looking at a few logs.
The thing is, attackers go through the same process no matter how good they are. In the cyber security industry, we call this process the attacker methodology. By understanding what phase of the attack you are seeing, you increase the likelihood you will find the other pieces of the attack.
But right now, I just want you to understand the phases of attacks and tools you can use to continue growing your understanding.
Training
Mitre ATT&CK: The Play at Home Edition by Katie Nickels and Ryan Kovar - A video that discusses how various roles in cybersecurity can use the Mitre ATT&CK matrix. This is a common framework that many organizations are starting to integrate into their security program.
Persistence Mechanisms by 13Cubed - A video that discusses the persistence phase of the attacker methodology.
SANS DFIR Webcast - Incident Response Event Log Analysis by Hal Pomeranz - A video that dives into log analysis.
DerbyCon - Living Off The Land A Minimalist Guide To Windows Post Exploitation by Christopher Campbell and Matthew Graeber - A video that covers a common tactic of attackers living off the land. This is bad guys using normal administrator tools for evil purposes.
Gozi, Part 1: The Rise of Malware-as-a-Service by MaliciousLife - A podcast discussing malware as a service. Most malware you come across will be part of one of these cybercrime services.
The Equifax Data Breach Pt I and Pt II by MaliciousLife - A set of podcasts discussing how the Equifax data breach occurred. These podcasts will help you understand the full attack chain.
Investigating Windows (THM Free) – This short course is a Windows investigation, like the title says. You RDP to the system and look for clues to answer questions. I think this content provides an interesting perspective to the journeyman learner. I know when I first started out, I wished I had been directly on the system to investigate. This is that scenario. Enjoy.
Basic Malware Analysis
You may not do full malware analysis at the junior level, but you will do some. These resources will introduce the topic to you and provide you with the skills needed to conduct Tier 1 triage. By the end of these courses, you should get a good idea of the malware you are seeing and how to find indicators to help you determine if the malware successfully executed.
Training
Practical Malware Analysis Essentials for Incident Responders by Lenny Zeltser - A video from one of the best-known instructors on malware analysis. He breaks down the topic so that you can have a great understanding of how it works in the real world.
Conclusion
This guide is something I wish had been available when I first started out. But back then the community wasn't as developed and resources were scattered all over the internet. Today you have wonderful people and companies providing free or low-cost resources to help people like you. I hope this program serves you well on your path to becoming a cyber security professional, and if it does, let me know! I love hearing success stories. The world can always use some more good news.
After this roadmap, feel free to move on to the Intermediate level topics, such as the Intermediate SOC Analyst Roadmap or explore on your own.
Last but not least, if you want to stay up to date on The Cyber Union, sign up for the newsletter.