Part 2: Free Training Plan for New (or Aspiring) Incident Responders

If you’re a newer analyst like me and have been trying to cram everything into your brain at once…or if you’re looking at all this free training wondering where to even start (after you have an understanding of the four core categories), I saw this video and attempted to make a free training plan from it.

This is based on Ryan Chapman’s BSidesSF 2019 talk, Implementing a Kick-Butt Training Program: BLUE TEAM GO! (video below).

Check out his GitHub for the PDFs.

Before starting Week 1, I recommend taking Intro to DFIR: The Divide and Conquer Process by Basis Technology.

Week 1

Obviously Days 1-3 can’t be done here, so I’m skipping to Days 4 & 5.

SIEM Training (This will depend on what SIEM you’re using but you can also practice in a home lab if you’re following this before you get your first IR job)

Splunk – There are Free Splunk Courses by Splunk. Sam Bowne also has a Network Security Monitoring course using Splunk. In addition, there is an Introduction to Splunk Workshop by Kenneth Ellington.

IBM QRadar – IBM has several free training courses. There are also a lot of QRadar videos on Jose Bravo’s YouTube channel.

SIEM tutorials by I.T Security Labs – There are many tutorials on their YouTube channel for different open-source SIEMs. Set one up, or play around with a few.

INE – Free Defensive Security Labs (includes Splunk)

Week 2

Day 1: Common Protocols and How They Work

Day 2: Network Logs

SANS DFIR Webcast – Incident Response Event Log Analysis

Basic Approach: Analyzing Files Log For Attacks (2021)

Get Hands-On with the Free Version of LetsDefend (SOC Simulation Environment)

Do the Hammered – Log Analysis Challenge on CyberDefenders

Days 3 & 4: Email

Hands-On Computer Security & Incident Response – Email Header Analysis (Ryan Chapman)

Email Header Analysis and Forensic Investigation (13Cubed)

Email Forensics Workshop (Metaspike)

Sign up for Blueteamlabs.online and try their free “Phishing Analysis” challenges

Day 5: Wireshark & PCAP Challenge

Wireshark for Incident Response & Threat Hunting Workshop (the lab files are HERE)

Advanced Network Forensics (Netsec Explained)

Do The Malware Traffic Analysis PCAP Challenges on CyberDefenders

Week 3

Day 1: Windows Artifacts

Introduction to Evidence Acquisition by Cyber 5W

NTFS Forensics and the Master File Table (Jonathan Adkins)

Introduction to Windows Forensics (13Cubed) – (start this)

Day 2: Registry Analysis cont.

Introduction to Windows Forensics (13Cubed) – (complete this)

Try the “Hire Me” Windows Forensics Challenge on CyberDefenders

Day 3: Corporate Forensics Tool(s)

Here are some of them:

Encase – Guidance Software YouTube Channel

Axiom – Magnet Forensics YouTube Channel

Paraben – Free Paraben Training Videos

Belkasoft – Belkasoft Video Tutorials

Autopsy – Starting a New Digital Forensics Investigation Case in Autopsy (DFIR Science)

Day 4: Eric Zimmerman Tools

EZ Tools on the SANS Website

Day 5: Memory Analysis Deep Dive

Introduction to Memory Forensics (13Cubed)

Volatility Command Reference

Try Some Challenges:

Week 4

Days 1 & 2: PDF Analysis, Office File Analysis

Getting Started Analyzing Malicious Office Documents (Dr Josh Stroschein)

Analyzing Malicious Office Documents Workshop (presented by Didier Stevens)

Understanding and Analyzing Weaponized Carrier Files (Ryan Chapman)

Analyzing Malicious Documents Cheat Sheet (Lenny Zeltser)

Try the MalDoc Challenges on CyberDefenders

Days 3 & 4: Dynamic & Static PE Analysis

Getting Started with the Portable Executable (PE) File Format (Dr Josh Stroschein)

Malware Analysis Bootcamp (HackerSploit)

Day 5: Sam’s Malware Workshop

Sam’s Malware Workshop

There is also a Malware Noob2Ninja Course by 0xf0x

Go to TryHackMe Hacktivities, select “Show: Free Only” and search for “Malware” for some malware challenges.

Week 5

Day 1: IOCs

What Are Indicators of Compromise Used For?

Indicators of Compromise 101

What are Indicators of Attack (IOAs)?

What is the Traffic Light Protocol?

SANS Webcast – YARA – Effectively Using and Generating Rules

Complete the YARA room on TryHackMe

Complete the Pyramid of Pain room on TryHackMe

Day 2: Threat Hunting

Foundations of Operationalizing MITRE ATT&CK on AttackIQ Academy

Active Countermeasure Threat Hunting Training Course

Day 3: Operationalizing OSINT

Leveraging OSINT for Better DFIR Investigations (SANS)

OSINT Training (Includes Detecting Malicious Domains or IPs with OSINT)

Advanced VirusTotal Tutorial

Go to TryHackMe Hacktivities, select “Show: Free Only” and search for “OSINT”. You will find free challenges for Shodan, Threat Intelligence Tools, Google Dorking, and more.

Day 4: Working Tickets

This is going to vary by company, but if you haven’t started in Incident Response yet, here is a video about TheHive, a free and open-source ticketing system that can be set up in your home lab. Visit TheHive Project at: https://thehive-project.org/

Day 5: Review & Wrap-Up

Writing a Forensics Report by Cyber 5W

Enterprise DFIR: How to conduct a forensic investigation of a compromised employee workstation (bluecapesec)

To test your skills, try more CTFs and Challenges listed here.
For more free training, check out the Free and Affordable Training site. There are over 400 free and affordable training resources listed there with the majority of them related to Digital Forensics & Incident Response.
Additional Resources: