Part 2: Free Training Plan for New (or Aspiring) Incident Responders

If you’re a newer analyst like me and have been trying to cram everything into your brain at once…or if you’re looking at all this free training wondering where to even start (after you have an understanding of the four core categories), I saw this video and attempted to make a free training plan from it.

This is based on Ryan Chapman’s BSidesSF 2019 – Implementing a Kick-Butt Training Program: BLUE TEAM GO! Talk

Check out his GitHub for the PDFs.

Before starting Week 1, I recommend taking Intro to DFIR: The Divide and Conquer Process by Basis Technology

Week 1

Obviously Days 1-3 can’t be done here so I’m skipping to Day 4 & 5.

SIEM Training (This will depend on what SIEM you’re using but you can also practice in a home lab if you’re following this before you get your first IR job)

Splunk – There are Free Splunk Courses by Splunk and a free Splunk Module on the RangeForce Free Community Edition. Sam Bowne also has a Network Security Monitoring course using Splunk. In addition, there is an Introduction to Spunk Workshop by Kenneth Ellington.

IBM QRadar – IBM Has Several Free Training Courses. There are also a lot of QRadar videos on Jose Bravo’s YouTube Channel

SIEM tutorials by I.T Security Labs – There are many tutorials on their YouTube channel for different open-source SIEMs. Set one up, or play around with a few.

Try the Splunk Boss of the SOC Challenges on CyberDefenders.

Week 2

Day 1: Common Protocols and How They Work

• DNS
  • Understand How DNS Works in Depth
  • A Cat Explains DNS
  • How a DNS Server (Domain Name System) Works
• HTTP
  • HTTP Crash Course & Exploration
• TLS
  • Transport Layer Security (TLS)
  • TLS Handshake Explained
  • SSL, TLS, HTTP, HTTPS Explained
• DHCP
  • DHCP Explained – Dynamic Host Configuration Protocol
  • A Cat Explains DHCP
• Email Protocols
  • What is SMTP – Simple Mail Transfer Protocol
  • POP3 vs IMAP – What’s the Difference?
• FTP
  • FTP (File Transfer Protocol), SFTP and TFTP Explained

Day 2: Network Logs

Day 3 & 4: Email

Hands-On Computer Security & Incident Response – Email Header Analysis

Email Header Analysis and Forensic Investigation

Email Forensics Workshop

Day 5: Wireshark & PCAP Challenge

Wireshark for Incident Response & Threat Hunting Workshop the lab files are HERE

Do The Malware Traffic Analysis PCAP Challenges on CyberDefenders

Week 3

Day 1: Windows Artifacts

Introduction to Evidence Acquisition by Cyber 5W

NTFS Forensics and the Master File Table

Introduction to Windows Forensics (start this)

Day 2: Registry Analysis cont.

Introduction to Windows Forensics (complete this)

Try the “CorporateSecrets – Windows Forensics” Challenge on CyberDefenders

Day 3: Corporate Forensics Tool(s)

Here are some of them:

Encase – Guidance Software YouTube Channel

Axiom – Magnet Forensics YouTube Channel

Paraben – Free Paraben Training Videos

Autopsy – How to Start a New Case in Autopsy 4

Day 4: Eric Zimmerman Tools

EZ Tools on the SANS Website

Day 5: Memory Analysis Deep Dive

Introduction to Memory Forensics

Volatility Command Reference

Try Some Challenges:

• Try the Memory Forensics Challenges on CyberDefenders (Ulysses & Banking Troubles)
• MemLabs

Week 4

Days 1 & 2: PDF Analysis, Office File Analysis

Analyzing Malicious Office Documents Presented By Didier Stevens Workshop

Understanding and Analyzing Weaponized Carrier Files

Analyzing Malicious Documents Cheat Sheet

Try the MalDoc101 – Malicious Document Challenge on CyberDefenders

Day 3 and 4: Dynamic & Static PE Analysis

Malware Analysis Bootcamp

Day 5: Sam’s Malware Workshop

Sam’s Malware Workshop

There is also a Malware Noob2Ninja Course by 0xf0x

Go to TryHackMe Hacktivies, Select “Show: Free Only” and do a search for “Malware” for some malware challenges.

Week 5

Day 1: IOCs

What Are Indicators of Compromise Used For?

Indicators of Compromise 101

What are Indicators of Attack? (IOA)?

What is the Traffic Light Protocol?

SANS Webcast – YARA – Effectively Using and Generating Rules

Do the YARA modules on the RangeForce Free Community Edition

Day 2: Threat Hunting

AttackIQ Academy (There is a free MITRE ATT&CK for Dummies ebook and all of their courses are free) Select the MITRE ATT&CK Learning Path for now.

Active Countermeasure Threat Hunting Training Course

Day 3: Operationalizing OSINT

Incident Response: How to Use OSINT

OSINT Training (Includes Detecting Malicious Domains or IPs with OSINT)

Advanced VirusTotal Tutorial

Day 4: Working Tickets

This is going to vary by company, but if you haven’t started in Incident Response yet, here is a video about The Hive, a free and open-source ticketing system that can be set up in your home lab.

Day 5: Review & Wrap-Up

Writing a Forensics Report by Cyber 5W

For more hands-on learning, sign up for the Free Community Edition of RangeForce and work through the SOC Module. There is also a Microsoft Module with Windows Event Logs.

To put it all together, go through The Case of the Stolen Szechuan Sauce on DFIR Madness.

To test your skills, try the CTFs and Challenges listed here.

Additional Resources:

• Free Resources for Incident Response Professionals
• SANS DFIR Cheat Sheets
• SANS DFIR Posters
• Incident Response Playbook Gallery
• Open Source YARA Rules
• Free and Affordable DFIR Training