Podcasts
- Podcast - https://darknetdiaries.com/ - Cybersecurity-related podcast, ranging from ethical hacking to interviews with people who have committed cyber crimes. NOTE: The host announces at the beginning of an episode if it contains foul language or potentially sensitive topics.
- Podcast - https://thecyberwire.com/ - Daily podcast
Blogs
- https://krebsonsecurity.com/ - Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators.
- SANS Blog - https://www.sans.org/blog/
- SANS DFIR (Digital Forensics / Incident Response) Blog - https://www.sans.org/digital-forensics-incident-response/
- https://thisweekin4n6.com/
- https://cheeky4n6monkey.blogspot.com/
- https://volatilityfoundation.org/volatility-blog/
- https://arcticwolf.com/resources/blog/
- Black Hills Information Security - Blog: https://www.blackhillsinfosec.com/blog/
Training / Webinars / Organizations
- https://www.antisyphontraining.com/ - Training and summits, many of which are free or low cost. (For some courses they have a "Pay-What-You-Can" approach.) I recommended this course, https://www.antisyphontraining.com/live-courses-catalog/soc-core-skills-w-john-strand/, to a high-school student I knew from church who had an interest in cybersecurity. He thoroughly enjoyed it. They have many one-hour webcasts on a variety of topics that can be very useful. They generally post them on their YouTube channel - https://www.youtube.com/@AntisyphonTraining - after a few weeks.
- Black Hills Information Security - YouTube Channel: https://www.youtube.com/@BlackHillsInformationSecurity
- DFRWS - https://dfrws.org/ - DFRWS is a non-profit, volunteer organization dedicated to bringing together everyone with a legitimate interest in digital forensics to address the emerging challenges of our field. DFRWS organizes digital forensic conferences, challenges, and international collaboration to help drive the direction of research and development.
Career
- Workforce Framework for Cybersecurity (NICE Framework) - https://niccs.cisa.gov/workforce-development/nice-framework - The Workforce Framework for Cybersecurity, commonly referred to as the NICE Framework, is a nationally focused resource to help employers develop their cybersecurity workforce. It establishes a common lexicon that describes cybersecurity work and workers regardless of where or for whom the work is performed. The NICE Framework applies across public, private, and academic sectors.
Reading
- NIST CyberSecurity - https://www.nist.gov/cybersecurity
- NIST Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
- NIST Cybersecurity Framework - https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0
- NIST Risk Management Framework - https://csrc.nist.gov/Projects/risk-management
- NIST Trustworthy Networks Program - https://www.nist.gov/programs-projects/trustworthy-networks-program
Forensics Tools
- Autopsy Digital Forensics - https://www.autopsy.com/ - end-to-end open source digital forensics platform
- FTK Imager - https://www.exterro.com/ftk-imager
- Belkasoft RAM Capturer - https://belkasoft.com/ram-capturer
- Arsenal Image Mounter - https://arsenalrecon.com/products/arsenal-image-mounter (Note: Free vs. Professional modes)
- Volatility - https://github.com/volatilityfoundation/volatility / https://github.com/volatilityfoundation/volatility3
- SIFT - https://www.sans.org/tools/sift-workstation/ / https://github.com/ekristen/cast
- Eric Zimmerman tools - https://ericzimmerman.github.io/
- RegRipper - https://github.com/keydet89/RegRipper3.0 / https://github.com/keydet89/RegRipper4.0
- MemProcFS - https://github.com/ufrisk/MemProcFS - MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system.
- MemProcFS-Analyzer.ps1 - https://github.com/evild3ad/MemProcFS-Analyzer - a PowerShell script utilized to simplify the usage of MemProcFS and to optimize your memory analysis workflow.
- Hayabusa - https://github.com/Yamato-Security/hayabusa - a Windows event log fast forensics timeline generator and threat hunting tool.
- Hayabusa-Rules - https://github.com/Yamato-Security/hayabusa-rules - a repository containing curated sigma rules that detect attacks in Windows event logs.
- Takajo - https://github.com/Yamato-Security/takajo - Takajō (鷹匠), created by Yamato Security, is a fast forensics analyzer for Hayabusa results
- jq - https://github.com/jqlang/jq - jq is a lightweight and flexible command-line JSON processor akin to sed, awk, grep, and friends for JSON data.
- miller - https://github.com/johnkerl/miller - Miller is like awk, sed, cut, join, and sort for data formats such as CSV, TSV, JSON, JSON Lines, and positionally-indexed.
- xsv - https://github.com/BurntSushi/xsv - xsv is a command line program for indexing, slicing, analyzing, splitting and joining CSV files.
- entropy - https://github.com/merces/entropy - a simple command-line tool to calculate the entropy of files.
- capa - https://github.com/mandiant/capa - capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, shellcode file, or a sandbox report and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
- FileAlyzer - https://www.safer-networking.org/products/filealyzer/ - FileAlyzer shows basic file content, a standard hex viewer, and a wide range of customized displays for interpreted complex file structures that help you understand the purpose of a file.
- NirSoft - https://www.nirsoft.net - Many useful utilities.
- Chainsaw - https://github.com/WithSecureLabs/chainsaw - Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and the MFT file. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.
Curated Lists of Tools
- Awesome Malware Analysis - https://github.com/rshipp/awesome-malware-analysis - A curated list of awesome malware analysis tools and resources.
- Awesome Incident Response - https://github.com/meirwah/awesome-incident-response - A curated list of tools and resources for security incident response, aimed to help security analysts and DFIR teams.
- Awesome Forensics - https://github.com/Cugu/awesome-forensics - Curated list of awesome free (mostly open source) forensic analysis tools and resources.
- AboutDFIR - https://aboutdfir.com/ - The Definitive Compendium Project Digital Forensics & Incident Response
- Stark 4N6 - https://start.me/p/q6mw4Q/forensics
Artifacts
- ForensicArtifacts - https://github.com/ForensicArtifacts/artifacts - A free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
LINUX Distributions
- KALI - https://www.kali.org/
- Paladin - https://sumuri.com/software/paladin/ - PALADIN Forensic is a modified “live” Linux distribution based on Ubuntu that simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox. PALADIN is available in 64-bit and 32-bit versions.
- SIFT Workstation - https://www.sans.org/tools/sift-workstation/ - The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. It can match any current incident response and forensic tool suite. SIFT demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
- Parrot Security - https://parrotsec.org/ - Parrot Security provides a huge arsenal of tools, utilities and libraries that IT and security professionals can use to test and assess the security of their assets in a reliable, compliant and reproducible way.
- Tsurugi Linux - https://tsurugi-linux.org/ - a DFIR open source project that is and will be totally free, independent, without involving any commercial brand
- CAINE - https://www.caine-live.net/ - CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
- FLARE-VM - https://github.com/mandiant/flare-vm - A collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a virtual machine (VM).
- CSI Linux - https://hackernoon.com/csi-linux-linux-distribution-for-cyber-and-osint-investigation / http://downloads.csilinux.com/
- REMnux - https://remnux.org/ - REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools.
Forensic Challenges / Samples
- https://www.root-me.org/en/Challenges/Forensic/
- https://dfchallenge.org/
- https://www.cfreds.nist.gov/
- https://www.forensicfocus.com/images-and-challenges
- https://datasets.fbreitinger.de/other-repositories/
- https://www.dfir.training/resources/downloads/ctf-forensic-test-images/more-images
- https://forensics.cert.org/
- https://www.rcfl.gov/image-repository
- Digital Corpora - https://digitalcorpora.org/corpora/disk-images/ - We have many sources of disk images available for use in education and research. The easiest disk images to work with are the NPS Test Disk Images. We also have detailed scenarios that contain multiple disk images. Finally, we have real disk images containing real data from real people; IRB approval is required to work with those disks.
Incident Response
EDR / Endpoint Visibility Tools
- Black Hills Presentation on free EDRs - https://www.blackhillsinfosec.com/wp-content/uploads/2021/03/SLIDES_OpenandFreeEDR.pdf
- Velociraptor - https://github.com/Velocidex/velociraptor - Velociraptor is a tool for collecting host based state information using The Velociraptor Query Language (VQL) queries.
- Wazuh - https://wazuh.com/ - The Wazuh Security Information and Event Management (SIEM) solution provides monitoring, detection, and alerting of security events and incidents.
- OpenEDR - https://edr.comodo.com/
- OSSEC - https://www.ossec.net/about/
- osquery - https://www.osquery.io/
- GRR Rapid Response - https://grr-doc.readthedocs.io/en/v3.2.1/index.html - an incident response framework focused on remote live forensics.
Red Team / Penetration Testing
- Infection Monkey - https://github.com/guardicore/monkey - Infection Monkey is an open-source adversary emulation platform that helps you improve your security posture using empirical data.
- Atomic Red Team - https://atomicredteam.io/ - Atomic Red Team is an open-source library of tests that security teams can use to simulate adversarial activity in their environments.
Sandboxes / Malware analysis
- DRAKVUF Sandbox - https://github.com/CERT-Polska/drakvuf-sandbox/ - an automated black-box malware analysis system with the DRAKVUF engine under the hood, which does not require an agent on the guest OS.
- CAPE - https://github.com/kevoreilly/CAPEv2 - A sandbox is used to execute malicious files in an isolated environment whilst instrumenting their dynamic behaviour and collecting forensic artefacts.
- Panda.re - https://panda-re.mit.edu/ - PANDA is an open-source Platform for Architecture-Neutral Dynamic Analysis. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. PANDA can be controlled from the command line, through our Python package, or even a Jupyter notebook.
- Ghidra - https://ghidra-sre.org/ - A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission
- Thorium - https://github.com/cisagov/thorium - A scalable file analysis and data generation platform that allows users to easily orchestrate arbitrary docker/vm/shell tools at scale.
Python Modules
- Marimo - https://marimo.io/ - marimo is an open-source reactive notebook for Python — reproducible, Git-friendly, AI-native, SQL built-in, executable as a script, shareable as an app.
- Dissect - https://pypi.org/project/dissect/ - Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group). (Docs: https://docs.dissect.tools/en/latest/)