Reddit reviews Incident Response & Computer Forensics, Third Edition

This is your curriculum:

1 & 2 below are basically required reading in my CSIRT; 3 is optional, but advisable.

1. The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich
   
   
2. Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan by Jeff Bollinger, Matthew Valites, and Brandon Enright
   
   
3. Incident Response & Computer Forensics, Third Edition by Jason Luttgens, Matthew Pepe, & Kevin Mandia will shore up any other gaps.
   
   Next get yourself and/or your organization to participate in FIRST

Read this book front to back, if you don’t understand something ask on reddit/twitter. Use the second link to find training images and the tools to analysis them for active training. Bury your nose in this and you’ll land a job within 6 months, even at a firm like Mandiant (the book was coauthored by the founder).

https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684

https://www.dfir.training/

There are a ton of different things you can do on the defensive side. The path here is a bit less defined because you can specialize in each of these areas with out ever really touching the other ones. But I think these are the most important skills as a defender, so I’ll break it up into three smaller chunks. For the most part, defender/Blue-team concepts draw from these skills, I’ve setup the courses in order, as some of these skills may feed into other areas.


IR:

• Computer Forensics and IR - This is the hole grail of IR. Written by the best in the business, a great start to the world of IR and Forensics
  
  
• Network Analysis. SOC-based 1-day course (Includes slides and labs)
  
  
• Hacking Techniques and Intrusion Detection - 5-6 day course
  
  
• PCAP analysis and Network Hunting - 2 day course
  
  
• Blue Team Field Manual
  
  
  Forensics:
  
  
• Network Forensics - 2 day course
  
  
• File System Forensics
  
  
• Windows 8 Forensics
  
  
• Registry Forensics
  
  
• Memory Forensics
  
  
• 13 Cubed Youtube Series
  
  
• Advanced Network Forensics - SANS ( meaning If you can get someone else to pay for it, SANS courses are expensive)
  
  
• Overall Cheatsheet/Forensics knowledge dump
  
  
• Now, you’re ready for the CHFI Certification
  
  Reverse Engineering (Dynamic and Static):
  
  
• Practical Malware Analysis
  
  
• Malware Unicorn (Awesome RE, has an awesome blog and some good intro training)
  
  
• Malware Analyst’s cookbook
  
  
• IDA Pro Book
  
  
• Intro to Reverse Engineering - 2 day course
  
  
• Malware Dynamic Analysis - 3 day course
  
  
• SANS*** GREM Certification
  
  I know there’s not a lot of certs here, and unfortunately, that’s how it is across the blue team. Certs here are usually very vendor-specific, and not applicable to defense as a whole. Those certifications exist, but I’m not listing them here.
  
  If people are interested, I can also do a similar write-up on Mobile Forensics and Cloud Forensics (which is my direct background).
  
  Lastly, here are some of my favorite news sources across the InfoSec community -
  
  News Sources
  
  
• Ars Technica
  
  
• InfoSecurity Magazine
  
  
• Security Weekly
  
  
• Iron Geek
  
  
• Krebs on Security
  
  
• reddit.com/r/netsec
  
  
• reddit.com/r/netsecstudents
  
  
• reddit.com/r/asknetsec
  
  
• reddit.com/r/computerforensics

Every practitioner has his/her favourite toolset but try not to limit yourself to any one tool (appreciate that your company isn't going to buy more than one platform at this stage for you). Learn EnCase by all means and go for your ENCE, practically all job adverts ask for either ENCE or ACE but aren't usually fussy about which. The reality is if you can evidence that you can use EnCase, FTK, or X-ways to a good professional level, if you are being interviewed by a practitioner they should understand that it wouldn't be a huge leap to learn another toolset. Ultimately, they all do a similar job in slightly different ways. My personal preference is for FTK, then X-ways, and lastly EnCase (too many wasted hours/days getting back to where I was when it crashed out on me back in the day).

Ultimately more important than any tool or cert is going to be proving that you have a proper, deep understanding of CF principles, filesystems and so forth, know your hardware and are confident pulling things apart to image them and all that good stuff. Get yourself a book or three such as https://www.amazon.co.uk/Incident-Response-Computer-Forensics-Third/dp/0071798684 and think about answers to questions that a good interviewer will ask you - tell me how you would evidence that this user did a certain thing, show me where you would look for this particular file and what its significance might be, explain to me when/how this data got deleted etc. If you become a practitioner, these are the sorts of questions that will get thrown at you on a daily basis, sometimes by opposing counsel, and you will want to have the answers in your back pocket.

Good luck with your study. This is an awesome industry to get into...

This

This book is also given out in the class.

Source: Multiple Co-workers took the course recently.