Let me be clear about the intention of this “guide”:
This is NOT an exhaustive, start-to-finish guide on the entire topic of information security. This is simply a compilation of the various resources I have used over the past years to supplement/grow my knowledge. The intention is to grow this guide as I complete my consumption of additional resources. I don't want to add potential future resources in here, or make vague recommendations. I want to include the resources I have consumed and that I believe to have been at least partially fundamental to my current knowledge and skillset.
It should be noted, though, that aside from the resources listed here I have the benefit of years of on-the-job experience and conversations with groups and individuals on Twitter, IRC, Discord, forums, etc. Those things cannot necessarily be measured, and thus to a certain degree the resources I have herein compiled—many of which I gleaned from the aforementioned conversations—are lacking context.
Nevertheless, it is my hope that this small guide will provide a sort of prioritization or organization of resources for different areas related to infosec. Oftentimes newcomers are uncertain of where they want to end up in security. When they ask for guidance, they are met with some variation of the response, “Do you even know where you want to end up in security? It's a big field. Come back to us when you have a more specific idea of what you want.” I take issue with this response.
I am 31 years old as of writing this sentence. Only six months ago did I realize specifically where I want to end up in information security. I found this only by dabbling with and discussing the various sections presented in this guide over many years. When newcomers are turned away with the response I wrote above, those who turn them away seem to forget that the very issue itself is that security is a wide field. Large, too, is the Internet itself, as are the ever-growing troves of resources available to would-be security practitioners. Rather than expect every newcomer to turn around and meander aimlessly from place to place, assuming they won't grow weary or overwhelmed by the monumental task of picking the direction they want to go, why can't we provide them with a “security sample platter”, as it were? That, in the end, is the true goal of this guide.
Please, let me know your thoughts and experiences with using this guide. I will grow it the best I can over time, and perhaps one day evolve it to account for the experiences of others, but for now this is what I can present to you, the reader. May it serve you well in your foray into the world of information security.
Over the years I have collected a couple hundred blog and feed sources in my Feedly account. I periodically export my .OPML file from Feedly so that I can host a copy on my own blog for others to download and import. I strongly credit my success in security learning and work to my voracious appetite for reading.
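As an added example that is not part of the original post, here is a small Python script that reads an OPML export like the one described above, flattens the reader's folders into a feed list, drops duplicate subscriptions, and flags any feed that is still fetched over plain HTTP. The OPML embedded in it is a constructed sample in the shape Feedly and most readers export; the feed names and URLs are placeholders.

```python
"""Parse an OPML feed export and audit the feeds it lists.

Added example (not code from the original post). SAMPLE_OPML is a
constructed document in the shape most feed readers export; the feed
names and URLs in it are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMPLE_OPML = """<?xml version="1.0"?>
<opml version="1.0">
  <head><title>Example subscriptions</title></head>
  <body>
    <outline text="Malware Analysis" title="Malware Analysis">
      <outline type="rss" text="Example Feed A" title="Example Feed A"
               xmlUrl="https://feed-a.example/rss" htmlUrl="https://feed-a.example/"/>
      <outline type="rss" text="Example Feed B" title="Example Feed B"
               xmlUrl="http://feed-b.example/feed" htmlUrl="http://feed-b.example/"/>
    </outline>
    <outline text="DFIR" title="DFIR">
      <outline type="rss" text="Example Feed A (again)" title="Example Feed A (again)"
               xmlUrl="https://feed-a.example/rss"/>
    </outline>
  </body>
</opml>
"""


@dataclass(frozen=True)
class Feed:
    category: str
    title: str
    xml_url: str
    html_url: Optional[str]


def parse_opml(text: str) -> List[Feed]:
    """Return every feed outline in document order, tagged with its parent folder.

    OPML nests <outline> elements: an outline carrying xmlUrl is a feed, and an
    outline without one is treated as a folder. xml.etree is fine for your own
    export; for OPML from a source you do not control, parse with defusedxml
    instead so that entity-expansion tricks cannot blow up the parser.
    """
    root = ET.fromstring(text)
    body = root.find("body")
    if body is None:
        raise ValueError("not an OPML document: missing <body>")
    feeds: List[Feed] = []

    def walk(node: ET.Element, category: str) -> None:
        for child in node.findall("outline"):
            label = child.get("title") or child.get("text") or ""
            xml_url = child.get("xmlUrl")
            if xml_url:
                feeds.append(Feed(category, label or xml_url, xml_url, child.get("htmlUrl")))
            else:
                walk(child, label or category)

    walk(body, "Uncategorized")
    return feeds


def dedupe_feeds(feeds: List[Feed]) -> List[Feed]:
    """Drop repeated subscriptions, keeping the first occurrence of each feed URL."""
    seen = set()
    unique: List[Feed] = []
    for feed in feeds:
        key = feed.xml_url.strip().lower()
        if key not in seen:
            seen.add(key)
            unique.append(feed)
    return unique


def insecure_feeds(feeds: List[Feed]) -> List[Feed]:
    """Feeds fetched over anything other than HTTPS.

    A reader polling these from an untrusted network receives unauthenticated
    content, so they are worth migrating or removing before sharing the list.
    """
    return [f for f in feeds if urlsplit(f.xml_url).scheme.lower() != "https"]


if __name__ == "__main__":
    all_feeds = parse_opml(SAMPLE_OPML)
    unique = dedupe_feeds(all_feeds)
    print(f"{len(all_feeds)} outlines, {len(unique)} unique feeds")
    for feed in unique:
        print(f"[{feed.category}] {feed.title}: {feed.xml_url}")
    for feed in insecure_feeds(unique):
        print(f"WARNING: {feed.title} is fetched over {urlsplit(feed.xml_url).scheme}")
```

Run it against a real export by replacing SAMPLE_OPML with the file's contents; the category of a feed is whatever folder it sits in, so feeds at the top level land in "Uncategorized".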
While I have only ever submitted one bug bounty report in my career, the concepts behind bug bounty hunting are not entirely foreign, especially considering they overlap fairly strongly with offsec and OSINT concepts.
• LiveOverflow - This may be the first channel I discovered that focuses on techniques often used in bug bounty hunting, and it remains the most definitive. Frequently updated, it covers a wide variety of content, from individual techniques to CTF explanations, and all of it is high quality.
• PwnFunction - A channel that is very similar in topic, feel, and even aesthetic to LiveOverflow. Sadly, this channel has little content and is not frequently updated.
• STÖK - With both a massive personality and standing in the bug bounty world, STÖK's channel is frequently updated and features a massive library of high quality content.
While certifications are an oft-debated topic in the information security world, I continue to obtain them through work. Certifications may not be the best way to gain knowledge, but depending upon the skill/knowledge/experience level and learning style of the person studying for them, they may be a fast track to putting someone in a desirable position as a candidate trying to either break into or move throughout the industry.
I have listed below the certifications I have obtained or am working toward thus far, as well as the resources I used to study for them (which may be out of date, so look for the modern equivalent)—minus, unfortunately, any resources I was able to access through work-provided training programs.
A large portion of my work centers around ensuring that organizations are compliant with one or more frameworks. Below I have included the frameworks that I work with in my role, along with links to the current, official copies of documentation for each one.
• NIST SP 800-171:
• Title 23 NYCRR Part 500:
• Colorado Consumer Protection Act:
• NY Shield Act:
• NY EDUC § 2-d:
• CTPAT MSC:
General incident response is both a part of my current job duties and the reason I got my position in the first place. However, actual, legitimate DFIR is beyond what I am equipped or expected to provide in my current position. Nevertheless, below are the scant resources related to the topic that I have enjoyed enough to include.
• Hexacorn - There are a ton of great entries on this frequently-updated blog, but perhaps my favorites are those in the long-running "Beyond good ol’ Run key" series.
• Windows Incident Response - Run by the venerable Harlan Carvey (author of some definitive books on DFIR), this blog is updated at a healthy cadence and offers some thought-provoking and informative pieces on the state of DFIR as it is and could be.
• NIST SP 800-61r2 - The “Computer Security Incident Handling Guide” is the base upon which several other case-specific guides build. It provides a framework for organizations to build out their incident response capabilities.
• NIST SP 800-86 - The “Guide to Integrating Forensic Techniques into Incident Response" builds upon the framework laid out in NIST SP 800-61r2, diving into forensic-specific topics and challenges.
• NIST SP 800-83 - The "Guide to Malware Incident Prevention and Handling for Desktops and Laptops" builds upon the framework laid out in NIST SP 800-61r2, diving into malware-specific topics and challenges.
• NIST SP 800-101 - The "Guidelines on Mobile Device Forensics" covers a handful of topics expediently while still attempting to provide some usable takeaways in the ever-more relevant field of mobile device forensics.
Malware analysis is a storied and scientific art. Between dynamic and static analysis, there are descending and ascending layers of complexity... and that's just the stuff that is strictly categorized as “malware analysis”. To that end, I've included below my humble list of resources that have granted me my passing skills in malware analysis, which should serve you well in dealing with day-to-day malicious activity, though not, perhaps, actual, 9-5 malware analysis work.
• Malware-Traffic-Analysis - Run by Brad Duncan of the SANS Internet Storm Center, this site offers packet captures containing malicious traffic that can be downloaded and examined to practice identifying and working with .PCAP files.
• OpenSecurityTraining - While not the highest quality videos (and they are also outdated in terms of the technology used during demonstrations), I learned most of what I know about basic dynamic analysis from this channel.
• OALabs - Quite possibly the best malware analysis channel on YouTube. Excellent walkthroughs on debugging malware, dumping things in-memory, etc.
• Hasherezade - While not updated as frequently as other channels, Hasherezade's channel has some great videos that are similar in nature to OALabs. Hasherezade has also authored several tools, such as pe-sieve and pe-bear.
• MalwareAnalysisForHedgehogs - Again, while not regularly updated, Karsten's channel features analysis videos similar in nature to Hasherezade's.
I am not a red teamer, a pentester, or a black hat. Let's make sure we're clear about that straight away. That having been said, I have endeavored to increase my skills in offensive security enough to understand what attackers might do should they target organizations I am protecting and/or analyzing. The list below is a good start toward a strong foundation in offsec.
• HackTheBox - HackTheBox possibly propelled my offensive security skills forward more than any other resource. It is a site that offers a VPN connection to the HackTheBox network. Once connected, users select "boxes" (which may be easy, medium, hard, or insane difficulty and may run a variety of operating systems) that they activate, then attempt to capture both a low-privilege user flag and an elevated admin/root flag. The site also offers challenges in a variety of categories (steganography, cryptography, reverse engineering, etc.). Two notes: first, you have to solve the registration challenge to create an account; second, I highly recommend paying for VIP, which makes your experience more stable and gives you access to retired boxes. Also, I suggest you write up each of your solutions to boxes and challenges. Even if you don't plan to publish them, it's a good way to solidify your knowledge and practice writing reports.
• OverTheWire - OverTheWire offers a number of console/terminal based games over SSH. At a minimum, I recommend completing Bandit. While not directly related to security, having a solid grasp of the Linux terminal has served me immeasurably during my time learning offensive security.
• PortSwigger Web Security Academy - If you do any work in web app security, you're going to end up using Burp. It's nearly an absolute certainty. The makers of Burp have created a series of written lessons, research posts, and labs for learning web application security testing concepts. Definitely a great resource, though if you are diving in here with no background in offensive security you may find it lacking in directions/context.
• 0xdf - This is by far my favorite blog for HackTheBox write-ups. It is well-formatted, well-written, informative but not overly verbose, and so on.
• 0xrick - Yet another great blog for HackTheBox write-ups, though not as frequently updated as of late.
• Rawsec - The most recent blog I've discovered covering HackTheBox write-ups. Cleanly written, updated constantly, and has an excellent tools compendium that is often linked to from within posts.
• IppSec - I do not think I would have completed a single box on HackTheBox if I hadn't started watching IppSec's videos. While video as a format can be harder to reference for some, I find a combination of written and video HackTheBox guides to be optimal for my information absorption and understanding.
• CTFtime - CTFtime is an online portal that lists upcoming CTFs of multiple varieties. It can be a good place to find competitions to test and hone your skills.
These days, OSINT is the main area of my focus in both studying and personal projects. OSINT, as it turns out, is a huge field. Beyond the named intelligence disciplines, such as SOCMINT, HUMINT, GEOINT, etc., almost anything can be intelligence, so the methods, tools, etc. are innumerable. That having been said, the below resources are the common, more generic resources I have used thus far.
• Sourcing.Games - This site contains an impressive collection of levels that themselves contain multiple tasks for sourcing information. A wide variety of skills are tested here. Excellent for someone seeking a well-rounded approach to testing themselves.
• Geoguessr - While not strictly OSINT-focused, Geoguessr is an excellent platform for testing GEOINT skills. Plus, it's just downright fun to play. Your approach may vary, but I personally play in two modes: the Daily Challenge, which gives you 3 minutes per stage across 5 stages and complete freedom to move, and still image modes that give you unlimited time but zero ability to move. The former develops attention to detail and prioritization in a short window of time, and the latter challenges you to dive deep and spend effort on an image that may offer only the most subtle of clues.
• Quiztime - A group of OSINT and OSINT-adjacent individuals who post a picture (almost) every weekday along with a challenge, (e.g. “Where was this photo taken?”, “Which train is in the background?”, “What time of day was this photo taken?”). The quality and difficulty levels may vary here, but it's great to collaborate, discuss with the poster, and review how other people found the answer.
• TraceLabs - My first introduction to TraceLabs (and actually practicing OSINT for real) was their CTF events, in which teams compete to find intel on real missing person cases. The data from the CTF is sent to the appropriate organizations to then hopefully further those cases. TraceLabs also has ongoing, rotating operations that they run via Slack and Trello. Again, the intel gathered for these missing persons cases is sent off to the appropriate parties periodically.
• Robert Folker - While not specifically OSINT, Robert's three Intelligence Analyst classes are beyond anything you could hope for quality-wise, and Robert himself is as credentialed an instructor as you can get. These classes will help you develop a mental toolkit for approaching data, combating your biases, and applying logical thinking. The courses are not cheap, but wait around for one of Udemy's infamous “sales”, and you can grab all three courses for approximately $30.
• Verification Handbook - Another item that is not strictly OSINT, but for a quick read full of tools, real world case studies, and advice from dozens of people actively working in the field, it is an excellent resource.
• Open Source Intelligence Methods and Tools - A Practical Guide to Online Intelligence - A large book full of specific techniques and tools. I don't have anything to compare it to at this moment, such as something more well-known like Bazzell's book, but thus far it has been a good source of information.
Probably one of the earliest formats via which I began consuming security information, podcasts are an excellent supplement/alternative to traditional blog posts. Though not for everyone, in the right setting (during a commute, as background audio while working on a less cognitively demanding task, etc.) podcasts can provide a reliable way to keep up with the latest infosec news or hear fascinating stories. Here I have included the podcasts I've listened to frequently enough to consider them “formative” influences.
• Darknet Diaries - Driven by the insanely talented Jack Rhysider, this podcast explores true stories “from the dark side of the Internet.” Jack has covered everything from the DigiNotar hack to the fall of Mt. Gox, as well as interviewed dozens of personalities both new and long-established, famous and less well-known.
• Malicious Life - Narrated by the fantastic Ran Levi, Malicious Life has a very similar feel to Darknet Diaries. In fact, they have done some crossover work on each other's podcasts. Between the two of them, they are tied for my favorite podcast.
• OSINTCurious - As mentioned in the OSINT subnode, OSINTCurious runs an excellent, frequently-updated podcast featuring both regular and rotating members. They cover everything from recent developments in OSINT, examples of OSINT in the news, new tools/tricks that have just been discovered, upcoming conferences, etc.
• Security Now - The first podcast I ever listened to was Security Now. It is a veteran program (as in the show launched in 2005) that covers, with great detail, the latest news in security, malware, vulnerabilities, etc.
• Smashing Security - When Graham Cluley departed from Naked Security, I admit that I was saddened, as I always enjoyed his contributions. However, given how hilarious and informative the Smashing Security podcast is (with equal credit given to the incredible Carole Theriault), I'd say it was worth it in the end.
• Kaspersky's Transatlantic Cable Podcast - A generally shorter format podcast, but packed with all the relevant news and plenty of humor.
Whether it be for auditing or for internal blue team work, risk assessment and management is a huge part of security. As anyone with experience in the field will tell you, there are a wide variety of ways an organization can spend its money and time in the pursuit of greater security. Without the guidance of a risk assessment, determining where to spend time and money is, at best, an educated guess.
This is where I spend the majority of my time professionally, so I hope these resources give you a baseline understanding of what it takes to put together a model for risk assessment (gathering the data for the assessment is a whole other game altogether!).
• NIST SP 800-30 - The “Guide for Conducting Risk Assessments” is the basis upon which I perform all of my work. The basic concepts of enumerating threat events, threat sources, impact, likelihood, vulnerabilities, and controls in order to calculate risk per threat event are presented here.
• NIST Cybersecurity Framework - Coupled with NIST SP 800-53, the Cybersecurity Framework provides a series of basic categories and controls that every organization should review and implement as appropriate in their environment.
• NIST SP 800-53 - “Security and Privacy Controls for Federal Information Systems and Organizations”, when coupled with the Cybersecurity Framework, provides a more detailed collection of categories and controls that every organization should review and implement as appropriate in their environment.
• MITRE Cyber Prep - On top of the above-listed resources, Cyber Prep provides a means of adding context to how risk is defined and, therefore, to the assessment process.