Looking through some books, courses for SG ideas. Guiding ideas:
- target delivery: four weeks, twice a week ... or break into chunks
- Building data models and heuristics, good process, demo tools and techniques (in that order)
- supplement individual education plans, not job training
- need a book or major reference, don't write a course
Books:
- HC's WFA3 : response and investigation of windows systems
  - -10: F word
  - -10: very host based
  - -10: no labs built in: would have to find/make some from corpus/CTFs
  - Ch3 on memory analysis .. is dated and crunchy, would have to sub in
  - Ch2 on triage analysis has some good process, illustrated with his tools
  - threat investigation perspective intros windows EP data and leads towards internals
  - defines and demonstrates hundreds of important concepts eg: Registry, ADS, PE, DLL, EVTX
- CS, et al : ANSM
  - -20: leadership needs it, not analysts
  - -10: and then engineering (C/D), intel, need it, not analysis (A)
  - +10: lots of great definitions and terms, like: friendly intelligence, canary honeypots
- PMA => LLMW
  - +25: excellent introductions to PE, Windows APIs
  - -10: only going to use 4? chapters of a huge expensive ($60/800 pp) book
  - -5: labs are dated, may need 32bit or XP
- HC1
  - -10: 20 text labs w/ no files
  - +10: would force discussion and de-emphasize tools
- PPA2/3 / Wireshark 101
  - +25: Packets available: http://chrissanders.org/ppa/ppa2ecaptures.zip
  - PPA3 available March
  - All packets, no flows, logs or other datatypes
  - Not security analysis specific, though certainly some great security content
- AoMF
  - 100pp on intro to OS and volatility, 460pp of Windows memory (200 linux, 100 mac building off that)
  - everything Pavel covers in WI of any interest, from a DFIR perspective
  - full technical detail including memory, disk, file structures
- MZ: TTW => RtW
  - Part 1 only: -10: only going to use 1/3 of an expensive ($50/320 pp) book
  - best introduction to web technologies (and their troubled history)
OST.info courses:
- HTID : is an attack techniques class, compares poorly to 504
- Flow & Hunting : many tool details, only the last section looks interesting / doesn't overlap with 503
- PCAP & Hunting: relies on ChopShop tool, no files available
- MDA: a PMA-along class, videos have terrible audio quality
Pluralsight courses:
- EH program
- Pavel
- Sec+, CASP, CCNA, CISSP? prep courses
Cybrary courses:
- 6 courses: https://www.cybrary.it/learning-path/entry-level-cyber-security-analyst .. a bit like 301/401
- EH prep, etc
Odder ideas:
- Sec+ prep
- HC : Hacker's Challenge (1 2 3)
- TMSA
- Scripting (Python/sh/ps)
BBs:
- attack/analysis lab build workshop
- intro to yara ?
- mta Thursdays
- https://app.pluralsight.com/library/courses/information-security-big-picture/table-of-contents
- debugging