Over the years, I’ve been asked what books and/or websites I’d recommend to those getting into the field of cyber security, focusing on malware analysis and incident response. While it’s hard to beat “on the job experience”, other materials such as hands-on labs, capture the flag events, books and other free online resources are a great start. Of course, reading a book is only good if you enjoy the topic ;).
I’ve broken down the topics below based on category. I highly recommend working through the labs and rereading any chapters that need additional clarification.
- Incident Response & Computer Forensics, Third Edition
- Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
- The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
- Red Team Field Manual
If your goal is to work in the IR field (or maybe you already do), the first book is a must read. Not only does it cover the key forensic artifacts, it also does a great job of laying out incident response methodology. I’ve had to revisit this book several times because of how much ground it covers. While it does touch on cross-platform topics, I recommend reading the books under the “specialized” category below to gain further insight into OS internals. The second book, “Windows Registry Forensics”, is also a must read, alongside hands-on use of RegRipper. Since Windows is still the most prevalent operating system analyzed by investigators, understanding Windows and the Windows registry is essential. RegRipper does take much of the pain out of parsing complex registry artifacts, but I highly recommend understanding how the registry works and its underlying data structures, so you can verify a tool’s output and handle keys its plugins don’t cover.
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
- Reversing: Secrets of Reverse Engineering
- Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
- The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
The first book, “Practical Malware Analysis” or “PMA”, is a great resource for someone new to Windows malware. The chapters build upon each other, and the labs at the end of each chapter use relevant samples to reinforce the tools and analysis methodology that chapter covered. (Don’t forget to check out Appendix A, Common Windows Functions.) I’ve also included two other books, “Reversing” and “Learning Malware Analysis”, as supplemental resources to read after you complete PMA. While on the topic of malware, be sure to study scripting languages, starting with PowerShell, since so much post-exploitation tooling is written in it. Lastly, give “The Shellcoder’s Handbook” a read: offensive frameworks such as Metasploit, PowerSploit, PowerShell Empire and Cobalt Strike lean heavily on shellcode, and the PowerShell-based ones typically load it from within a script. A great way to get started analyzing shellcode is to set up Metasploit, build a few payloads with msfvenom, and work through them manually in a disassembler of your choice.
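One thing you will notice as soon as you open a Metasploit Windows payload in a disassembler is that it never imports APIs by name: it pushes a 32-bit constant and does `call ebp`, and the `block_api` stub walks the PEB module list hashing each module name and export name until the sum matches. Reproducing that hash lets you label those constants as you read. The script below is an added example for this post, not code from Metasploit or any of the books above; it reimplements the ROR13 hash as the stub computes it, the `KNOWN_APIS` table is a small starter list you would extend, and the `SAMPLE` bytes are a constructed stand-in rather than a captured payload.

```python
"""Label the ROR13 API hashes that Metasploit-style Windows shellcode pushes.

The block_api stub hashes each loaded module's BaseDllName (upper-cased,
UTF-16LE, null terminator included because the stub uses MaximumLength)
and each export name (ASCII, null byte included) with a rotate-right-13
accumulator, then compares the 32-bit sum of the two against the
constant the payload pushed before `call ebp`.
"""
import struct
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits (what `ror edi, 13` does)."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def hash_bytes(data: bytes) -> int:
    """Accumulate ror13 then add, one byte at a time, as the stub's loop does."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def api_hash(module: str, function: str) -> int:
    """Hash of module!function as block_api resolves it,
    e.g. 0x0726774C for kernel32.dll!LoadLibraryA."""
    mod = (module.upper() + "\x00").encode("utf-16-le")
    fn = (function + "\x00").encode("ascii")
    return (hash_bytes(mod) + hash_bytes(fn)) & MASK32


# Lookup table built at import time. Extend it with the module/export
# pairs you expect in the payload family you are looking at.
KNOWN_APIS: List[Tuple[str, str]] = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "ExitProcess"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "CreateProcessA"),
    ("kernel32.dll", "WaitForSingleObject"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
]
HASH_TABLE: Dict[int, str] = {api_hash(m, f): f"{m}!{f}" for m, f in KNOWN_APIS}


def find_pushed_hashes(code: bytes) -> List[Tuple[int, int, str]]:
    """Triage heuristic: locate `push imm32` (opcode 0x68) and label any
    immediate that matches a known hash; unknown immediates get "?".
    A raw byte scan will also hit 0x68 bytes inside other instructions
    or data, so confirm each hit in a disassembler."""
    hits = []
    for off in range(len(code) - 4):
        if code[off] == 0x68:
            imm = struct.unpack_from("<I", code, off + 1)[0]
            hits.append((off, imm, HASH_TABLE.get(imm, "?")))
    return hits


# Constructed sample, not a captured payload: two block_api style calls
# (`push hash; call ebp`) around a push of a value that is not a hash.
SAMPLE = (
    b"\x68\x4c\x77\x26\x07"  # push 0x0726774C
    b"\xff\xd5"              # call ebp
    b"\x68\x41\x41\x41\x41"  # push 0x41414141
    b"\x68\xf0\xb5\xa2\x56"  # push 0x56A2B5F0
    b"\xff\xd5"              # call ebp
)

if __name__ == "__main__":
    for off, imm, label in find_pushed_hashes(SAMPLE):
        print(f"{off:#06x}: push {imm:#010x}  -> {label}")
```

Run it against the raw bytes of an msfvenom payload and the two `call ebp` sites above resolve to kernel32.dll!LoadLibraryA and kernel32.dll!ExitProcess while the 0x41414141 push stays unlabeled. The x64 stubs use the same hash but load it with `mov r10d, imm32` instead of a push, so the scanner needs a different opcode pattern there; the point of the exercise is that once you have the hash function, every constant in the payload becomes readable.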
- Hacking: The Art of Exploitation, 2nd Edition
- What Makes It Page?: The Windows 7 (x64) Virtual Memory Manager
- File System Forensic Analysis
- Windows Internals
- MacOS and iOS Internals
- Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides
Once you’ve powered through the books in the previous categories, we dig into more specialized topics covering Windows, Linux and macOS. In my opinion, Linux is by far the easiest operating system to understand, while macOS and Windows are vastly more complex, mainly due to their proprietary nature. I recommend starting with the specialized Windows books first, then moving on to macOS and lastly Linux.
- The Go Programming Language (Addison-Wesley Professional Computing Series)
- Head First Python: A Brain-Friendly Guide
Learning to code, and specifically to automate mundane tasks, is one of the most rewarding skills you can develop. In the world of incident response, time is usually heavily constrained. If you can automate something simple and repetitive (say, parsing NTUSER.DAT or the $MFT) into a format you can rapidly ingest from multiple systems at once, you’ll have more time for analysis and will reach root cause that much quicker. Automation also comes in handy for administrative tasks such as marking hosts for analysis, detonating malware samples, or parsing detonation reports from various sandboxes. My general rule of thumb for automation is “if you have to repeat the task more than X times, or you find yourself using copy/paste, it’s time to automate it”. No code is perfect: start small, fail fast and keep evolving it. As a personal preference, I lean toward Go over Python when writing applications for production, and use Python when I want to script something up rapidly.
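As a concrete instance of the $MFT case, here is the parsing step written out as an added example for this post (it is not tooling from any of the books above): it applies the NTFS update-sequence fixups, reads the FILE record header and flattens the resident $FILE_NAME attribute into one row per record, which is the shape you would bulk-load from many hosts. The sample record is constructed inside the script; the offsets are the standard on-disk NTFS 3.1 layout, and everything beyond $FILE_NAME (attribute lists, non-resident attributes, $STANDARD_INFORMATION) is deliberately left out.

```python
"""Flatten NTFS $MFT FILE records into rows: fixups, header, $FILE_NAME."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

RECORD_SIZE, SECTOR_SIZE = 1024, 512
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def apply_fixups(record: bytes) -> bytes:
    """Undo update-sequence protection: on disk the last two bytes of each
    sector hold the update sequence number (USN) and the real bytes sit in
    the update sequence array (USA). A USN mismatch means a torn write or
    the wrong record size, so refuse to parse rather than emit garbage."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_file_name(content: bytes) -> Dict[str, object]:
    """Decode a resident $FILE_NAME body (parent ref, four timestamps, name)."""
    (parent, created, modified, mft_modified, accessed, _alloc, real_size,
     flags, _reparse, name_len, namespace) = struct.unpack_from("<7QIIBB", content)
    return {
        "name": content[0x42:0x42 + 2 * name_len].decode("utf-16-le"),
        "namespace": namespace,  # 1 = Win32, 2 = DOS 8.3, 3 = both
        "parent_record": parent & 0xFFFFFFFFFFFF, "parent_sequence": parent >> 48,
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "mft_modified": filetime_to_datetime(mft_modified),
        "accessed": filetime_to_datetime(accessed),
        "real_size": real_size, "file_flags": flags,
    }


def parse_mft_record(raw: bytes) -> Optional[Dict[str, object]]:
    """One FILE record -> flat dict; None for unused or 'BAAD' slots."""
    if raw[:4] != b"FILE":
        return None
    rec = apply_fixups(raw)
    seq, links, first_attr, flags, used, _alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    row: Dict[str, object] = {
        "record": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq,
        "links": links, "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
    }
    off = first_attr
    while off + 8 <= used:
        attr_type, attr_len = struct.unpack_from("<II", rec, off)
        if attr_type == ATTR_END or attr_len == 0:
            break
        if attr_type == ATTR_FILE_NAME and rec[off + 8] == 0:  # resident only
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            fn = parse_file_name(rec[off + coff:off + coff + clen])
            if "name" not in row or fn["namespace"] != 2:  # prefer long name over 8.3
                row.update(fn)
        off += attr_len
    return row


def build_sample_record(name: str, number: int, parent: int, created: datetime,
                        usn: int = 0x0007) -> bytes:
    """Constructed test record (not from a real volume): header, one
    $FILE_NAME, end marker, then fixups applied as the driver does on write."""
    ft = datetime_to_filetime(created)
    body = struct.pack("<7QIIBB", (5 << 48) | parent, ft, ft, ft, ft, 0, 0,
                       0x20, 0, len(name), 1) + name.encode("utf-16-le")
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 0, 0, 0, 0x18, 0, 2,
                       len(body), 0x18, 1, 0) + body
    attr += b"\x00" * (-len(attr) % 8)  # attributes are 8-byte aligned
    attr = attr[:4] + struct.pack("<I", len(attr)) + attr[8:]
    used = 0x38 + len(attr) + 8
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 3, 1, 0x38, 1,
                                used, RECORD_SIZE, 0, 3, 0, number)
    rec = bytearray(hdr + struct.pack("<H", usn) + b"\x00" * 6 + attr
                    + struct.pack("<I", ATTR_END))
    rec += b"\x00" * (RECORD_SIZE - len(rec))
    for i in (1, 2):  # stash each sector's last word in the USA, overwrite with USN
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = struct.pack("<H", usn)
    return bytes(rec)


SAMPLE_RECORD = build_sample_record("evil.exe", 1234, 5,
                                    datetime(2019, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(parse_mft_record(SAMPLE_RECORD))
```

To run it over a real extracted $MFT, read the file in 1024-byte slices and feed each one to `parse_mft_record`, writing the dicts out as CSV or JSON lines with a host column added; the fixup check is what keeps a torn or mis-sized record from silently producing a plausible-looking but wrong filename or timestamp.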
- AWS Certified Solutions Architect Official Study Guide: Associate Exam (AWS Certified Solutions Architect Official: Associate Exam)
- Terraform: Up and Running: Writing Infrastructure as Code
As the world continues to shift to the cloud, it’s critical to understand how cloud environments are built, deployed and secured. While many cloud providers exist, I’ve encountered AWS the most. Because of this, the “AWS Certified Solutions Architect Official Study Guide” is a solid overview of deploying and managing AWS resources. In addition to that book, you should also check out Terraform, both the book above and its site (https://www.terraform.io/). While it’s possible to manage cloud infrastructure from the web console, most organizations use “Infrastructure as Code” tooling like Terraform so that cloud resources are both version controlled and managed from one place. As an added benefit, Terraform’s AWS provider makes the relationships between cloud resources explicit, since every resource is declared and the references between them (a security group attached to an instance, a policy attached to a role) are written out in the configuration.
This website has an extensive list of training resources ranging from beginner to advanced. I specifically found the course “Introductory Intel x86” very useful.
Our team did the CTF at DEF CON 27 this year and I found its content very relevant, including the use of modern tools like osquery, Moloch and Graylog. Working through the flags, we found the flags and the evidence behind them very similar to what you’d encounter in a real-world incident response investigation.
- Be humble, don’t be afraid to say “I don’t know” and if something doesn’t make sense, do your own research and come to your own conclusion. It’s better to be late and correct than early and wrong.
- Never stop reading. Technology is constantly changing and you should try to stay on top of the trends. I personally use Flipboard, Twitter and LinkedIn, on top of a few other blog sites.
- If you want to learn something, pretend you have to teach it to your peers.
- Get hands-on. When a new piece of malware comes out that’s getting a lot of attention, try to obtain a sample and understand its infection vector (including the forensic artifacts related to execution).
- Engage with the community. There are some very intelligent people in the community who love to teach as long as there are those willing to learn.
- Do what you love. Information security is full of different roles, find what you enjoy and work your way towards that goal.
- Try to learn something new every day, no matter how small it is.
- Take pride in your work and always give 100%.
- Make a professional roadmap and check your career progression against this every six months to a year.