
Top Readings for InfoSec

Over the years, I’ve been asked what books and/or websites I’d recommend to those getting into the field of cyber security, focusing on malware analysis and incident response. While it’s hard to beat “on the job experience”, other materials such as hands-on labs, capture the flag events, books and other free online resources are a great start. Of course, reading a book is only good if you enjoy the topic ;). I’ve broken down the topics below based on category. I highly recommend working through the labs and rereading any chapters that need additional clarification.

This blog can also be found on Medium: (
Incident Response:
  • Incident Response & Computer Forensics, Third Edition
  • Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
  • The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
  • Red Team Field Manual
If your goal is to work in the IR field (or maybe you already are), the first book is a must read. Not only does it cover some of the key forensic artifacts, it does a great job covering incident response methodologies. I’ve had to revisit this book several times due to its context. While this book does get into some cross-platform topics, I recommend reading the books under the “specialized” category below to gain further insight into OS internals. The second book, “Windows Registry Forensics”, is also a must read, on top of using RegRipper. Since Windows is still the most prevalent operating system analyzed by investigators, understanding Windows and the Windows registry is a must. While RegRipper does help alleviate the pain of parsing some complex registry artifacts, I highly recommend understanding how the registry works and its data structures.
Malware Analysis:
  • Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
  • Reversing: Secrets of Reverse Engineering
  • Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
  • The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
The first book, “Practical Malware Analysis” or “PMA”, is a great resource for someone new to Windows malware. The chapters build upon each other and the included labs ensure you understand each of the chapter objectives. The labs at the end of each chapter include relevant samples and help reinforce the tools and malware analysis methodologies covered in each chapter. (Don’t forget to check out Appendix A — Common Windows Functions.) I’ve also included two other books, “Reversing” and “Learning Malware Analysis”, as great supplemental resources to read after you complete the PMA book. While on the topic of malware, be sure to study scripting languages, starting with PowerShell. Lastly, you’ll want to give “The Shellcoder’s Handbook” a read, as many PowerShell frameworks such as Metasploit, PowerSploit, PS Empire and Cobalt Strike leverage shellcode quite extensively. A great way to get started analyzing shellcode is to set up Metasploit, build a few payloads and analyze them manually using a disassembler of your choice.
Specialized:
  • Hacking: The Art of Exploitation, 2nd Edition
  • What Makes It Page?: The Windows 7 (x64) Virtual Memory Manager
  • File System Forensic Analysis
  • Windows Internals**
  • MacOS and iOS Internals**
  • Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides
Once you’ve powered through the books in the previous categories, we dig into more of the specialized topics, including Windows, Linux and MacOS. In my opinion, Linux is by far the easiest operating system to understand, while MacOS and Windows are vastly more complex, mainly due to their proprietary nature. I recommend starting with the specialized Windows books first, then moving on to MacOS and lastly Linux.
  • The Go Programming Language (Addison-Wesley Professional Computing Series)
  • Head First Python: A Brain-Friendly Guide
Learning how to code, specifically to automate mundane tasks, is one of the most rewarding skills you can develop. In the world of incident response, time is usually heavily constrained. This means that if you can automate something simple and repetitive (say, parsing the NTUSER.DAT or $MFT) into a format you can rapidly ingest from multiple systems at once, you’ll have more time to perform analysis and obtain root cause that much quicker. Automation can also come in handy for administrative tasks such as marking hosts for analysis, detonating malware samples or parsing detonation reports from various sandboxes. The general rule of thumb I have with automation is “if you have to repeat the task more than X times or use copy/paste, it’s time to automate it”. No code is perfect: start small, fail fast and continue to evolve. As a personal preference, I lean to Go over Python when writing applications for production, while I leverage Python when I want to script up something rapidly.
  • AWS Certified Solutions Architect Official Study Guide: Associate Exam (AWS Certified Solutions Architect Official: Associate Exam)
  • Terraform: Up and Running: Writing Infrastructure as Code
As the world continues to shift to cloud, it’s critical to understand how cloud environments are built, deployed and secured. While many cloud providers exist, I’ve encountered AWS the most. Because of this, the book “AWS Certified Solutions Architect Official Study Guide” is a solid overview of deploying and managing AWS resources. In addition to this book, you should also check out “Terraform”, both the book above and its related site ( While it’s possible to manage cloud infrastructure from the web console, most organizations use “Infrastructure as Code” tooling like Terraform to both version control and manage cloud resources. As an added benefit, Terraform with the AWS backend can help you understand how cloud resources are related and tied together.
Web Resources:

This website has an extensive list of training resources ranging from beginner to advanced. I specifically found the course “Introductory Intel x86” very useful.

Our team did the CTF at Defcon 27 this year and I found its content to be very relevant, including the usage of modern tools like OSQuery, Moloch and GrayLog. Working through the flags, we found each flag and its evidence very similar to what you’d encounter in a real-world incident response investigation.
  • Be humble, don’t be afraid to say “I don’t know” and if something doesn’t make sense, do your own research and come to your own conclusion. It’s better to be late and correct than early and wrong.
  • Never stop reading. Technology is constantly changing and you should try to stay on top of the trends. I personally use FlipBoard, Twitter and LinkedIn, on top of a few other blog sites.
  • If you want to learn something, pretend you have to teach it to your peers.
  • Get hands-on. When a new piece of malware comes out that’s getting a lot of attention, try to obtain a sample and understand its infection vector (including the forensic artifacts related to execution).
  • Engage with the community. There are some very intelligent people in the community who love to teach as long as there are those willing to learn.
  • Do what you love. Information security is full of different roles, find what you enjoy and work your way towards that goal.
  • Try to learn something new every day, no matter how small it is.
  • Take pride in your work and always give 100%.
  • Make a professional roadmap and check your career progression against this every six months to a year.

