
Top Readings for InfoSec

Over the years, I’ve been asked what books and/or websites I’d recommend to those getting into the field of cyber security, focusing on malware analysis and incident response. While it’s hard to beat “on the job experience”, other materials such as hands-on labs, capture the flag events, books and other free online resources are a great start. Of course, reading a book is only good if you enjoy the topic ;). I’ve broken down the topics below based on category. I highly recommend working through the labs and rereading any chapters that need additional clarification.

This post can also be found on Medium: https://medium.com/@tstillz17/top-readings-for-infosec-4a1635de6ea0
Incident Response:
  • Incident Response & Computer Forensics, Third Edition
  • Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
  • The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
  • Red Team Field Manual
If your goal is to work in the IR field (or maybe you already do), the first book is a must read. Not only does it cover the key forensic artifacts, it does a great job covering incident response methodology, and I’ve had to revisit it several times for reference. While it does get into some cross-platform topics, I recommend reading the books under the “Specialized” category below to gain further insight into OS internals. The second book, “Windows Registry Forensics”, is also a must read, alongside hands-on use of RegRipper. Since Windows is still the most prevalent operating system analyzed by investigators, understanding Windows and the Windows registry is a must. While RegRipper does alleviate the pain of parsing some complex registry artifacts, I highly recommend understanding how the registry works and its on-disk data structures (hive files, cells and the key/value records inside them), so you can tell when a tool has misparsed an artifact or missed a value entirely.
Malware Analysis:
  • Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
  • Reversing: Secrets of Reverse Engineering
  • Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
  • The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
The first book, “Practical Malware Analysis” or “PMA”, is a great resource for someone new to Windows malware. The chapters build on each other, and the labs at the end of each chapter include relevant samples that reinforce the tools and analysis methodology covered in that chapter (don’t forget to check out Appendix A — Common Windows Functions). I’ve also included two other books, “Reversing” and “Learning Malware Analysis”, as great supplemental resources to read after you complete PMA. While on the topic of malware, be sure to study scripting languages, starting with PowerShell. Lastly, give “The Shellcoder’s Handbook” a read: offensive frameworks such as Metasploit, PowerSploit, PowerShell Empire and Cobalt Strike rely heavily on shellcode, and the PowerShell tooling among them typically just allocates memory and injects a shellcode blob into a process. A great way to get started analyzing shellcode is to set up Metasploit, build a few payloads with msfvenom and analyze them manually using a disassembler of your choice. A position-independent payload has no import table to lean on, so pay attention to how it locates its own address and resolves API addresses (commonly by walking the loaded-module list from the PEB and hashing export names); recognizing those idioms is the key skill.
Specialized:
  • Hacking: The Art of Exploitation, 2nd Edition
  • What Makes It Page?: The Windows 7 (x64) Virtual Memory Manager
  • File System Forensic Analysis
  • Windows Internals
  • MacOS and iOS Internals
  • Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides
Once you’ve powered through the books in the previous categories, you can dig into more specialized topics covering Windows, Linux and macOS internals. In my opinion, Linux is by far the easiest operating system to understand, while macOS and Windows are vastly more complex, mainly due to their proprietary nature. I recommend starting with the Windows books first, then moving on to macOS and, lastly, Linux.
Development:
  • The Go Programming Language (Addison-Wesley Professional Computing Series)
  • Head First Python: A Brain-Friendly Guide
Learning how to code, specifically to automate mundane tasks, is one of the most rewarding skills you can develop. In the world of incident response, time is usually heavily constrained. This means that if you can automate something simple and repetitive (say, parsing NTUSER.DAT or the $MFT) into a format you can rapidly ingest from multiple systems at once, you’ll have more time to perform analysis and reach root cause that much faster. Automation also comes in handy for administrative tasks such as marking hosts for analysis, detonating malware samples or parsing detonation reports from various sandboxes. The general rule of thumb I have with automation is “if you have to repeat the task more than X times or use copy/paste, it’s time to automate it”. No code is perfect: start small, fail fast and continue to evolve, and validate any parser you write against a known-good tool on the same artifact before you trust its output across a fleet. As a personal preference, I lean toward Go over Python when writing applications for production, while I use Python when I want to script something up rapidly.
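As an added example of the kind of automation described above (this is my own code, not code from the original post), here is a small Python parser that turns NTFS $MFT FILE records into one JSON line per file, ready to ingest from many hosts at once. It applies the update-sequence fixups that NTFS writes over the last two bytes of every sector (a parser that skips this step silently misreads any attribute that crosses a sector boundary), pulls the timestamps from $STANDARD_INFORMATION and $FILE_NAME, and flags the classic timestomping tell where the $SI created time predates the $FN created time. The record it parses is constructed in memory by build_record(), so no disk image is needed; the file name “evil.ps1”, record number 42 and the timestamps are made-up demo values.

```python
"""Normalize NTFS $MFT FILE records into JSON lines for bulk ingestion.

Added example for this post, not code from the original. The FILE record
parsed at the bottom is constructed in memory (see build_record); the
name, record number and timestamps are made-up demo values.
"""
import json
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
RECORD_SIZE, SECTOR = 1024, 512
TIME_FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_iso(ft):
    """100ns ticks since 1601-01-01 -> ISO 8601 UTC string."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()


def iso_to_filetime(s):
    d = datetime.fromisoformat(s) - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10


def apply_fixups(record):
    """Undo the update-sequence fixups: NTFS overwrites the last 2 bytes of every
    sector with the USN and keeps the original bytes in the update sequence array."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError("fixup mismatch at sector %d: torn write or corrupt record" % i)
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(record):
    """Return record metadata, $SI and $FN timestamps and the file name as a dict."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
           "in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02)}
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                      # resident attribute: content is inline
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == STANDARD_INFORMATION:
                out["si"] = dict(zip(TIME_FIELDS, map(filetime_to_iso, struct.unpack_from("<4Q", body, 0))))
            elif atype == FILE_NAME and "fn" not in out:   # keep the first $FN (8.3/Win32 pairs have two)
                out["fn"] = dict(zip(TIME_FIELDS, map(filetime_to_iso, struct.unpack_from("<4Q", body, 8))))
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    # $FN times are only written by the kernel, so $SI "created" earlier than $FN "created" is a timestomping tell
    if "si" in out and "fn" in out:
        out["timestomp_suspect"] = out["si"]["created"] < out["fn"]["created"]
    return out


def to_jsonl(records):
    return "\n".join(json.dumps(parse_record(r), sort_keys=True) for r in records)


# --- constructed demo data: build a FILE record the way it sits on disk ---
def _resident(atype, body):
    total = (0x18 + len(body) + 7) & ~7              # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(body), 0x18, 0, 0)
    return hdr + body + bytes(total - 0x18 - len(body))


def build_record(rec_num, name, si_times, fn_times, parent_ref=5):
    si = struct.pack("<4QIIII", *si_times, 0x20, 0, 0, 0)                      # 0x20 = ARCHIVE
    fn = struct.pack("<Q4QQQIIBB", parent_ref, *fn_times, 0, 0, 0x20, 0, len(name), 1)
    fn += name.encode("utf-16-le")
    attrs = _resident(STANDARD_INFORMATION, si) + _resident(FILE_NAME, fn)
    attrs += struct.pack("<I", END_MARKER) + bytes(4)
    usa_off, usa_count, attr_off = 0x30, RECORD_SIZE // SECTOR + 1, 0x38
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, attr_off,
                      0x01, attr_off + len(attrs), RECORD_SIZE, 0, 3, 0, rec_num)
    rec = bytearray(hdr + bytes(attr_off - len(hdr)) + attrs)
    rec += bytes(RECORD_SIZE - len(rec))
    usn = b"\x55\xaa"
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):                     # stamp the USN, stash originals in the USA
        end = i * SECTOR
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


T_REAL = iso_to_filetime("2019-08-09T13:05:00+00:00")
T_FAKE = iso_to_filetime("2015-03-01T08:00:00+00:00")   # backdated $SI created/modified
SAMPLE_RECORD = build_record(42, "evil.ps1", (T_FAKE, T_FAKE, T_REAL, T_REAL), (T_REAL,) * 4)

if __name__ == "__main__":
    print(to_jsonl([SAMPLE_RECORD]))
```

To run it over a real $MFT, read the file in 1024-byte chunks (confirm the record size from the volume boot sector if in doubt) and pass each chunk that starts with FILE to parse_record(); the JSON lines from every host then drop straight into whatever you use for timelining. The timestomp check is deliberately the simplest one; a backdating tool that also rewrites $FN (rare, since that needs raw disk writes or a driver) will slip past it.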
Cloud:
  • AWS Certified Solutions Architect Official Study Guide: Associate Exam (AWS Certified Solutions Architect Official: Associate Exam)
  • Terraform: Up and Running: Writing Infrastructure as Code
As the world continues to shift to the cloud, it’s critical to understand how cloud environments are built, deployed and secured. While many cloud providers exist, I’ve encountered AWS the most, so the “AWS Certified Solutions Architect Official Study Guide” is a solid overview of deploying and managing AWS resources. In addition to this book, check out “Terraform: Up and Running” and its related site (https://www.terraform.io/). While it’s possible to manage cloud infrastructure from the web console, most organizations use “Infrastructure as Code” tools like Terraform to both version control and manage cloud resources. As an added benefit, Terraform with the AWS provider makes the relationships between cloud resources explicit: every reference from one resource to another (an instance to its security group, a role to its policy) is a dependency you can inspect with terraform graph, which is an excellent way to learn how cloud resources are tied together.
Web Resources:

This website has an extensive list of training resources ranging from beginner to advanced. I specifically found the course “Introductory Intel x86” very useful.

Our team did the CTF at DEF CON 27 this year and I found its content very relevant, including the use of modern tools like osquery, Moloch and Graylog. Working through the flags, we found each flag and its supporting evidence very similar to what you’d encounter in a real-world incident response investigation.
Extras:
  • Be humble, don’t be afraid to say “I don’t know” and if something doesn’t make sense, do your own research and come to your own conclusion. It’s better to be late and correct than early and wrong.
  • Never stop reading. Technology is constantly changing and you should try to stay on top of the trends. I personally use FlipBoard, Twitter and LinkedIn, on top of a few other blog sites.
  • If you want to learn something, pretend you have to teach it to your peers.
  • Get hands-on. When a new piece of malware comes out that’s getting a lot of attention, try to obtain a sample and understand its infection vector (including the forensic artifacts related to execution).
  • Engage with the community. There are some very intelligent people in the community who love to teach as long as there are those willing to learn.
  • Do what you love. Information security is full of different roles, find what you enjoy and work your way towards that goal.
  • Try to learn something new every day, no matter how small it is.
  • Take pride in your work and always give 100%.
  • Make a professional roadmap and check your career progression against this every six months to a year.
