This page contains links to couple of interesting training resources, tools and other material useful for Incident Response, Penetration Testing, Malware Analysis and other security-related areas.

Although I’ve placed it here mainly for myself and students of my security courses, if you find it useful, it is also accessible through the easily remembered URL csirt.xyz.

Bellow, you may find materials for the following areas:

• Security Monitoring and Incident Response
• Threat Hunting
• Threat Intelligence
• Threat Modeling
• Penetration Testing and Red Teaming
• Purple Teaming
• Malware Analysis
• Application Security
• OT Security
• Miscellaneous

Security Monitoring and Incident Response

• Standards and Best Practices
  • ENISA Good Practice Guide for Incident Management
  • NIST Computer Security Incident Handling Guide (SP 800-61r2)
  • SIM3: Security Incident Management Maturity Model
  • SOC-CMM
  • Reference Security Incident Classification Taxonomy (current version)
  • FIRST CSIRT/PSIRT Services Framework
  • MaGMa Use Case Framework
  • Traffic Light Protocol (TLP)
  • Incident Response Hierarchy of Needs
  • INTERPOL Guidelines for Digital Forensics First Responders
  • NIST Guide to Integrating Forensic Techniques into Incident Response (NIST SP 800-86)
  • CISA Cybersecurity Incident & Vulnerability Response Playbooks
  • ENISA CSIRT Maturity Framework
  • Google SOAR Maturity Model
  • RFC 2350 - Expectations for Computer Security Incident Response
  • Best practices for event logging and threat detection

• Training Resources
  • Tutorials for Network Miner and Other Netresec Tools
  • PCAP Files for Training - Malware Traffic Analysis
  • FIRST Courses
  • TRANSITS Materials
  • Encyclopedia of evasion techniques
  • STOic TTX Framework
  • STOic TTX Facilitator Training Materials
  • STOic TTX Facilitator Training Videos
  • CISA Tabletop Exercise Packages (CTEP)
  • ENISA Cybersecurity Exercise Methodology
  • Blue Team CTF Challenges

• Collections of Resources
  • Awesome Incident Response
  • Awesome Security APIs
  • Awesome Detection Engineering
  • Awesome SOAR List
  • Tool Analysis Result Sheet
  • TriOp - Tool for quickly gathering statistical information from Shodan.io

• Tools
  • CyberChef
  • SIFT - SANS Forensic VM
  • Sigma - Generic Signature Format for SIEM Systems
  • Uncoder.IO: Universal Sigma Rule Converter
  • sigconverter.io
  • KAPE - Kroll Artifact Parser and Extractor
  • Kansa
  • MITRE ATT&CK Navigator
  • DeTT&CT - Detect Tactics, Techniques & Combat Threats
  • YARA
  • Network Miner
  • PolarProxy
  • osquery
  • Velociraptor
  • Wazuh
  • Arkime
  • Zeek
  • Malcolm
  • Suricata
  • Security Onion
  • JARM/JA3/JA3S
  • JA4+ Network Fingerprinting
  • freq
  • Dissect
  • What2Log
  • Logging Made Easy (LME)
  • DeepBlueCLI
  • Lookyloo
  • IRIS - Open-Source Collaborative Incident Response Platform
  • Timesketch

• Misc
  • Incident Response: Protecting Individual Rights Under the General Data Protection Regulation
  • Processing Data to Protect Data: Resolving the Breach Detection Paradox
  • NISD2: A Common Framework for Information Sharing Among Network Defenders
  • CyberChef Recipes
  • RE&CT Framework
  • Practical SOC Metrics
  • SOC-CMM Metrics Suite
  • Metrics for the Computer Security Incident Response Team (CSIRT) Services Framework
  • 11 Strategies of a World-Class Cybersecurity Operations Center
  • Incident Response Public Playbooks and Structure
  • CREST Cyber Security Incident Response Maturity Assessment
  • Permissible Actions Protocol (PAP)
  • Minimum recommended audit policy for Windows
  • ASD Strategies to Mitigate Cyber Security Incidents
  • EDR Telemetry
  • Open Detection Engineering Framework (ODEF)
  • Detection Rules Development Framework
  • SANS Guide to Security Operations

Threat Hunting

• Methodologies and Best Practices
  • Hunt Evil: Your Practical Guide to Threat Hunting
  • Sqrrl Cyber Hunting Maturity Model
  • The Endgame Guide to Threat Hunting
  • TaHiTI Threat Hunting Methodology
  • TTP-Based hunting
  • PEAK Threat Hunting Framework
  • The Threat Hunter’s Cookbook

• Collections of Resources
  • Threat Hunter Project
  • The ThreatHunting Project
  • Security Datasets Project (Mordor)
  • Security lists for SOC/DFIR detections

• Training Resources
  • Active Countermeasures Threat Hunt Training Course

• Misc
  • Generating Hypotheses for Successful Threat Hunting

Threat Intelligence

• Methodologies and Best Practices
  • ENISA Threat Landscape Methodology
  • NIST Guide to Cyber Threat Information Sharing (SP 800-150)
  • Intelligence Community Directive 203: Analytic Standards
  • X-ISAC Guidelines to setting up an information sharing community

• Training Resources
  • FIRST Cyber Threat Intelligence Curriculum
  • A Cyber Threat Intelligence Self-Study Plan: Part 1
  • A Cyber Threat Intelligence Self-Study Plan: Part 2

• Misc
  • APT Groups and Operations
  • Quantifying Threat Actor Assessments
  • Psychology of Intelligence Analysis
  • CREST Cyber Threat Intelligence Maturity Assessment Tools
  • Recent ransomware victims
  • Recent ransomware attacks

Threat Modeling

• Methodologies and Best Practices
  • Attack Trees
  • DREAD
  • LINDDUN
  • OCTAVE & OCTAVE-Related Assets
  • PASTA
  • STRIDE
  • CARVER
  • Trike
  • VAST
  • MITRE EMB3D Threat Model
  • NIST Guide to Data-Centric System Threat Modeling (SP 800-154)
  • Threat modeling in Security Operations using MITRE ATT&CK
  • Crown Jewels Analysis

• Tools
  • Microsoft Threat Modeling Tool
  • OWASP Threat Dragon
  • Computer Aided Integration of Requirements and Information Security (CAIRIS)
  • Visual Paradigm Online Threat Modeling Toool

• Collections of Resources
  • A Threat Modeling Field Guide
  • Threat Model Examples

• Misc
  • Threat Modeling Manifesto
  • Threat Modeling: 12 Available Methods
  • Cyber Threat Modeling: Survey, Assessment, and Representative Framework
  • A Threat-Driven Approach to Cyber Security
  • OWASP Threat Modeling Cheat Sheet

Penetration Testing and Red Teaming

• Methodologies and Best Practices
  • OWASP Web Security Testing Guide (WSTG) v4.2
  • Open Source Security Testing Methodology Manual (OSSTMM) v3
  • Open Source Security Testing Methodology Manual (OSSTMM) v2.1
  • Information Systems Security Assessment Framework (ISSAF) v0.2.1
  • Penetration Testing Execution Standard (PTES)
  • NIST Technical Guide to Information Security Testing and Assessment (SP 800-115)
  • CVSS - Common Vulnerability Scoring System
  • FedRAMP Penetration Test Guidance
  • CREST - A guide for running an effective Penetration Testing programme
  • GFMA Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
  • TIBER-EU Framework
  • NESCOR Guide to Penetration Testing for Electric Utilities
  • CyberArk Thick Client Penetration Testing Methodology
  • ISO/IEC 18045:2022 - Evaluation criteria for IT security — Methodology for IT security evaluation

• Training Resources
  • Google Hacking for Penetration Testers
  • PortSwigger WebSecurity Academy
  • API Security University

• Collections of Resources
  • PayloadsAllTheThings
  • Awesome Penetration Testing
  • Kerberosity Killed the Domain: An Offensive Kerberos Overview
  • LOLBAS - Living Off The Land Binaries, Scripts and Libraries
  • GTFOBins
  • LOLRMM - Living Off The Land Remote Monitoring and Management

• Tools
  • Reverse Shell Generator
  • Nmap
  • Empire
  • BloodHound
  • Impacket

• Misc
  • The C2 Matrix

Purple Teaming

• Methodologies and Best Practices
  • Purple Team Exercise Framework (PTEF)
  • Purple Team Maturity Model

• Tools
  • Atomic Red Team
  • MITRE Caldera
  • Infection Monkey
  • VECTR
  • Network Flight Simulator
  • MAAD-AF

• Collections of Resources
  • Enterprise Purple Teaming
  • CTID Adversary Emulation Library

Malware Analysis

• Training Resources
  • Malware Unicorn Workshops
  • Haseherezade Malware Training vol. 1
  • Introduction to Malware Analysis and Reverse Engineering
  • Malware Hunting with the Sysinternals Tools
  • Learning Reverse Engineering
  • Ghidra Class

• Collections of Resources
  • Awesome Malware Analysis
  • Awesome IDA, Ghidra, x64DBG, GDB & OllyDBG plugins
  • malware-gems
  • Overview of free online malware analysis sandboxes
  • Obfuscator Collections

• Sample sources
  • theZoo - A Live Malware Repository
  • Malware Samples
  • Malware Sample Sources for Researchers
  • MalwareBazaar
  • vx-underground Malware Source Code
  • vx-underground Malware Collections

• Tools
  • Flare VM
  • REMnux: A Linux Toolkit for Malware Analysis
  • Sysinternals Suite
  • Didier Stevens Suite
  • pestudio
  • Cuckoo3 Sandbox
  • CAPE: Malware Configuration And Payload Extraction
  • DRAKVUF Sandbox
  • Ghidra
  • Malcat
  • Malware Hash Registry
  • Mobile Security Framework (MobSF)

• Misc
  • Ten process injection techniques: A technical survey of common and trending process injection techniques
  • Malware Analysis Fundamentals - Files & Tools
  • Malpedia
  • Unprotect Project

Application Security

• Standards and Best Practices
  • Avoiding the Top 10 Software Security Design Flaws
  • Microsoft Security Development Lifecycle Practices
  • NIST Secure Software Development Framework (SSDF)
  • NIST Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (SP 800-160 Vol. 1)
  • NIST Developing Cyber-Resilient Systems: A Systems Security Engineering Approach (SP 800-160 Vol. 2)
  • NIST Application Container Security Guide (SP 800-190)
  • ISO/IEC 21827:2008 - Systems Security Engineering — Capability Maturity Model (SSE-CMM)
  • OWASP Application Security Verification Standard
  • OWASP SAMM - Software Assurance Maturity Model
  • OWASP Developer Guide
  • OWASP Mobile Security Project
  • OWASP Code Review Guide
  • OWASP Top 10
  • OWASP Top 10 CI/CD Security Risks
  • OWASP API Security Top 10
  • OWASP DSOMM - DevSecOps Maturity Model
  • SEI Secure Design Patterns
  • SEI Top 10 Secure Coding Practices

• Training Resources
  • DevSecOps University

• Collections of Resources
  • Ultimate DevSecOps Library

• Tools
  • Analysis Tools

• Misc
  • CISA Software Bill of Materials (SBOM)
  • OWASP CycloneDX
  • Software Package Data Exchange (SPDX)
  • CWE Top 25 Most Dangerous Software Weaknesses
  • Threat Modeling Resources

OT Security

• Standards and Best Practices
  • NIST Guide to Operational Technology (OT) Security (SP 800-82 Rev. 3)
  • Purdue Enterprise Reference Architecture
  • SANS Five ICS Cybersecurity Critical Controls
  • NIST Cybersecurity White Paper - Security Segmentation in a Small Manufacturing Environment (CSWP 28)
  • Advanced Cyber Industrial Control System Tactics, Techniques, and Procedures (ACI TTP) for Department of Defense (DOD) Industrial Control Systems (ICS)
  • Industrial Internet of Things Security Framework (IISF)
  • Crown Jewels Analysis (CJA) for Industrial Control Systems (ICS)

• Training Resources
  • ICS Training Available Through CISA

• Collections of Resources
  • A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity
  • Awesome Industrial Control System Security

• Tools
  • ControlThings Platform
  • Caldera for OT Plugins
  • GRASSMARLIN

• Misc
  • CISA Industrial Control Systems Network Protocol Parsers (ICSNPP) for Zeek
  • Scanning Higly Sensitive Networks
  • Cyber Security Procurement Language for Control Systems
  • Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
  • Quick Start Guide: An Overview of ISA/IEC 62443 Standards
  • Applying ISO/IEC 27001/2 and the ISA/IEC 62443 Series for Operational Technology Environments
  • NAMUR Checklist for Risk Assessment of Safety Industrial Systems (AK-PRAXIS 4.18: NA163 Checklist)
  • FERC Order 706
  • SANS ICS Cybersecurity Field Manual
  • CURRICULAR GUIDANCE: Industrial Cybersecurity Knowledge

Miscellaneuos

• Standards and Best Practices
  • CIS Critical Security Controls
  • CIS Risk Assessment Method (RAM)
  • ETSI TR 103 305-1: Critical Security Controls for Effective Cyber Defence
  • NIST Cybersecurity Framework (CSF)
  • NIST Guide for Conducting Risk Assessments (SP 800-30r1)
  • NIST Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (SP 800-137)
  • NIST Assessing Information Security Continuous Monitoring (ISCM) Programs:Developing an ISCM Program Assessment (SP 800-137A)
  • NIST ISCMA: An Information Security Continuous Monitoring Program Assessment (IR 8212)
  • NIST Risk Management Framework for Information Systems and Organizations (SP 800-37r2)
  • European Cybersecurity Skills Framework Role Profiles
  • NICE Framework Resource Center
  • NCSC Cyber Assessment Framework (CAF)
  • RFC 9116 - A File Format to Aid in Security Vulnerability Disclosure

• Training Resources
  • Wireshark Tutorial
  • Géant Security Training
  • Cybrary.it - Security Training Videos
  • Free ISC2 Certified in Cybersecurity Course and Certification

• Tools
  • Cyber Security Evaluation Tool (CSET)

• Other
  • MITRE ATT&CK
  • MITRE D3FEND
  • Categorizing human phishing difficulty: a PhishScale
  • Hexacorn Blog
  • BloodHound versus Ransomware: A Defender’s Guide
  • Active Directory Fundamentals
  • Internet Outage Detection and Analysis (IODA)
  • ShodanTools - Collection of scripts & fingerprinting tricks for Shodan.io
  • AuditScripts Collective Risk Project
  • ENISA - Interoperable EU Risk Management Framework
  • Cloud Controls Matrix
  • SANS Vulnerability Management Maturity Model (VMMM)
  • Vulnerability Management Maturity Model – Self-Assessment Tool (VMMM-SAT)
  • FIRST Exploit Prediction Scoring System (EPSS)
  • OASIS Common Security Advisory Framework (CSAF)
  • Cybersecurity Capability Maturity Model (C2M2)
  • Cyber-Informed Engineering (CIE)
  • NIST Building a Cybersecurity and Privacy Learning Program (SP 800-50r1)
  • Archiver MOTW Support Comparison