This page contains links to couple of interesting training resources, tools and other material useful for Incident Response, Penetration Testing, Malware Analysis and other security-related areas.

Although I’ve placed it here mainly for myself and students of my security courses, if you find it useful, it is also accessible through the easily remembered URL csirt.xyz.

Bellow, you may find materials for the following areas:

• Security Monitoring and Incident Response
• Threat Hunting
• Threat Intelligence
• Threat Modeling
• Penetration Testing and Red Teaming
• Purple Teaming
• Malware Analysis
• Application Security
• OT Security
• Miscellaneous

Security Monitoring and Incident Response

• Standards and Best Practices
  • ENISA Good Practice Guide for Incident Management
  • NIST Computer Security Incident Handling Guide (SP 800-61r2)
  • NIST Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (SP 800-137)
  • NIST Assessing Information Security Continuous Monitoring (ISCM) Programs:Developing an ISCM Program Assessment (SP 800-137A)
  • NIST ISCMA: An Information Security Continuous Monitoring Program Assessment (IR 8212)
  • SIM3: Security Incident Management Maturity Model
  • SOC-CMM
  • Reference Security Incident Taxonomy (RSIT) (current version)
  • FIRST CSIRT/PSIRT Services Framework
  • MaGMa Use Case Framework
  • Traffic Light Protocol (TLP)
  • Incident Response Hierarchy of Needs
  • INTERPOL Guidelines for Digital Forensics First Responders
  • NIST Guide to Integrating Forensic Techniques into Incident Response (NIST SP 800-86)
  • CISA Cybersecurity Incident & Vulnerability Response Playbooks
  • ENISA CSIRT Maturity Framework
  • RFC 2350 - Expectations for Computer Security Incident Response

• Training Resources
  • CSIRT Training Resources from ENISA
  • Tutorials for Network Miner and Other Netresec Tools
  • PCAP Files for Training - Malware Traffic Analysis
  • FIRST Courses
  • TRANSITS Materials
  • Encyclopedia of evasion techniques
  • STOic TTX Facilitator Training
  • BlueYard - Blue Team CTF Challenges

• Collections of Resources
  • Awesome Incident Response
  • Awesome Security APIs
  • Awesome Detection Engineering
  • Awesome SOAR List
  • Tool Analysis Result Sheet
  • TriOp - Tool for quickly gathering statistical information from Shodan.io

• Tools
  • CyberChef
  • SIFT - SANS Forensic VM
  • CSI Linux
  • Sigma - Generic Signature Format for SIEM Systems
  • Uncoder.IO: Universal Sigma Rule Converter
  • sigconverter.io
  • KAPE - Kroll Artifact Parser and Extractor
  • Kansa
  • MITRE ATT&CK Navigator
  • DeTT&CT - Detect Tactics, Techniques & Combat Threats
  • YARA
  • Network Miner
  • osquery
  • Velociraptor
  • Wazuh
  • Arkime
  • Zeek
  • Malcolm
  • Suricata
  • Security Onion
  • JARM/JA3/JA3S
  • JA4+ Network Fingerprinting
  • freq
  • Dissect
  • What2Log
  • Logging Made Easy (LME)
  • DeepBlueCLI

• Misc
  • Incident Response: Protecting Individual Rights Under the General Data Protection Regulation
  • Processing Data to Protect Data: Resolving the Breach Detection Paradox
  • NISD2: A Common Framework for Information Sharing Among Network Defenders
  • CyberChef Recipes
  • RE&CT Framework
  • Practical SOC Metrics
  • 11 Strategies of a World-Class Cybersecurity Operations Center
  • Incident Response Public Playbooks and Structure
  • CREST Cyber Security Incident Response Maturity Assessment
  • Permissible Actions Protocol (PAP)
  • Minimum recommended audit policy for Windows
  • ASD Strategies to Mitigate Cyber Security Incidents

Threat Hunting

• Methodologies and Best Practices
  • Hunt Evil: Your Practical Guide to Threat Hunting
  • Sqrrl Cyber Hunting Maturity Model
  • Crown Jewels Analysis
  • The Endgame Guide to Threat Hunting
  • TaHiTI Threat Hunting Methodology
  • TTP-Based hunting
  • PEAK Threat Hunting Framework

• Collections of Resources
  • Resource Threat Detection and Hunting
  • Threat Hunter Project
  • The ThreatHunting Project
  • Threat Hunting & DFIR
  • Security Datasets Project (Mordor)
  • Threat Model Examples

• Training Resources
  • Active Countermeasures Threat Hunt Training Course

• Misc
  • Generating Hypotheses for Successful Threat Hunting

Threat Intelligence

• Methodologies and Best Practices
  • ENISA Threat Landscape Methodology
  • NIST Guide to Cyber Threat Information Sharing (SP 800-150)

• Training Resources
  • FIRST Cyber Threat Intelligence Curriculum
  • A Cyber Threat Intelligence Self-Study Plan: Part 1
  • A Cyber Threat Intelligence Self-Study Plan: Part 2

• Misc
  • APT Groups and Operations
  • Quantifying Threat Actor Assessments
  • Psychology of Intelligence Analysis
  • CREST Cyber Threat Intelligence Maturity Assessment Tools

Threat Modeling

• Methodologies and Best Practices
  • Attack Trees
  • DREAD
  • LIDDUN
  • OCTAVE & OCTAVE-Related Assets
  • PASTA
  • STRIDE
  • CARVER
  • Trike
  • VAST
  • NIST Guide to Data-Centric System Threat Modeling (SP 800-154)
  • Threat modeling in Security Operations using MITRE ATT&CK

• Tools
  • Microsoft Threat Modeling Tool
  • OWASP Threat Dragon
  • Computer Aided Integration of Requirements and Information Security (CAIRIS)
  • Visual Paradigm Online Threat Modeling Toool

• Collections of Resources
  • A Threat Modeling Field Guide

• Misc
  • Threat Modeling Manifesto
  • Threat Modeling: 12 Available Methods
  • Cyber Threat Modeling: Survey, Assessment, and Representative Framework
  • A Threat-Driven Approach to Cyber Security
  • OWASP Threat Modeling Cheat Sheet

Penetration Testing and Red Teaming

• Methodologies and Best Practices
  • OWASP Web Security Testing Guide (WSTG) v4.2
  • Open Source Security Testing Methodology Manual (OSSTMM) v3
  • Open Source Security Testing Methodology Manual (OSSTMM) v2.1
  • Information Systems Security Assessment Framework (ISSAF) v0.2.1
  • Penetration Testing Execution Standard (PTES)
  • NIST Technical Guide to Information Security Testing and Assessment (SP 800-115)
  • CVSS - Common Vulnerability Scoring System
  • FedRAMP Penetration Test Guidance
  • CREST - A guide for running an effective Penetration Testing programme
  • GFMA Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
  • TIBER-EU Framework
  • NESCOR Guide to Penetration Testing for Electric Utilities
  • CyberArk Thick Client Penetration Testing Methodology

• Training Resources
  • Google Hacking for Penetration Testers
  • PentesterLab - Web App Pentesting Training
  • PortSwigger WebSecurity Academy
  • API Security University

• Collections of Resources

  • PayloadsAllTheThings
  • Awesome Penetration Testing
  • Kerberosity Killed the Domain: An Offensive Kerberos Overview
  • LOLBAS - Living Off The Land Binaries, Scripts and Libraries
  • GTFOBins

• Tools
  • Pentest-Tools
  • Reverse Shell Generator
  • Nmap
  • Empire
  • BloodHound
  • Impacket

• Misc
  • The C2 Matrix

Purple Teaming

• Methodologies and Best Practices
  • Purple Team Exercise Framework (PTEF)
  • Purple Team Maturity Model

• Tools
  • Atomic Red Team
  • MITRE Caldera
  • Prelude Operator
  • Infection Monkey
  • APTSimulator
  • VECTR
  • Network Flight Simulator

• Collections of Resources
  • Enterprise Purple Teaming
  • CTID Adversary Emulation Library

Malware Analysis

• Training Resources
  • Malware Unicorn Workshops
  • Haseherezade Malware Training vol. 1
  • Introduction to Malware Analysis and Reverse Engineering
  • Malware Hunting with the Sysinternals Tools

• Collections of Resources
  • Reverse Engineering resources
  • Awesome Malware Analysis
  • Awesome IDA, Ghidra, x64DBG, GDB & OllyDBG plugins
  • malware-gems
  • Overview of free online malware analysis sandboxes

• Sample sources
  • theZoo - A Live Malware Repository
  • Malware Samples
  • Malware Sample Sources for Researchers
  • MalwareBazaar
  • vx-underground Malware Source Code
  • vx-underground Malware Collections

• Tools
  • Flare VM
  • REMnux: A Linux Toolkit for Malware Analysis
  • Sysinternals Suite
  • Didier Stevens Suite
  • pestudio
  • Cuckoo Sandbox
  • CAPE: Malware Configuration And Payload Extraction
  • Malware Hash Registry

• Misc
  • Ten process injection techniques: A technical survey of common and trending process injection techniques
  • How To Build A Malware Analysis Lab
  • Malware Analysis Fundamentals - Files & Tools
  • Malpedia
  • VirusTotal Intelligence Cheat Sheet
  • Semantic NOPs for x64 architecture

Application Security

• Standards and Best Practices
  • Avoiding the Top 10 Software Security Design Flaws
  • Microsoft Security Development Lifecycle Practices
  • NIST Secure Software Development Framework (SSDF)
  • NIST Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (SP 800-160 Vol. 1)
  • NIST Developing Cyber-Resilient Systems: A Systems Security Engineering Approach (SP 800-160 Vol. 2)
  • ISO/IEC 21827:2008 - Systems Security Engineering — Capability Maturity Model (SSE-CMM)
  • OWASP Application Security Verification Standard
  • OWASP SAMM - Software Assurance Maturity Model
  • OWASP Secure Coding Practices Quick Reference Guide
  • OWASP Mobile Security Project
  • OWASP Code Review Guide
  • OWASP Top 10
  • OWASP Top 10 CI/CD Security Risks
  • OWASP API Security Top 10
  • OWASP DSOMM - DevSecOps Maturity Model
  • SEI Secure Design Patterns
  • SEI Top 10 Secure Coding Practices

• Training Resources
  • DevSecOps University

• Collections of Resources
  • Department of Defense and Federal Government Cloud Computing and DevSecOps
  • Ultimate DevSecOps Library
  • NTIA Software Bill of Materials Library

• Tools
  • Analysis Tools

• Misc
  • OWASP CycloneDX
  • Software Package Data Exchange (SPDX)
  • CWE Top 25 Most Dangerous Software Weaknesses
  • Threat Modeling Resources

OT Security

• Standards and Best Practices
  • NIST Guide to Operational Technology (OT) Security (SP 800-82 Rev. 3)
  • Purdue Enterprise Reference Architecture
  • SANS Five ICS Cybersecurity Critical Controls
  • NIST Cybersecurity White Paper - Security Segmentation in a Small Manufacturing Environment (CSWP 28)
  • Advanced Cyber Industrial Control System Tactics, Techniques, and Procedures (ACI TTP) for Department of Defense (DOD) Industrial Control Systems (ICS)
  • Crown Jewels Analysis (CJA) for Industrial Control Systems (ICS)

• Training Resources
  • ICS Training Available Through CISA

• Collections of Resources
  • A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity

• Tools
  • ControlThings Platform
  • Caldera for OT Plugins

• Misc
  • CISA Industrial Control Systems Network Protocol Parsers (ICSNPP) for Zeek
  • Scanning Higly Sensitive Networks
  • Cyber Security Procurement Language for Control Systems
  • Applying ISO/IEC 27001/2 and the ISA/IEC 62443 Series for Operational Technology Environments
  • NAMUR Checklist for Risk Assessment of Safety Industrial Systems (AK-PRAXIS 4.18: NA163 Checklist)
  • FERC Order 706

Miscellaneuos

• Standards and Best Practices
  • CIS Critical Security Controls
  • CIS Risk Assessment Method (RAM)
  • NIST Cybersecurity Framework (CSF)
  • NIST Guide for Conducting Risk Assessments (SP 800-30r1)
  • NIST Risk Management Framework for Information Systems and Organizations (SP 800-37r2)
  • European Cybersecurity Skills Framework Role Profiles
  • NICE Framework Resource Center
  • RFC 9116 - A File Format to Aid in Security Vulnerability Disclosure

• Training Resources
  • BHIS - 30 things to get you started
  • Wireshark Tutorial
  • Géant Security Training
  • Cybrary.it - Security Training Videos
  • Free ISC2 Certified in Cybersecurity Course and Certification

• Other
  • MITRE ATT&CK
  • MITRE ATT&CK Top 10 Techniques Calculator
  • MITRE D3FEND
  • MITRE Engage
  • MITRE Cyber Resiliency Engineering Framework (CREF) Navigator
  • Categorizing human phishing difficulty: a PhishScale
  • Hexacorn Blog
  • BloodHound versus Ransomware: A Defender’s Guide
  • Active Directory Security
  • Active Directory Fundamentals
  • Internet Outage Detection and Analysis (IODA)
  • ShodanTools - Collection of scripts & fingerprinting tricks for Shodan.io
  • AuditScripts Collective Risk Project
  • Cloud Controls Matrix
  • SANS Vulnerability Management Maturity Model (VMMM)
  • FIRST Exploit Prediction Scoring System (EPSS)
  • Cybersecurity Capability Maturity Model (C2M2)
  • Cyber-Informed Engineering (CIE)