Disclaimer: Be aware that Hurricane Labs does not endorse, nor is responsible for, ANY of the content linked in this blog post.
It's been a little while since I’ve posted anything on the Hurricane Labs Blog. Rest assured, it's because I’ve been busy with things in places. They said I could be anything, so I became a course instructor. Now I am The Senpai.
As the name of this blog post implies, I’m here to impart to you information security training resources that are either free, or relatively affordable, for the professional or newbie on a strict budget.
I’m going to try and break up this list of resources by the type of resource it is -- e.g. full-on training courses/platforms, books, “wargames” or “CTF” exercises, whitepapers, and/or general reading on recent infosec trends. So, let's get started.
Free or Inexpensive Training Resources:
Cybrary.it : Cybrary is a website that hosts a collection of IT and Information Security training videos. Many of the videos hosted here center around IT or InfoSec (Information Security) certifications. Access to the training videos is free; however, if you want access to the accompanying labs, that is where you have to pay. Be aware that all the trainings offer a certificate, as well as CEU/CPE credits, upon completion.
SANS Cyber Aces : A while back the SANS organization, known for very high quality training (albeit extremely pricey), produced some introductory training content on a platform called “Cyber Aces”. While there isn’t a whole lot here, this website allows you to learn some of the basics and foundations of Operating Systems, TCP/IP networking, and Systems Administration.
Cuckoo’s Egg Decompiled : The Cuckoo’s Egg is a book by Cliff Stoll about how he investigated one of the first known cybersecurity attacks in the ‘80s. This training, developed by Chris Sanders, is available for free as an entry-level course. It’s good material for those who are exploring information security and want an introduction to various security concepts. Disclosure: Chris Sanders runs networkdefense.io, the platform that my training is hosted on.
Codecademy : Codecademy is a website that has a load of training material centered around programming and programming languages. Access to most of the material is free; however, some of the advanced material and/or “coding paths” require a monthly subscription.
Khan Academy : Khan Academy is sort of like Codecademy, except all of the material is free. It is also not solely focused on computer science and/or programming.
Udemy : Udemy is similar to Khan Academy and Codecademy in that they provide access to a wide variety of classes and training materials. However, Udemy has a much wider variety and typically the classes have a bit more detail, but at the cost of actually having to pay some amount of money per class. In most cases, the classes aren’t terribly expensive. One of our very own, Tom Kopchak has a class on Splunk Administration available on the site. If you use the link I provided, the coupon code “HURRICANEBLOG” gets applied automatically, dropping the price of this training down to 10 dollars - 67% off
Open Security Training : Open security training has been around for a good long while, and is a solid resource full of information security specific training. While the changelog hasn’t been updated since 2015, a lot of the materials available here are still very much relevant and useful.
RE101 and RE102 : Are you interested in learning how to analyze malware? MalwareUnicorn took the time and resources to develop two meticulously detailed classes that detail some of the introductory concepts with malware analysis, triage, and reverse engineering. Best of all? The material is totally free.
Begin.Re : Special thanks to user @DamskyIrena for making me aware of this resource. Begin.re is, as the name implies, a resource for users who want to learn how to perform reverse engineering. This training was developed by Ophir Harpas of Trusteer, IBM Security.
Samurai WTF : Samurai WTF is a self-contained Virtual Machine that hosts both web exploitation tools, as well as vulnerable web applications hosted locally for users to experiment with web exploitation. It appears that the last update to the Samurai WTF VM was in 2016, but a lot of the material is still very useful. Please note, that in addition to the Samurai WTF VM, there is an accompanying slide deck to help guide your training.
OWASP Juice Shop : The OWASP Juice Shop is a web application written in Node.js, Express, and AngularJS. The web application is intentionally vulnerable. The project page contains instructions on how to setup the project for training purposes. Additionally, there is a link to the official companion guide hosted on Leanpub.
Metasploit Unleashed : Metasploit Unleashed is a free ethical hacking course provided by Offensive Security, of Kali Linux and OSCP/OSCE fame. The training is available online, and comes recommendations for setting up a minimal lab environment. This course will teach you the basics on how to utilize the Metasploit Framework, and serves as a sort of guide to the framework. Note: This training specifically references the “Metasploitable 2” VM. Another great resource that may help you along with this training is the Metasploitable 2 Exploitability Guide.
Sam’s Classes : Sam Bowne is a renowned cyber security instructor and has made a number of his classes available for free. He livestreams all of his courses for free, and a lot of the material states that recordings will be made available on YouTube later on. Classes are all taught by Sam Bowne and Elizabeth Biddlecome.
RPISEC MBE : Rensselaer Polytechnic Institute published materials for a class titled “Modern Binary Exploitation”. This class teaches vulnerability research, reverse engineering, and binary exploitation.
Learning Embedded Systems with Arduino : This is another resource I was made aware of by @DamskyIrena. This workshop provides an introduction to hardware hacking and embedded systems utilizing the Arduino embedded platform. This training is provided by Dafna Mordechai.
Splunk Fundamentals 1 : Splunk is a SIEM and Centralized logging platform. This training, free with registration on Splunk.com, allows anyone to learn the basics on how to operate a Splunk instance.
MISP Training Materials : MISP is a fantastic platform for recording and sharing information about malware threats. The folks at CIRCL Luxembourg have provided a ton of free training materials centered around getting the most out of the platform.
Reverse Engineering for Beginners : This resource is a book by Dennis Yurichev designed to introduce students to reverse engineering.
NSM and Intrusion Detection : This is a small (45 pages) PDF introducing students to NSM concepts such as passive collection, netflow, full packet capture, and IDS/IPS technology. The majority of the content teaches readers how the open-source IDS/IPS platforms -- Snort and Suricata work -- specifically their rule syntax, and how to interpret IDS/IPS alerts from both platforms. Disclosure: I am the author of this material.
Packt Publishing : Packt is a book publisher that specializes in books related to coding, security, and IT concepts. What's really nice is that Packt has a huge library of free books, and has a new free book available for download per day.
Humble Bundle Books : The Humble Bundle is a site dedicated to packaging books, software, and really just about anything. The “bundles” are provided at a significant discount, and almost all of the proceeds either go towards keeping Humble Bundle running, and/or to charity, with the choice for how much to pay and what goes where being left squarely in your hands. Keep an eye out and watch for Humble Bundles featuring no starch press books -- they partner together frequently, and normally the collection of PDFs provided is worth hundreds of dollars.
Leanpub : Leanpub is an online book platform that is a really neat. It’s a self-publishing platform where authors can provide early access to their work. Leanpub allows authors to define a price range for which customers can pay for their book. The author sets a “recommended” price, but also sets a minimum price for selling the book. Of course, you can elect to pay more if you really like the material, or you can choose to pay less than the recommended if you’re really cash strapped. Leanpub has a huge library of IT/Coding/InfoSec books available and at relatively affordable prices. Best part? If you’re not satisfied, you have 45 days to request a refund for whatever book you purchased. Disclosure: This is a publishing platform that I utilize.
Safari Books : Safari is a book subscription service provided by O’ Reilly Books (you know, the publisher who has the IT/Coding/Security books with animals on the cover?). While it isn’t free, 39 bucks a month (or 399.00 USD if you pay up for a full year up front) provides you with access to a huge online library of books, video courses, training, audio books and so on, and not just books from O’Reilly.
Minemeld Unofficial User Guide : A while back, we started utilizing MineMeld quite heavily at Hurricane, and I found that the user guides and documentation were somewhat scattered and hard to use. I took matters into my own hands and wrote a small guide to help users get the most out of the platform. Disclosure: Yup, I wrote this.
Wargames, Vulnerable VMs (boot2root), DFIR Challenges, etc.
Metasploitable 2, Metasploitable 3 : Metasploitable was briefly mentioned as a part of the Metasploit Unleashed course by offensive security above. Currently, there is Metasploitable 2, hosting a huge variety of vulnerable services and applications based on Ubuntu 8.04, and there is a newer Metasploitable 3, that is Windows Server 2008, or Ubuntu 14.04 based. Be aware that Metasploitable 3 relies on HashiCorp tools, such as Packer and Vagrant, to attempt to “build” the virtual machine. Personally, I have /never/ been able to get the virtual machine to build with no errors. So if you run into problems building the Metasploitable 3 VM, I would highly suggest submitting an issue to the Metasploitable 3 GitHub.
OWASP BWA : The OWASP Broken Web Applications project is a VM that contains a whole host of vulnerable web applications. It's sort of like Samurai WTF, except there really isn’t much in the way official, structured training to go with it. The link provided takes you to SourceForge to download the VM. The OWASP project page can be found here.
Google Gruyere : Gruyere is the name of the Google project meant to teach web application exploitation and defense.
Over the Wire : OverTheWire is a collection of online “Wargames” where your goal is to solve a puzzle or challenge in order to gain access to the next system in the series of challenges. The difficulty curve starts off really easy with the “Bandit” wargame, and increases in difficulty as you progress through the challenges. Access to the challenges is totally free, and the best part about them is that if you do get stuck somewhere there is a really good chance that if you Google for the challenge you are working on, someone, somewhere has probably done some sort of a write-up on how to progress through the rest of the challenge. Remember that, as a student, there is absolutely no shame in looking up how to complete a challenge, and/or following along with the write-up if you want. This isn’t a race, this isn’t a closed challenge, this is simply an environment in which you can gain practical knowledge.
SANS/Counterhack Holiday Hack Challenge - Previous Years : Every year, right around the Thanksgiving/Christmas/New Years collection of holidays, Ed Skoudis and the rest of the CounterHack team come together to release a yearly holiday hack challenge. The scenarios, the work involved, and the level of detail that goes into these challenges is simply astounding. They archived the challenges over the previous years and allow students to access them, as well as the answers to the challenges in the event that you get stuck. The best thing about the holiday hack challenges is that they require a wide variety of different skills in order to complete the entire set, so all students and security professionals from all walks of life can learn something new.
Vulnhub : Vulnhub is a website that contains a massive collection of vulnerable virtual machines. These VMs are known as “boot2root” VMs. In most cases you will not have access to the console of the VM, or have credentials to log on in order to re-configure things. You download the OVF, reformat it for the the VM platform of your choice, and usually the VM picks up an IP address through the DHCP server you configured. You would then Nmap your local network to find what IP address the VM picked up, and proceed in analyzing it for clues you can use to determine what its vulnerabilities are. The end goal is to go from zero access on the system, all the way to root access. All of the VMs I have seen on Vulnhub usually provide a link labeled “walkthroughs” that will link to a walkthrough on how to solve the various puzzles for that VM. Just like with previous challenges, there is no shame or loss of pride, if you get stuck. As a security professional, you cannot be expected to have encyclopedic knowledge of all computer security vulnerabilities and/or how to exploit them. Use the walkthroughs when and if you get stuck, and make sure you take notes on the parts you got stuck on for later reference.
Hack The Box : Hack the Box is a website that allows you to access an online semi-persistent wargame environment. The environment has a variety of virtual machines that all have some sort of a theme, or methodology for hacking them. Additionally, they all have difficulty ratings attached to them. New machines are added to the environment and old machines are retired regularly, meaning that the environment always has fresh challenges. Additionally, users are able to request access the retired machines if they want. Be aware that, in order to register you have to figure out how to “hack” the registration (Hint: Its a web application vulnerability. Not an RCE, and NOT SQLi. Don’t go throwing random exploits at a website you don’t own, please).
Malware Traffic Analysis - Training Exercises : Malware Traffic Analysis is, as the name of the site implies, a website dedicated to the analysis of malware and the collection of network artifacts that malware leaves behind. The maintainer of the website has a collection of exercises with alerts, packet captures, and quiz questions to help you gain a better understanding of Incident Response, Hunting for Malware, and/or Network Forensics.
Honeynet Challenges : The Honeynet Project is a website dedicated to the creation of honeypot projects that can be used to collect information from attackers. The project has a collection of challenges and exercises that been issued over the years that are a collection of various Data Forensics and Incident Response (DFIR) challenges. Some of the challenges date as far back as the early 2000s, while the most recently archived challenge dates back to 2015. (Recommended by @BitAengel).
Splunk Boss of the SOC (BOTS) 1.0 Dataset : Not too long ago, I had the unique pleasure of having performed in this competition. Our team did pretty well, all things considered. Splunk has open-sourced the dataset for the competition, the app that they used for scoring, as well as the questions and answers from the dataset. In order to run this challenge, you need a Splunk instance (although the team has provided a JSON copy of the data for analysis on alternative data platforms) -- and you’ll likely need licensing to ingest all that data. (Note: that Splunk provides developer licenses that allow ingesting up to 10GB of data per day, so long as it is for private use -- educational purposes and/or development of Splunk apps. Please note that developer licenses are provided at their discretion). This resource recommended by @likethecoins.
NIST forensics dataset : This page contains a collection of various forensic artifacts and/or datasets that students can use for testing various forensic suites and tools.
Between two DFIRNS challenges : This is a website I was made aware of by @wimremes. It looks like a blogspot blog hosting a TON of various DFIR challenges of varying complexity with a lot of quiz questions.
Blue Team Training Kit : This website, also recommended by @BitAengel, contains a set of tools that allows you to simulate malware infections. The website seems to provide access to free and/or premium training materials.
BlackRoomSec - Hacking Challenge Site Links : BlackRoomSec has amassed a ton of links to various hacking challenges from all over the internet.
OWASP Vulnerable Web Applications Directory Project : This link contains a list of all of the intentionally vulnerable online, offline, webapps that OWASP provides and maintains. Be aware that some of the links are dead and/or pointing to locations that are not correct or accurate.
DFIR.training - CTF & Challenges : This is a list of CTF events and challenges linked from the dfir.training website, a website that is a sort of index of various DFIR tools and resources all over the web. Be aware that some of these links are live CTFs and/or may not be available for use offline. This resource also recommended by @wimremes
NetsecFocus Learning Resources Spreadsheet : This is a google docs spreadsheet containing a couple tabs worth of information. Linking to other resources that can be used for various aspects of information security training.
OWASP : While I have already linked to a number of OWASP projects in general, the OWASP Wiki is an invaluable resource with regards to web application security. One of the most well-known OWASP projects is their Top 10 Web Application Security Risk Report that describes the most commonly exploit web application vulnerabilities. In addition to that, the OWASP Wiki describes tons of other web application bugs, vulnerabilities and problems, how they may be encountered in various programming languages and platforms, and how they may be mitigated. It is an invaluable resource for secure web application development.
SANS Reading Room : The SANS reading room is a massive library of research papers written by analysts and researchers, and curated by SANS. It is an extremely valuable research when attempting to look into the the state of cybersecurity as it stands, as well as looking for authoritative resources to back your own research.
Incident Handler’s Handbook : While we’re talking about the SANS Reading Room, this paper - dating back to 2012 - describes the typical process and best practices used for cybersecurity incident handling. If you want to be a better DFIR professional and know the lifecycle of an incident, then I would highly recommend reading this.
Penetration Testing Execution Standard (PTES) : The PTES is a standard that was devised by a bunch of senior security professionals and penetration testers. The PTES describes the different phases or states of a typical penetration test or red team engagement, and the actions you may consider performing at those various phases. The standard covers everything from scoping and initial reconnaissance, to writing the after-action report for consumption by the customer. Additionally, the site provides a link to Technical Guidelines and/or resources you might consider using for the various phases of a penetration test.
Cyber Kill Chain : Lockheed Martin researched, developed (and patented, can’t forget that) a methodology for describing how organized attackers operate to achieve their goals on target networks. While a lot of what Lockheed Martin has written about the kill chain is marketing fluff, the phases of an attack is a kernel of truth that is extremely valuable. Understanding the kill chain, attacker motivations and actions that they take to achieve their goals is important for threat intelligence. In most cases, when attackers progress through the kill chain to achieve their goals, they leave evidence of their passing. This evidence can become IOCs or indicators of compromise that can be used to enhance detection and interrupt or at least seriously degrade attacker capabilities and progress. If threat intelligence is something you’re interested in, I’d recommend getting familiar with the kill chain.
Mitre ATT&CK and RedCanary Atomic Red Team : Mitre ATT&CK (shorthand for Adversarial Tactics, Techniques, and Common Knowledge) is a resource that, like the Cyber Kill Chain, describes general actions that attackers take when they are attempting to achieve objectives against a target network. Actions such as Initial Access, Execution, Persistence, Privilege Escalation, etc. The key difference between the kill chain and ATT&CK is that the Mitre’s framework takes things a step further by attempting to enumerate specific methods that are used to achieve a generation action. For example, the Initial Access action might include the method spearphishing, or the exploitation of a public-facing application. The ATT&CK matrix is a value information security addition for the red team to give them ideas on how to progress through a network, as well as for the blue team to determine how to develop detections and/or mitigations that may defeat or provide visibility when particular methods are used. RedCanary developed a tool called “Atomic Red Team” that can be used to enumerate different methods described in the ATT&CK framework.
Hope this helps!
If you have any questions on anything I've included, or you've found other resources people should know about, let me know. You can leave a comment underneath the blog, or reach out to us at @hurricanelabs on Twitter.