Learn the process of conducting security investigations regardless of the toolset.

• A simple investigation framework to ensure you’ll never get stuck or overwhelmed by data when pursuing leads.
• The characteristics of evidence and which sources will provide the most value.
• A formula for building investigation playbooks that will help you get to the right conclusion faster and consistently.
• Useful techniques for building timelines, making threat hunting observations, and optimizing your workflow through the principle of mise en place.

A structured system to ensure you’re never at a loss for what to hunt for, where to find it, and how to see it amongst the noise.

• Two ways to get started: attack-based hunting (ABH) and data-based hunting (DBH)
• Techniques for leveraging threat intelligence and the MITRE ATT&CK framework for hunting input
• The 9 most common types of anomalies you’ll encounter when reviewing evidence
• A 5-step framework for dissecting and simulating attacks to prepare for hunting expeditions
• The 4 ways threat hunters most commonly transform data to spot anomalies
• My two-step system for effective note taking while hunting

Learn to use YARA to detect malware, triage compromised systems, and perform threat intelligence research.

• Understand the fundamentals of YARA rule structures, composition, and matching.
• Learn how to confidently write your own rules from scratch using a diverse variety of real-world malware samples.
• Use YARA to detect specific malware on an individual host, hunt for common malware techniques, or look for related malware amongst a large corpus of samples.
• Dissect existing rules to tune them for greater specificity and fewer false positives.
• Learn basic and advanced detection engineering principles, including balancing precision vs. coverage and looking for threat-dense equities, concealed equities, and other red flags.
• Understand common malware file formats and how to detect unique properties of those files.
• Recognize common adversary tactics such as masquerading, using entropy and obfuscation, linked libraries, stack strings, and more.
• Set up your own YARA lab to help you perform detection engineering more efficiently using other helpful tools.

Learn how to use Splunk to find threats, centralize data, and make sense of logs.

• Build your own Splunk lab to import data, explore new evidence sources, and run your own security simulations as you follow along with class exercises.
• Understand how data travels through Splunk from input, to parsing, indexing, and search.
• Learn how to onboard data into Splunk from diverse sources like Windows Event Logs, CSV files, HTTP Server logs, and more.
• Leverage the powerful SPL search syntax to find answers to security questions and hunt through data.
• Generate statistics, charts, and dashboards to summarize large data sets and find anomalies.
• Troubleshoot common Splunk issues like inputs not showing up or changes not taking effect.
• Discover expert tips that go beyond the Splunk documentation to help you make effective use system resources as you search and generate stats.
• Work through security specific scenarios to strengthen your analysis skills.

Detection Engineering with Sigma will teach you how to write and tune Sigma rules to find evil in logs using real-world examples that take you through the detection engineering process.

• Learn the detection engineering process from initial detection gap identification to deploying your rule into production.
• Write your own detection rules using familiar log sources like Windows Events, Zeek Logs, Sysmon Logs, AWS CloudTrail logs, and more.
• Understand the structure of Sigma rules, including the difference between lists and maps, how condition expressions work, and all the essential metadata that’ll be useful for investigating alerts it generates.
• Utilize a rule development environment using the VSCode Sigma plugin to develop rules efficiently and use the Sigma command-line tools.
• Leverage Sigma-CLI to convert rules to popular investigation and detection tool formats like Splunk, Kibana, and others.
• Learn to write resilient rules that find more evil, stand the test of time, and cause headaches for adversaries.
• Operationalize your Sigma knowledge by learning how to manage your custom ruleset with Git and share your rules.

15 CPEs

Intrusion Detection Honeypots rely on deception to trick attackers into interacting with fake systems, services, and data. In this class, you’ll get hands-on experience designing, building, deploying, and monitoring honeypots to detect network adversaries before they accomplish their goals.

• Use the See-Think-Do framework to integrate honeypots into your network and lure attackers into your traps. If you control what the attacker sees and thinks, you can control their actions. This strategy is the key to deceptive defense. 
• Leverage honey services that mimic HTTP, SSH, and RDP and alert you when attackers attempt to connect to them.
• Hide honey tokens and web bugs in office documents. When attackers interact open them, you’ll know they’re on the network.
• Embed honey credentials in services and memory so that attackers will find and attempt to use them. You’ll leverage various forms of authentication monitoring to know when this happens. 
• Build deception-based defenses against common attacks like Kerberoasting and LLMNR spoofing

15 CPEs

Get hands-on experience capturing, dissecting, and making sense of packets.

• 5 techniques for capturing packets in any scenario and how to know which one is appropriate
• A tutorial on using packet maps to navigate protocols along with color-coded printable maps for all the most common protocols you’ll encounter.
• Learn all of Wireshark’s analysis features including how to create graphs, traverse protocol hierarchy charts, and generate stats that are simple AND useful.
• My tips for customizing your analysis environment by using features like Wireshark profiles, custom columns, and individual packet color coding.
• Techniques for extracting complete files from network communication via multiple protocols — even custom malware command and control.
• How to use tshark and tcpdump to perform packet analysis on the command line.
• How to approach and dissect these protocols: IPv4, IPv6, TCP, UDP, DHCP, DNS, HTTP, SMTP, and ICMP.
• Learn what normal looks like so you can spot abnormal when you encounter it.

You can use CyberChef to answer the data questions you have, whether you’re a digital forensic analyst, incident responder, threat hunter, or malware reverse engineer. In this class, you’ll get hands-on experience in this master class on deobfuscation and data manipulation using the most powerful and flexible tool for the job.

• Speed up the most common forensic data manipulations like extracting indicators from threat intel reports, identifying and decoding XOR’d data, and converting timestamps
• Learn dozens of techniques for decoding common malware obfuscation techniques in JavaScript, PowerShell, VBScript, and more
• Parse and manipulate commonly encountered indicators like IP addresses, domain names, and file hashes along with data formats like XML and JSON
• Build repeatable recipes that you can share with your peers to automate data manipulation
• Learn the basic and advanced techniques offered by CyberChef and see why so many skilled analysts keep CyberChef in an open tab at all times

Level up your host-based investigation skills with one of the best tools for the job.

• How to craft SQL queries to interrogate Windows, Linux, and MacOS hosts
• Common queries for performing software inventory and asset control
• Strategies for interrogating processes to determine if they are malicious
• Techniques for uncovering persistence and lateral movement
• Triaging suspicious systems using high-value data tables
• Hunting leveraging MITRE ATT&CK techniques
• Complete deployment of distributed Osquery across your network using FleetDM and ElasticStack

Master your data by learning how to centralize, parse, and analyze it using the popular open source ELK toolkit.

• Store, index, and search data in a centralized location with Elasticsearch.
• Explore the most useful Logstash plugins to effectively collect and manipulate structured and unstructured data.
• Learn techniques for searching data and building useful visualizations and dashboards with Kibana.
• Watch step-by-step guides for building data pipelines for common data sources: HTTP proxy logs, Bro/Zeek logs, file-based logs, Windows events and Sysmon data, netflow, and IDS alerts.

Learn my system for writing that communicates a clear message, keeps your reader engaged, and creates meaningful change.

• My repeatable system for faster, more effective security writing through storytelling and empathy development.
• Techniques to bridge the gap between technical and non-technical audiences.
• The critical components of a penetration testing report and how to write one so that network owners will finally take your findings and recommendations to heart.
• How to write compromise reports that aren’t boring, and help stakeholders understand the scope of an attack that has occurred.
• How to write more effective short-form communication, including e-mails, case notes, and chat messages.

Learn to wield the full power of regex for searching in your SIEM, building detection rules, and more.

• Learn the most common uses of regular expressions and how to apply them in places you weren’t even aware of
• Stop merely powering through regex and set yourself apart by making it a useful tool in your arsenal
• Iteratively build and test regular expressions for things you want to match
• Overcome common gotchas like dealing with whitespace
• Evaluate the efficiency of expressions by the number of steps it takes to match
• Get the definitive guide to escaping characters so you’ll know when and how to do it
• Use quantifiers to match specific numbers of data occurrences
• Use capture groups to reference specific matched content and perform additional operations on it

A hands-on “choose your own adventure” walkthrough for building an IT security lab for penetration testing, network security monitoring, and more.

• Enhance your IT or security skills by building a lab that will help you get hands-on practice attacking and defending systems
• Watch as we walk you through every step you’ll take to build your lab.
• Evaluate virtualization platforms and become better equipped to choose the hardware you need for your lab
• Configure virtual networking so that systems can talk to each other securely
• Learn what types of systems should be contained in a virtual lab
• Install a network firewall, SIEM, IPS, and network attack platform.
• Gain familiarity with popular tools like PfSense, Snort, Suricata, Splunk, Kali Linux, and Metasploit.

A free introduction to information security course based on the true story of Cliff Stoll and his bestseller “The Cuckoo’s Egg”.

• Explore the field of information security with this dive into various specialties of the field
• See how much (and how little) has changed in the field over the thirty years since the book was released
• Watch course instructor Chris Sanders complete demonstrations of modern attack and defense concepts
• Track a persistent intrusion campaign across the globe from the perspective of a network defender
• Complete individual exercises and lab work to take the course further and gain exposure to new tools and skills