Rodney Flores

Getting Started in Security with BHIS & MITRE ATT&CK


Arguably one of the absolute BEST resources I've found on this cybersecurity journey has been Black Hills Information Security. At this point, I'm not even sure how I first found out about them. But I also don't think I'd be as far along in my self-study journey if it wasn't for what they do for the infosec community.


This blog post is going to be about my most recent training course with them: "Getting Started in Security with BHIS and MITRE ATT&CK w/ John Strand". I'll refer to the course as "Getting Started" from here on out. This course isn't the first I've had with them. My very first interaction with them was "Infosec Mentoring | How to Find and Be a Mentor & Mentee" followed shortly after by "The SOC Age Or, A Young SOC Analyst's Illustrated Primer". The biggest difference between those two and Getting Started is that the earlier two were only 1-hour webcasts. Getting Started was a whopping 16 hours spread over 4 days!


I could have easily posted my certificate on my LinkedIn and called it a day. But I wanted to do something different for this course. I gained SO MUCH from this course, both theory/knowledge and practical hands-on that it deserved its own blog post. Additionally, like my CTF posts, I will link my write-ups for the labs I performed as part of this course at the end of this post.


"Getting Started" is a course designed for those new to security. It is based on what BHIS calls the "Atomic Controls" which are the Top 11 vulnerabilities they have observed after performing over 500 security assessments per year. Those 11 controls are:

  • Application Allow Listing

  • Egress Traffic Analysis

  • UEBA (User Entity Behavior Analytics)

  • Advanced Endpoint Protection

  • Logging

  • Host Firewalls

  • Internet Allow Listing

  • Vulnerability Management

  • Active Directory Hardening

  • Backup and Recovery

I was able to learn about each of these topics, but also have hands-on labs to show proof-of-concept of each vulnerability and how to protect an organization from those attacks.

Training slides included with course

If you know about John Strand and BHIS, then you know about his asking price of "Pay What You Want!" for the course. If you don't know, John offers the courses he teaches with BHIS literally for whatever you want to pay for it...including for FREE! But I recommend kicking down whatever you can for the course. They put in so much work to do these for the infosec community. Additionally, if you pay full price (which is $495 USD), then you get 6 months of access to their Cyber Range.


What was the experience like? If you're not prepared, it can feel like drinking from a firehose. But there are some things you can do to make the transition easier. If you sign up for any of his courses, make sure you come prepared. At the very least, if there is a Virtual Machine (VM) required, install and test it on your box before the start of class! You don't want to waste class time installing the VM when you can use it to work through the labs and to ask questions. If you've installed VMs before, you know that there is also a chance of technical difficulties (which happened to me!).


He also sends out an e-mail a few days before the start of class with links to videos to help you prepare for the infosec onslaught that's about to take place. If you know you're new, then it would behoove you to prepare! The e-mail also has pointers for the VM install and the Discord server. Speaking of Discord, I had a beast of a time putting the webcast, the Discord server, and the VM all in one little 16" laptop screen. But after you flip through each one constantly throughout the 4 hours of class, it becomes second nature.


The course format is great. There hasn't been one John Strand PowerPoint slideshow that I've sat through and been bored out of my mind. He always has a way of tying each slide into a real-world scenario, or crafts the way he talks about a subject into an interesting story.


I recommend that you make it so that you can at least watch John's presentation AND watch the Discord chat at the same time. There were thousands (yes, THOUSANDS) of people who signed up for this class around the world. And in addition to the BHIS staff, there are attendees who drop gems of knowledge in chat. I find it easier to catch it as it happens rather than combing through the thousands of lines of chat after the fact.


Another pointer that I can give you is to organize your Bookmarks situation beforehand. I guarantee you that you'll come across a website mentioned or displayed in the presentation or in chat that you'll want to save, and if you have that process worked out how you want, then you'll be more efficient in saving those links for future reference.


Now, with all that said, the webcasts are recorded and are available to watch within 24 hours. They're all available in the Discord chat that you'll get invited to when you sign up for the course. Additionally, the entire Discord chat is archived by default, and you can always scroll back as far as you want into the course. So don't feel rushed to get all the information and websites and resources down the first time around.


In my opinion, the BEST part of the course was the labs. Hands down. Why? Because John built them specifically for this course. It wasn't just a random VM that you had to go out and install the tools required to do the labs. John installed everything that is needed on the VM, and even created a webpage index with all the lab procedures available within the VM! Everything is in one place. Everything just worked. Some people had difficulty installing it, but that was specific to VMware. And the VM doesn't expire or anything. So now, it's an integral part of my home lab. Because the procedures are part of the VM, I can go through it at any time to refresh my skills.


Most memorable moment: using BlueSpawn, which is an open-source Endpoint Detection and Response (EDR) tool, to monitor and detect myself using Red Canary's Atomic Red Team attack tests on that EDR monitored system all within the same VM! This allowed me to do functional detection tests of attacks and anomalous activities that are mapped to the MITRE ATT&CK Framework! It is such a game changer to KNOW the type of attack that is being used, and then to detect it on your system/network and SEE in real-time what that attack would look like for a blue team defender.


There were so many other topics and tools that I learned about and used, but I'll let my write-ups do the talking for those items. The links to those write-ups are below. I want to close this post by saying I signed up for John's next class: SOC Core Skills. It's another 16-hour, 4-day course tailored to teach core security skills that all SOC Analysts should have. I can't wait! Sign up if you can! You won't be disappointed!


UPDATE 12/14/20: You can have access to the Cyber Range by paying at least $195 or above.



© 2020 by Rodney Flores
