The Honeynet Project
For those looking to get some real world hands-on experience in DFIR to build up or expand your skill set, check out honeynet.org. The non-profit offers information and challenges to help sharpen your skills.
The Honeynet project (https://www.honeynet.org) is freely available and offers informal training opportunities in the form of forensic challenges. Self-training is the primary form of continuing education for most DFIR professionals. There are a number of freely available resources that offer high quality training and only require you to put in the time and effort. This type of training may be found by exploring the Honeynet Project.
What is it?
To quote from the website, “The Honeynet Project is a leading international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security. With Chapters around the world, our volunteers have contributed to fight against malware (such as Confickr), discovering new attacks and creating security tools used by businesses and government agencies all over the world. The organization continues to be on the cutting edge of security research by working to analyze the latest attacks and educating the public about threats to information systems across the world.”
The Challenges (Self-Training Opportunities)
The honeynet project deploys honey pots around the world. The collected information is used, in part, to create challenges on the latest attacks and hot security issues. There are a number of exercises that put you in the place of an Incident Responder carrying out an intrusion investigation. Challengee materials include a download of source material to work with. In addition, for those looking for more of a learning experience, some of the top challenger responses are posted in the form of white papers that document the TTP of others. This provides a “cheat sheet” of sorts so if you are newer to a certain type of investigation you are not left simply to your own devices. It may be helpful to try to replicate a more experience analysts TTPs and conclusions.
Examples of the Challenges
Some are dated but remember, times change faster than protocols change so much of the archived challenges are still relevant learning experiences. Here are some I recommend checking out:
Investigating PCAPs https://www.honeynet.org/node/504
Intrusion Investigation https://www.honeynet.org/node/906
Examining a compromised server https://www.honeynet.org/challenges/2011_7_compromised_server
The project has a number of DFIR white papers available for download https://www.honeynet.org/papers
Check them out!
* Views are based on my own experience, resources are cited where applicable.