Staying abreast of the latest cybersecurity knowledge and informed of top offensive security practices is a challenge. There's always some new vulnerability on the horizon. Nevertheless, we're here to try to make it a little bit easier. Stay in the know and brush up on best practices with this roundup of some top offensive security resources available in 2018.
When's the last time you actually hit the books? It might be time to head to the library (or, let's be real, Amazon) to learn more about the latest in cyber vulnerabilities, threat modeling, ethical hacking, and penetration testing.
1. Let's start with one of the more thrilling titles. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon from cybersecurity journalist Kim Zetter was described by The New York Times as "part detective story, part scary-brilliant treatise on the future of warfare."
2. In The Hacker Playbook 2: Practical Guide to Penetration Testing, which came out in 2015, Peter Game presents penetration hacking as a game in this step-by-step guide.
3. Gray Hat Hacking: The Ethical Hacker's Handbook is out now in its fourth edition, but you may want to hold out until June when the 5th edition is due out. The latest revised version promises new chapters including how to analyze and block ransomware.
4. Hacking Exposed has been holding firm on its seventh edition since 2012, but the book is a now classic introduction to the basics of network attack and defense. Authors include McAfee/Intel's Stuart McClure, Citigal's Joel Scambray, and CrowdStrike's George Kurtz.
5. Practical Malware Analysis: The Hands-on Guide to Dissecting Malicious Software was a recurring recommendation on Medium's survey of cyber security professionals' bookshelves. The book by Michael Sikorski and Andrew Honig presents tools and techniques pros use to analyze, debug, and disassemble malicious software.
6. Threat Modeling: Designing for Security is another how-to approach. This one's written by Adam Shostack, Microsoft's go-to threat modeling guy.
7. An oldie but a goodie is The Art of Computer Virus Research and Defense. In this 2005 guide, one of Norton AntiVirus's lead researchers, Peter Szor, offers a behind-the-scenes look at antivirus efforts.
8. The Art of Deception is a great read to get you thinking also about the low-tech threats to your offensive security efforts. Reformed hacker Kevin Mitnick (writing with William L. Simon) focuses on the human factor and shares true stories of social engineering successes. Mitnick's memoir, Ghost in the Wires, also gets named again and again on top cyber security book lists too.
9. Of course, we'd be remiss not to mention The Social Engineer's Playbook: A Practical Guide to Pretexting by our own Jeremiah Talamantes. But don't just take our word for it; the book also made Tripwire's 2017 list of 10 Must-Read Books for Information Security Professionals.
Of course, you may be more of a visual learner — or prefer to tune into an online lecture. There are resources for you too!
1. A quick primer comes from Deloitte and Symantec, who give viewers a Hollywood-style view of cyber threats, the inevitability of an attack, and a warning to be ready all in five glossy, quick-moving minutes. Break out the microwave popcorn!
2. For a much more thorough approach, you can find a range of video resources on the SANS YouTube channel. One of the popular ones is Physical Security: Everything That's Wrong With Your Typical Door, which is presented by physical pen tester and lock picking pro Deviant OIlam (whose first name had to predispose him to pen testing don't you think?). Another one with a high number of hits is Michah Hoffman's presentation Six Tips for Starting an Effective OSINT Investigation.
The SANS Digital Forensics and Incident Response YouTube channel's most viewed video was only published January 4, but people obviously wanted to know more about the new vulnerabilities Meltdown and Spectre.
3. You may have missed your chance to attend MIT, but you can at least check out the Introduction to Threat Modeling via MIT OpenCourseWare. The lecture starts at 5:40 into the video when the professor talks about why securing systems is so hard.
4. You might also check out the interviews with security pros on the Security Weekly channel. This has included John McAfee, Chris Roberts, and Samy Kamkar.
5. Finally, when you're looking to translate some of what you've learned online with your employees, you might garner some laughs with "Don't Be a Billy" a black and white old-timey video talking about the need to be more thoughtful about using the Internet.
The InfoSec Institute offers several boot camps to help people get certified. Yet, if you don't need more letters after your name or don't care for exams, our Full-Force Red Team Training program offers a real-world crash course in physical intrusion, social engineering, and penetration testing. Our multi-day workshop features full-training exercises with students breaking into actual offices/buildings (legally, of course), hacking system and apps, and social engineering real people, face to face. There are no actors; this is the real deal! Register now to stay in the loop about our next Red Team Training session.
Need the kind of help only a professional can provide? Look no further. RedTeam Security prides itself on delivering made-for-you security solutions that fit within your strategy and budget. Just fill out our scoping questionnaire and let us get to work on a tailor-made proposal for your business.