CyberChef for Security Analysts
The most useful skill a security analyst possesses is the ability to manipulate data and use it to answer questions.
But there are so many data obfuscation methods and ways to change how systems present information that it’s easy to feel like you need a degree in computer science or years of programming experience to get anywhere. There are few worse feelings than staring at something you know is probably malicious while getting lost in page after page of Stack Overflow results without making progress.
I always thought there needed to be a way to help security analysts like me become better at manipulating security data. When I discovered CyberChef, I knew I had found it.
CyberChef is the closest thing defenders have to a Swiss Army Knife.
CyberChef is a free, open-source web application designed for carrying out common data manipulation techniques in a structured, systematic, repeatable way. This includes operations like simple decoding, hash calculation, content extraction, indicator format parsing, and more. Each of these things is essential to blue teamers in any role.
Now, I’m excited to offer an online course dedicated to teaching you data manipulation techniques using CyberChef to become a better investigator.
CyberChef for Security Analysts will teach you how to use CyberChef to perform common data manipulation, transformation, deobfuscation, and extraction techniques using real security data*. This isn’t just a simple tutorial; you’ll work through diverse exercises using real-world security data to build a toolkit of techniques.
Simply put, CyberChef for Security Analysts is an example-driven master class on dealing with the most common types of data you’ll encounter in common blue team roles such as SOC analysis, malware reverse engineering, forensic investigation, threat hunting, and threat intelligence.
- Gain comfort with the CyberChef interface
- How to install CyberChef locally and maintain good OPSEC practices
- How to save, load, and share recipes for repeatability and collaboration
Character Encoding and Encryption
- How to identify the most common types of encoding you’ll encounter
- Techniques for isolating, extracting, and decoding data into readable formats
- How XOR works, including how to identify and use XOR keys to get past what attackers try to hide
Data Formatting, Parsing, and other Manipulation
- Operations for comparing data to find out where changes occurred
- Techniques for formatting and converting dates and times (because not everything is in UTC by default)
- Extracting and manipulating common indicator formats like IP addresses and domain names, including ways to safely share malicious IPs, domains, and URLs
- How to leverage regular expressions in CyberChef to match and extract important data
Defeating Malware Obfuscation
- Pulling actionable indicators (IPs, domains, etc.) from malware samples
- Deobfuscation techniques for web shells and malicious shortcut files
- How to deobfuscate common C2 implant files, like PoshC2 and CobaltStrike PowerShell loaders
- How to find and practice with malware samples from public sandboxes
- Repeatable techniques for stepping through layered obfuscation with advanced CyberChef operations including subsections, registers, jumps, and more
Log File and Forensic Analysis Techniques
- How to manipulate the structure of log files for easier analysis
- Methods for anonymizing data for reporting or sharing
- Parsing XML with XPath
- Performing data verification to ensure forensic soundness
- Building custom URL parsers (including building your own Google URI parser)
- How to extract and process EXIF data
- Techniques for mapping GPS coordinates
- Leveraging CyberChef’s optical character recognition (OCR) abilities
HTTP Requests and JSON Data
- Creating HTTP requests from CyberChef to extract or parse data from sites like GitHub
- Interacting with public security APIs like Shodan
- Parsing JSON with JPath
- Techniques for bypassing SOP and CORS restrictions
For each of these concepts, you’ll watch me perform multiple examples before working through labs where you try it yourself. These repeated exposures will build skills that you’ll carry with you once you’ve finished the class. You won’t just learn to tackle isolated scenarios; you’ll learn a baseline skill set you can apply to a wide array of situations.
If you want to start building confidence for manipulating data, defeating malware obfuscation, and extracting relevant indicators while building mastery of one of the most versatile security tools available, CyberChef for Security Analysts is the course you’re looking for.
CyberChef for Security Analysts Includes:
Over 10 hours of demonstration videos. These videos will break down the concepts and skills you need to become adept at using CyberChef and improve your data manipulation and deobfuscation skills.
Hands-on labs to help you develop and test your skills. You’ll complete lab exercises by downloading real-world security data* and using CyberChef to isolate, extract, and transform data into a usable state.
Participation in our student charitable profit-sharing program. A few times a year we designate a portion of our proceeds for charitable causes, and students get to take part in nominating charities that are important to them to receive these donations.
Frequently Asked Questions
Is this course live?
This is NOT a live course. It’s an online video course you can take at your own pace.
How long do I have access to the course material?
You have access to the course for six months following your purchase date. If you need more time, you can extend your access for a small monthly fee.
Are there any prerequisites or lab requirements for this course?
This course is designed for all security practitioner skill levels and assumes no prior CyberChef experience. There are no specific system requirements for this course. Once downloaded, CyberChef can run in a modern web browser such as Firefox or Chrome.
How much time does it take to do this course?
Given the amount of content, it takes people dramatically different times to complete the material. If you focus all your time on it, you can complete everything in about a week. Most choose to spread it out over a few weeks as they take time to practice the concepts demonstrated.
How many CPEs/CMUs is this course worth?
Organizations calculate continuing education credits in different ways, but they are often based on the length of the training. This course averages 15 hours of video and lab work.
Do you offer discounts for groups from the same organization?
Yes. To inquire about discounts or group invoices please contact us at email@example.com.
*Please note that some of the lab material for this class uses real malware. We provide instructions on how to safely handle these files, which includes never executing the files outside of a sandbox environment.
Meet the Course Author – Matt Weiner
Hi! My name is Matt Weiner and I’ve been working in information security for over eight years, and prior to that as an intelligence analyst for seven years. So much of what I’ve needed to do is manipulating, parsing and deobfuscating data. As I moved through my career from Intelligence Analyst, to Digital Forensics Analyst, to Incident Responder, to my current Threat Hunting role, I’ve felt crippled by my lack of programming experience. That was until I discovered CyberChef, which has changed the way I interact with data. Over time, I’ve grown to understand just how powerful CyberChef can be across all blue team roles. I’ve used it for timestamp manipulation, hashing, inspecting binary data, malware script deobfuscation, simple data re-formatting, extracting indicators… the list goes on. It’s one of the first browser tabs I open in the morning at work because it ‘just works’. Now I’m proud to bring this course to you and to share how useful and powerful CyberChef can be to a network defender, incident responder, or forensic analyst.
You can catch him on Twitter @mattnotmax.