My name is Chris Sanders, and I’m a security analyst.
When I first started out, learning how to investigate threats was challenging because there was no formal training available. Even in modern security teams today, most training is centered around specific tools and centers too much around on-the-job training. It wasn’t hard to learn how to use the tools, but I struggled knowing when to use them and what to look for. It wasn’t that I didn’t have enough data…I was overwhelmed by it.
My investigations all followed a similar path.
After getting an alert I’d look in the obvious places — my go-tos that I would later realize were crutches:
- Pull the packet capture
- Look at the HTTP requests
- Google the alert name to find more context
…but then I’d become overwhelmed.
What data sources are available…?
Can I find the host logs based on what information I already have…?
Is this normal? How can I tell?
Worse yet, if I did find something interesting I was completely unorganized. I had a dozen browser tabs open, data spread across four terminal windows, and nonsensical notes that I’d written 5 minutes earlier and had already forgotten the meaning of.
I was paralyzed.
The longer this went on the more I became overwhelmed. I would eventually just stare at the screen hoping for a sudden moment of clarity and for everything to just click. It never happened.
What was I lacking? I knew plenty of people who were good at this — what skill did they possess that I did not?
I sought out a colleague I knew who is an experienced analyst at a big government agency. He was one of the most skilled members of their threat hunting team and spent his time tracking down nation-state level adversaries. I asked him how he learned to be a good analyst, and he told me, “Chris, being a good analyst isn’t really something you can learn. You’ve either got it, or you don’t. You can’t teach this stuff.”
I call malarky.
After I recoiled from the wave of smugness that had suddenly washed over me, I resolved to strive for something better. Chalking investigative ability exclusively up to natural born traits was an excuse, and that way of thinking had led me to believe things that forced me to make my own excuses.
3 Beliefs That Were Holding Me Back
This discussion was a critical moment in my career. It made me realize three ridiculous beliefs that were holding me back. When I figured this out, it changed the way I looked at everything.
I want to share them with you now.
Belief #1: You have to be born with some special sauce to be a good investigator.
WHAT I THOUGHT: Some people were born “naturals” or were simply much smarter than me.
MY EXCUSE: I’ll probably never figure this out because I’m simply not smart enough.
THE TRUTH: We all start in different places, but nearly anyone can achieve some level of success as a security analyst. Some people get it a little sooner than others and that naturally leads them to situations where they get more practice — more interesting data, a better job, etc. This accelerates their learning.
Belief #2: Being a great analyst is all about mastering your tools
WHAT I THOUGHT: I should spend most of my time learning tools. If I can write great Bro scripts or use IDA, then I’ll be able to find attackers on my network and see what they’re doing.
MY EXCUSE: I’m doing everything I can to learn the skills that are important for my job by focusing on the tools of the trade.
THE TRUTH: Knowing how to use your tools is helpful, but when and why to use them is critical. Tools do things like help us retrieve and manipulate data, but where most people get stuck is deciding what data to query and how to manipulate it so that answers to important questions become clear.
Belief #3: Investigating security incidents is a completely new and unique concept
WHAT I THOUGHT: The skills involved in investigating alerts and threat hunting are entirely unique to our field.
MY EXCUSE: This knowledge is so specialized that only a small number of people will be able to really grasp it.
THE TRUTH: Investigating things isn’t unique to cybersecurity. Several fields involve some form of investigation — police officers, lawyers, and even doctors. We can leverage the knowledge of these fields and many more to become better blue teamers.
The problem of tacit knowledge
A major problem working in a new field is that much of the knowledge needed to perform the job is tacit — it isn’t written down. That’s why so much learning that happens on the job mostly focuses on just sitting and watching others do it. We can do better.
When security analysis finally began to “click” for me I resolved not just to be good at catching bad guys — I wanted to help others who are going down the same path by developing a course dedicated exclusively to both the theory and practice of the investigation process.
If you’re a security analyst responsible for investigating alerts, performing forensics, or responding to incidents then this is the course that will help you gain a deep understanding of how to most effectively catch bad guys and kick them out of your network. Investigation Theory is designed to help you overcome the challenges commonly associated with finding and catching bad guys.
- I’ve got so many alerts to investigate and I’m not sure how to get through them quickly
- I keep getting overwhelmed by the amount of information I have to work with in an investigation
- I’m constantly running into dead ends and getting stuck. I’m afraid I’m missing something.
- I want to get started threat hunting, but I’m not sure how.
- I’m having trouble getting my management chain to understand why I need the tools I’m requesting to do my job better.
- Some people just seem to “get” security, but it just doesn’t seem to click for me.
Investigation Theory will teach you how to conduct investigations regardless of the toolset by focusing on the mental models used by experts.
Investigation Theory is not like any online security training you’ve taken. It is modeled like a college course and consists of two parts: lecture and lab. The course is delivered on-demand so you can proceed through it at your convenience. However, it’s recommended that you take a standard 10-week completion path or an accelerated 5-week path. Either way, there are ten modules in total, and each module typically consists of the following components:
- Core Lecture: Theory and strategy are discussed in a series of video lectures. Each lecture builds on the previous one.
- Bonus Lecture: Standalone content to address specific topics is provided in every other module.
- Reading Recommendation: While not meant to be read on pace with the course, I’ve provided a curated reading list along with critical questions to consider to help develop your analyst mindset.
- Quiz: The quiz isn’t meant to test your knowledge, but rather, to give you an opportunity to apply it to reinforce learning through critical thinking and knowledge retrieval.
- Lab Exercise: The Investigation Ninja system is used to provide labs that simulate real investigations for you to practice your skills.
Investigation Ninja Lab Environment
Investigation Theory utilizes the Investigation Ninja web application to simulate real investigation scenarios. By taking a vendor-agnostic approach, Investigation Ninja provides real-world inputs and allows you to query various data sources to uncover evil and decide if an incident has occurred, and what happened. You’ll look through real data and solve unique challenges that will test your newly learned investigation skills. A custom set of labs has been developed specifically for this course. No matter what toolset you use in your SOC, Investigation Ninja will prepare you to excel in investigations using a data-driven approach.
Get stuck in a lab? I’m just an e-mail away and can help point you in the right direction.
This isn’t a typical online course where we just give you a bunch of videos and you’re on your own. The results of your progress, quizzes, and labs are reviewed by me and I provide real-time feedback as you progress. I’m available as a resource to answer questions throughout the course.
- Metacognition: How to Approach an Investigation Using Mental Models
- Evidence: Planning Visibility with a Compromise in Mind
- Questions: A Question Well Stated is a Problem Half-Solved
- Transforming Data: Finding Answers in Evidence
- Investigation Playbooks: How to Analyze IPs, Domains, Files, and Common Alerts
- Open Source Intel: Understanding the Unknown
- Mise en Place: Mastering Your Environment with Any Toolset
- The Timeline: Tracking the Investigation Process
- The Curious Hunter: Finding Investigation Leads without Alerts
- Your Own Worst Enemy: Recognizing and Limiting Bias
- Reporting: Effective Communication of Breaches and False Alarms
- Case Studies in Thinking Like an Analyst
Plus, several bonus lectures!
You can view the detailed course syllabus here.
Investigation Theory includes:
- Over 20 hours of demonstration videos. These videos will provide the theoretical foundations of the investigation process, mental models for effective investigations, and SOC best practices to tie these to your workflow.
- Hands-on labs to help you develop and test your skills. You’ll complete lab exercises in the Investigation Ninja tool. Review network security alerts and investigate them using actual data. These labs are designed to challenge you and force you to think through the process of building an intrusion timeline and asking the right questions.
- Participation in our student charitable profit sharing program. A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.
- 6 months access to course video lectures and lab exercises with the Investigation Ninja tool. You can extend access later if you need more time.
- Access to Chris Sanders’ online “office hours” held periodically
- A Certification of Completion
- Continuing Education Credits (CPEs/CEUs)
“Investigation Theory is a course that focuses on purposeful, self-aware, and objective approaches to investigation. It can help a novice springboard their start into security analysis and can give the veteran threat hunter new approaches to most efficiently guide an investigation from triage to resolution. I would consider this mandatory training for any Security Analyst, whether fresh or seasoned. I was surprised by how immediately applicable a lot of the lessons are. I work for a large enterprise, but every module here had lessons that both helped me as an individual and also allowed me to bring some efficiencies and improvements to the business. This was a fantastic course that has allowed me to improve in a very short time. It’s not every day that you get a master of their craft breaking down the discipline into its respective parts, to allow concrete practice for a discipline that often gets mired in illusions of what it means to “know security”. Thank you!” – Michael Kuchera
“Investigation Theory is the course that you want to take to learn how to be or improve on being an analyst. I would consider this course a MUST have before focusing on tools. Wish I would have had this course when I started down this whole analyst path. This is the only course that I have come across that actually focuses on the whys and whens and not just a bunch of tools and how to use them. Hands down one of the best if not the best course I have taken. It made me think and work through my thoughts in such a way that I feel like I own the material learned. Thank you for leading this horse to water.” – James Ducroiset
“The labs were cool. When you hear simulation, sometimes you think of those boring government simulations you have to complete to check off some box for compliance. But you could tell that the instructor really took his time to make the labs enjoyable and instructive.” – Pushkar, SOC Analyst
“The course re-ignited my passion for doing stuff at home and actually gave me direction in figuring out what I wanted to learn next. It helped give me a framework for handling situations and, it gave me a confidence I didn’t have before… that’s probably the most valuable part of this.” – David, Security Manager
“I learned the thought patterns of Security Analysts and that their duties are vastly different than that of a system admin. The course has given me the ability to create “a space” using a wiki, the hive and visjs that allows my management team to look into what I’m doing. They have a way to see what I’m doing and the value I provide.” – Brook, New to Infosec
“I would highly recommend this course to seasoned Blue Team Veterans and newbies alike. This course teaches one how to think like an analyst and think critically when it comes to responding to security incidents.” – Tony Robinson, Security Analyst
“I finally understand what all the fuss is about playbooks and I can support this exercise from now on. It’s not about step by step instructions which I feared trapped non innovative analysts into routines. It’s about providing that suggested next step for them to think on their own.” – Mike, Consultant
“The investigation theory course is probably one of the best courses that I have taken, the content is very handy for noobs and experimented investigators, Chris shows the right path to be a better investigator. I learned the right way to deal with investigations, I think that the labs are the perfect tool to learn and practice.” – Daniel Rodriguez
“I could find many courses that taught tool usage, but none cover the steps in an investigation. Some only mention them with nothing to explain how to move through an investigation. This course focuses on a subject that isn’t taught in any other courses I have found – how to successfully refine your thought process to move through an investigation, not just how to use the tools. The questioning procedure really helps focus on what is important and what resource to use next. I loved the lab setup as well. I have asked past instructors about how to create home labs and most gave answers that were not helpful. As a group, we need to get better at helping others with different thought processes.” – Marsha Miller
This course is also offered as a two-day on-site class taught at your organization. This includes access to the online course material for all attendees.