How do you become an expert in DFIR

Hello fellow cyber security hero!

In recent months, after talking to many teams and individuals alike, it became clear that there is a lot of confusion about how to become great at Digital Forensics and Incident Response (DFIR). The skills are hard to develop, and it is hard to know where to focus at a given point in your career.

Many professionals also stated that they are hitting a ceiling within their current job. Major incidents don’t occur, which is good for the company, but not great for developing skills and experience. Additionally, there is the risk of alert fatigue, which, combined with a lack of skills, has in several cases I have seen led to devastating ransomware incidents.

Effective cyber security (and DFIR) is always a matter of three areas:

People <-> Process <-> Technologies

Everything starts with people, as they are the most important asset and we rely on their skills (and talent, motivation, passion for what they do, etc.). So let us break down what people can do to stay sharp and improve their skills:

As we can see, it gets harder the closer you get to the top. However, it is not just the advanced skills that matter: you also need solid fundamental knowledge and a really good understanding of how enterprise environments work. How else would you be able to tell the difference between legitimate and malicious activity?

That’s why it’s important to focus on the following areas if you want to build a really well-rounded set of skills as a DFIR expert, ideally learned through hands-on training:

Blue Team Basics

  • Windows environments:

    • Active Directory Domain Services (AD DS), Domain Controllers, user management, etc.

  • Domain administration and enumeration tools:

    • Group Policy Objects, PowerShell, PowerView, PsExec, AdFind, CMD

  • Windows authentication

    • Kerberos, and credential attacks against the domain such as DCSync

  • Windows internals

    • System architecture, processes, jobs, threads, APIs, security, etc.

Forensic Analysis

  • Forensic process

    • Data acquisition and analysis processes

  • Windows forensics

    • Disk and memory analysis

  • Timeline analysis

  • Malware analysis

    • Static and dynamic analysis

  • Phishing analysis

    • Email analysis

    • MalDoc analysis

    • Business email compromise analysis

Advanced Incident Response

  • Cyber crime, threat actor objectives, MITRE ATT&CK framework

  • Cyber Threat Intelligence (CTI)

  • Enterprise security technologies

    • SIEM, EDR, forensic tools

  • Ransomware attack investigation

  • APT attack investigation

  • Cloud incident response

Incident Response Management

  • Standards and policies

  • Risk and asset management

  • Incident management, plans and playbooks

You can see that there are a lot of basics and areas that all come together when investigating a major incident such as a ransomware or APT compromise.

This blueprint should give you a guideline of what to focus on when working on becoming a well-rounded DFIR expert. It may even mean stepping back a bit to revisit some of the fundamentals, or to cover new areas.

Here are 3 ways I can help you:

  1. Corporate Training (Group or individual training)

  2. Individual Blue Team Master Coaching (Work with me 1-1 on your career and skills development)

  3. The Practical Windows Forensics course, which teaches you a wealth of forensic knowledge, is completely hands-on and affordable.

Thank you for tuning in and being part of our growing community!

Markus Schober