Appendix 1 - Resources

This resource guide contains high-quality databases and frameworks. The resources below will allow you to quickly find and synthesize information needed to detect, characterize, and counter threat actors.

  • Center for Internet Security (CIS) Benchmarks
    CIS Benchmarks, published by the Center for Internet Security (CIS), are documented industry best practices for securely configuring IT systems, software, and networks. Currently, there are more than 140 CIS Benchmarks in total, spanning across seven core technology categories.

  • SANS Institute Incident Handler’s Handbook
    The SANS reading room, and specifically the Incident Handler’s Handbook, holds a wealth of knowledge for learners looking to become practitioners. The information within the handbook will help learners obtain skills in policy creation as well as planning on cyber incident mitigation. The handbook also contains an important checklist on incident handling.

  • A Taxonomy of Operational Cyber Security Risks
    The taxonomy provides a resource for the categorization of risk. This resource breaks down risk into several categories including actions of people and internal and external issues. It also provides a framework for how to categorize the risk based on FISMA and other government regulations.

  • ATT&CK: Adversarial Tactics, Techniques & Common Knowledge Navigator
    This resource is used to define and describe the steps of a cyber attack. It lists the strategies and methods in a simple, easy-to-follow algorithm. The steps contained in the resources are not an exhaustive list, but the majority of incidents will be covered. The major benefit of this resource is it gives many suggestions on how to respond to cyber attacks and how to be proactive against cyber attacks.

  • ATT&CK for Cyber Threat Intelligence Training
    The training contains five modules that consist of videos and exercises. This training was designed to be completed in approximately 4 hours, and may be completed solo or as a team. We recommend you view the video for each module, and when prompted, pause the video to access the exercise documents and complete the exercises, then proceed with viewing the video to go over the exercise.

  • MITRE Engage Starter Kit
    "MITRE Engage is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals." MITRE Engage is considered an Adversary Engagement Approach. This is accomplished by the implementation of Cyber Denial and Cyber Deception. The starter kit is a collection of whitepapers and PDFs explaining various checklists, methodologies, and processes to get you started.

  • MITRE Crown Jewels Analysis
    In a large and complex enterprise, it is difficult to know how problems in a portion of an IT infrastructure may affect the broader operational mission. CJA provides a methodology to help understand what is most critical—beginning during systems development and continuing through system deployment.

  • NIST Guide for Mapping Types of Information and Information Systems to Security Categories
    Special publications from NIST assist in the cyber education of the country. Specifically, NIST SP 800-60 provides a structure for incident response and categories of incidents.

  • NIST Risk Management Framework
    The risk management framework is technically NIST 800-39, but it relies heavily on two special publications. The first is NIST 800-37, and the second is NIST 800-53. NIST 800-39 provides a framework to handle risk management in six steps. The steps are categorize, select, implement, assess, authorize, and monitor.

  • Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
    This publication was previously known as NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems. It provides a framework for certification and accreditation in the federal government. This resource delivers a methodology for the government to stabilize its accreditation evaluation. This publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations.

  • NIST Security and Privacy Controls for Information Systems and Organizations
    This publication was previously known as NIST SP 800-53 Recommended Security Controls for Federal Information Systems and provided a methodology for implementation of security controls for information systems. Now this publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

  • Regular Expressions 101-102
    The website has gone over many iterations, and started as a simple hobby project which has now grown to become one of the largest regex testing services in the world. You can view all the iterations over on the web archive.

  • What2Log
    What2Log was a project that began when we saw a noticeable gap in computer security notation in regards to logs. There had not been a centralized resource of what and how to understand the logs of the major operating systems that are used every day. What2Log was made to fill that exact gap.

  • nmap Cheat Sheet

  • tcpdump Cheat Sheet

  • Wireshark CLI Cheat Sheet

  • Zeek Logs Cheat Sheet

  • Explain Shell
    This site contains 29761 parsed manpages from sections 1 and 8 found in Ubuntu's manpage repository. A lot of heuristics were used to extract the arguments of each program, and there are errors here and there, especially in manpages that have a non-standard layout. It is written in Python and uses bashlex, a bit of NLTK (to find the interesting parts of the manpage), a little d3.js (for the connecting lines graphic) and Flask. It is served with uwsgi and nginx.

  • Abuse IP DB
    AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.

  • ThreatCrowd
    ThreatCrowd is a system for finding and researching artefacts relating to cyber threats. You can view a short tutorial at

  • National Initiative for Cybersecurity Education (NICE) Cyber Career Pathways Tool
    This tool presents a new and interactive way to explore work roles within the Workforce Framework for Cybersecurity (NICE Framework). It depicts the Cyber Workforce according to five distinct, yet complementary, skill communities. It also highlights core attributes among each of the 52 work roles and offers actionable insights for employers, professionals, and those considering a career in Cyber.

  • National Initiative for Cybersecurity Education (NICE) Framework Work Role Videos
    The Workforce Framework for Cybersecurity (NICE Framework) provides a set of building blocks for describing the tasks, knowledge, and skills that are needed to perform cybersecurity work performed by individuals and teams. These building blocks can be used to form Work Roles. Work Roles are not job titles, but rather a way of describing a grouping of work for which someone is responsible or accountable. The NICE Framework has 52 Work Roles divided into 7 Categories. The video library provides links to videos depicting a day in the life of cybersecurity practitioners who have a range of Work Roles.

  • Cybersecurity & Infrastructure Security Agency Trusted Internet Connections Core Guidance Documents
    Core guidance documents are intended to be used collectively in order to achieve the goals of the program. The documents are additive; each builds on the other like chapters in a book.

  • Privacy: Statutory Protections
    EFF's website that includes information about statutory protections.

  • ATT&CK Groups
    Groups are sets of related intrusion activity that are tracked by a common name in the security community. Analysts track clusters of activities using various analytic methodologies and terms such as threat groups, activity groups, threat actors, intrusion sets, and campaigns. Some groups have multiple names associated with similar activities due to various organizations tracking similar activities by different names. Organizations' group definitions may partially overlap with groups designated by other organizations and may disagree on specific activity.
    For the purposes of the Group pages, the MITRE ATT&CK team uses the term Group to refer to any of the above designations for a cluster of adversary activity. The team makes a best effort to track overlaps between names based on publicly reported associations, which are designated as “Associated Groups” on each page (formerly labeled “Aliases”).

  • Mandiant Advanced Persistent Threats

  • OASIS Cyber Threat Intelligence
    The STIX and TAXII standards are governed by the OASIS Cyber Threat Intelligence Technical Committee (CTI TC). STIX and TAXII were created in 2012 under the auspices of the US Department of Homeland Security. In June of 2015, DHS licensed all of the intellectual property and trademarks associated with STIX and TAXII to OASIS, a nonprofit consortium that drives the development, convergence and adoption of open standards for the global information society. The OASIS Cyber Threat Intelligence (CTI) TC supports automated information sharing for cybersecurity situational awareness, real-time network defense, and sophisticated threat analysis.

  • Rock the SOC - A Career Guide
    Compiled from the collective wisdom of both Devo executives and infosec community members, this guide will help you land your first role as a SOC analyst, and understand the different career tracks available to you. There are also plenty of tips on how to uplevel your skill set in order to stand out among your peers.

  • SANS SOC Training & Resources
    Equipping Blue Teamers with the right training and resources to safeguard their organizations.

  • SANS Course Previews
    Free course demos allow you to see course content, watch world-class instructors in action, and evaluate course difficulty.