Context
After a really good experience with eLearnSecurity content, I decided to enroll in the eLearnSecurity Certified Incident Responder (eCIR) certification course. To be honest, I already had experience with incident response, and the following lines are to be read with this in mind, especially if you have never done any before.
Course
As usual for eLearnSecurity, the course material consists of slide presentations, videos and practical labs.
My overall impression of the course is that it is good, but not complete. I would recommend the course to newcomers in incident response/detection/SOC jobs who want to introduce themselves to some of the principles and the open-source tools available on the market. I would not consider it a master class on incident response. First, because it is very hard to make an all-in-one course/certification on such a broad domain, and second, because too many aspects of incident response are not explored in depth in the materials (such as memory forensics). This being said, the course is of good value compared to other providers I have tested in the past, and it is still hands-on, which puts it at a far higher rank than slide-based, quiz-exam certifications that give you no practice and leave you with nothing once you are done.
I have not seen any job offer mentioning this certification; I do not feel it would be a game changer for getting hired, but I like to think of it as a good plus to add to your resume.
The versions of the tools used in the course are not up to date, so the current documentation for Suricata, for example, could not be applied directly; you can still access the older versions' documentation online though.
Incident Handling & Response Overview
Probably the part of the course I liked least, not because of the subject but because working over VNC for the GRR and Velociraptor labs was just a pain. It is slow, and the displayed window cannot be resized from a Linux host.
Network & Traffic analysis
This part is well explained; however, do not assume you will know everything there is to know about networking once you have been through the material. The course covers, among other things, basic concepts of 802.x, IP and TCP, and how to analyze a pcap file with Wireshark.
A small problem I had was not being able to access the “traffic analysis” lab. I did not sort it out with INE support as I already knew the subject in depth, but I suggest you do if you take the course.
I would recommend playing in depth with Wireshark and not only following the course material, as this is a critical skill to have in IR.
I used malware traffic a lot in the past; you could use it to get some Wireshark practice.
Suricata
The Suricata material is basic but well explained, with interesting side resources given, especially on people reversing malware for you to take as input to create rules. This is a real-life detection job scenario, simplified, and it is fine for incident response activities; the point is not to turn you into a reverse engineer. However, I found the rules described not always relevant, and they did not always take into account important detection principles such as not raising false positives, being specific enough, or not writing a signature for something that can be pulled out of a log.
I would also have liked to see more complex signature scenarios with Lua.
Zeek
The version used for the labs is also quite old (2.5.2, an October 2017 release).
As for Suricata, the introduction to Zeek (formerly Bro) is well explained; the content on how logging works, how to use the logs and how to write scripts is relevant but basic. It is up to you to dig in and understand how Zeek scripts work, which protocols it can handle, etc. This makes total sense, as the course is not an in-depth lesson on Zeek’s capabilities.
As for the Suricata part, however, I found the lab “tasks” quite heterogeneous, some being relevant, others less so, requiring you to think well outside the box to find things by yourself. I would advise not spending too much time trying to do everything by your own means, and going through the solutions when you are stuck for more than half an hour.
Note that the Zeek devs have a pretty good interactive tutorial for learning the scripting language's syntax and concepts.
Snort
The Snort part is, like the two other IDSs above, more of an introduction than an in-depth section.
Practical incident handling
There were no labs in this section, just slides. It is divided into several subsections:
- Reconnaissance & Information Gathering
- Scanning
- Exploitation
- Post-exploitation
The reconnaissance methods covered are good, even if passive ones cannot be detected.
The post-exploitation phase is the most fleshed out, with a lot of Windows knowledge on common attacks. Linux is covered, but with fewer examples.
SOC 3.0
This part is where the previous concepts start to make sense. Its objective is to make you a good SIEM analyst. IMHO, the main value of the course is in this section.
There are labs on both Splunk and ELK. This is very good practice for real incidents, as it is likely you will be dealing with one of these two in the real world. The lab scenarios are good and well guided; they teach you how to navigate the logs ingested by both solutions.
I would suggest getting extra practice on Splunk because, since the course material was published, several “Boss of the SOC” events have happened, and it is free, good training. Check it out.
There are a lot of Tactics, Techniques and Procedures (TTPs) for Windows attacks, and very few for Linux, which is a pity. I agree that most incidents happen on Windows machines, but a lot of enterprise servers run on Linux, and thus Linux TTPs are a must-know for incident responders. I strongly suggest finding extra material to familiarize yourself with them, for example the very good GTFOBins for privilege escalation.
I truly think the “Baseline” section is unrealistic (more below).
Exam
The exam is a practical incident response case consisting of a virtual lab lasting 48 hours. The goal is to identify and report what happened and how it happened. You get 48 more hours afterwards to write your report, but I would suggest writing it as you are doing the IR.
It is the most realistic blue team exam/exercise I have seen so far. That being said, I had not taken other IR or blue-team oriented certifications before this one.
Because of the time constraints and the tasks asked of you, there is quite a bit of pressure. I would recommend spending your time rationally and not getting stuck on one task for hours while totally ignoring another that you knew how to do.
I regret that most of what I used for the exam were techniques I knew from my previous jobs. I did use some of those from the course, but I feel that if the only resource you use is the INE material, you will not have enough knowledge.
Keep in mind the following:
- learn how, when and on what to pivot in a log
- you do not need to find the infection vector to start an investigation; you can catch a post-exploitation phase, for example, and “walk back” through the attacker's actions
- keep a list of the indicators of compromise you find (hashes and names of executables, IP addresses, etc.)
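As an added illustration of the “pivot”, “walk back” and indicator-list points above (example code, not from the original post or the course), here is a small Python script that starts from a known-bad process event in a constructed log, pivots backwards in time on shared fields to rebuild the chain that led to it, and then extracts indicators from what it finds. The event schema, the log lines and the pivot fields are all assumptions.

```python
import re
from collections import namedtuple
# Constructed event schema (an assumption, not a real SIEM format).
Event = namedtuple("Event", "ts host user src_ip action detail")

# Constructed sample log; hosts, users and addresses are made up. Timestamps
# are zero-padded strings, so plain string comparison gives time order.
LOG = [
    Event("09:58", "WS-07", "alice", "10.0.5.20", "email_open", "invoice.doc"),
    Event("09:59", "WS-07", "alice", "10.0.5.20", "process", "winword.exe -> powershell.exe"),
    Event("10:00", "WS-07", "alice", "10.0.5.20", "net_conn", "198.51.100.7:443"),
    Event("10:02", "WS-12", "bob", "10.0.5.31", "logon", "type 2 (interactive)"),
    Event("10:05", "SRV-01", "alice", "10.0.5.20", "logon", "type 3 (network)"),
    Event("10:06", "SRV-01", "alice", "10.0.5.20", "process", "cred_dump.exe"),
]

def walk_back(log, start, pivots=("host", "user", "src_ip"), max_hops=3):
    """From a known-bad event, repeatedly pivot on fields shared with earlier
    events to collect the chain that led to it. Picking the pivot fields is the
    analyst's call: a busy user or host alone pulls in too much, so bound hops."""
    related = {start}
    frontier = [start]
    for _ in range(max_hops):
        new = []
        for ev in frontier:
            for cand in log:
                if cand in related or cand.ts > ev.ts:
                    continue  # only walk backwards in time
                if any(getattr(cand, f) == getattr(ev, f) for f in pivots):
                    related.add(cand)
                    new.append(cand)
        if not new:
            break
        frontier = new
    return sorted(related, key=lambda e: e.ts)

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
FILE_RE = re.compile(r"\b[\w-]+\.(?:exe|doc)\b")
def extract_iocs(events):
    """Running indicator list for the report: addresses and file names seen."""
    iocs = {"ips": set(), "files": set()}
    for ev in events:
        iocs["ips"].update(IP_RE.findall(ev.detail))
        iocs["files"].update(FILE_RE.findall(ev.detail))
    return iocs

if __name__ == "__main__":
    chain = walk_back(LOG, LOG[-1])  # start from the credential-dumping process
    for ev in chain:
        print(ev.ts, ev.host, ev.user, ev.action, ev.detail)
    print(extract_iocs(chain))
```

Bob's interactive logon shares no pivot field with the chain and is left out; in a real SIEM the same idea is a sequence of searches on the field you choose to pivot on, with the indicator list growing at each hop.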
Course vs. reality
I find the course to be a good introduction to incident response. I think it is better than other courses I have seen before, and it is good to have before starting an IR job.
I think a complete course on incident response is impossible because nothing teaches you how messy things can get in real life, so educating yourself through this type of course/certification should be seen as a step towards being a better analyst, but it will never be as good as field experience.
A few other things:
- Keep in mind that a good detection rule for production must be thought through far more than what is presented in this course. The rules given as examples in it are for incident response and are usually meant to be temporary. One should be careful about both the performance and the pertinence of rules in other contexts.
- Building a baseline of software is almost mission impossible. IT departments in organisations are usually understaffed and do not want to deal with the “new software from HR is not working because it is not whitelisted” problem. It requires good maturity and follow-up to implement baselines.
That’s all folks. If you have feedback or want to exchange, write to me :).