Tech Solvency: Blue Team

Literally everything by Phil Venables
The Razor's Edge - Cutting Your TLS Baggage (jschauma)
Database anonymization for testing (John Cook)
Incident response team *must* run its own infrastructure
NIST CSF
Belfer Center's Cybersecurity Campaign Playbook (election/campaign-specific, but some good general lessons also)
Security and Privacy in Computer Systems - Willis Ware, RAND, 1967. Prescient.
Learning from Near Misses (Adam Shostack
Army War College Campaign Planning Handbook
Coercion - a problem larger than authentication (the grugq)
Dropbox's pro-researcher bug-bounty philosophy
Paranoid Principles (jschauma)
MITREattack as CSV
The Anomaly of Cheap Complexity (Halvar Flake)
Paint by Numbers: Resilience in Security (Kelly Shortridge)
Device Guard and Application Whitelisting on Windows - An Airing of Grievances (@mattifestation)
Introduction to logging for security purposes (SCSC/GCHQ)
Daniel Ellsberg on the Limitations of Knowledge
Inciteful Gujarat study on re-incentivizing audit
FIRST Best Practice Guide Library (BPGL)
Understanding Cyber Conflict: 14 Analogies (Carnegie Endowment, Perkovich & Levite eds)
The Rational Rejection of Security Advice by Users (Cormac Herley)
Future Cyberwar (Schneier excerpting Mark Cancian)
In cyberwar, there are no rules (Why the world desperately needs digital Geneva Conventions.) (Tarah Wheeler)
Supply Chain Security 101: An Expert’s View (Brian Krebs / Tony Sager)
Stop using Apache Struts (Chad Loder)
How to irregular cyber warfare - "Accomplishing one specific goal is hard, but accomplishing any goal is easy." (Rob Graham)
Disable all crash dumps (John-Mark Gurney)
A Theory of Information Warfare: Preparing for 2020 (USAF, 1995)
Manage Insider Risk and Prevent ‘Big Brother’ Perception, Part 3 (OODA)
Perry Metzger Twitter thread on certs, and computer security as actual warfare
Misconceptions, Battle Scars, and Growth (Tim MalcomVetter)
Designing Security for Billions (Facebook)
Forcing the Adversary to Pursue Insider Theft (Bejtlich)
Cyber Incident Response and Resiliency in Cities
Fundamental Drivers of Security Risk (@philvenables)
Security Program Tactics (@philvenables)
Left and Right of Boom (@malcomvetter)
Simple Rules of (InfoSec) Career Success (Phil Venables)
Classifying Types of Security Work - applying Phoenix Project work types (Ryan McGeehan)
MITRE ATT&CK Framework
Your First Month as a CISO: Forming an Information Security Program (Lenny Zeltser)
MITRE Shield Active Defense Matrix
Technical Approaches to Uncovering and Remediating Malicious Activity (CISA)
Raise the Baseline by Reducing the Cost of Control (Phil Venables)
Hometown Security (CISA)
Computer Security and the Internet: Tools and Jewels (Paul van Oorschot)
(Technical) Infosec Core Competencies (@jschauma)
Stewardship of global collective behavior
The Actual Cybersecurity Workforce Challenge
Cybersecurity: The Board's Perspective (Phil Venables)
Account Takeover Checklist
Some reasons to measure (Dan Luu - an inspiring take)
Microsoft Cybersecurity Reference Architectures
How to ask questions to succeed with security projects (Zeltser
RFC 1087 - Ethics and the Internet
Threat Modeling (shellsharks)

Ransomware Protection Strategies (CISA)
CISA Insights: Ransomware Outbreak (PDF)
US-CERT Ransomware summary
Ransomware Protection and Containment Strategies (FireEye)
Mitigating malware and ransomware attacks (UK NCSC)
nomoreransom.org

Mutually Agreed Norms for Routing Security

Getting clear about risk (Godin) - "How much would it cost you (in time, money, effort, distraction) to make yourself ten times less likely to be at risk?"

x0rz/phishing_catcher
Sysmon configuration for the enterprise (SwiftOnSecurity)
Sysmin and ETW for So Much More (Binary Defense)
the missing Sysmon changelog
sysmon-modular
Microsoft's Sysmon suspicious activity guide
LogonTracer (JPCERT)
ACSC Windows Event Logging
Weffles - Windows Event Forwarding + PowerBI(@jepayneMSFT)
list of Windows Event ID 4624 login type codes (@jepayneMSFT)
Magic-Unicorn-Tool - Office 365 Activities API report parsing tool
Alert on registry changes related to security:
- LMCompatibilityLevel, NTLMMinClientSec and RestrictSendingNTLMTraffic
LogonTracer: Investigate malicious Windows logon by visualizing and analyzing Windows event log (JPCERTCC)
SpiderLabs list of scanner user agents
How do I detect technique X in Windows? (@mattifestation) - tweet (w/slides and code)
7 Habits of Highly Effective SOCs (Expel.io)
BlueTeamLabs/sentinel-attack - Repository of sentinel alerts and hunting queries leveraging sysmon and ATT&CK
ShadowServer Executable allow-list lookup
Intro to YARA (Varonis)

Psychology of Intelligence Analysis (CIA)
Guide To Using Reverse Image Search For Investigations (Bellingcat)

Infection Monkey - crawl the network, propagate via benign exploitation, and report
SSH Auditor - "designed so that you can run ssh-auditor discover + ssh-auditor scan from cron every hour to to perform a constant audit.">
Vulnerability Disclosure Policy Templates (CERT/CC)
Vulnerability Coordination Maturity Model (Luta Security)
SharpHound - map AD interdependency and attack graph. Safe to run non-invasively (BloodHound)
VUlnerability MAnagement - Updated (Phil Venables)
CISA Known Exploited Vulnerabilities Catalog
Modemly Pulse - tracks router and related vulnerabilities monthly

russelltomkins/Active-Directory Collection of scripts for querying and managing Active Directory and Domain Controllers
MFA coverage audit (Microsoft)

x0rz/phishing_catcher
EyeWitness - take screenshots of websites, get server headers, identify default creds if possible
Preparing for a BeyondCorp world: Understanding your device inventory
Axonius - commercial asset inventory by mashing up all of your existing data sources - brilliant
rumble.run - commercial asset discovery with simple agents, fantastic interface (by HD Moore) - also excellent
Taking Inventories to the Next Level - Reconciliation and Triangulation (Phil Venables

Keep an eye on your root certificates (SANS, Mertens)
Provisioning and securing security certificates (NCSC)

CSP Cheat Sheet (Helme)
How to configure Samba to use SMBv2 and disable SMBv1
Content Security Policy cheat sheet (Helme)
Fleet Management at Scale (Google)
Wifi/gateway/router security checklist
PacBot - cloud config hardening and auto-remediation
Linux Hardening in the Wild
Mozilla guide on hardening OpenSSH
Azure AD: disabling legacy auth
NCSC guidance on managing public domain names
WDEG (successor to EMET, Windows 10 1709 and later)
Awesome Windows Domain Hardening (PaulSec)
Azure AD Password Protection
HardeningKitty.ps1
Windows 10 Hardening (0x6d69636b)

How to Stop Apps From Tracking Your Location (NYT)

Cache-Control recommendations (April King)

Controlling Google Chrome Web Extensions for the Enterprise (rootsecdev)

Disabling SMBv1: aka.ms/stopusingsmb1 aka.ms/stillneedssmb1 aka.ms/smb1rs3 aka.ms/disablesmb1 - tweet (@NerdPyle)
Active Directory administrative tier model (Microsoft)
Securing opening Microsoft Office documents that contain DDE fields
Network access: Do not allow storage of passwords and credentials for network authentication (Microsoft)
Network access: Restrict clients allowed to make remote calls to SAM
Preventing Mimikatz attacks
Mitigations against Mimikatz Style Attacks (SANS/Rob VandenBrink)
Wifi/gateway/router security checklist
Demystifying the Windows Firewall (Jessica Payne)
How to Disable LLMNR and Why You Want To (Black Hills InfoSec)
How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
Set-MpPreference -PUAProtection enable - enable PUA protection on Windows (run from admin PowerShell prompt)
An Introduction to BitLocker (Elcomsoft)
Preventing SMB traffic from lateral connections and entering or leaving the network
Securing Domains Controllers Against Attack (Microsoft

iOS Security Overviews archive (0xmachos)
OS X / Mac OS Security Guides (0xmachos)

PassFiltEx Windows password strength requirement (passfilt.dll-based)
OpenPasswordFilter - another implementation
good design for account recovery / password reset, and Troy Hunt outline of same
Sharing Secrets (Jan Schaumann)

CIRCLean - USB sanitizer (Pi-based media sanitization station)
DangerZone (Convert PDF/doc/image to sanitized PDFs)

@malwareunicorn's RE Malware 101
Tyler Hudak's Intro to Reverse Engineering
Antivirus Event Analysis Cheat Sheet
Google Timesketch - collaborative forensic timeline analysis (GitHub)
Google GRR - GRR Rapid Response - remote live forensics for IR (GitHub)
Google Turbinia - automation and scaling of digital forensics tools (GitHub)
QuickBMS - "Files extractor and reimporter, archives and file formats parser, advanced tool for reverse engineers and power users, and much more."
data from a specific set of Cowrie honeypot logs (xxdesmus)
AbuseIPDB - pooled honeypot/scan data
FIR - Fast Incident Response - general framework for IR information sharing
GHCQ CyberChef - The Cyber Swiss Army Knife (web-based; encode, decode, convert, hexdump ...)
How to get started with Malware Analysis (@0verfl0w_)