My Review on Certified CyberDefender Certification
Introduction
As I usually take many cybersecurity courses and certifications, I decided to take the “CCD” course from CyberDefenders. It is a relatively new cybersecurity company focused on teaching the blue team side of cybersecurity through training and practical labs. Even though it is new, its materials are well made and updated regularly, and its certification has become known in the market.
This post will mainly focus on reviewing the memory forensics part of CCD, as I already gave a general overview of the course here.
So, What Will I Learn by Attending the Course?
The CCD certification’s unique point is having multiple blue team sub-domains inside it, along with foundational knowledge and practical labs to practice your acquired skills. I will just briefly outline the sub-domains that the course covers:
- SecOps Fundamentals
- Incident Response
- Email Security
- Evidence Collection
- Disk Forensics
- Memory Forensics
- Threat Hunting
- Network Forensics
- Malware Analysis (optional) – costs an extra $200 if you bought the course under the pre-sale offer 🙁
Overview about CCD and its Memory Forensics Section
The course is big, and it needs dedication to finish it within the 4 months of the first attempt if you have other life commitments. However, the memory forensics section is quite short and lacks many areas of memory forensics. Since the course keeps evolving and adds content frequently, I will only give my opinion on the content that was released during my period (43 slides in total, with videos, labs and everything), last checked in September 2024.
The course overall has mixed content: written material, videos, practical labs, and quizzes. For memory forensics, it has one practical lab.
The course starts with a brief intro to Windows memory forensics, followed by collecting OS information, processes and process genealogy, inspecting network connections in a memory dump, discovering persistence techniques, and MFT-related activity in memory dumps, all using Volatility2 as the main memory forensics tool.
The CCD course ends with an amazing exam that simulates APTs, and you need to score at least 70% to get the certification. Many sub-domains are involved in the exam, which are:
- Threat Hunting
- Disk Forensics
- Network Security
- Memory Forensics
- Email Security
The exam contains questions that require detailed responses in multiple fields. You are encouraged to include all relevant details in your answers, as the exam is manually reviewed by evaluators rather than automatically graded.
Things you may want to know:
- Passing the exam with 70% – 84% -> Silver Coin
- Passing the exam with >= 85% -> Gold Coin
- If you solved all labs in the CCD course, you will get 5% bonus score in the exam if your initial score is below the passing threshold (70%).
My Humble Opinion on the Memory Forensics Section of CCD Course
The course as a whole is one of the best blue team courses for its diversity and the relevant depth of information it provides.
It is not an easy or beginner certification, and it will help you become a more well-rounded blue teamer. However, in memory forensics there are many improvements that I wish to see added in a future version of it. My pros and cons below are only for the memory forensics section and its related part of the exam.
I know that nothing is perfect, but here is my humble overview about it:
Pros:
- I liked the way they present information in the module, the way they organize it, followed by videos to explain the concepts visually.
- The course opens your mind to a few third-party plugins, used by the community, that aid in some memory forensics activities.
- The course mentions some creative quick-analysis approaches, such as extracting the $MFT file from memory and having R-Studio parse it so you can view it visually.
- The course talks briefly about processes and process genealogy.
- The course talks about some Volatility plugin switches that may be less known to you than others.
- The course tells you about some areas you can check to discover persistence activity by threat actors.
- The memory forensics part of the exam was interesting and makes you think outside the box in ways you may not find in other exams.
Cons:
- I know that the course is getting updates regularly, but it did not cover any Linux-based or macOS-based memory forensics, even though the module’s name does not reflect that it is Windows memory forensics, as only Windows-related activities were discussed.
- No foundational knowledge about RAM in general, as they start immediately with memory forensics.
- The course did not cover Volatility3 at all, which is disappointing, as modern investigations need Volatility3 since it supports more recent OS profiles.
- The course discussed a very limited set of Volatility plugins and missed many, such as malfind, cmdline, dlllist, userassist, etc.
- Even though the course talks briefly about processes and process genealogy, it does not cover the expected hierarchy of benign versus malicious processes, meaning which parent I should expect a given process to be under, and which parent raises a red flag.
- The course says very, very little about system internals concepts/structures related to memory.
- The course did not discuss anything related to process injection or other advanced topics.
- I did not like that there is no feedback on the exam, even if you passed, as you want to know what mistakes you made and learn from them.
- I wish they would add more practical memory forensics labs to the CCD course.
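The process genealogy point above is worth making concrete. The following is an added example, written for this review and not taken from the CCD course or from CyberDefenders: it parses a pslist-style listing (assumed to follow Volatility2's column layout of Offset, Name, PID, PPID, ...) and flags processes whose parent is not the one Windows normally uses. The expected-parent table is a simplified summary of well-known Windows process relationships, and the listing itself is constructed for the example. Processes whose parent has already exited (normal for children of smss.exe or userinit.exe) are reported as unverified rather than as anomalies, because pslist alone cannot confirm them.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")
Finding = namedtuple("Finding", "pid name status detail")

# Assumption: simplified table of the parent each core Windows process normally
# has. Names are lower-cased for comparison. Not taken from the course material.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "taskhostw.exe": {"svchost.exe"},
    "explorer.exe": {"userinit.exe"},
}

# Matches a pslist data row: hex offset, process name, PID, PPID. Header and
# banner lines do not start with "0x" and are skipped.
PSLIST_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_pslist(text):
    """Turn pslist-style text output into Proc records (name, pid, ppid)."""
    procs = []
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            procs.append(Proc(int(m.group(2)), int(m.group(3)), m.group(1)))
    return procs


def check_genealogy(procs):
    """Compare each known process's actual parent with the expected one."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue  # no expectation recorded for this process name
        parent = by_pid.get(p.ppid)
        if parent is None:
            # Parent no longer in the list: cannot confirm from pslist alone.
            findings.append(Finding(p.pid, p.name, "unverified",
                f"parent PID {p.ppid} not in process list "
                f"(expected one of {sorted(expected)})"))
        elif parent.name.lower() in expected:
            findings.append(Finding(p.pid, p.name, "ok",
                f"parent {parent.name} ({parent.pid})"))
        else:
            findings.append(Finding(p.pid, p.name, "anomaly",
                f"parent is {parent.name} ({parent.pid}), "
                f"expected one of {sorted(expected)}"))
    return findings


def anomalies(procs):
    """Only the findings an analyst should look at first."""
    return [f for f in check_genealogy(procs) if f.status == "anomaly"]


# Constructed sample listing in the pslist column layout (not a real dump).
# PID 3316 is an svchost.exe started by explorer.exe, which is the red flag.
PSLIST_TEXT = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x85c6a020 System                    4      0     93      483 ------      0 2024-09-01 08:00:01 UTC+0000
0x86a3e3f8 smss.exe                368      4      2       29 ------      0 2024-09-01 08:00:02 UTC+0000
0x86b1c7d0 csrss.exe               452    368      9      419      0      0 2024-09-01 08:00:05 UTC+0000
0x86b2f030 wininit.exe             528    368      3       76      0      0 2024-09-01 08:00:05 UTC+0000
0x86b3a8e0 winlogon.exe            580    500      4      113      1      0 2024-09-01 08:00:06 UTC+0000
0x86c0e560 services.exe            612    528      8      221      0      0 2024-09-01 08:00:07 UTC+0000
0x86c11a40 lsass.exe               620    528      7      570      0      0 2024-09-01 08:00:07 UTC+0000
0x86c5f2b8 svchost.exe             780    612     11      374      0      0 2024-09-01 08:00:09 UTC+0000
0x86d02a70 taskhostw.exe          1544    780      9      257      1      0 2024-09-01 08:00:20 UTC+0000
0x86e4b6f0 explorer.exe           2876   2820     36     1049      1      0 2024-09-01 08:01:02 UTC+0000
0x86f33d08 svchost.exe            3316   2876      5       88      1      0 2024-09-01 08:03:41 UTC+0000
0x86f51c40 cmd.exe                3400   3316      1       24      1      0 2024-09-01 08:03:42 UTC+0000
"""

if __name__ == "__main__":
    for f in check_genealogy(parse_pslist(PSLIST_TEXT)):
        print(f"{f.status:10} {f.pid:6} {f.name:15} {f.detail}")
```

Run on the constructed listing, the check reports the svchost.exe with PID 3316 as an anomaly (its parent is explorer.exe, not services.exe), marks winlogon.exe and explorer.exe as unverified because their parents have exited, and reports the rest as ok. In a real investigation the "unverified" entries are where you would cross-check with a plugin that also lists exited processes, and the "anomaly" entries are the first candidates for a closer look at command lines, loaded modules and injected regions.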
The Course’s Fee
The course’s price is somewhat affordable, as it costs $800 now; it was $500 in the pre-sale period in 2023.
For people who cannot pay this amount, do not worry; we will be making a lot of good free content for you 🙂
Final Rating
The memory forensics section in CCD is not strong overall, and I do not want to be harsh on it, because the cert is really good overall.
Taking everything into account, I would rate only the memory forensics section 4/10, mainly due to the substantial missing content, using only Vol2 and not many other memory forensics tools, the very limited set of plugins used, focusing on Windows memory forensics only (the module should be named Windows Memory Forensics, not just Memory Forensics), and the fact that this is not a beginner certification (so including only this much is not enough), etc.
Conclusion
I talked about a blue team course, “CCD”, that I took previously with CyberDefenders, gave my humble review of its memory forensics section, covered what you will learn during the course, and listed some of its pros and cons.
Cya till the next one ~ Hoxed