Enhance digital forensics and incident response (DFIR) skills with Sherlocks

In our latest report on the critical skills for modern SOC analysts, over half (58.4%) of participants ranked practical Machines (instances of vulnerable virtual machines) as the resources they’re most interested in to improve their DFIR skills. This is one of the main reasons why it is so exciting to add our new investigation-based defensive security scenarios to HTB Labs: Sherlocks.

15 Sherlocks will be initially available entirely for free to all users: this will give the opportunity to all platform members to experience a simulated incident investigation and familiarize themselves with a new type of practical labs. 

After the first release period, we will gradually start to divide Sherlocks into free and premium labs, but always keeping 8 (eight) of them accessible with a free plan. Premium Sherlocks will be included in VIP and VIP+ subscriptions. A new, free Sherlock will be regularly released every two weeks.

“Having worked in a variety of roles, from System Administrator to SOC Analyst, and even as a DFIR professional, relevant and fun learning experiences can be hard to find. A huge challenge was ensuring my technical skills were relevant, and that I had the motivation to continue learning. Sherlocks provides the community and industry the opportunity to do this. With a heavy focus on realism, I am confident any individual can utilize the skills learned within Sherlocks almost immediately.”

 

Sabastian Hague (sebh24), Defensive Security Content Lead @ Hack The Box

What is a Sherlock?

Let’s start from the basics. Sherlocks are defensive security practical labs simulating real-world incidents. You’ll be asked to conduct an investigation based on a provided cyber attack scenario and clues, with the goal of unraveling the dynamics behind them. By practicing with Sherlocks, individuals and organizations can grow their skills and knowledge on:

• Digital Forensics and Incident Response (DFIR)

• Security Operations Center (SOC)

• Threat Hunting and Threat Intelligence

• Malware Analysis

Sherlocks follow a semi-guided learning approach: a set of questions will appear to lead the investigator in the correct direction, with a very similar interface as the newly introduced Guided Mode feature on Machines. While in Guided Mode questions are meant to lead you through the scenario and get the flags, in Sherlocks questions are the actual flags!

1. Understand the scenario

In any incident, we always say “context is king”. Reading the scenario, understanding what has occurred, and what you are investigating before starting any analysis is the correct practice to follow. This is also a great opportunity to deeply engage with the situation you are in. We have built Sherlocks to be as realistic as possible and therefore the scenario is extremely important!

2. Work your way through the data

What follows is the right phase to start analyzing the provided artifacts! Download the zip file, unzip it using the provided password, and get an understanding of the clues you have been provided with. At this stage, it's worth taking notes of what tools you might need. A simple CLI would suffice for some Sherlocks, whereas for others you may need to call on the help of Zimmerman’s Tools or install a local SIEM instance such as Splunk or ELK. 

3. Unravel the mystery

You understand the scenario, and you have analyzed the data. Next, we need to answer the key questions within the Sherlock! As you answer the relevant questions the mystery of how the compromise, breach, or attack has happened will be gradually clear. 

PLAY SHERLOCKS

Recommended read: A step-by-step guide to writing incident response reports (free template inside)

Comprehensive blue team upskilling

Hack The Box is now an all-in-one solution for defensive learning and upskilling. With the release of Sherlocks on HTB Labs, all our community and business clients have access to enhanced threat-connected content, from guided fundamental courses to fully practical scenarios.

All HTB defensive security content is mapped against the NIST/NICE framework, making it easier than ever to build a skills development path or incident response plan following the main industry threats and how to detect techniques, tactics, and procedures used by real adversaries.

As an example, every course featured on the SOC Analyst job-role path—and leading to the recently launched HTB Certified Defensive Security Analyst exam—can be further enhanced by practicing on Sherlocks, improving the capability to prioritize and identify logs.

Defensive security for enterprises

The average cost of an attack is about $2.5M. At the same time, companies find it challenging to source and retain talented security professionals. This shortage leads to increased workloads and burnout among existing team members.

HTB’s defensive security-focused labs and courses provide professionals with the tools and skills to deliver the required day-to-day tasks to keep an organization secure and avoid risks. Sherlocks are already available as part of our Dedicated Labs business plans—get in touch with our team to know more.