You can read every free article on threat investigation, but you will only become effective when you take a free alert from The DFIR Report , open a free SIEM (like Splunk Free or ELK Stack on your laptop), and manually walk through the kill chain.
Go to The DFIR Report . Pick the most recent "Ransomware" write-up. Copy the first IP address listed. Put it into VirusTotal (Relations tab). Find the associated domain. Put that domain into URLhaus . See the malware sample. Ask yourself: How did the initial analyst spot this?
Do that once a day, and you will out-perform 90% of paid training graduates within three months. You can read every free article on threat