I'm happy to announce that I will teach a two-day Network Forensics class at the upcoming Troopers conference in March! The first day of training (March 14) will cover how to use open source tools to analyze intrusions and malware in captured network traffic. On day two (March 15) I will show attendees some tips and tricks for how to use software developed by us at Netresec, i.e. NetworkMiner Professional and CapLoader. This training is a rare opportunity to learn how to use this software directly from the main developer (me). Everyone taking the class will also get a free 6 month personal license for both NetworkMiner Pro and CapLoader.
Scenario and Dataset
The dataset analyzed in the class has been created using REAL physical machines and a REAL internet connection. All traffic on the network is captured to PCAP files by a SecurityOnion sensor. The scenario includes events, such as:
- Web Defacement
- Man-on-the-Side (MOTS) attack (much like NSA/GCHQ's QUANTUM INSERT)
- Backdoor infection through trojanized software
- Spear phishing
- Use of a popular RAT (njRAT) for remote access and exfiltration
- Infection with real malware
Class attendees will learn to analyze captured network traffic from these events in order to:
- Investigate web server compromises and defacements
- Detect Man-on-the-Side attacks
- Identify covert backdoors
- Reassemble incoming emails and attachments
- Detect and decode RAT/backdoor traffic
- Detect malicious traffic without having to rely on blacklists, AV or third-party detection services
Training room at TROOPERS'15
For more details about the training, please visit Netresec's or Troopers' training pages:
The TROOPERS conference and training take place at the Print Media Academy in Heidelberg, Germany.
For more info about travel and accommodation, please visit:
Hope to see you at TROOPERS16 in Heidelberg, Germany!
Posted by Erik Hjelmvik on Tuesday, 15 December 2015 10:53:00 (UTC/GMT)