NETRESEC
Β»
Training
Β»
ICS/OT Forensics
Network Forensics for Industrial Control Systems (ICS)
Instructor: Erik Hjelmvik
Erik is the creator of NetworkMiner and an experienced incident handler who has specialized in the field of network forensics.
A hands-on network forensics course that allows you to deep dive into analyzing captured full content network traffic in PCAP files. The training data is a unique data set captured during 30 days on an Internet connected network with multiple clients, servers, PLCs and other embedded devices.
Each attendee will be provided with a free single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.
Training Topics
- Decoding proprietary C2 traffic from a RAT
- Extracting files from PCAP with NetworkMiner
- Sandbox execution of malware and behavioral analysis
- Supply chain attacks
- Credential phishing
- Passive asset discovery of ICS devices
- CIP and EtherNet/IP
- Man-on-the-Side (MOTS) attacks
- Investigating a brute force attack on a web CMS
- Analyzing exploitation of a web server
- Tracking commands sent to web shells
- Tracking lateral movement to ICS devices
- Modbus/TCP forensics
- UMAS over Modbus/TCP
- S7 Communication forensics
- Analyzing IEC 60870-5-104 (IEC 104) traffic
- Using JA3 to track TLS encrypted malware traffic
Target Audience
The ICS / OT training is built for personnel tasked with operating or protecting critical infrastructure, but the topics covered should be relevant for anyone working with security in environments encompassing both IT and OT. Students must be comfortable using linux command line tools and have a basic understanding of TCP/IP communications.
On Site Training
Would you like us to visit your facility to do on-site training? If youβre in the European Union, then that can be arranged. Please contact us for further details.
Live Online Training
Would you like us to teach our network forensics class as a private live online training exclusively to your team? Please contact us for further details.
Two or Three Days
The Network Forensics for ICS training is a two-day class, even though the live online training often is delivered as four half-days. The contents of the training overlaps with the Incident Response version of our network forensics training. We can therefore offer a 3-day combo, covering both Incident Response and ICS labs, as an alternative to the standard two-day class.