- Ken Dunham - Introduction to Malicious Netflow Investigations (8am - 12pm)
- Filtering the Noise (1 - 5pm)
Introduction to Malicious Netflow Investigations (8am - 12pm)
Ken Dunham will lead a hands-on class on how to quickly perform incident response and threat research to properly respond to ongoing threats against a network. Key components include introduction to Wireshark and netflow traffic, baselining normal activity, streams analysis, and HTTP data filters. Finally, participants will learn how to apply domain intelligence and malcode analysis to discoveries made during netflow investigations.
Target audience: Incident responders and tactical staff that regularly work with domain and IP management.
Topics covered:
- Triage of netflow activity
- Identification of normal activity
- Identification of C&Cs of interest
- Stream analysis
- HTTP data
- Filters
- Domain Intelligence
- Malcode Analysis Triage
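To give a concrete sense of the first three topics (triage, baselining normal activity, identifying C&Cs of interest), here is an added example that is not part of the course material or its lab exercises. It works on a small constructed set of flow records (five-tuple plus start time and bytes, the fields most netflow exporters provide): destinations reached by several distinct internal hosts are treated as the "normal" baseline, and the remaining per-host destinations are scored for beaconing, i.e. a regular connection interval, which is one common C&C signature. The thresholds (three sources for the baseline, five flows minimum, interval variation under 15%) are assumptions chosen for the sample, not values from the course.

```python
"""Netflow triage: baseline popular destinations, then flag beaconing candidates.

Added example with constructed flow records; not from the course or any real capture.
"""
import statistics
from collections import defaultdict

# Constructed sample flows (start_epoch, src, dst, dport, proto, bytes).
# 203.0.113.10:443 is reached by four hosts (normal baseline).
# 10.0.0.7 beacons to 198.51.100.23:8080 roughly every 300 s with near-constant size.
# 10.0.0.8 also talks repeatedly to a rare host, but at irregular intervals (not a beacon).
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,bytes
1700000000,10.0.0.5,203.0.113.10,443,tcp,5120
1700000012,10.0.0.6,203.0.113.10,443,tcp,7300
1700000020,10.0.0.7,203.0.113.10,443,tcp,2211
1700000033,10.0.0.8,203.0.113.10,443,tcp,9840
1700000050,10.0.0.8,198.51.100.77,443,tcp,3300
1700000090,10.0.0.8,198.51.100.77,443,tcp,120
1700000100,10.0.0.6,198.51.100.40,443,tcp,1500
1700000150,10.0.0.5,192.0.2.9,22,tcp,64000
1700000200,10.0.0.7,198.51.100.23,8080,tcp,812
1700000500,10.0.0.7,198.51.100.23,8080,tcp,815
1700000700,10.0.0.8,198.51.100.77,443,tcp,9100
1700000730,10.0.0.8,198.51.100.77,443,tcp,450
1700000802,10.0.0.7,198.51.100.23,8080,tcp,810
1700001099,10.0.0.7,198.51.100.23,8080,tcp,818
1700001401,10.0.0.7,198.51.100.23,8080,tcp,812
1700001699,10.0.0.7,198.51.100.23,8080,tcp,814
1700001900,10.0.0.8,198.51.100.77,443,tcp,2700
1700002000,10.0.0.6,198.51.100.40,443,tcp,2200
1700002050,10.0.0.8,198.51.100.77,443,tcp,800
1700002100,10.0.0.5,203.0.113.10,443,tcp,4100
"""


def parse_flows(text):
    """Parse CSV flow records (header row first) into a list of dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        f = dict(zip(header, line.split(",")))
        flows.append({"start": int(f["start"]), "src": f["src"], "dst": f["dst"],
                      "dport": int(f["dport"]), "proto": f["proto"], "bytes": int(f["bytes"])})
    return flows


def baseline_destinations(flows, min_sources=3):
    """(dst, dport) pairs reached by at least min_sources distinct internal hosts.

    Many hosts hitting the same service is how update servers, SaaS and DNS look;
    that is the 'normal activity' we want to filter out before hunting.
    """
    sources = defaultdict(set)
    for f in flows:
        sources[(f["dst"], f["dport"])].add(f["src"])
    return {pair for pair, hosts in sources.items() if len(hosts) >= min_sources}


def coefficient_of_variation(values):
    """stdev / mean; None when undefined. Low values mean 'very regular'."""
    if len(values) < 2:
        return None
    mean = statistics.mean(values)
    return statistics.stdev(values) / mean if mean else None


def find_beacon_candidates(flows, baseline, min_flows=5, max_interval_cv=0.15):
    """Per (src, dst, dport) outside the baseline, score timing regularity.

    A malware beacon checks in on a fixed timer, so the gaps between flow starts
    cluster tightly; irregular human or scanner traffic does not.
    """
    groups = defaultdict(list)
    for f in flows:
        if (f["dst"], f["dport"]) not in baseline:
            groups[(f["src"], f["dst"], f["dport"])].append(f)

    candidates = []
    for (src, dst, dport), group in groups.items():
        if len(group) < min_flows:
            continue  # too few flows to judge periodicity
        group.sort(key=lambda f: f["start"])
        intervals = [b["start"] - a["start"] for a, b in zip(group, group[1:])]
        interval_cv = coefficient_of_variation(intervals)
        if interval_cv is None or interval_cv > max_interval_cv:
            continue  # present but irregular: leave for manual review, not a beacon
        candidates.append({
            "src": src, "dst": dst, "dport": dport, "flows": len(group),
            "mean_interval": statistics.mean(intervals), "interval_cv": interval_cv,
            "size_cv": coefficient_of_variation([f["bytes"] for f in group]),
        })
    return sorted(candidates, key=lambda c: c["interval_cv"])


def triage(text):
    """Full pass over raw records: baseline first, then beacon scoring."""
    flows = parse_flows(text)
    return find_beacon_candidates(flows, baseline_destinations(flows))


if __name__ == "__main__":
    for c in triage(SAMPLE_FLOWS):
        print(f"{c['src']} -> {c['dst']}:{c['dport']} flows={c['flows']} "
              f"interval~{c['mean_interval']:.0f}s cv={c['interval_cv']:.3f} size_cv={c['size_cv']:.3f}")
```

On real data the baseline would be built from a known-clean window rather than the same records being triaged, and surviving candidates still need the domain intelligence and sample analysis the later topics cover before anyone calls them C&C; this pass only decides where to look first.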
Required setup: Laptop with VMware or a similar virtualization solution with:
- Windows XP or Windows 7 installed as VM
- Updated version of Wireshark installed on Windows VM
- Wireless capabilities
Note: There will not be time for extensive setup support during class. Be prepared to start at 8am sharp. Please take care of any setup issues prior to class.
Recommended skills: Participants will ideally have experience with Windows and some Linux, and will not be afraid of the command line or of analyzing PCAP data (prior experience highly preferred). Familiarity with netflow is a must, as there will not be time for specific instruction or questions to bring those new to the subject up to speed.
Filtering the Noise (1 - 5pm)
This workshop will explore the building blocks to starting an affordable security testing methodology. The workshop will begin by getting some well known security tools installed and configured for real-world ethical testing of participants' own infrastructure and applications.
Target audience: Security, network, and system administrators interested in learning how to identify target systems on their network and in participating in design and remediation discussions.
Topics covered:
- Building a toolbox
- Mapping systems
- Identifying risk in systems
- Identifying risk on the wire
- Remediation
- Network design considerations
- System build solutions
Required setup: Windows laptop. Other requirements TBD.
Note: There will not be time for extensive setup support during class. Be prepared to start at 1pm sharp. Please take care of any setup issues prior to class.
Recommended skills: Hands-on participants will ideally have experience with Windows and some Linux, and will not be afraid of the command line. Design and solution discussions are open to the less technical, but will require a logical understanding of networking.

