Mandiant Network Monitoring

Learn how to improve security by implementing network traffic monitoring.

This course is not currently offered by Global Knowledge. Information here is provided for reference only.

Performing network monitoring is a critical skill set for any organization that wants to monitor incoming traffic (intrusion detection) as well as monitor outgoing traffic (extrusion detection). During this intense 3-day course, experienced Mandiant instructors cover the processes and technology that allow an organization to successfully implement network traffic monitoring. We discuss how to place network sensors, how to eliminate white noise and isolate traffic of interest, and how to interpret the data. Students perform hands-on event, session, and full content monitoring of the classroom network, as well as review network traffic from dozens of attack scenarios.

What You'll Learn

  • Understand and recognize the most common and critical low-level network protocols
  • Set up and manage an enterprise-wide network security monitoring capability
  • Use network security monitoring to assist in the Incident Response process
  • Implement full-content monitoring of employees or intruders
  • Configure traffic sensors and minimize the data collection effort
  • Reconstruct various types of network traffic
  • Recognize common threats such as denial of service attacks or buffer overflow exploits

Who Needs to Attend

Information technology and information security personnel, corporate investigators, or other staff who require an understanding of how networks work, how to capture network traffic, how to investigate network use, how to identify and escalate suspected computer security incidents, and how to safeguard corporate assets via network defense.

Prerequisites

There are no prerequisites for this course.

Follow-On Courses

There are no follow-ons for this course.

Course Outline

Day One
  • Introduction
  • Case Study
  • Network Protocol Review
  • The Incident Response Process - Network Traffic Analysis
  • Connection Monitoring
  • Network Monitoring Hardware and Placement

Day Two
  • Full Content Monitoring
  • Full Content Monitoring Exercise
  • Traffic Analysis - Protocols
  • Protocol Analysis Exercise
  • Traffic Analysis - Tools
  • Traffic Analysis Tools Exercise

Day Three
  • Introduction to the Snort IDS
  • Investigating BOT Networks
  • Honeypots and Real-World Attacks
  • Final Exercise

Network Monitoring - Day One

Introduction: We introduce the instructors, the company, and the schedule of the course. Attendees then introduce themselves to the class and discuss some of their background in the computer field. Each attendee will provide at least one thing they want to learn more about during the course. Instructors also discuss the classroom network topology, handout materials, and software.

Case Studies: In this section we will go step-by-step through a case study that demonstrates the importance of successful network traffic analysis. The case study provides students with an appreciation of how effective network monitoring provides appropriate investigative leads as well as fosters more effective remediation of an incident.

Network Protocol Review: Students review the OSI model and encapsulation, and discuss the structure of TCP/IP packets and how they traverse the Internet. We also review the function of switches, hubs, routers, firewalls, and other network devices. We discuss the Windows TCP/IP protocol stack, explain what ports and daemons are, and review some of the commonly used ports. This section is intended strictly as a review of networking concepts and TCP/IP; a student unfamiliar with general networking concepts will be challenged.

The Incident Response Process - Network Traffic Analysis: This section provides a primer on how network monitoring and traffic analysis contribute to the Incident Response process. Students will learn the differences between event, session (connection), and full content monitoring, and they will discuss the different tools that are used to perform each type of network monitoring.

Session Monitoring: During this session we discover why session/connection monitoring is so important to network defense and Incident Response. We discuss review techniques to help network traffic analysis progress faster and how analysts can quickly minimize the data to find the more relevant sessions of interest. We examine and use open source connection monitoring tools, including ARGUS, SANCP, TCPFLOW, and TCPTRACE. We also discuss commercial session analysis tools and tools such as Sanitizer, Netflow Analyzer, and Stealthwatch, which assist in reviewing netflow and sflow data collected by network devices. Students get plenty of hands-on experience reviewing TCP session data, cutting through the white noise to the sessions of interest.

Network Monitoring Hardware and Placement: Students review network topologies and discuss how hubs, SPAN ports, taps, and bridges affect the placement of network monitoring devices. We discuss the complications that VLANs introduce to network monitoring and how to respond to the challenge. During this session, students learn what they need to know in order to properly place network capturing devices on their target networks. We conclude this section by discussing some of the challenges of storing the immense amounts of data that are often captured on large networks.

Network Monitoring - Day Two

Full Content Monitoring: Students examine how to perform full content monitoring of network traffic. Since full content packet capturing involves the potential to collect significant amounts of data, we discuss all the different criteria and methods used to minimize the capture of data when full content is sought. Specifically, students learn command line tools and methods to filter the collection of network traffic based on IP ranges, port numbers, and other TCP/IP header information.

Full Content Monitoring Exercise: Mandiant believes that hands-on, practical exercises are the best way to turn classroom theory into actual capability. This extensive exercise presents students with an opportunity to review data taken from a real computer intrusion. The exercise is designed to be challenging and requires students to employ all the tools and techniques they have been taught. An instructor will review the entire exercise to ensure that all learning points have been covered and that methodologies are completely understood.

Traffic Analysis - Protocols: This section is the operational aspect of the course. Students examine the common protocols in use by end users and learn how to recognize web traffic, e-mail, instant messaging, file transfers, and numerous other common network activities at the lowest level. Students emerge from this class with the ability to recognize the network traffic of over 20 common network applications. This skill set enables students to more rapidly "weed out" malicious network traffic from the legitimate traffic on their networks.

Protocol Analysis Exercise: During this exercise students will use Ethereal to further analyze individual network protocols and traffic from common network services. The exercise is designed to be challenging and requires students to employ all the tools and techniques they have been taught. An instructor will review the entire exercise to ensure that all learning points have been covered and that methodologies are completely understood.

Traffic Analysis - Tools: After reviewing the low-level content of packets, this section focuses on tools for automating the process of reviewing network traffic. Students get to see how effective commercial products such as NetIntercept and Netwitness replay the sessions of network traffic. Students also learn to use open source tools such as tcpflow, ngrep, flowgrep, and tcpxtract to replay captured network traffic. The student emerges well versed in capturing, reviewing low-level details, and interpreting captured traffic.

Traffic Analysis Exercise: During this exercise students will demonstrate their ability to identify sessions of interest from captured network traffic using a variety of tools and techniques from the previous section. The exercise is designed to be challenging and requires students to employ all the tools and techniques they have been taught. An instructor will review the entire exercise to ensure that all learning points have been covered and that methodologies are completely understood.

Network Monitoring - Day Three

Introduction to the Snort IDS: In this section, students will be introduced to the popular Snort IDS and its functions. Students will also learn the basics of how Snort signatures are written and how to apply a new signature to a sensor. Students will learn how to use the off-line capability of the Snort engine to review network traffic captured by other sensors and rapidly identify suspicious traffic.

Investigating BOT Networks: Botnets are currently the largest source of computer intrusion on the Internet. Millions of computers have been infected by botnet Trojans that allow "Bot Herders" to remotely control victim systems for spamming, further hacking, and denial-of-service attacks. Students will learn how botnets operate and examine the network signatures of common botnet communication channels. Students review several examples of botnet network traffic and learn the steps that can be taken to respond to and minimize the damage from a botnet intrusion.

Honeypots and Real-World Attacks: We believe that nothing presented in a training class replaces reviewing network traffic from real attacks. Using a network Honeypot, Mandiant provides students with an opportunity to study successful and unsuccessful attacks on a victim system as they were performed by real intruders. Students will also be introduced to Honeypot networks and learn how they are used by security professionals to better protect networks.

Network Traffic Analysis Final Exercise: Students review binary network capture files in an effort to determine the "how, when, what, where" information surrounding a computer intrusion into a financial service. The final exercise fortifies the student's knowledge of network traffic analysis and interpretation and of how to use the conclusions of their analysis to resolve issues and initiate the appropriate remediation steps.

Labs

As Noted in Course Outline

On-Site

Course Code: 9807

Contact us for pricing

Partner-Delivered Course

3 Day Course


Copyright ©2013 Global Knowledge Training LLC. All rights reserved. 1-800-COURSES (1-800-268-7737)