Focal Point - Malicious Network Traffic Analysis

In this class you will come away with the following knowledge:

• Identify and analyze attacks across the various layers of the network stack
• Identify signs of reconnaissance being conducted against a network and recommend mitigation steps to limit the data provided to attackers
• Perform flow analysis to uncover anomalous and malicious activity at a statistical level
• Detect and investigate tunneling, botnet command & control traffic, and other forms of covert communications being utilized in a network
• Accurately correlate multiple stages of malicious activity in order to build a complete picture of the scope and impact of a coordinated network intrusion

Course Outline:

Analyzing Reconnaissance

• What Constitutes Malicious Traffic?
• Malvertising
• Drive-By-Downloads
• Social Network propagation 
• Scareware
• Trusted site utilization
• Organized crime
• Social engineering / phishing
• Network Attack Lifecycle
• OSI Layer Attacks
• Targeted Attack vs. Large Scale Attack
• Network Intrusion Analysis Process
• Process
• Analytical Tools of the Trade
• Beginning Phase of Attacks 
• Social Engineering
• Visual Observation
• Search Engines
• Website Mining
• Network Tools
• Port Scanning
• Banner Grabbing
• Web Application Fuzzing
• NMAP Port Scans

OSI Layer Attack Types

• Vulnerability Discovery Phase
• User Layer Attacks 
• Application Layer Attacks
• Drive-by-downloads
• XSS
• Flash, Active X, JavaScript
• Browser Exploits
• Application Layer Analyst Takeaways
• Presentation Layer Attacks
• Takeaways
• Session Layer Attacks
• Transport Layer Attacks
• Network Layer Attacks
• Data Link Layer Attacks
• Physical Layer Attacks

Botnets

• Botnet History and Evolution
• Botnet Architectures and Design
• Central
• Peer-to-peer
• Hybrid
• Initial Infection
• Secondary Infection
• Malicious Activity
• Maintenance and Upgrade
• Malicious Uses
• Botnet Communications
• IRC, P2P, HTTP/HTTPS
• Twitter
• ICMP
• DNS / DDNS
• Bot Evasion and Concealment
• Identification Challenges
• Fast Flux Service Network
• Double Flux Services
• Analysis Techniques
• Black Energy Walkthrough
• Zeus Walkthrough

Advanced Communication Methods

• Covert Communication Methods
• Tunneling
• Encryption
• Both Tunneling and Encryption
• Network Layer Tunneling – IPv6 Tunneling
• Incomplete support for IPv6
• IPv6 auto-configuration
• Malware that enables IPv6
• Transport Layer Tunneling
• Application Layer Tunneling
• Traffic Cloaking

Labs:

• Wireshark Exercise Part 1
• Wireshark Exercise Part 2
• Metadata Analysis
• Reconnaissance #1
• Hard NOC Life
• Reconnaissance #2
• Reconnaissance #3
• Big Bad Recon Scan
• Global Consulting Intrusion #1
• Global Consulting Intrusion #2
• Holophone Intrusion #1
• Holophone Intrusion #2
• Multi-Stage #1
• Holophone Intrusion #3
• Holophone Intrusion #4
• Advanced Persistent Threat
• Global Consulting Intrusion #3
• Data Mining
• Johnson Trucking
• Final Scenario

• Threat operation analysts seeking a better understanding of network-based malware and attacks
• Incident responders who need to quickly address a system security breach
• Forensic investigators who need to identify malicious network attacks
• Individuals who want to learn what malicious network activity looks like and how to identify it