Network Monitoring and Detection

Catalogue number: #7518 | Course length: 32 academic hours | Number of sessions: 4

Modern enterprise security faces many challenges. The first, and by far the most fundamental, is the lack of visibility. Network data is easy to access if you knock on the right doors: a bit of tcpdump and grep can take you a long way. What data resides inside network traffic? Can files be extracted? How do you perform various forms of statistical analysis, fingerprint operating systems and applications, hunt user sessions, detect malware, dynamically analyze suspicious code, parse application-layer protocols, fingerprint attacks and write your own intrusion detection rules? Knowing your network will get you a step closer to owning it.



What you will learn:

  • How to achieve high levels of network visibility
  • Perform network traffic analysis
  • Perform application-layer analysis
  • Deploy sensors and taps
  • Use intrusion detection as intelligence gathering tool
  • Analyze malware in network traffic
  • Perform detection at different stages of the kill chain
  • Perform malware hunting in enterprise networks 

Target audience

  • SOC teams
  • Security oriented system managers
  • Incident Response juniors
  • Security and network analysts
  • Network forensic investigators 

Prerequisites

  • Hands-on familiarity with networking technologies (IP, TCP, DNS, HTTP, HTTPS)
  • Good Linux system skills
  • Prior experience working with Wireshark (or any other network parser)



Part 1: Network visibility

  • APT kill chain(s)
  • Bad things happen inside not outside
  • Sensors, taps, mirrored ports
  • The storage dilemma
  • Real-time vs recently vs post-mortem
  • What is incident response

Part 2: Network traffic analysis

  • Traffic Acquisition Software
  • Sniffing and reading pcaps
  • Basic statistics
  • Protocol analysis
  • Ethernet and interface analysis
  • Packet and address analysis
  • Transports and flow analysis
  • Traffic visualization


Part 3: Analysing the application layer

  • Application mapping with protocol hierarchy
  • DNS protocol analysis with tshark
  • HTTP protocol analysis (OS and application fingerprinting)
  • Extract all (readable) text
  • TCP stream reassembly
  • File extraction approaches
  • File headers and trailers
  • File carvers (scalpel/foremost)
  • Extracting unrecognized files
  • LAB scenario: email harassment case


Part 4: Sensors and taps

  • Sniffing vs. tapping
  • Port mirroring vs. hardware taps
  • Linux as a tap: PF_RING, PROMISC ON, ARP OFF
  • CPU, memory and interface requirements
  • The storage dilemma
  • Security Onion: monitor in a box
  • Setup and configuration
  • File and directory structure
  • Squert is a decent GUI, CapMe makes it better, Wireshark ties the strings together
  • Test drive: tcpreplay of the email harassment case


Part 5: IDS as Intelligence gathering system

  • What is an IDS? What is an IPS?
  • Snort and the rest
  • Snort rules and repositories (Talos, ET and the world)
  • snort.conf (and classification.config)
  • Writing simple Snort rules (catching strings)
  • Using regular expressions (pcre)
  • Matching binary code (hex)
  • Optimizing performance with depth, offset, distance and within
  • Using thresholds to fingerprint the frequency of events
  • LAB: intercepting sockstress and slowloris

Part 6: Malware in network analysis

  • Evidence: Operation Aurora browser exploit (IE6-8)
  • Deobfuscating the JavaScript exploit at the client
  • Extracting binaries for deeper analysis
  • Using anti-malware services and dynamic analysis
  • Indicators of compromise (IoCs)
  • How to handle zero-days
  • LAB: fingerprint the exploit with a Snort rule


Part 7: Detection and the kill chain

  • Anatomy of APT attacks
  • Step 1: finding the breach
  • Step 2: extracting malware and performing analysis
  • Step 3: detecting control connections
  • Step 4: analysing privilege escalation
  • Step 5: analysing persistence
  • Step 6: analysing horizontal movement (pivots, MITM)
  • Step 7: analysing data exfiltration
  • Real scenario: a RAT breaches the enterprise and exfiltrates data


Part 8: Live project: we were breached

  • This LAB is performed like a CTF
  • Students will submit full case reports
  • Conclusions and next steps