Technical Level: 2 of 3
For various reasons, many organizations do not have full packet capture of network traffic for security monitoring. As a result, many security professionals involved in near-real-time detection of malicious activity have little experience analyzing malicious network traffic. However, analyzing packet captures (pcaps) of network traffic provides a better understanding of malicious activity. Pcap analysis can provide insight to security professionals responsible for near-real-time detection of malicious activity, incident response, and threat research. This training is a one-day workshop designed to give people with minimal knowledge of traffic analysis a basic foundation for investigating malicious network traffic.
The workshop begins with basic investigation concepts for packet captures (pcaps), setting up Wireshark in a manner better suited for security analysts, and identifying hosts or users in network traffic. After these basic concepts, the workshop covers characteristics of malware infections and other suspicious network traffic. Participants will learn techniques to determine the root cause of an infection and to assess false positive alerts.
The workshop concludes with an evaluation designed to give participants experience in writing an incident report. This training is a mix of classroom discussion and hands-on exercises. Participants require a laptop, preferably running a non-Windows OS (a Windows laptop using a virtual machine running Linux will work for this). Participants also require a recent version of Wireshark, at least version 2.4.x or later, and an Internet connection to download pcaps used for this tutorial.
The training outline is as follows:
I. Introduction and setting up Wireshark
II. Identifying hosts and users in the traffic
III. Malware infections
IV. Bad web traffic
V. Policy violations
VI. Root causes and false positives
VII. Drafting incident reports