Network Forensics for Incident Response
A hands-on network forensics training that lets you deep dive into analyzing captured full-content network traffic in PCAP files. The training data is a completely new and unique data set captured over 30 days on an Internet-connected network with multiple clients, an AD server, a web server, an Android tablet and some embedded devices.
We will analyze traffic from multiple intrusions by various attackers, including APT-style attackers and botnet operators. The initial attack vectors use techniques such as exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack!
Each attendee will be provided with a free single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.
Agenda
- Day 1: Theory and Practice using Open Source Tools
  - Investigating spear phishing email with malware attachment
  - Reassembling exfiltrated data
  - Identifying C2 traffic in decrypted HTTPS traffic
  - Analyzing decrypted HTTPS traffic from a transparent TLS inspection proxy
  - Using NetFlow with Argus
  - Tracking lateral movement with stolen AD credentials
  - Searching application layer data with Wireshark, tshark, tcpflow and ngrep
  - Threat Hunting with Security Onion
  - Leveraging passive DNS to track C2 domains
  - Decoding proprietary C2 traffic from a RAT
  - Extracting files from PCAP with NetworkMiner
  - Sandbox execution of malware and behavioral analysis
  - Supply chain attacks
  - Extracting files from SMB and SMB2 traffic
  - Analyzing exfiltration by an APT-style attacker
  - Investigating a spear phishing attack with credential theft
- Day 2: Advanced Network Forensics using Netresec Tools
  - Theory: HTTP Cookies
  - Analyzing Cobalt Strike beacons
  - Investigation of botnet infection (TrickBot)
  - Extracting and verifying X.509 certificates from network traffic
  - Learning about Man-on-the-Side (MOTS) attacks, such as NSA's QUANTUMINSERT and HackingTeam's "Network Injection"
  - Investigating a brute force attack on a web CMS
  - Analyzing exploitation of a web server
  - Tracking commands sent to web shells
  - Tracking lateral movement via Linux servers
  - Using JA3 to track TLS-encrypted malware traffic
  - Live TLS decryption lab
Hardware / Software Requirements
- A PC running any 64-bit Windows OS (can be a Virtual Machine)
- At least 16 GB RAM
- At least 100 GB free disk space
- VirtualBox (64-bit) installed (VMware will not be supported in the training)
Instructor
Erik Hjelmvik is an incident responder and developer who is well known in the network forensics field for having created NetworkMiner, which is used by incident responders and law enforcement all around the world. Erik has a background in SCADA security and has spent over 5 years doing incident response at one of the best CERTs in Sweden. Nowadays Erik runs the company Netresec AB, where he develops network forensics software and occasionally teaches network forensics classes.
Where
This is not the same address as the conference! Same building but different entrance.
Söder Mälarstrand 57
118 25 Stockholm
Day 1 (2021-09-07)
08.30 – 09.00 | Registration & breakfast
09.00 – 12.00 | Training
12.00 – 13.00 | Lunch
13.00 – 15.00 | Training
15.00 – 15.30 | Coffee break
15.30 – 17.00 | Training
Day 2 (2021-09-08)
08.30 – 09.00 | Registration & breakfast
09.00 – 12.00 | Training
12.00 – 13.00 | Lunch
13.00 – 15.00 | Training
15.00 – 15.30 | Coffee break
15.30 – 17.00 | Training