MNTA-Tech 2000-Malicious Network Traffic Analysis-Training-T2000

Course Overview

Uncover System Intrusions by Identifying Malicious Network Activity

There are a tremendous amount of network-based attacks to be aware of on the internet today and the number is increasing rapidly. You can’t defend against these lethal network attacks if you don’t know about them or if you’ve never seen what it looks like at the packet level. This course teaches you how to analyze, detect and understand all the network-based attacks that we could find being used today in modern network warfare.

From Layer 2 attacks against network devices through complex botnets and specific application vulnerabilities, this class will fulfill your desire to see what these attacks look like. We even show you how to detect attacks using Flow Analysis if you don’t have network packets to analyze or you only have statistical information at your disposal. We’ll use the popular protocol analyzer Wireshark and session analysis tool Netwitness alongside custom tools developed by ANRC networking experts to show you how to detect these network attacks and be prepared to handle them.

Price:

$4,500

Duration:

5 days

Strategic, Tactical, and Operational Analysis
Situational Awareness
Current Networking Trends in Malware
IDS / IPS evasion techniques
Flow Analysis to help identify malicious behavior
Coordinated Attacks
Botnets
Browser Attacks (Javascript, Obfuscation)
Drive-By-Downloads
OSI Layer 2,3,4,5,6,7 Attacks
Social Engineering and Phishing Attacks
Tunneling and Advanced Tunneling

Course Details:

70% Labs, 30% Lecture using real-world network attack captures
Laptops are provided during the class
Student will receive a link to download student materials after the course

DAY 1: Analyzing Reconnaissance

What Constitutes Malicious Traffic?
- Malicious traffic generators
- Recent trends in Malware Networking
Malvertising
Drive-By-Downloads
Social Network propagation
Scareware
Trusted site utilization
Organized crime
Social engineering / phishing
Network Attack Lifecycle
- Reconnaissance Phase
- Attack Phase
- Proliferation Phase
OSI Layerv Attacks
- User Layer Attacks
- Application Layer Attacks
- Presentation Layer Attacks
- Session Layer Attacks
- Transport Layer Attacks
- Network Layer Attacks
- Data Link Layer Attacks
- Physical Layer Attacks
Targeted Attack vs. Large Scale Attack
Network Intrusion Analysis Process
- Strategic Analysis
- Tactical Analysis
- Operational Analysis
- ANRC Network Intrusion Analysis Process
Analytical Tools of the Trade
- IDS / IPS Technologies
- Flow Analysis Tools
- Network Flows Overview
- Protocol Analysis Tools
- Logs
- Other information sources
Beginning Phase of Attacks
- Recon
- Types of Recon
Social Engineering
Visual Observation
Search Engines
Website Mining
Network Tools
Port Scanning
Banner Grabbing
Web Application Fuzzing
NMAP Port Scans
- Host discovery
- TCP Ping Sweep
- TCP Connect Scan
- XMAS Tree Scan
- SYN Stealth Scan
- UDP Scan
- O/S Discovery Scans
Afternoon Labs

DAY 2: OSI Layer Attach Types

Vulnerability Discovery Phase
- Vulnerability Analysis Tools
- Vulnerability Analysis Detection
User Layer Attacks
- Phishing
- Spear Phishing
- Whaling
- Social Engineering Emails
- User Layer Analyst Takeaways
Application Layer Attacks
- Input Validation Attacks
- SQL Injection
- Brute Force Attacks
- Browser Attacks
Drive-by-downloads
XSS
Flash, Active X, Javascript
- IE and Firefox Exploits
- Application Layer Analyst Takeaways
Presentation Layer Attacks
- SMB MS08-067 study
- ASN Attack study
- Presentation Layer Analyst Takeaways
Session Layer Attacks
- Man-in-the-middle (MITM)
- Arp Poisoning / Spoofing
- Session Layer Analyst Takeaways
Transport Layer Attacks
- TCP Sequence Prediction
- TCP Redirection
- Denial of Service Attacks
- Tunneling
- Transport Layer Analyst Takeaways
Network Layer Attacks
- ICMP Redirects
- DHCP Poisoning / Spoofing
- Network Layer Analysis Takeaways
Data Link Layer Attacks
- ARP Poisoning
- ARP Poisoning One Way
Physical Layer Attacks
- Theft
- Power Outages
- Loss of Environmental Control
- Unauthorized data connections
- Physical Network Taps
- Physical Network Redirection

DAY 3: Botnets

Botnet History and Evolution
- Botnets 2003 to the present
- AgoBot
- Operation b49
Botnet Architectures and Design
- Command and Control Structures
Central
Peer-to-peer
Hybrid
- Lifecycle Stages
Initial Infection
Secondary Infection
Malicious Activity
Maintenance and Upgrade
Malicious Uses
- Port Scanning
- Exploitation
- DNS Proxy (Fast Flux Service Networks)
- Web Services
- Spam Services
Botnet Communications
- Botnet Recruitment
- Communication protocols
IRC, P2P, HTTP/HTTPS
Twitter
ICMP
DNS / DDNS
Bot Evasion and Concealment
Identification Challenges
Fast Flux Service Network
Double Flux Services
Analysis Techniques
- Baselining Network Activity
- Situational Awareness
- Ingress and Egress SMTP and HTTP
- FFSN Activity
- Flow Analysis
Black Energy Walkthrough
Zeus Walkthrough

DAY 4: Advanced Communication Methods

Covert Communication Methods
- Data Exfiltration
- Command and Control
- Methods
Tunneling
Encryption
Both Tunneling and Encryption
Network Layer Tunneling – IPv6 Tunneling
Incomplete support for IPv6
IPv6 auto-configuration
Malware that enables IPv6
- ICMP Tunneling
- Analyst Takeaways
Transport Layer Tunneling
- TCP / UDP Tunneling
- Analyst Takeaways
Application Layer Tunneling
- HTTP Tunneling
- DNS Tunneling
- DNSCat
- Analyst Takeaways
Traffic Cloaking
- Using websites to conceal malicious activities
- Limited attribution
- Social Networking and Encryption benefits
- Cloud Computing Data Centers

DAY 5: Student Practical Demonstration

Using the tools, skills, and methodologies taught in Days 1 through 4 of the class students will uncover a multi-part network intrusion. In the intrusion capture file there will be at least 3 Application Layer attacks, 2 Advanced Communications Methods, and a hacker toolkit to discover. Students will have to prepare a report detailing the attack from start to finish as well as document what things the hacker did as well as what information was leaked if any.

DAY 1:

Netflow Analysis Tools Lab
Wireshark Exercise Part 1
Wireshark Exercise Part 2
Lab 01 – Identify the Reconnaissance #1
Lab 02 – Identify the Reconnaissance #2
Lab 03 – Identify the Reconnaissance #3
Lab 04 – Identify the Reconnaissance #4
Lab 05 – Identify the Reconnaissance #5
Lab 06 – Identify the Reconnaissance #6
Lab 07 – Identify the Reconnaissance #7

DAY 2:

Lab 08 – Identify the OSI Layer Intrusion #1
Lab 09 – Identify the OSI Layer Intrusion #2
Lab 10 – Identify the OSI Layer Intrusion #3
Lab 11 – Identify the OSI Layer Intrusion #4
Lab 12 – Identify the OSI Layer Intrusion #5
Lab 13 – Identify the OSI Layer Intrusion #6
Lab 14 – Identify the OSI Layer Intrusion #7
Lab 15 – Identify the OSI Layer Intrusion #8
Lab 16 – Identify the OSI Layer Intrusion #9

DAY 3:

Lab 17 – Identify the Botnet #1
Lab 18 – Identify the Botnet #2
Lab 19 – Identify the Botnet #3

DAY 4:

Lab 20 – Find and decrypt the covert channel

Knowledge of IPv4 networking protocols is required
Skills and experience with Wireshark display filtering is required
Knowledge of RSA Netwitness is recommended
Attending students should have a thorough understanding of Microsoft Windows
Python scripting abilities would be beneficial
Comptia’s Network+ and Security+ certifications would be beneficial but not required

Threat operation analysts seeking to have a better understanding of network based malware and attacks
Incident responders who need to quickly address a system security breach
Forensic investigators who need to identify malicious network attacks
Individuals who want to learn what malicious network activity looks like and how to identify it

Malicious Network Traffic Analysis (MNTA)

Course Overview

CLASS INFORMATION

DELIVERY FORMATS

CLASS SCHEDULE