Hands-on Advanced Malware Traffic Analysis

DATE: 22-23 August 2022

TIME: 09:00-17:00 SGT/GMT +8

Detection of attacks and malware infections in the network is a cornerstone of protecting any organisation and device. Many tools exist giving us alerts and information, many threat intelligence feeds are available. However, without the proper experience and knowledge of how to know what is malicious and what is benign, it is very hard to make any productive decisions and apply real protection and defence. Tools are useless without an understanding of what to expect and what can happen in your network.

This training is a hands-on deep dive experience on the reality of how malware and attackers work in the network. It provides comprehension on the behavioural patterns and complexities that go beyond static rule matching. The training uses real-life pcap captures of malware and normal traffic, it explores many malware samples and allows the students to analyse them one by one. Participants will learn a proven approach on how to do their traffic analysis, how to recognize malicious connections, how to separate normal behaviours from malicious behaviours, how to recognize anomalous patterns and how to deal with large amounts of traffic. Only analysing malware traffic may not be complex, but accurately separating it from normal traffic is much harder.

The most important lesson is not about how to use wireshark or tcpdump. It is about obtaining the knowledge and experience of recognizing real malicious actions in the network. Specifically, how malware hides, how to recognize encryption, how to analyse web patterns and how to discard false connections.

Agenda

Module 1 – Networking and Security

Goal: To give the basic principles of network security topics so everybody is on the same page. The concepts of networking are displayed from a security point of view. You should finish the module knowing what we are doing, why and how to approach the network analysis.

Module 2 – Fundamentals on Tools and Analysis Methodology

Goal: To introduce the core methodology of malware traffic analysis, what questions need to be answered, and the core tools that can be used to answer those questions.

Module 3 – Threat Intelligence For Malware Traffic Analysis

Goal: To introduce concepts of cyber threat intelligence to the analysis of malware traffic. Learning to search for information using OSINT, and other sources of intelligence. You should finish the module knowing how to determine who is attacking, how they are attacking, and having a clear understanding of the adversaries.

Module 4 – Detecting High-Risk Malware Attack and Ransomware

Goal: To learn how to quickly identify and detect high-risk malware that may drop ransomware and how to identify ransomware lateral movement in a local network.

Module 5 – Real-Time Exploit Attacks on the Network

Goal: To learn how a real attack looks in the network by attacking each other. To realise how complex and difficult it can be to separate the normal from the attack in a real life scenario of a local computer attacking others. 

Module 6 – Network Flows, Uninformed Decisions with Good Inference

Goal: To analyse the traffic when you can not access packets and how to deal with inference based on scarce data. To learn how flows work and what can be done with them to aid the analysis.

Module 7 – Threat Hunting on a SIEM

Goal: To give participants real hands-on experience on how to hunt down malware on a SIEM. To learn to think like an attacker and start looking for more complex behaviours in the network. 

Module 8 – Machine Learning to Detect Advanced Attacks

Goal: To work through the analysis of captures that pose a different perspective on the malware behaviour. Tools can not help us so much and we need a deeper understanding of the common behaviours to spot any discrepancy.

Module 9 – Executing Malware to Understand how to Detect it (with authorization only)

Goal: To learn the methodology of how to execute real malware, how to capture its traffic and how to use the intelligence that such activity generates to better understand the malware and think of better defences.