deep knowledge technical trainings

AUGUST 22 / 23 / 24 / 25 @ INTERCONTINENTAL SINGAPORE

Hands-on Advanced Malware Traffic Analysis

This training is a hands-on deep dive experience on the reality of how malware and attackers work in the network. It provides comprehension of the behavioural patterns and complexities that go beyond static rule matching. The training uses real-life pcap captures of malware and normal traffic; it explores many malware samples and allows the students to analyse them one by one.

$3,299.00

Duration

2-day

Delivery Method

In-Person

Level

advanced

Seats Available

20

REGISTRATION CLOSED

DATE: 22-23 August 2022

TIME: 09:00-17:00 SGT/GMT +8

Date        Day       Time                    Duration
22 August   Monday    09:00-17:00 SGT/GMT +8  8 Hours
23 August   Tuesday   09:00-17:00 SGT/GMT +8  8 Hours


Detection of attacks and malware infections in the network is a cornerstone of protecting any organisation and device. Many tools exist that give us alerts and information, and many threat intelligence feeds are available. However, without the proper experience and knowledge of how to tell what is malicious from what is benign, it is very hard to make any productive decisions and apply real protection and defence. Tools are useless without an understanding of what to expect and what can happen in your network.

This training is a hands-on deep dive experience on the reality of how malware and attackers work in the network. It provides comprehension of the behavioural patterns and complexities that go beyond static rule matching. The training uses real-life pcap captures of malware and normal traffic; it explores many malware samples and allows the students to analyse them one by one. Participants will learn a proven approach to traffic analysis: how to recognize malicious connections, how to separate normal behaviours from malicious behaviours, how to recognize anomalous patterns and how to deal with large amounts of traffic. Analysing malware traffic on its own may not be complex, but accurately separating it from normal traffic is much harder.

The most important lesson is not about how to use Wireshark or tcpdump. It is about obtaining the knowledge and experience to recognize real malicious actions in the network: specifically, how malware hides, how to recognize encryption, how to analyse web patterns and how to discard false connections.

Agenda

Module 1 – Networking and Security

Goal: To give the basic principles of network security topics so everybody is on the same page. The concepts of networking are displayed from a security point of view. You should finish the module knowing what we are doing, why and how to approach the network analysis.


Module 2 – Fundamentals on Tools and Analysis Methodology

Goal: To introduce the core methodology of malware traffic analysis, what questions need to be answered, and the core tools that can be used to answer those questions.


Module 3 – Threat Intelligence For Malware Traffic Analysis

Goal: To introduce concepts of cyber threat intelligence to the analysis of malware traffic. Learning to search for information using OSINT, and other sources of intelligence. You should finish the module knowing how to determine who is attacking, how they are attacking, and having a clear understanding of the adversaries.


Module 4 – Detecting High-Risk Malware Attack and Ransomware

Goal: To learn how to quickly identify and detect high-risk malware that may drop ransomware and how to identify ransomware lateral movement in a local network.


Module 5 – Real-Time Exploit Attacks on the Network

Goal: To learn how a real attack looks in the network by attacking each other. To realise how complex and difficult it can be to separate the normal from the attack in a real-life scenario of a local computer attacking others.


Module 6 – Network Flows, Uninformed Decisions with Good Inference

Goal: To analyse the traffic when you cannot access packets and how to deal with inference based on scarce data. To learn how flows work and what can be done with them to aid the analysis.


Module 7 – Threat Hunting on a SIEM

Goal: To give participants real hands-on experience of how to hunt down malware on a SIEM. To learn to think like an attacker and start looking for more complex behaviours in the network.

Module 8 – Machine Learning to Detect Advanced Attacks

Goal: To work through the analysis of captures that pose a different perspective on the malware behaviour. Tools cannot help us as much here, and we need a deeper understanding of the common behaviours to spot any discrepancy.


Module 9 – Executing Malware to Understand how to Detect it (with authorization only)

Goal: To learn the methodology of how to execute real malware, how to capture its traffic and how to use the intelligence that such activity generates to better understand the malware and think of better defences.


Assistant Professor

Czech Technical University in Prague

Sebastian is a malware researcher and security teacher with extensive machine learning experience applied to network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect civil society. He likes to analyze network patterns and attacks with machine learning.
As a researcher in the AIC group of Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has been teaching in several countries and universities and working on penetration testing for both corporations and governments.
He was lucky enough to talk at Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCor, Free Software Foundation Europe, Virus Bulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackspace, he is a free software advocate who has worked on honeypots, malware detection, distributed scanning (dnmap), keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra), and biohacking.

Project Leader

Stratosphere Research Laboratory & Civilsphere project at Czech Technical University in Prague

Veronica is a researcher and intelligence analyst from Argentina. Her research strongly focuses on helping people. A jack of all trades, she currently specializes in threat intelligence, malware traffic analysis, and data analysis. She has presented her research at international conferences such as BlackHat, EkoParty, Botconf, Virus Bulletin, Deepsec, and others. She is the co-founder of the MatesLab hackerspace based in Argentina and co-founder of the Independent Fund for Women in Tech. She is currently the director of the Civilsphere project at the Czech Technical University, dedicated to protecting civil organizations and individuals from targeted attacks. She’s also the project leader at the Stratosphere Laboratory, a research group in the Czech Technical University dedicated to study and research in cybersecurity and machine learning.


Who Should Attend

The training is designed for security professionals, company administrators, SOC and NOC operators, CERT members, government defence professionals, network administrators, forensic analysts, etc.

Key Learning Objectives

  • To identify malicious actions in the network independently of the tool used

  • To separate malicious actions in the network from normal actions accurately

  • To understand the complexity of the attacks, the malware and how they mix in the normal traffic

Prerequisite Knowledge

Attendees are required to have intermediate knowledge of TCP/IP and common network protocols.

Hardware / Software Requirements

Attendees are also required to have:

  • Laptop + Power cord

  • Minimal tools installed: Wireshark, tcpdump