
Advanced Malware Traffic Analysis: Adversarial Thinking

Veronica Valeros, Sebastian Garcia | December 3 - 4



Overview

This intensive, hands-on training gives you the most important asset in malware traffic analysis: the experience and knowledge to understand how malware behaves on the network. Through extensive hands-on work, it gives you the experience and a methodology to recognize malicious connections, distinguish normal from malicious behavior, spot anomalous patterns, and deal with large amounts of traffic.

The most important lesson of the training is not how to use the tools. The goal is to pass on the experience of recognizing the actions of malware on the network: how malware hides, how to recognize encrypted traffic, how to analyze web patterns, and how to discard false connections. You will execute your own malware and learn to think like the adversary. Participants should leave able to analyze network traffic well enough to recognize malicious behaviors.

The following is the high-level overview for the class:

Day I:
  • Quick review of key concepts about protocols and how they work
  • What is an attack? How does it differ from normal traffic? What is malware? What is a botnet?
  • Overview of tools for capturing network traffic, their differences, and how to choose the right one
  • Guided hands-on analysis of traffic captures (4 hours):
    • Normal? Malicious? Why?
    • The importance of asking the right questions
    • Revising unconscious bias
    • Understanding the intention
    • Analysis under pressure and time constraints
    • Introduction to large captures and common problems

Day II:
  • Working with large pcaps: traditional tools
  • Working with large pcaps: flows and behaviors
  • Exercise: attacking each other, capturing traffic, recognizing attacks
  • Exercise: executing your own malware, capturing traffic and analyzing it
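As an added illustration of the Day II "flows and behaviors" material (example code written for this page, not the trainers' own tooling or the Stratosphere IPS): the script below parses a classic libpcap file with the standard library only, aggregates packets into flows keyed on source, destination, protocol and destination port, and scores each flow by how regular its inter-arrival times are. Periodic command-and-control beaconing tends to stand out from bursty human browsing on exactly that measure. The capture is constructed inline, the addresses are documentation ranges, and the thresholds (coefficient of variation at most 0.1, at least 5 packets) are assumptions to tune against your own labeled normal and malware captures, not values from the course.

```python
"""Flow-level beaconing detection over a libpcap capture (added example, stdlib only).
Parses classic libpcap, groups packets into (src, dst, proto, dport) flows, and flags
flows whose inter-arrival times are unusually regular: the timing signature of C2 beacons.
"""
import struct
from collections import defaultdict
from statistics import mean, pstdev

ETH_IPV4 = 0x0800
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps


def ipv4_frame(src, dst, proto, sport, dport):
    """Minimal Ethernet/IPv4 frame with a bare TCP SYN or UDP header (constructed data)."""
    if proto == 6:  # TCP: seq/ack 0, data offset 5, SYN flag set, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:           # UDP: length 8, checksum 0
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + l4


def build_pcap(packets):
    """Serialise (timestamp_seconds, frame) pairs as an in-memory libpcap file (linktype 1)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in sorted(packets, key=lambda p: p[0]):
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (ts, src, dst, proto, dport) for IPv4 TCP/UDP frames; anything else is skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic libpcap file (pcapng / nanosecond pcap not handled)")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length, options included
        proto, l4 = frame[23], 14 + ihl
        if proto not in (6, 17) or len(frame) < l4 + 4:
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        dport = struct.unpack_from("!H", frame, l4 + 2)[0]
        yield sec + usec / 1e6, src, dst, proto, dport


def group_flows(records):
    """Aggregate packets into flows: (src, dst, proto, dport) -> sorted timestamps."""
    flows = defaultdict(list)
    for ts, src, dst, proto, dport in records:
        flows[(src, dst, proto, dport)].append(ts)
    return {key: sorted(ts) for key, ts in flows.items()}


def interarrival_stats(timestamps):
    """(mean_gap, coefficient_of_variation) of the gaps between packets, or None when there
    are fewer than two gaps and periodicity is undefined. cv 0.0 means perfectly periodic."""
    if len(timestamps) < 3:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return (avg, pstdev(gaps) / avg) if avg > 0 else None


def find_beacons(pcap_bytes, max_cv=0.1, min_packets=5):
    """Return [(flow_key, packet_count, mean_gap_s, cv)] for periodic-looking flows, most
    regular first. Short flows are ignored: a few packets can look periodic by chance."""
    hits = []
    for key, ts in group_flows(parse_pcap(pcap_bytes)).items():
        stats = interarrival_stats(ts) if len(ts) >= min_packets else None
        if stats and stats[1] <= max_cv:
            hits.append((key, len(ts), round(stats[0], 3), round(stats[1], 4)))
    return sorted(hits, key=lambda h: h[3])


# Constructed capture: one host beaconing to a C2 on 443/tcp about every 60 s (with jitter),
# bursty browsing to a web server, a two-packet DNS exchange, and an ARP frame to be skipped.
BEACON_TS = [0.0, 60.1, 119.9, 180.2, 239.8, 300.1, 359.9, 420.2, 479.8, 540.0]
BROWSE_TS = [3.0, 7.0, 40.0, 41.0, 250.0, 251.0, 252.0, 600.0]
SAMPLE_PCAP = build_pcap(
    [(t, ipv4_frame("10.0.0.5", "203.0.113.7", 6, 51000 + i, 443)) for i, t in enumerate(BEACON_TS)]
    + [(t, ipv4_frame("10.0.0.5", "198.51.100.20", 6, 52000 + i, 80)) for i, t in enumerate(BROWSE_TS)]
    + [(t, ipv4_frame("10.0.0.5", "192.0.2.9", 17, 40000, 53)) for t in (1.0, 1.05)]
    + [(2.0, b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28)]
)

if __name__ == "__main__":
    for (src, dst, proto, dport), n, gap, cv in find_beacons(SAMPLE_PCAP):
        print(f"{src} -> {dst}:{dport}/{'tcp' if proto == 6 else 'udp'}: "
              f"{n} packets, every {gap:.1f} s, cv={cv:.4f}")
```

On the constructed capture only the 443/tcp flow is reported: its jittered 60 s cadence gives a coefficient of variation below 0.01, while the browsing flow's gaps of 1 s to 348 s score above 1.0 and the two-packet DNS flow is too short to judge. On real traffic, replace `SAMPLE_PCAP` with the bytes of a file and expect legitimate periodic talkers (NTP, update checks, monitoring agents) to show up too; the point of the exercise is to explain each hit, not to treat regularity alone as proof of infection.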

Who Should Take this Course

This course is ideal for those who want to take their network traffic analysis skills to the next level and learn to distinguish normal from malicious behavior on the network in order to better protect their organizations.

  • Network administrators
  • DevOps
  • Threat analysts
  • Malware researchers
  • SOC analysts
  • DFIR
  • Machine learning researchers
  • Government network defense specialists
  • CSIRT teams

Student Requirements

Attendees are required to have a good working knowledge of TCP/IP, common protocols, and networking. Basic knowledge of malware behavior is essential.

What Students Should Bring

  • Laptop
  • Power cord
  • Minimal tools installed: Wireshark, tcpdump, CapTipper
  • Optional: we recommend bringing a Kali Linux installation, which already has all the tools we will use

What Students Will Be Provided With

  • Detailed course outline (PDF) with the commands and tools used
  • Large pcap datasets of real, labeled malware captures
  • Large pcap datasets of real, labeled normal captures
  • Legally licensed Windows virtual machine ready for malware infection
  • Bundle of current, working malware samples to execute
  • Printed malware infection methodology cheat sheet

Trainers

Veronica is a researcher and intelligence analyst from Argentina. Her research has a strong focus on helping people and spans areas from wireless and Bluetooth privacy issues to malware, botnets and intrusion analysis. She has presented her research at international conferences such as BlackHat, EkoParty, Botconf and others. She is the co-founder of the MatesLab hackerspace and the Independent Fund for Women in Tech. She is currently the director of the CivilSphere project at the Czech Technical University, dedicated to protecting civil organizations and individuals from targeted attacks.

Sebastian is a malware researcher and security teacher with extensive experience in machine learning applied to network traffic. He created the Stratosphere IPS project, a machine-learning-based free software IPS to protect civil society. He likes to analyze network patterns and attacks with machine learning. As a researcher in the AIC group of the Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has taught in several countries and universities and has worked on penetration testing for both corporations and governments. He was lucky enough to speak at Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCor, Free Software Foundation Europe, VirusBulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackerspace, he is a free software advocate who has worked on honeypots, malware detection, distributed scanning (dnmap), keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra) and biohacking.