On This Page


CrowdStrike | March 29 - 30



Focusing on network security monitoring (NSM) and incident response, this course will teach you techniques for hunting advanced adversaries in network traffic. Topics include methods of hunting for adversary activity in Bro IDS logs, identifying indicators of compromise, and how to get started writing Bro scripts and ChopShop modules.

Course topics:
  • Overview of key NSM concepts and technologies
  • Leveraging Bro to hunt for advanced attackers in network traffic
  • Validating activity found during hunts using open source intelligence
  • Writing Bro scripts for targeted activity discovered during hunts
  • Writing ChopShop network decoders for activity discovered during hunts

Who Should Take this Course

Intermediate and experienced NSM analysts, incident responders, and security professionals comfortable with network forensics that are tired of relying on intrusion detection systems and AV alerts. The course is designed for professionals who want to improve their skill set in attacker hunting and detection, gain experience in Bro and ChopShop development, and learn about hunting tools and techniques.

Student Requirements

This course is targeted at existing NSM practitioners and professionals with a technical understanding of network protocols and experience with network forensics tools and techniques. Students should have some incident response or network defense experience and experience with Linux command line tools. Students already familiar with Bro IDS and Splunk will get the most out of this course.

What Students Should Bring

Students should bring a laptop that meets the following requirements:
  • At least 60 gigabytes of hard drive space available
  • At least 4 gigabytes of RAM installed
  • VMware virtualization software installed and functional
  • At least one available USB port

What Students Will Be Provided With

A USB thumb drive containing slides, lab guides, virtual machine, and tools used during class.


Andy Schworer became a Principal Consultant at CrowdStrike after a seven-year career with the United States Department of Defense as a Global Network Exploitation and Vulnerability Analyst. At CrowdStrike, he maintains a docket of cyber security casework including: compromise assessments, incident response, IR program development, next generation penetration testing, and remediation work. In addition, he leads the development of CrowdStrike Services' Falcon Network detection capabilities.

William Tan conducts incident response investigations to determine the extent and scope of compromises, preforms network log analysis, and emulates adversary tatics for next generation pentration testing. Previously William was a Network Incident Analyst at Mandiant where his focus was identifying intrusions from advanced adversaries. William has front-line experience with the tools, tatics and procedures of many adversaries and has developed many capabilites to detect malicious adversaries within network activity. William has a Bachelor's degree in Computer Engineering and a Masters in Information Security Management from Syracuse University.