On This Page

Adversary Hunting and Incident Response: Network Edition

CrowdStrike | November 10-11


Focusing on incident response and network security monitoring (NSM), this course will teach you techniques for hunting advanced adversaries like Hurricane Panda, Energetic Bear, and Rocket Kitten in network traffic. Topics include methods of identifying, maintaining, and operationalizing indicators of compromise, designing and deploying NSM systems, and how to get started writing Bro scripts and ChopShop modules.

Course topics:
  • Overview of key NSM concepts and technologies
  • Leveraging Bro to hunt for advanced attackers in network traffic
  • Validating activity found during hunts using open source intelligence
  • Identifying, maintaining, and deploying indicators of compromise discovered during hunts
  • Carving data out of network traffic (malware, exfiltrated sensitive data)
  • Writing Bro scripts for targeted activity discovered during hunts
  • Writing ChopShop network decoders for activity discovered during hunts
  • Designing and deploying optimal NSM systems

Who Should Take this Course

Intermediate and experienced NSM analysts, incident responders, and security professionals comfortable with network forensics that are tired of relying on intrusion detection and AV alerts. The course is designed for professionals who want to improve their skill set in attacker hunting and detection, gain experience in Bro and ChopShop development, and learn about NSM system design and deployment.

Student Requirements

This course is targeted at existing NSM practitioners and professionals with a technical understanding of network protocols and experience with network forensics tools and techniques. Students should have some incident response or network defense experience.

What Students Should Bring

Students should bring a laptop that meets the following requirements:
  • At least 55 gigabytes of hard drive space available
  • At least 4 gigabytes of RAM installed
  • VMware virtualization software installed
  • At least one available USB port

What Students Will Be Provided With

A USB thumb drive containing slides, lab guides, virtual machines, and tools used during class.


Josh Liburdi is a Senior Consultant for CrowdStrike with nearly three years experience in computer security. He specializes in network forensics, log analysis, and network threat detection. Prior to his work at CrowdStrike, Josh was a Detection Analyst on the General Electric Computer Incident Response Team (GE-CIRT). In this role, he was responsible for the creation of scalable, advanced network detection and supporting incident handlers during active security breaches. His work helped secure the General Electric enterprise, including businesses in the aviation, healthcare, and energy sectors. Josh has a bachelor's degree in information assurance from Eastern Michigan University. He has been a featured speaker on topics including threat detection and is an active contributor to the Bro network analysis framework.

Andy Schworer became a Principal Consultant at CrowdStrike after a seven-year career with the United States Department of Defense as a Global Network Exploitation and Vulnerability Analyst. At CrowdStrike, he maintains a docket of cyber security casework including: compromise assessments, incident response, IR program development, next generation penetration testing, and remediation work. In addition, he leads the development of CrowdStrike Services' Falcon Network detection capabilities. Over the course of his career at the Department of Defense, Andy led network vulnerability assessments and incident response missions around the world evaluating the security posture of networks as a member of the Blue Team and HUNT Team. He developed proprietary tools and deployed systems to perform host forensics, network traffic analysis, and malware analysis. As a member of the Red Team Andy performed operational network penetration tests and developed custom penetration testing tools. As a result of his service, Mr. Schworer was awarded the Global War on Terrorism Civilian Service Medal and received multiple letters of commendation. Andy received a Bachelor of Science in Computer Science from the University of Dayton, a Master of Science in Computer Science from the University of Hawaii at Manoa, and ABD toward a Ph.D. in Computer Science at the University of Hawaii at Manoa. He maintains a number of professional certifications including the Certified Information Systems Security Professional (CISSP), GIAC Certified Forensic Analyst (GCFA), and Cisco Certified Network Associate (CCNA).