Network monitoring and detection
A practical workshop focusing on communication forensics and incident response.
40 Hours
Blue Team
Very few forensic investigators gather network captures when investigating cyberattacks. Collecting memory samples, hard-drive data, the copy service, and event logs is common after an attack, but the majority of investigators do not examine, or even record, network traffic during a security incident. There are valid reasons for this, such as the lack of storage space or the challenge of decrypting encrypted traffic, but skipping this vital step costs researchers a substantial amount of information.

The course covers the following topics:

Why bother parsing network traffic?
  • Anatomy of targeted attacks (MITRE ATT&CK)
  • Types of digital evidence
  • Post-mortem forensics vs. (near) real-time analysis
  • Enterprise-scale network captures (and the storage dilemma)
Networking 101
  • OSI and TCP/IP
  • Network traffic analysis with Wireshark
  • Ethernet PDUs
  • IP, PDU, and ARP
  • TCP and UDP
  • DHCP, DNS, and ICMP
  • Applications: HTTP, SSL, and SMB
Parsing traffic with Linux shell
  • Getting to grips with Linux shell
  • Using tcpdump
  • Text processing with grep
  • Regular expressions
  • Bash tools: wc, sort, cut, uniq
  • Tshark: tcpdump on steroids
  • Visualizing traffic
Indexing and generating statistics
  • Timeframes
  • Packet rates and data rates
  • Endpoints (L2, L3)
  • Conversations
  • Protocol hierarchy
  • IO stats
  • Fingerprinting hosts and users
  • Enumerating domains
Parsing the higher layers
  • TCP stream reassembly
  • File carving with magic numbers
  • Manual carving
  • Foremost with assembled data streams
  • File carving through protocol analysis (Bro)
  • Other protocol parsers
Case #1: Mail harassment
  • Case description
  • Reducing investigation surface
  • Mapping: Who is who and what’s what
  • Anchor: correlate evidence with story
  • The application layer: HTTP header analysis
  • The application layer: Plain-text user inputs
  • The application layer: Session cookies and unique identifiers
  • Bonus: The bottom-up approach
Introduction to malware and targeted attacks
  • Code vulnerabilities
  • What are exploits?
  • Exploit kits and custom malware
  • What are payloads?
  • What are C2s (control connections)?
  • Demo: Boot2Root
  • Anatomy of an attack
Case #2: Simple exploitation
  • Aurora (CVE-2010-0249) case study
  • Evidence scoping
  • Extracting malware
  • Reading (obfuscated) code
  • Signature-based screening
  • Static and dynamic analysis
  • (Re)constructing attack flows
Big Brother tactics
  • Sniffers, sensors and taps, and protocol analyzers
  • Deploying Security Onion sensor
  • HW/SW requirements (and myths)
  • IDS, IPS, monitoring, and network security analytics
  • Snort/Suricata concepts, config, and common rule sets
  • Writing IDS rules
  • Catching “zero days” with Snort
Case #3: New perspectives
  • Extracting malware from pcap
  • Scanning for propagation
  • Malware detection with anti-malware
  • Malware detection with IDS
  • Static malware analysis
  • Dynamic malware analysis
  • Remote administration tools (RATs)

SOTERIA Global is a global leader in cyber-security training solutions and services.

The cyber world is now a part of our everyday life. New technology emerges daily, and as opportunities increase, so do cyber risks. Threats constantly evolve, and we must protect our valuable assets.

A successful cyber defense has many factors, but they all have one thing in common: dedicated, skilled individuals.

SOTERIA Global experts develop our solutions and rely on the best technological assets in the market. Our impressive global presence expands over four continents, giving us access to the best cybersecurity professionals.

Our solutions range from customized training programs to developing cyber-oriented facilities, ensuring that individuals and organizations are ready to face real-world threats. Over the years, we have worked with various organizations across many sectors, giving us the skillset to shape and adapt our solutions to meet our client’s needs.

  • Analysts
  • Security researchers
  • Forensics researchers
  • IT specialists
  • Incident response teams

  • User-level familiarity with operating systems
  • Familiarity with TCP/IP protocols
  • Familiarity with cyberwarfare methods
  • Prior knowledge of Linux and bash is advantageous
  • Basic networking knowledge

  • Analyzing communication files using common tools
  • Identifying threats in network traffic