|22 August||Monday||09:00-17:00 SGT/GMT +8||8 Hours|
|23 August||Tuesday||09:00-17:00 SGT/GMT +8||8 Hours|
This training is a hands-on deep dive experience on the reality of how malware and attackers work in the network. It provides comprehension on the behavioural patterns and complexities that go beyond static rule matching. The training uses real-life pcap captures of malware and normal traffic, it explores many malware samples and allows the students to analyse them one by one. Participants will learn a proven approach on how to do their traffic analysis, how to recognize malicious connections, how to separate normal behaviours from malicious behaviours, how to recognize anomalous patterns and how to deal with large amounts of traffic. Only analysing malware traffic may not be complex, but accurately separating it from normal traffic is much harder.
Module 1 – Networking and Security
Goal: To give the basic principles of network security topics so everybody is on the same page. The concepts of networking are displayed from a security point of view. You should finish the module knowing what we are doing, why and how to approach the network analysis.
Module 2 – Fundamentals on Tools and Analysis Methodology
Goal: To introduce the core methodology of malware traffic analysis, what questions need to be answered, and the core tools that can be used to answer those questions.
Module 3 – Threat Intelligence For Malware Traffic Analysis
Goal: To introduce concepts of cyber threat intelligence to the analysis of malware traffic. Learning to search for information using OSINT, and other sources of intelligence. You should finish the module knowing how to determine who is attacking, how they are attacking, and having a clear understanding of the adversaries.
Module 4 – Detecting High-Risk Malware Attack and Ransomware
Goal: To learn how to quickly identify and detect high-risk malware that may drop ransomware and how to identify ransomware lateral movement in a local network.
Module 5 – Real-Time Exploit Attacks on the Network
Goal: To learn how a real attack looks in the network by attacking each other. To realise how complex and difficult it can be to separate the normal from the attack in a real life scenario of a local computer attacking others.
Module 6 – Network Flows, Uninformed Decisions with Good Inference
Goal: To analyse the traffic when you can not access packets and how to deal with inference based on scarce data. To learn how flows work and what can be done with them to aid the analysis.
Module 7 – Threat Hunting on a SIEM
Goal: To give participants real hands-on experience on how to hunt down malware on a SIEM. To learn to think like an attacker and start looking for more complex behaviours in the network.
Module 8 – Machine Learning to Detect Advanced Attacks
Goal: To work through the analysis of captures that pose a different perspective on the malware behaviour. Tools can not help us so much and we need a deeper understanding of the common behaviours to spot any discrepancy.
Module 9 – Executing Malware to Understand how to Detect it (with authorization only)
Goal: To learn the methodology of how to execute real malware, how to capture its traffic and how to use the intelligence that such activity generates to better understand the malware and think of better defences.
Attendees are required to have a medium knowledge on TCP/IP, and common network protocols.
Attendees are also required to have:
Laptop + Power cord
Minimal tools installed: wireshark, tcpdump
Sebastian is a malware researcher and security teacher with extensive machine learning experience applied to network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect civil society. He likes to analyze network patterns and attacks with machine learning.
As a researcher in the AIC group of Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has been teaching in several countries and Universities and working on penetration testing for both corporations and governments.
He was lucky enough to talk in Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCor, Free Software Foundation Europe, Virus Bulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackspace, he is a free software advocate that worked on honeypots, malware detection, distributed scanning (dnmap) keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra), and biohacking.
Veronica is a researcher and intelligence analyst from Argentina. Her research strongly focuses on helping people. A jack of all trades, she currently specializes in threat intelligence, malware traffic analysis, and data analysis. She has presented her research at international conferences such as BlackHat, EkoParty, Botconf, Virus Bulletin, Deepsec, and others. She is the co-founder of the MatesLab hackerspace based in Argentina and co-founder of the Independent Fund for Women in Tech. She is currently the director of the Civilsphere project at the Czech Technical University, dedicated to protecting civil organizations and individuals from targeted attacks. She’s also the project leader at the Stratosphere Laboratory, a research group in the Czech Technical University dedicated to study and research in cybersecurity and machine learning.