HBFITES Data Center, Collaboration, Security, Storage, Wireless, Telepresence Training +91-9886770046 info@hbfites.com

MNTA - Malicious Network Traffic Analysis

Description

There is a tremendous number of network-based attacks to be aware of on the internet today, and that number is increasing rapidly. You can't defend against these lethal network attacks if you don't know about them or have never seen what they look like at the packet level. This course teaches you how to analyze, detect and understand all the network-based attacks that we could find being used today in modern network warfare.

From layer two attacks against network devices through complex botnets and specific application vulnerabilities, this class will fulfill your desire to see what these attacks look like. We even show you how to detect attacks using Flow Analysis if you don't have network packets to analyze or only have statistical information at your disposal. We'll use the popular protocol analyzer Wireshark and the session analysis tool NetWitness alongside custom tools developed by ANRC networking experts to show you how to detect these network attacks and be prepared to handle them.

Course Details:

  • 70% Labs, 30% Lecture using real-world network attack captures
  • Laptops are provided during the class
  • Students receive USB Flash drives of all attack captures and student labs

Objectives

Attending students will learn:

  • Strategic, Tactical, and Operational Analysis
  • Situational Awareness
  • Current Networking Trends in Malware
  • IDS / IPS evasion techniques
  • Flow Analysis to help identify malicious behavior
  • Coordinated Attacks
  • Botnets
  • Browser Attacks (JavaScript, Obfuscation)
  • Drive-By-Downloads
  • OSI Layer 2,3,4,5,6,7 Attacks
  • Social Engineering and Phishing Attacks
  • Tunneling and Advanced Tunneling

Prerequisites

You should possess knowledge of the following:

  • Knowledge of IPv4 networking protocols is required
  • Skills and experience with Wireshark display filtering is required
  • Knowledge of RSA NetWitness is recommended
  • Attending students should have a thorough understanding of Microsoft Windows
  • Python scripting abilities would be beneficial
  • CompTIA Network+ and Security+ certifications would be beneficial but are not required

Who Should Attend

  • Threat operation analysts seeking a better understanding of network-based malware and attacks
  • Incident responders who need to quickly address a system security breach
  • Forensic investigators who need to identify malicious network attacks
  • Individuals who want to learn what malicious network activity looks like and how to identify it

Outline

Analyzing Reconnaissance

  • What Constitutes Malicious Traffic?
    • Malicious traffic generators
    • Recent trends in Malware Networking
      • Malvertising
      • Drive-By-Downloads
      • Social Network propagation
      • Scareware
      • Trusted site utilization
      • Organized crime
      • Social engineering / phishing
    • Network Attack Lifecycle
      • Reconnaissance Phase
      • Attack Phase
      • Proliferation Phase
    • OSI Layer Attacks
      • User Layer Attacks
      • Application Layer Attacks
      • Presentation Layer Attacks
      • Session Layer Attacks
      • Transport Layer Attacks
      • Network Layer Attacks
      • Data Link Layer Attacks
      • Physical Layer Attacks
    • Targeted Attack vs. Large Scale Attack
    • Network Intrusion Analysis Process
      • Strategic Analysis
      • Tactical Analysis
      • Operational Analysis
      • ANRC Network Intrusion Analysis Process
    • Analytical Tools of the Trade
      • IDS / IPS Technologies
      • Flow Analysis Tools
      • Network Flows Overview
      • Protocol Analysis Tools
      • Logs
      • Other information sources
    • Beginning Phase of Attacks: Recon
      • Types of Recon
        • Social Engineering
        • Visual Observation
        • Search Engines
        • Website Mining
        • Network Tools
        • Port Scanning
        • Banner Grabbing
        • Web Application Fuzzing
    • NMAP Port Scans
      • Host discovery
      • TCP Ping Sweep
      • TCP Connect Scan
      • XMAS Tree Scan
      • SYN Stealth Scan
      • UDP Scan
      • OS Discovery Scans
  • Afternoon Labs

OSI Layer Attack Types

  • Vulnerability Discovery Phase
    • Vulnerability Analysis Tools
    • Vulnerability Analysis Detection
  • User Layer Attacks
    • Phishing
    • Spear Phishing
    • Whaling
    • Social Engineering Emails
    • User Layer Analyst Takeaways
  • Application Layer Attacks
    • Input Validation Attacks
    • SQL Injection
    • Brute Force Attacks
    • Browser Attacks
      • Drive-by-downloads
      • XSS
      • Flash, ActiveX, JavaScript
    • IE and Firefox Exploits
    • Application Layer Analyst Takeaways
  • Presentation Layer Attacks
    • SMB MS08-067 study
    • ASN Attack study
    • Presentation Layer Analyst Takeaways
  • Session Layer Attacks
    • Man-in-the-middle (MITM)
    • ARP Poisoning / Spoofing
    • Session Layer Analyst Takeaways
  • Transport Layer Attacks
    • TCP Sequence Prediction
    • TCP Redirection
    • Denial of Service Attacks
    • Tunneling
    • Transport Layer Analyst Takeaways
  • Network Layer Attacks
    • ICMP Redirects
    • DHCP Poisoning / Spoofing
    • Network Layer Analysis Takeaways
  • Data Link Layer Attacks
    • ARP Poisoning
    • ARP Poisoning One Way
  • Physical Layer Attacks
    • Theft
    • Power Outages
    • Loss of Environmental Control
    • Unauthorized data connections
    • Physical Network Taps
    • Physical Network Redirection

Botnets

  • Botnet History and Evolution
    • Botnets 2003 to the present
    • AgoBot
    • Operation b49
  • Botnet Architectures and Design
    • Command and Control Structures
      • Central
      • Peer-to-peer
      • Hybrid
    • Lifecycle Stages
      • Initial Infection
      • Secondary Infection
      • Malicious Activity
      • Maintenance and Upgrade
  • Malicious Uses
    • Port Scanning
    • Exploitation
    • DNS Proxy (Fast Flux Service Networks)
    • Web Services
    • Spam Services
  • Botnet Communications
    • Botnet Recruitment
    • Communication protocols
      • IRC, P2P, HTTP/HTTPS
      • Twitter
      • ICMP
      • DNS / DDNS
  • Bot Evasion and Concealment
  • Identification Challenges
  • Fast Flux Service Network
  • Double Flux Services
  • Analysis Techniques
    • Baselining Network Activity
    • Situational Awareness
    • Ingress and Egress SMTP and HTTP
    • FFSN Activity
    • Flow Analysis
  • BlackEnergy Walkthrough
  • Zeus Walkthrough

Advanced Communication Methods

  • Covert Communication Methods
    • Data Exfiltration
    • Command and Control
    • Methods
      • Tunneling
      • Encryption
      • Both Tunneling and Encryption
  • Network Layer Tunneling
    • IPv6 Tunneling
      • Incomplete support for IPv6
      • IPv6 auto-configuration
      • Malware that enables IPv6
    • ICMP Tunneling
    • Analyst Takeaways
  • Transport Layer Tunneling
    • TCP / UDP Tunneling
    • Analyst Takeaways
  • Application Layer Tunneling
    • HTTP Tunneling
    • DNS Tunneling
    • DNSCat
    • Analyst Takeaways
  • Traffic Cloaking
    • Using websites to conceal malicious activities
    • Limited attribution
    • Social Networking and Encryption benefits
    • Cloud Computing Data Centers

Student Practical Demonstration:

  • Using the tools, skills, and methodologies taught in Days 1 through 4 of the class, students will uncover a multi-part network intrusion. The intrusion capture file will contain at least 3 Application Layer attacks, 2 Advanced Communications Methods, and a hacker toolkit to discover. Students will have to prepare a report detailing the attack from start to finish, documenting what the hacker did and what information, if any, was leaked.

Lab Outline

  • Day 1
    • Netflow Analysis Tools Lab
    • Wireshark Exercise Part 1
    • Wireshark Exercise Part 2
    • Lab 01 - Identify the Reconnaissance #1
    • Lab 02 - Identify the Reconnaissance #2
    • Lab 03 - Identify the Reconnaissance #3
    • Lab 04 - Identify the Reconnaissance #4
    • Lab 05 - Identify the Reconnaissance #5
    • Lab 06 - Identify the Reconnaissance #6
    • Lab 07 - Identify the Reconnaissance #7
  • Day 2
    • Lab 08 - Identify the OSI Layer Intrusion #1
    • Lab 09 - Identify the OSI Layer Intrusion #2
    • Lab 10 - Identify the OSI Layer Intrusion #3
    • Lab 11 - Identify the OSI Layer Intrusion #4
    • Lab 12 - Identify the OSI Layer Intrusion #5
    • Lab 13 - Identify the OSI Layer Intrusion #6
    • Lab 14 - Identify the OSI Layer Intrusion #7
    • Lab 15 - Identify the OSI Layer Intrusion #8
    • Lab 16 - Identify the OSI Layer Intrusion #9
  • Day 3
    • Lab 17 - Identify the Botnet #1
    • Lab 18 - Identify the Botnet #2
    • Lab 19 - Identify the Botnet #3
  • Day 4
    • Lab 20 - Find and decrypt the covert channel
  • Day 5 - Student Practical Demonstration (described above)