DEFCON Toronto is excited to bring to you a full day malware traffic analysis workshop hosted at the EY Tower at Bay/Adelaide.

This workshop is sponsored by EY and Elevated Prompt!

Individuals of all skill levels are encouraged to attend!

Lunch will be provided.

Purchase of a ticket for this workshop will contribute to the costs of facilitator's travel, the venue, and food.

Bio on Workshop Facilitator (Brad Duncan):

After 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010, and he is a currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad specializes in network traffic analysis. He is also a handler for the Internet Storm Center (ISC) and has posted more than 140 diaries at isc.sans.edu. Brad routinely blogs technical details and analysis of infection traffic at www.malware-traffic-analysis.net, where he provides traffic analysis exercises and over 1,600 malware and pcap samples to a growing community of information security professionals.

Workshop Details:

This training is a one day workshop that provides a foundation for investigating packet captures (pcaps) of malicious network traffic. The workshop begins with basic investigation concepts, setting up Wireshark, and identifying hosts or users in network traffic. Participants then learn characteristics of malware infections and other suspicious network traffic. The workshop covers techniques to determine the root cause of an infection and determining false positive alerts. This training concludes with an evaluation designed to give participants experience in writing an incident report.

Participant Requirements/Preparation Instructions:

1. Personal laptop running a non-Windows OS or a Virtual Machine running a non-Windows OS
2. Recent version of Wireshark installed (at least version 2.2 or later)
3. PCAPs and presentation slides to be posted here in advance of the workshop (Will be announced when content is up and finalized)
4. To get familiar with the types of exercises that will be done in the workshop, participants can review previously posted training exercises on Brad's blog here: https://www.malware-traffic-analysis.net/training-exercises.html

Workshop Schedule:

8:00AM-830AM - Registration & Breakfast Refreshments

830AM-10AM - Intro & setting up Wireshark (1 hour 30 minutes)

10AM-11AM - Identifying hosts & users (1 hour)

11AM-11:15AM - Bio Break

11:15AM-12:15PM - Non-malicious activity (1 hour)

12:15PM-1PM - Lunch

1PM-2PM - Windows malware infections (1 hour)

2PM-2:45PM - Bad web traffic & policy violations (45 minutes)

2:45PM-3PM - Bio Break

3PM-4PM - Researching indicators & false positives (15 minutes)

4PM-5PM - Writing incident reports (1 hour 15 minutes)

5PM-5:45PM - Evaluation (45 minutes)