Malware Traffic Analysis Workshop with Brad Duncan
Come join us for a full day malware traffic analysis workshop delivered by Brad Duncan, author of the Malware Traffic Analysis Blog.
Location
EY Tower 100 Adelaide Street West 31st Floor Toronto, ON M6J 2L3 Canada
About this event
DEFCON Toronto is excited to bring to you a full day malware traffic analysis workshop hosted at the EY Tower at Bay/Adelaide.
This workshop is sponsored by EY and Elevated Prompt!
Individuals of all skill levels are encouraged to attend!
Lunch will be provided.
Purchase of a ticket for this workshop will contribute to the costs of the facilitator's travel, the venue, and food.
Bio on Workshop Facilitator (Brad Duncan):
After 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010, and he is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad specializes in network traffic analysis. He is also a handler for the Internet Storm Center (ISC) and has posted more than 140 diaries at isc.sans.edu. Brad routinely blogs technical details and analysis of infection traffic at www.malware-traffic-analysis.net, where he provides traffic analysis exercises and over 1,600 malware and pcap samples to a growing community of information security professionals.
Workshop Details:
This training is a one-day workshop that provides a foundation for investigating packet captures (pcaps) of malicious network traffic. The workshop begins with basic investigation concepts, setting up Wireshark, and identifying hosts or users in network traffic. Participants then learn the characteristics of malware infections and other suspicious network traffic. The workshop covers techniques for determining the root cause of an infection and for identifying false positive alerts. The training concludes with an evaluation designed to give participants experience in writing an incident report.
Participant Requirements/Preparation Instructions:
- Personal laptop running a non-Windows OS or a Virtual Machine running a non-Windows OS
- Recent version of Wireshark installed (at least version 2.2 or later)
- PCAPs and presentation slides will be posted here in advance of the workshop (an announcement will follow once the content is finalized)
- To get familiar with the types of exercises that will be done in the workshop, participants can review previously posted training exercises on Brad's blog here: https://www.malware-traffic-analysis.net/training-exercises.html
Workshop Schedule:
8:00AM-8:30AM - Registration & Breakfast Refreshments
8:30AM-10AM - Intro & setting up Wireshark (1 hour 30 minutes)
10AM-11AM - Identifying hosts & users (1 hour)
11AM-11:15AM - Bio Break
11:15AM-12:15PM - Non-malicious activity (1 hour)
12:15PM-1PM - Lunch
1PM-2PM - Windows malware infections (1 hour)
2PM-2:45PM - Bad web traffic & policy violations (45 minutes)
2:45PM-3PM - Bio Break
3PM-4PM - Researching indicators & false positives (15 minutes)
4PM-5PM - Writing incident reports (1 hour 15 minutes)
5PM-5:45PM - Evaluation (45 minutes)