Network Forensics Master Course

Network forensics is a cornerstone activity of any security operations team. In this Master Course, we impart how to detect common and advanced attack techniques through a systematic review of network traffic and host logs. Dozens of exercises will be provided which will challenge and impart new knowledge to students of all skill level.
Theoretical knowledge makes up 40% of the class, and the other 60% consists of practical exercises. At the end of the course, a large-scale network forensics exercise is conducted that can be reproduced at your workplace.

Course Outcome
By the end of this course, students should be feel confident that they can deploy network security monitoring on any network (corporate, DMZ, OT, or in the Cloud) and detect attacks across the entire kill chain. Amongst the attack scenarios students would have learnt during the course are:
  • Detect data breaches due to web application vulnerabilities
  • Detect lateral movement into segmented networks and unauthorized access to critical devices
  • Detect stealthy espionage campaigns that make use of covert channels
  • Detect unauthorized privilege escalation and compromised user accounts
  • Detect man-in-the-middle attacks against local networks
  • Detect advanced taken-down strategies and devise strategies to defeat them
  • Reverse engineer custom network protocols and devise strategies to block them
  • Build custom incident detection tools to automate the incident detection process

Intended Audience
Security analysts, forensics investigators, incident responders, and incident handlers with at least 2 years of professional experience detecting and responding to security incidents.

Instructor(s)
This course is taught by experienced Mossé Security’s instructors. Our instructors have over 10 years of experience delivering penetration testing, red teaming and incident response services for a multitude of industries that have involved complex and multi-faceted approaches. Our instructors each possess the right balance of corporate experience and are competently skilled in presenting and teaching to groups.
Beyond their technical abilities and years of professional experience, our instructors are also trained teachers and public speakers. Their manner of teaching easily conveys their passion for computer security to every one of our students.

Course Outline:

Module 1: Mastering The Packet Analysis Tools
This module imparts all the packet analysis tools necessary for network forensics! Wireshark, libpcap, winpcap, the BPF language, tcpdump, tshark, dumpcap, ngrep, tcpflow, pcapcat, tcpxtract, tcpflow, scapy, NetworkMiner and many other packet analysis tools you should know about!
We will also teach the PCAP file format itself. Just in case you ever need to build your own PCAP parsing tools.

Module 2: Host Analysis
We impart how to analyse logs generated on servers and workstations. Students will learn how to detect and investigate SQL injection attacks, brute forcing, code injection, command injection, path traversal, cross-site scripting, session hijacking, PAM user compromise, Windows privilege escalation, lateral movement across Windows and Linux, and much more!

Module 3: The Advanced Topics
In this module, we go over how to detect advanced network tunneling and reverse engineer custom network protocols. This includes topics such as: ICMP tunnels, DNS tunnels, TCP sequence numbers, Protocol 41, IP fragmentation, secret handshakes, steganography, compression and encryption.
We also explore attack techniques intended at preventing take-downs: DGA, domain fronting, peer-to-peer networks, and C&C over popular websites.

Module 4: Network Design & Architecture
We go over best practice approaches to implement network security monitoring in corporate, DMZ, cloud and OT networks. We impart the type of forensics data to capture, how much of it, how to turn on logging on Windows and Linux machines, and how to automate data collection and parsing activities.

Module 5: Theatre Exercises
In the final module, we deploy a randomly generated network and launch semi-automated attack campaigns against it. For a whole day, students are tasked with reviewing as many log files as possible for indicators of attacks and compromise and write technical threat reports.

Enrol


Fees
  • Ticket: $5,000.00 AUD including GST.

Enrolment
No open registration programmes scheduled. Contact us to run this learning programme onsite.
Terms and Conditions
  • Payment methods are either booking online via Event Brite or contacting us for an invoice.
  • Payment is required at the time of booking.
  • Cancellation notifications after 14 days prior to course commencement date are not eligible for refund.
  • Cancellations received between 15 and 28 days prior to course commencement will be charged 50% of the course fee.
  • Students are allowed 1 reschedule per class. Transfers received between 15 – 28 days prior to course commencement will be charged a $300 (incl GST) administrative fee. The new session date must be given at the time of the reschedule notification and rescheduled classes must be taken within 6 months of original scheduled date.
  • Transfers received 14 days or less prior to course commencement will be charged 50% of the course fee. The new session date must be given at the time of the reschedule notification and rescheduled classes must be taken within 6 months of original scheduled date.
  • Payment must be made in full prior to any rescheduling.
  • Student substitutions can be made in writing 48 hours prior to a class start.
  • If a student does not attend a scheduled session, there will be no refund or reschedule given. Payment is forfeited. Mossé Security reserves the right to cancel a course and will endeavour to provide participants with as much notice as possible. Upon cancellation, any fees already paid by the participant will be refunded.

Requirements

Software Requirement
Bring a laptop running the Windows or UNIX operating system with the OpenVPN or Tunnelblick client to connect into our training lab in the cloud.