deep knowledge technical trainings

AUGUST 22 / 23 / 24 / 25 @ INTERCONTINENTAL SINGAPORE

Hands-on Advanced Malware Traffic Analysis

This training is a hands-on deep dive experience on the reality of how malware and attackers work in the network. It provides comprehension on the behavioural patterns and complexities that go beyond static rule matching. The training uses real-life pcap captures of malware and normal traffic; it explores many malware samples and allows the students to analyse them one by one.

$3,299.00

Duration

2-day

Delivery Method

In-Person

Level

advanced

Seats Available

20

REGISTRATION CLOSED

DATE: 22-23 August 2022

TIME: 09:00-17:00 SGT/GMT +8

Date         Day        Time                     Duration
22 August    Monday     09:00-17:00 SGT/GMT +8   8 Hours
23 August    Tuesday    09:00-17:00 SGT/GMT +8   8 Hours


Detection of attacks and malware infections in the network is a cornerstone of protecting any organisation and device. Many tools exist that give us alerts and information, and many threat intelligence feeds are available. However, without the proper experience and knowledge of how to tell what is malicious from what is benign, it is very hard to make any productive decisions and apply real protection and defence. Tools are useless without an understanding of what to expect and what can happen in your network.

This training is a hands-on deep dive experience on the reality of how malware and attackers work in the network. It provides comprehension on the behavioural patterns and complexities that go beyond static rule matching. The training uses real-life pcap captures of malware and normal traffic; it explores many malware samples and allows the students to analyse them one by one. Participants will learn a proven approach to traffic analysis: how to recognise malicious connections, how to separate normal behaviours from malicious behaviours, how to recognise anomalous patterns and how to deal with large amounts of traffic. Analysing malware traffic on its own may not be complex, but accurately separating it from normal traffic is much harder.

The most important lesson is not about how to use Wireshark or tcpdump. It is about obtaining the knowledge and experience to recognise real malicious actions in the network: specifically, how malware hides, how to recognise encryption, how to analyse web patterns and how to discard false connections.

Agenda

Module 1 – Networking and Security

Goal: To give the basic principles of network security topics so everybody is on the same page. The concepts of networking are presented from a security point of view. You should finish the module knowing what we are doing, why, and how to approach the network analysis.


Module 2 – Fundamentals on Tools and Analysis Methodology

Goal: To introduce the core methodology of malware traffic analysis, what questions need to be answered, and the core tools that can be used to answer those questions.


Module 3 – Threat Intelligence For Malware Traffic Analysis

Goal: To introduce concepts of cyber threat intelligence to the analysis of malware traffic, learning to search for information using OSINT and other sources of intelligence. You should finish the module knowing how to determine who is attacking and how they are attacking, and having a clear understanding of the adversaries.


Module 4 – Detecting High-Risk Malware Attack and Ransomware

Goal: To learn how to quickly identify and detect high-risk malware that may drop ransomware and how to identify ransomware lateral movement in a local network.


Module 5 – Real-Time Exploit Attacks on the Network

Goal: To learn how a real attack looks in the network by attacking each other. To realise how complex and difficult it can be to separate the normal from the attack in a real-life scenario of a local computer attacking others.


Module 6 – Network Flows, Uninformed Decisions with Good Inference

Goal: To analyse the traffic when you cannot access packets, and how to deal with inference based on scarce data. To learn how flows work and what can be done with them to aid the analysis.


Module 7 – Threat Hunting on a SIEM

Goal: To give participants real hands-on experience on how to hunt down malware on a SIEM. To learn to think like an attacker and start looking for more complex behaviours in the network.

Module 8 – Machine Learning to Detect Advanced Attacks

Goal: To work through the analysis of captures that pose a different perspective on the malware behaviour. Tools cannot help us as much here, and we need a deeper understanding of the common behaviours to spot any discrepancy.

Module 9 – Executing Malware to Understand How to Detect It (with authorization only)

Goal: To learn the methodology of how to execute real malware, how to capture its traffic and how to use the intelligence that such activity generates to better understand the malware and think of better defences.


Researcher

National University Singapore

Dr. Wang Kailong is currently a research fellow at the National University of Singapore (NUS). He received his PhD degree from the School of Computing, NUS, in 2022. He worked as a Research Assistant at NUS while pursuing his PhD degree from 2016 to 2021. His research interests include mobile and web security and privacy, and protocol verification. His work has appeared in top conferences such as WWW and MobiCom.

Co-Founder & CTO

Authomize

Mr. Gal Diskin is a cybersecurity and AI researcher. He was previously the VP and head of Palo Alto Networks’ Israeli site, and is a serial entrepreneur. Mr. Diskin’s research has been featured at HITB, Defcon, Black Hat, CCC and other conferences, spanning fields from low-level security research such as hardware vulnerabilities, binary instrumentation and car hacking to high-level research on AI detection methods, enterprise security and identity security. Mr. Diskin was also the technical lead and co-founder of Intel’s software security organization, as well as the CTO of Cyvera and HeXponent (co-founder) before their acquisition.

Senior Security Researcher

Huajiang “Kevin2600” Chen (Twitter: @kevin2600) is a senior security researcher. He mainly focuses on vulnerability research in wireless and vehicle security. He is a winner of GeekPwn 2020 and also made it into the Tesla hall of fame in 2021. Kevin2600 has spoken at various conferences including KCON, DEFCON and CANSECWEST.

Who Should Attend

The training is designed for security professionals, company administrators, SOC and NOC operators, CERT members, government defence professionals, network administrators, forensic analysts, etc.

Key Learning Objectives

  • To identify malicious actions in the network independently of the tool used

  • To separate malicious actions in the network from normal actions accurately

  • To understand the complexity of the attacks, the malware and how they mix in the normal traffic

Prerequisite Knowledge

Attendees are required to have an intermediate knowledge of TCP/IP and common network protocols.

Hardware / Software Requirements

Attendees are also required to have:

  • Laptop + Power cord

  • Minimal tools installed: Wireshark, tcpdump