| Date | Day | Time | Duration |
|---|---|---|---|
| 22 August | Monday | 09:00-17:00 SGT/GMT +8 | 8 Hours |
| 23 August | Tuesday | 09:00-17:00 SGT/GMT +8 | 8 Hours |
This training is a hands-on deep dive into the reality of how malware and attackers operate in the network. It builds comprehension of the behavioural patterns and complexities that go beyond static rule matching. The training uses real-life pcap captures of malware and normal traffic; it explores many malware samples and allows the students to analyse them one by one. Participants will learn a proven approach to traffic analysis: how to recognize malicious connections, how to separate normal behaviours from malicious behaviours, how to recognize anomalous patterns and how to deal with large amounts of traffic. Analysing malware traffic on its own may not be complex, but accurately separating it from normal traffic is much harder.
Module 1 – Networking and Security
Goal: To give the basic principles of network security topics so that everybody is on the same page. The concepts of networking are presented from a security point of view. You should finish the module knowing what we are doing, why, and how to approach the network analysis.
Module 2 – Fundamentals on Tools and Analysis Methodology
Goal: To introduce the core methodology of malware traffic analysis, what questions need to be answered, and the core tools that can be used to answer those questions.
Module 3 – Threat Intelligence For Malware Traffic Analysis
Goal: To introduce concepts of cyber threat intelligence to the analysis of malware traffic, and to learn to search for information using OSINT and other sources of intelligence. You should finish the module knowing how to determine who is attacking and how they are attacking, with a clear understanding of the adversaries.
Module 4 – Detecting High-Risk Malware Attack and Ransomware
Goal: To learn how to quickly identify and detect high-risk malware that may drop ransomware and how to identify ransomware lateral movement in a local network.
Module 5 – Real-Time Exploit Attacks on the Network
Goal: To learn how a real attack looks in the network by attacking each other, and to realise how complex and difficult it can be to separate the normal from the attack in a real-life scenario of a local computer attacking others.
Module 6 – Network Flows, Uninformed Decisions with Good Inference
Goal: To analyse the traffic when you cannot access packets and to deal with inference based on scarce data. To learn how flows work and what can be done with them to aid the analysis.
Module 7 – Threat Hunting on a SIEM
Goal: To give participants real hands-on experience on how to hunt down malware on a SIEM. To learn to think like an attacker and start looking for more complex behaviours in the network.
Module 8 – Machine Learning to Detect Advanced Attacks
Goal: To work through the analysis of captures that offer a different perspective on malware behaviour. Tools cannot help us much here, and we need a deeper understanding of the common behaviours to spot any discrepancy.
Module 9 – Executing Malware to Understand how to Detect it (with authorization only)
Goal: To learn the methodology for executing real malware, capturing its traffic and using the intelligence that such activity generates to better understand the malware and devise better defences.
Mr. Gal Diskin is a cybersecurity and AI researcher. He was previously the VP and head of Palo Alto Networks' Israeli site, and is a serial entrepreneur. Mr. Diskin's research has been featured at HITB, DEF CON, Black Hat, CCC and other conferences, spanning fields from low-level security research such as hardware vulnerabilities, binary instrumentation and car hacking to high-level research on AI detection methods, enterprise security and identity security. Mr. Diskin was also the technical lead and co-founder of Intel's software security organization, as well as the CTO of Cyvera and co-founder and CTO of HeXponent before their acquisition.
Huajiang "Kevin2600" Chen (Twitter: @kevin2600) is a senior security researcher. He mainly focuses on vulnerability research in wireless and vehicle security. He is a winner of GeekPwn 2020 and also made it into the Tesla Hall of Fame in 2021. Kevin2600 has spoken at various conferences including KCON, DEF CON and CanSecWest.
Attendees are required to have an intermediate knowledge of TCP/IP and common network protocols.
Attendees are also required to have:
Laptop + Power cord
Minimal tools installed: Wireshark, tcpdump