Network monitoring and detection
A practical workshop focusing on communication forensics and incident response.
40 Hours
Blue Team
Very few forensic investigators gather network captures when investigating cyberattacks. Collecting memory samples, hard-drive data, copy-service snapshots, and event logs after an attack is common practice, but most investigators do not examine, or even record, network traffic during a security incident. There are valid explanations for this (a lack of storage space, the challenge of decrypting encrypted traffic), yet skipping this vital step costs investigators a substantial amount of evidence.

The course covers the following topics:
Why bother parsing network traffic?
  • Anatomy of targeted attacks (MITRE ATT&CK)
  • Types of digital evidence
  • Post-mortem forensics vs. (near) real-time analysis
  • Enterprise-scale network captures (and the storage dilemma)
Networking 101
  • OSI and TCP/IP
  • Network traffic analysis with Wireshark
  • Ethernet PDUs
  • IP, PDU, and ARP
  • TCP and UDP
  • DHCP, DNS, and ICMP
  • Applications: HTTP, SSL, and SMB
Parsing traffic with Linux shell
  • Getting to grips with Linux shell
  • Using tcpdump
  • Text processing with grep
  • Regular expressions
  • Bash tools: wc, sort, cut, uniq
  • Tshark: tcpdump on steroids
  • Visualizing traffic
Indexing and generating statistics
  • Timeframes
  • Packet rates and data rates
  • Endpoints (L2, L3)
  • Conversations
  • Protocol hierarchy
  • IO stats
  • Fingerprinting hosts and users
  • Enumerating domains
Parsing the higher layers
  • TCP stream reassembly
  • File carving with magic numbers
  • Manual carving
  • Foremost with assembled data streams
  • File carving through protocol analysis (bro)
  • Other protocol parsers
Case #1: Mail harassment
  • Case description
  • Reducing investigation surface
  • Mapping: Who is who and what’s what
  • Anchor: correlate evidence with story
  • The application layer: http header analysis
  • The application layer: Plain-text user inputs
  • The application layer: Session cookies and unique identifiers
  • Bonus: The bottom-up approach
Introduction to malware and targeted attacks
  • Code vulnerabilities
  • What are exploits?
  • Exploit kits and custom malware
  • What are payloads?
  • What are C2s (control connections)?
  • Demo: Boot2Root
  • Anatomy of an attack
Case #2: Simple exploitation
  • Aurora (CVE-2010-0249) case study
  • Evidence scoping
  • Extracting malware
  • Reading (obfuscated) code
  • Signature-based screening
  • Static and dynamic analysis
  • (Re)constructing attack flows
Big Brother tactics
  • Sniffers, sensors and taps, and protocol analyzers
  • Deploying Security Onion sensor
  • HW/SW requirements (and myths)
  • IDS, IPS, monitoring, and network security analytics
  • Snort/Suricata concepts, config, and common rule sets
  • Writing IDS rules
  • Catching “zero days” with Snort
Case #3: New perspectives
  • Extracting malware from pcap
  • Scanning for propagation
  • Malware detection with anti-malware
  • Malware detection with IDS
  • Static malware analysis
  • Dynamic malware analysis
  • Remote administration tools (RATs)
About

CYBERPRO was founded in cooperation with international information security and training authorities that bring world-leading cyber training technologies to Israel, together with a learning experience of the highest standard available today.

The partners include the IITC group, which has trained graduates for the high-tech industry for over 20 years and was selected as Cisco's training center in Israel.

CYBERPRO’s advanced, sought-after training courses in infrastructure, information security, and cyber are internationally recognized. They were developed by some of the world's best cyber experts for international security organizations that place a high value on training capability, professional learning methods, and unique training and practice technologies. Our connections with international groups expose our students to unique employment opportunities in Israel and abroad.

All training and learning tracks are built on extensive hands-on practice and on preparation for the requirements of the industry and the profession, so they include technological labs and practice sessions on one of the most advanced simulators in the world.

Target audience:
    • Analysts
    • Security researchers
    • Forensics researchers
    • IT specialists
    • Incident response teams

Prerequisites:
    • User-level familiarity with operating systems
    • Familiarity with TCP/IP protocols
    • Familiarity with cyberwarfare methods
    • Prior knowledge of Linux and bash is advantageous
    • Basic networking knowledge

Skills acquired:
    • Analyzing communication files using common tools
    • Identifying threats in network traffic