Network Forensics: Hunting with Packets

November 2 @ 11:00 am - November 5 @ 4:00 pm EDT


Threat hunting is all the rage! The idea is to take the fight to Evil, rather than waiting for Evil to inform us that our assets are pwnd (and kindly cough up some Bitcoin, please). But how do we accomplish this? Unfortunately, what’s finally in vogue is still pretty vague in practice.

Generally, hunting is fundamentally about identifying and understanding our quarry, the field within which it dwells, the ways in which it can be found and positively identified, and successfully taking it out of the field. In Montana, we then typically fieldstrip it and put it in our freezers, but that’s a very specific case generally involving only elk and deer.

That’s what this course is for: understanding the mechanics behind the field, the quarry, the scopes, and the firing pins. Because let’s face it: if your quarry knows the hunt better than you, and they typically do, you’ll never succeed.

We’ll cover the TCP/IP protocol structures mechanically: what they are for, how they work, how they can be subverted, and most importantly, how to tell the difference. What is it about the way that name resolution protocols work that make them such fantastic protocols to abuse? And in so many ways? What secrets can hide in a simple TCP 3-Way Handshake? Why would I care about an ICMP type 3 code 12 message?

We’ll also cover the basics of the tools of our tradecraft, and how they work as well: libpcap, Berkeley Packet Filtering (BPF), tshark, Zeek, Snort, etc., with actual nuts and bolts. Also, we’ll review why sometimes the bolts get stripped and the nuts don’t screw on quite right.

If you’re looking at packets in hex, and you notice that a TCP acknowledgement number of 0xC0A80A64 seems sort of suspicious, then get back to work. If you’re supposed to be hunting threats today, and you’re unsure why a TCP acknowledgement number of 0xC0A80A64 might seem suspicious, then register for this course.
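A worked illustration of the hex puzzle above, added here as an example and not part of the course material: read as four bytes, the acknowledgement number 0xC0A80A64 is the dotted quad 192.168.10.100, an RFC 1918 address, which is not what a stack's pseudo-random initial sequence numbers normally look like. Whether that is the point the course has in mind is an assumption on my part; the 20-byte TCP header parser, the RFC 1918 heuristic and the sample segments below are all constructed for this example.

```python
"""
Added example: flag TCP sequence/acknowledgement numbers that decode to an
RFC 1918 IPv4 address. Every value here is constructed for illustration.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

# RFC 1918 private ranges, checked explicitly rather than via is_private so
# that loopback, link-local and shared address space are not swept in.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def u32_to_ipv4(value: int) -> str:
    """Render a 32-bit field as a dotted quad (0xC0A80A64 -> '192.168.10.100')."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def is_rfc1918(value: int) -> bool:
    """True when the 32-bit value, read as an IPv4 address, falls in RFC 1918 space."""
    addr = ipaddress.IPv4Address(value & 0xFFFFFFFF)
    return any(addr in net for net in RFC1918)


def parse_tcp_header(raw: bytes) -> Dict[str, int]:
    """Parse the fixed 20-byte TCP header (RFC 793 field order, network byte order)."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, checksum, urg = struct.unpack(
        "!HHIIHHHH", raw[:20]
    )
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": off_flags & 0x1FF,            # NS/CWR/ECE/URG/ACK/PSH/RST/SYN/FIN
        "window": window,
    }


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: int = 0x10, window: int = 65535) -> bytes:
    """Constructed helper: minimal 20-byte header, checksum and urgent pointer left zero."""
    off_flags = (5 << 12) | flags  # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def hunt_ipv4_in_seq_fields(headers: List[bytes]) -> List[Tuple[int, str, str]]:
    """Return (segment index, field name, dotted quad) for seq/ack values in RFC 1918 space."""
    findings = []
    for i, raw in enumerate(headers):
        h = parse_tcp_header(raw)
        for field in ("seq", "ack"):
            if is_rfc1918(h[field]):
                findings.append((i, field, u32_to_ipv4(h[field])))
    return findings


# Constructed sample: two ordinary-looking segments, then one whose ACK is 0xC0A80A64.
SAMPLE_HEADERS = [
    build_tcp_header(51234, 443, 0x7A3F19C2, 0x19E4B7A0),
    build_tcp_header(443, 51234, 0x19E4B7A0, 0x7A3F19C3),
    build_tcp_header(40001, 80, 0x5F02A1D3, 0xC0A80A64),
]

if __name__ == "__main__":
    for idx, field, quad in hunt_ipv4_in_seq_fields(SAMPLE_HEADERS):
        value = parse_tcp_header(SAMPLE_HEADERS[idx])[field]
        print(f"segment {idx}: {field}=0x{value:08X} decodes to {quad}")
```

This is a triage hint rather than a verdict: a uniformly random 32-bit value lands in RFC 1918 space roughly 0.4% of the time, so over a large capture the heuristic will surface some legitimate segments, and the hit is only interesting once you have looked at the surrounding handshake and the endpoints involved.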







Antisyphon Training