Threat Hunting with Wireshark for SecOps
Published by Pearson
Learn to spot suspect traffic
- Learn how to analyze network traffic, a critical skillset for all cybersecurity professionals
- Don’t wait for alerts from your IDS/IPS systems to hunt for threats in network traffic
- Capture, analyze, and isolate suspect traffic and indicators of compromise with Wireshark
The field of cybersecurity has grown tremendously in the past few years. With every new breach, we realize just how important analysis skills have become in identifying, mitigating, and protecting networks. Wireshark is one of the most important tools in the toolbox for identifying threats, spotting unusual behavior, and analyzing malware behavior; you just need to know how to use it.
In this class, we dive deep into traffic flows to learn how Wireshark can be used to analyze different steps in the Cyber Kill Chain. This is a lab-driven course, with plenty of hands-on, to learn about:
- Creating a security profile
- Filters to spot abnormal traffic patterns
- Analyzing scan activity
- Malware analysis
- How to spot data exfiltration
- Finding traffic from unusual sources with GeoIP
- Analyzing a brute-force attack
What you’ll learn and how you can apply it
- Where to look on the network for threat hunting
- How nmap scans work and other active recon tools
- How attackers move laterally and exploit network vulnerabilities
And you’ll be able to:
- Quickly analyze network traffic to spot nmap scan activity
- Analyze malware behavior and spot indicators of compromise
- Isolate traffic patterns at all stages of the MITRE ATT&CK Framework and Cyber Kill Chain
This live event is for you because...
- This course is targeted toward network engineers or SOC analysts who are responsible for analyzing traffic with Wireshark.
- Beginners will learn how to be more comfortable with the Wireshark interface and how attacks look in the packets. Intermediate/advanced analysts will pick up some new tips to identify and isolate suspect traffic quickly.
Prerequisites
- Familiarity with networking concepts: routing, switching, firewalls, and the basics of how packets flow through a network. It is not required to have a CCNA level of experience, but it would be a good starting point.
Course Set-up
- Download Wireshark from wireshark.org
Recommended Preparation
- Attend: TCP/IP Deep Dive with Wireshark for NetOps and SecOps by Chris Greer
- Read: Wireshark Fundamentals: A Network Engineer’s Handbook to Analyzing Network Traffic by Vinit Jain
Recommended Follow-up
- Read: CCNA 200-301 Official Cert Guide Library by Wendell Odom
- Watch: CCNA 200-301 by Kevin Wallace
- Watch: CompTIA Security+ SY0-601 by Sari Green
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
Day 1
Segment 1: What Is Threat Hunting? (60 minutes)
- How and where to capture data on the network
- Where are the blind spots?
- How to search, even when there is no alert
- Lab 1 – Set Up a Security Profile in Wireshark (10 minutes)
- Lab 2 – Configure GeoIP Resolution (10 minutes)
- Break (10 minutes)
Segment 2: Analyzing a Scan Activity (120 minutes)
- Nmap scans
- OS enumeration
- Spot the bot
- Lab 3 – Digging into a Botnet (10 minutes)
- Lab 4 – Nmap Signatures (10 minutes)
Q&A (10 minutes)
Day 2
Segment 3: Malware Analysis (120 minutes)
- Initial infection
- Malware behavior
- How to spot C2 traffic
- Lab 5 – Emotet Analysis (10 Minutes)
- Lab 6 – How a Reverse Shell Works (10 Minutes)
- Break (10 Minutes)
Segment 4: Data Exfiltration and Brute-Force Behavior (60 minutes)
- How data can be exfiltrated from key systems
- Pivoting from vulnerable systems
- Spotting unusual TCP ports and conversations
- Lab 7 – Analyzing OS Enumeration (10 Minutes)
- Lab 8 – Exfil over DNS (10 Minutes)
Course wrap-up and next steps (10 minutes)
Your Instructor
Chris Greer
Chris Greer has traveled the world teaching Wireshark and the principals of protocol analysis to engineers of all experience levels. He is a Packet Analyst and Trainer for Packet Pioneer, a Wireshark University partner, and has a passion for digging into the packetweeds and finding answers to network and cybersecurity problems. Chris has a YouTube channel where he focuses on videos showing how to use Wireshark to examine TCP connections, options, and unusual behaviors, as well as spotting scans, analyzing malware, and other IOCs in the traffic. His approach to training is that if you aren’t having fun doing something, you won’t retain what you are learning, so he strives to bring as much hands-on and humor to the classroom as possible. Chris remembers what it was like to look at Wireshark for the first time and knows how complicated packet analysis can be. With that in mind, he has designed an easy-to-follow course that will appeal both to the beginner and more advanced packet person. Find Chris on YouTube at https://www.youtube.com/c/ChrisGreer