Focal Point - Malicious Network Traffic Analysis Course Details:

There are a tremendous number of network-based attacks occurring every day, and that number is increasing rapidly. To defend against these attacks, they must be understood at the packet level. This course teaches you how to analyze, detect, and understand the network-based attacks that have become pervasive on today’s Internet.

By learning to identify statistical patterns and isolate events of interest, students will gain the skills needed to perform critical, real-time analysis in a production environment. The course uses several traffic analysis tools, including Wireshark, NetworkMiner and RSA’s NetWitness Investigator, alongside custom tools and scripts developed by our networking experts, to train students to detect and analyze these network attacks.

Student Practical:
Using the tools, skills and methodologies taught on Days 1 through 4 of the class, students will uncover a multi-part network intrusion. The intrusion capture files contain multiple application-layer attacks, multiple advanced communication methods and a hacker toolkit to discover. Students must prepare a report that details the attack from start to finish, documents what the hacker did, and identifies what information, if any, was leaked.

    No classes are currently scheduled for this course.

    Call (919) 283-1653 to get a class scheduled online or in your area!

*Please Note: Course Outline is subject to change without notice. Exact course outline will be provided at time of registration.

In this class you will come away with the following skills:

  • Identify and analyze attacks across the various layers of the network stack
  • Identify signs of reconnaissance being conducted against a network and recommend mitigation steps to limit the data provided to attackers
  • Perform flow analysis to uncover anomalous and malicious activity at a statistical level
  • Detect and investigate tunneling, botnet command & control traffic, and other forms of covert communications being utilized in a network
  • Accurately correlate multiple stages of malicious activity in order to build a complete picture of the scope and impact of a coordinated network intrusion
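
As an added illustration of the flow-analysis and command-and-control objectives above (example code written for this page, not course material), the Python below runs two statistical checks over constructed NetFlow-style records: a sliding-window count of distinct destination ports per source/destination pair to surface port-scan reconnaissance, and the coefficient of variation of connection inter-arrival times per destination to surface beaconing. The addresses, thresholds and records are all assumptions.

```python
"""Statistical flow analysis over constructed flow records.

Added example, not course material. Two detections an analyst runs on
NetFlow/IPFIX-style records rather than on packet payloads:
  1. Port-scan reconnaissance: one source touching many distinct destination
     ports on one host inside a short time window.
  2. Beaconing: a host contacting the same destination at near-constant
     intervals, the statistical fingerprint of botnet C2 check-ins.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes).
# All addresses are placeholders; 203.0.113.7 stands in for a C2 server.
FLOWS = []
# Scanner 10.0.0.50 sweeps 40 ports on 10.0.0.10 within 20 seconds.
for _i in range(40):
    FLOWS.append((100.0 + _i * 0.5, "10.0.0.50", "10.0.0.10", 1 + _i, 60))
# A workstation uses three services on the same server: normal, not a scan.
for _port in (22, 80, 443):
    FLOWS.append((150.0, "10.0.0.31", "10.0.0.10", _port, 1500))
# Bot on 10.0.0.23 checks in to 203.0.113.7:443 roughly every 300 s.
_t = 0.0
for _gap in (300, 303, 298, 304, 299, 302, 300):
    FLOWS.append((_t, "10.0.0.23", "203.0.113.7", 443, 512))
    _t += _gap
FLOWS.append((_t, "10.0.0.23", "203.0.113.7", 443, 512))
# The same workstation browsing a legitimate site at irregular intervals.
_t = 0.0
for _gap in (12, 400, 30, 900, 5, 60, 250):
    FLOWS.append((_t, "10.0.0.23", "198.51.100.10", 443, 4200))
    _t += _gap
FLOWS.append((_t, "10.0.0.23", "198.51.100.10", 443, 4200))


def detect_port_scans(flows, min_ports=20, window=60.0):
    """Return {(src, dst): max distinct ports seen in any `window` seconds}
    for pairs that reach `min_ports`, i.e. a vertical scan of one host."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        in_window = Counter()  # port -> occurrences inside the current window
        left = 0
        best = 0
        for ts, port in events:
            in_window[port] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while ts - events[left][0] > window:
                old_port = events[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            hits[pair] = best
    return hits


def detect_beacons(flows, min_connections=6, max_cv=0.15):
    """Return {(src, dst, dport): stats} for destinations contacted at a
    near-constant interval: coefficient of variation of the gaps <= max_cv."""
    by_dest = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_dest[(src, dst, dport)].append(ts)
    hits = {}
    for key, times in by_dest.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every connection at the same instant: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = {"count": len(times), "interval": round(avg, 1), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for pair, ports in detect_port_scans(FLOWS).items():
        print(f"port scan: {pair[0]} -> {pair[1]} touched {ports} ports")
    for key, stats in detect_beacons(FLOWS).items():
        print(f"beacon: {key[0]} -> {key[1]}:{key[2]} every ~{stats['interval']}s (cv={stats['cv']})")
```

The thresholds are starting points to tune against a baseline of the monitored network. A scanner that spreads its probes over many minutes, or a bot that randomises its sleep interval, pushes these statistics back toward normal, which is why flow-level checks complement rather than replace the packet-level inspection covered elsewhere in the course.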

Course Outline:

Analyzing Reconnaissance

  • What Constitutes Malicious Traffic?
  • Malvertising
  • Drive-By-Downloads
  • Social Network propagation 
  • Scareware
  • Trusted site utilization
  • Organized crime
  • Social engineering / phishing
  • Network Attack Lifecycle
  • OSI Layer Attacks
  • Targeted Attack vs. Large Scale Attack
  • Network Intrusion Analysis Process
  • Process
  • Analytical Tools of the Trade
  • Beginning Phase of Attacks 
  • Social Engineering
  • Visual Observation
  • Search Engines
  • Website Mining
  • Network Tools
  • Port Scanning
  • Banner Grabbing
  • Web Application Fuzzing
  • NMAP Port Scans

OSI Layer Attack Types

  • Vulnerability Discovery Phase
  • User Layer Attacks 
  • Application Layer Attacks
  • Drive-by-downloads
  • XSS
  • Flash, Active X, JavaScript
  • Browser Exploits
  • Application Layer Analyst Takeaways
  • Presentation Layer Attacks
  • Takeaways
  • Session Layer Attacks
  • Transport Layer Attacks
  • Network Layer Attacks
  • Data Link Layer Attacks
  • Physical Layer Attacks

Botnets

  • Botnet History and Evolution
  • Botnet Architectures and Design
  • Central
  • Peer-to-peer
  • Hybrid
  • Initial Infection
  • Secondary Infection
  • Malicious Activity
  • Maintenance and Upgrade
  • Malicious Uses
  • Botnet Communications
  • Twitter
  • ICMP
  • DNS / DDNS
  • Bot Evasion and Concealment
  • Identification Challenges
  • Fast Flux Service Network
  • Double Flux Services
  • Analysis Techniques
  • Black Energy Walkthrough
  • Zeus Walkthrough

Advanced Communication Methods

  • Covert Communication Methods
  • Tunneling
  • Encryption
  • Both Tunneling and Encryption
  • Network Layer Tunneling – IPv6 Tunneling
  • Incomplete support for IPv6
  • IPv6 auto-configuration
  • Malware that enables IPv6
  • Transport Layer Tunneling
  • Application Layer Tunneling
  • Traffic Cloaking
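
An added example (written for this page, not course material) tying together the fast-flux items in the botnet section and the application-layer tunneling item above: the Python below computes, from constructed passive-DNS records, the indicators an analyst uses for each. For tunneling it groups queries by zone and measures the unique-name ratio, mean subdomain length and character entropy, and the share of TXT/NULL queries; for fast flux it counts distinct A answers and distinct /16 networks per hostname against the TTL. The domain names, addresses, thresholds and the naive two-label zone cut are all assumptions.

```python
"""DNS indicators for covert channels and fast-flux hosting.

Added example, not course material, run over constructed passive-DNS records.
  - DNS tunneling: one zone receiving many unique, long, high-entropy
    subdomains, because the client encodes its payload into the query name.
  - Fast flux: one hostname whose A answers rotate through many IPs spread
    across many networks, each with a short TTL.
"""
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean

# Constructed records: (timestamp, client_ip, qname, rrtype, answers, ttl).
DNS_RECORDS = []
# Tunnel client: 12 TXT queries whose first label carries 32 bytes as hex.
for _i in range(12):
    _payload = hashlib.sha256(str(_i).encode()).hexdigest()  # stand-in for exfiltrated data
    DNS_RECORDS.append((_i * 2.0, "10.0.0.23", f"{_payload}.tun.example.net", "TXT", ("ok",), 0))
# Ordinary browsing: the same two names resolved repeatedly.
for _i in range(12):
    DNS_RECORDS.append((_i * 5.0, "10.0.0.23", "www.example.com", "A", ("198.51.100.5",), 3600))
for _i in range(10):
    DNS_RECORDS.append((_i * 7.0, "10.0.0.31", "cdn.example.com", "A", ("198.51.100.5", "198.51.100.6"), 60))
# Fast flux: every lookup returns a different IP in a different /16, TTL 60.
for _i in range(10):
    DNS_RECORDS.append((_i * 60.0, "10.0.0.50", "flux.example.org", "A", (f"172.{16 + _i}.{_i}.{100 + _i}",), 60))


def shannon_entropy(text):
    """Bits per character: hex or base32 payload labels sit near 3.5-4.0,
    human-chosen hostnames well below 3."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive zone cut: the last two labels. Production code should use the
    Public Suffix List (think co.uk); this shortcut is an assumption."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def tunneling_indicators(records, min_queries=10, min_unique_ratio=0.8,
                         min_mean_len=40, min_mean_entropy=3.0):
    """Per registered domain: share of unique query names, mean subdomain
    length and entropy, and share of TXT/NULL queries (types tunnels favour
    for large responses). A zone is flagged only if all three thresholds hit."""
    per_zone = defaultdict(list)
    for _ts, _client, qname, rrtype, _answers, _ttl in records:
        per_zone[registered_domain(qname)].append((qname, rrtype))
    report = {}
    for zone, queries in per_zone.items():
        if len(queries) < min_queries:
            continue
        names = [q for q, _ in queries]
        subdomains = [q[: -(len(zone) + 1)] for q in names if q.endswith("." + zone)]
        if not subdomains:
            continue
        unique_ratio = len(set(names)) / len(names)
        mean_len = mean(len(s) for s in subdomains)
        mean_entropy = mean(shannon_entropy(s) for s in subdomains)
        bulk_share = sum(1 for _, t in queries if t in ("TXT", "NULL")) / len(queries)
        report[zone] = {
            "queries": len(queries),
            "unique_ratio": round(unique_ratio, 2),
            "mean_len": round(mean_len, 1),
            "mean_entropy": round(mean_entropy, 2),
            "txt_null_share": round(bulk_share, 2),
            "suspicious": (unique_ratio >= min_unique_ratio
                           and mean_len >= min_mean_len
                           and mean_entropy >= min_mean_entropy),
        }
    return report


def fast_flux_indicators(records, min_ips=8, min_networks=4, max_ttl=300):
    """Per hostname: distinct A answers, distinct /16 networks among them,
    and the largest TTL seen. Flux networks score high on the first two and
    low on the third; a CDN usually returns a few related addresses."""
    addrs = defaultdict(set)
    ttls = defaultdict(list)
    for _ts, _client, qname, rrtype, answers, ttl in records:
        if rrtype == "A":
            addrs[qname].update(answers)
            ttls[qname].append(ttl)
    flagged = {}
    for qname, ips in addrs.items():
        networks = {".".join(ip.split(".")[:2]) for ip in ips}
        if len(ips) >= min_ips and len(networks) >= min_networks and max(ttls[qname]) <= max_ttl:
            flagged[qname] = {"ips": len(ips), "networks": len(networks), "max_ttl": max(ttls[qname])}
    return flagged


if __name__ == "__main__":
    for zone, stats in tunneling_indicators(DNS_RECORDS).items():
        print(zone, stats)
    print(fast_flux_indicators(DNS_RECORDS))
```

Length and entropy alone produce false positives on legitimate services that embed hashes or tokens in hostnames, and a site fronted by several hosting providers can look flux-like on IP diversity. Per-client query volume, whether the zone is newly observed, and what the resolved hosts are then used for are what separate the cases, which is why these indicators feed the intrusion analysis process rather than stand alone.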

Exercises and Scenarios

  • Wireshark Exercise Part 1
  • Wireshark Exercise Part 2
  • Metadata Analysis
  • Reconnaissance #1
  • Hard NOC Life
  • Reconnaissance #2
  • Reconnaissance #3
  • Big Bad Recon Scan
  • Global Consulting Intrusion #1
  • Global Consulting Intrusion #2
  • Holophone Intrusion #1
  • Holophone Intrusion #2
  • Multi-Stage #1
  • Holophone Intrusion #3
  • Holophone Intrusion #4
  • Advanced Persistent Threat
  • Global Consulting Intrusion #3
  • Data Mining
  • Johnson Trucking
  • Final Scenario

Who Should Attend:

  • Threat operation analysts seeking a better understanding of network-based malware and attacks
  • Incident responders who need to quickly address a system security breach
  • Forensic investigators who need to identify malicious network attacks
  • Individuals who want to learn what malicious network activity looks like and how to identify it
