Reverse Engineering Malware

5 Days
Description:

Students will be taught the fundamentals of malicious code analysis, beginning with the configuration of a malware analysis lab. Building the lab introduces the components of a malware analysis toolbox and shows which component supports behavioral analysis and which supports code analysis. In most instances, one is unlikely to have the source code to a piece of malware. To understand malicious code at its core, students will use a disassembler and debugger to decompose the program and to execute and trace it step by step. Students will then learn how to patch the executable and change its behavior for a more advantageous outcome. Malware analysis is not just about tracing code, but also about understanding the effect the code has on its environment. Hands-on exercises are used throughout the course to examine the effects of various types of malware that run natively on a Windows platform, such as botnets and rootkits. Students will trace the infection back and identify the initial vulnerability that was exploited to implant the malware on the system. Students will be challenged to analyze an event in its entirety. Using behavioral analysis techniques, students will be able not only to create signatures based on the malicious code, but also to develop techniques to discover and prevent this type of malicious code in their own networks.

Malware Analysis and Threat Assessment

5 Days
Description:

This 5-day course will cover the basics of malware analysis from both static and behavioral perspectives. Students will learn to identify, hash, and retrieve samples, and to determine what threats and capabilities the malware presents on target hosts.

CNO ATTACK AND DEFEND

5 Days
Description:

This rigorous, hands-on course is designed to take students through a wide variety of topics relevant to operationally focused cyber missions in both the offensive and defensive arenas. The course focuses heavily on deep packet inspection, statistical flow record analysis, post-exploitation forensics, intrusion detection, network tunneling, and malware network behavior. Extensive network analysis is conducted at each stage of the attacker methodology, including packet capture of scanning, service enumeration, exploitation, man-in-the-middle techniques, and tunneling. Deep packet inspection is performed on the newest remote and client-side exploits and on C&C communications. Forensic analysis using IDS logging and network signatures is used to find, preserve, and extract evidence of intrusion. Students will gain an extensive understanding of each packet transmitted on the wire, from the very first scan up to and after the successful (or unsuccessful) compromise of the remote system, using a variety of tools including, but not limited to, Wireshark, Snort, Bro, Security Onion, and Metasploit. During the course, students will learn exploitation skills for both remote and client-side attacks through extensive hands-on exercises. A 2-day intensive culmination exercise, designed to replicate real-world operational challenges in both the offensive and defensive spaces, reinforces the topics taught throughout the course.

DISCOVERY & COUNTER INFILTRATION

10 Days
Description:

This course is focused on the methodologies and processes used by professional "Hunt" teams in corporate and government spaces. Instructors with multiple years of Hunt experience use open-source tools to teach students the skills necessary to identify malicious behavior that traditional security products do not catch. Students will set up security products and use analytic tools on a mock network to understand both the capabilities of traditional security measures and their gaps. Students will learn how to implement signatures and analyze heuristics to identify anomalous behavior. They will write a report for each behavior they identify and build actor profiles based on their findings. They will use timeline analysis and log analysis to map out the incident. Using incident response techniques, they will take the data collected and deliver real-time solutions to the customer, while providing risk management analysis to help protect the customer's networks in the future.