Skip to main content

NT 200 - Malicious Network Traffic Analysis

This course will teach you how to identify and analyze the most common types of reconnaissance, attack, lateral movement, exfiltration, and command and control traffic found in today’s networks. It covers a range of techniques from deep-packet analysis to statistical-flow analysis to open-source research and more, using tools such as Wireshark, Network Miner and RSA NetWitness Investigator as well as custom tools and scripts developed by our networking experts. Growing in complexity throughout the week, the course ends with a team exercise where you and your teammates will investigate and report on an extensive, multi-stage intrusion.

Request Course Details

Attending students will learn

  • „Strategic, Tactical and Operational Analysis
  • „Situational Awareness
  • „Current Networking Trends in Malware
  • „IDS / IPS evasion techniques
  • „Flow Analysis to help identify malicious behavior
  • „Coordinated Attacks
  • „Botnets
  • „Browser Attacks (Javascript, Obfuscation)
  • „Drive-By-Downloads
  • „OSI Layer 2,3,4,5,6,7 Attacks
  • „Social Engineering and Phishing Attacks
  • „Tunneling and Advanced Tunneling

Who should attend

  • „Threat operation analysts seeking a better understanding of network-based malware and attacks
  • „Incident responders who need to quickly address a system security breach
  • „Forensic investigators who need to identify malicious network attacks
  • „Individuals who want to learn what malicious network activity looks like and how to identify it


  • „Knowledge of IPv4 networking protocols is required
  • „Skills and experience with Wireshark display filtering is required
  • „Knowledge of RSA Netwitness is recommended
  • „Attending students should have a thorough understanding of Microsoft Windows
  • „Python scripting abilities would be beneficial
  • „CompTIA’s Network+ and Security+ certifications would be beneficial but not required

Course Outline

Day 1

  • „What Constitutes Malicious Traffic
  • „Network Attack Lifecycle
  • „OSI Layer Attacks
  • „Targeted Attack vs. Large Scale Attack
  • „Network Intrusion Analysis Process
  • „Analytical Tools of the Trade
  • „Beginning Phase of Attacks - Recon
  • „NMAP Port Scans
  • „Afternoon Labs

Day 2

  • „Vulnerability Discovery Phase
  • „User Layer Attacks
  • „Application Layer Attacks
  • „Presentation Layer Attacks
  • „Session Layer Attacks
  • „Transport Layer Attacks
  • „Network Layer Attacks
  • „Data Link Layer Attacks
  • „Physical Layer Attacks

Day 3

  • „Botnet History and Evolution
  • „Botnet Architectures and Design
  • „Malicious Uses
  • „Botnet Communications
  • „Bot Evasion and Concealment
  • „Identification Challenges
  • „Fast Flux Service Network
  • „Double Flux Services
  • „Analysis Techniques
  • „Black Energy Walkthrough
  • „Zeus Walkthrough

Day 4

  • „Covert Communication Methods
  • „Network Layer Tunneling
  • „Transport Layer Tunneling
  • „Application Layer Tunneling
  • „Traffic Cloaking

Day 5 – Student Practical Demonstration

„Using the tools, skills, and methodologies taught in Days 1 through 4 of the class, students will uncover and analyze a multi-part network intrusion. In the intrusion capture file, there will be at least 3 Application Layer attacks, 2 Advanced Communications Methods, and a hacker toolkit to discover. Students will have to prepare a report detailing the attack from start to finish, documenting what things the hacker did and what information was leaked, if any.

Courses That Follow This Course

Request More Info About This Course

contact Focal Point

tweets by @FocalPointDR

Loading Tweets...