SEC503: Network Monitoring and Threat Detection In-Depth

Section one dives into TCP/IP fundamentals to build a deep understanding of network traffic and threat detection. Students learn packet analysis using Wireshark and tcpdump, explore real-world traffic, and practice identifying attacker behaviors through hands-on exercises and a Bootcamp-style challenge.

Section two wraps up "Packets as a Second Language" by diving into transport-layer protocols (TCP, UDP, ICMP) and advanced traffic analysis with Wireshark and tcpdump. Students filter large-scale data to spot threats, expand threat models, and practice real-world packet analysis through hands-on labs and Bootcamp-style exercises.

Section three shifts to application layer protocols and modern threat detection across cloud, hybrid, and traditional networks. Students learn to read/write Snort/Suricata rules, analyze protocols like DNS and HTTP(S), and their impact on signature-based detection systems.

Section four focuses on advanced behavioral detection using Zeek/Corelight. Students explore network architecture, TLS interception, encrypted traffic analysis, and scripting for anomaly detection. The section includes hands-on Zeek labs, Scapy use for testing, and evasion technique analysis, all leading into a real-world Bootcamp scenario.

Section five emphasizes hands-on practice in large-scale analysis using NetFlow/IPFIX, traffic analytics, and AI/ML for anomaly detection. Students apply zero-day threat hunting techniques and perform network forensics through real-world incident reconstructions using tools and skills developed throughout the course.

The course ends with a fun, hands-on capstone where students compete solo or in teams to analyze real-world data from a live-fire incident. Using tools and theory from the course, they answer questions in a timed "ride-along" challenge based on an investigation by professional analysts.