
Open-Source Intelligence Summit - Live Online

Virtual, US Eastern | Mon, Feb 8 - Sat, Feb 20, 2021

SEC582: Mastering TShark Packet Analysis (New)

Tue, February 9 - Wed, February 10, 2021

12 CPEs
Instructor: Nik Alleyne  ·  Price: 2,100 USD

With system compromises and data breaches being reported almost daily and more of our activities moving online, it is imperative that network defenders have the tools and the skills to detect these compromises sooner rather than later. While attackers (advanced or not) may make every attempt to hide their activity on the compromised host, the reality is that all of it leaves breadcrumbs on the network. This is true whether reconnaissance is being performed or actions on objectives are being achieved, to use the stages of the Lockheed Martin Cyber Kill Chain. Basically: there are packets, or it did not happen.

With SEC582, you will master performing packet analysis through TShark and learn how to solve real-world problems through 19 different labs, demos, and challenges. This is the most in-depth, hands-on packet analysis course available.

Course author Nik Alleyne has hands-on experience supporting and monitoring network infrastructures in organizations that span verticals such as financial services, education, media, and scientific services, using both commercial and open-source solutions to detect threats. In this course, he teaches you how to use one of his favorite tools, TShark. He moves you from the beginner level, where you capture your first packet, to a more advanced level, where you detect buffer overflows, exfiltration, and passwords, decrypt TLS and WPA2-PSK traffic, set up TShark for continuous monitoring, and ultimately use TShark together with Python to perform threat intelligence against packet data.

Course Syllabus


Nik Alleyne
Tue Feb 9th, 2021
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

Overview

On day one, we start from the basics and move through decoding protocols and services, all the way to services hiding behind non-standard ports. This gives us insight into what to expect as normal versus abnormal: part of supporting a network is looking for deviations from the norm, or better yet, for the anomalies. Throughout the day, labs reinforce the content just learned.

Exercises
  • Capturing basics
  • Leveraging BPF filters
  • Spanning bytes
  • Decoding packets
  • Decrypting encrypted traffic

CPE/CMU Credits: 6

Topics

Course Outline and Lab Setup

  • Lab 0: Preparing for success
  • Module 1: Packet capturing basics
  • Module 2: TShark basics
  • Module 3: TShark configuration basics
  • Module 4: Capturing live traffic
  • Lab: capturing live traffic
  • Module 5: BPF filters and TShark
  • Lab: Monitoring hosts networks and ports
  • Module 6: BPF filters and TShark - not so basic filters
  • Lab: Spanning bytes
  • Module 7: Continuous "hands-free" monitoring
  • Lab: Hands-free monitoring
  • Module 8: Reading PCAPS
  • Lab: Controlling packet count and time format
  • Module 9: TShark statistics
  • Module 10: Exporting objects
  • Lab: Exporting objects
  • Module 11: Hiding behind other services/protocols
  • Lab: Decoding as
  • Module 12: Not so basic tricks
  • Module 13: Decrypting and analyzing SSL/TLS
  • Lab: Decrypting TLS
  • Module 14: Decrypting and analyzing WPA2

Nik Alleyne
Wed Feb 10th, 2021
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

Overview

On day two we move well beyond the basics of TShark and into automating packet intelligence by combining Python with TShark. We then turn to real-world challenges, solving real-world problems while solidifying our mastery of TShark. This day also has bonus content on how to edit, merge, and rewrite packets.

Exercises
  • Leveraging Python and TShark for packet threat intelligence
  • Real-world challenges
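The Python-plus-TShark workflow described above, as an added example that is not part of the SEC582 course material or its labs. It consumes the tab-separated output of `tshark -T fields` (the command is shown in the docstring; the capture file name and the indicator list are assumptions, and the sample output is constructed), tallies packets per IP endpoint the way `tshark -z endpoints,ip` does, matches both ends of each packet against an indicator set, and lists destination ports whose payload TShark left undissected, which is the traffic Module 11 handles with `-d` (decode-as).

```python
r"""
Added example, not SEC582 course code: IP threat intelligence over
TShark field output, in the spirit of Module 15 and the IP Threat
Intelligence lab.

Assumed upstream command (field names and -E options are real TShark
syntax; capture.pcap is a placeholder):

    tshark -r capture.pcap -T fields -E separator=/t -E header=n \
        -e frame.time_epoch -e ip.src -e ip.dst \
        -e tcp.dstport -e udp.dstport -e _ws.col.Protocol

One packet per line; a field is empty when the packet lacks that layer.
"""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple

# Constructed stand-in for the command's output; not from a real capture.
SAMPLE_TSHARK_OUTPUT = (
    "1612800000.001\t10.0.0.5\t203.0.113.10\t443\t\tTLSv1.2\n"
    "1612800000.004\t203.0.113.10\t10.0.0.5\t52344\t\tTLSv1.2\n"
    "1612800001.120\t10.0.0.5\t198.51.100.77\t8080\t\tHTTP\n"
    "1612800002.500\t10.0.0.7\t192.0.2.15\t\t53\tDNS\n"
    "1612800003.000\t10.0.0.7\t192.0.2.15\t\t53\tDNS\n"
    "1612800004.250\t10.0.0.9\t203.0.113.10\t4444\t\tTCP\n"
    "1612800005.000\t10.0.0.5\t203.0.113.10\t443\t\tTLSv1.2\n"
    "1612800006.000\t\t\t\t\tARP\n"
)

# Constructed indicator set standing in for a threat feed (RFC 5737 ranges).
IOC_ADDRESSES = {"203.0.113.10", "192.0.2.99"}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

FIELD_COUNT = 6  # one column per -e option in the command above


class Packet(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int   # 0 when the packet carries neither TCP nor UDP
    proto: str


def _first_port(value: str) -> int:
    # A field may hold several comma-joined values (e.g. tunnelled
    # TCP-in-TCP); use the outermost, or 0 when the field is empty.
    return int(value.split(",")[0]) if value else 0


def parse_tshark_fields(text: str) -> List[Packet]:
    """Turn `tshark -T fields` TSV lines into Packet records.

    A line with the wrong column count is dropped rather than guessed at,
    so one malformed line cannot shift later columns into the wrong
    attribute; non-IP frames (empty ip.src/ip.dst) have nothing to look up.
    """
    packets: List[Packet] = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != FIELD_COUNT:
            continue
        ts, src, dst, tcp_port, udp_port, proto = cols
        if not src or not dst:
            continue
        port = _first_port(tcp_port) or _first_port(udp_port)
        packets.append(Packet(float(ts), src, dst, port, proto))
    return packets


def matches_ioc(addr: str) -> bool:
    """Exact-address match first, then CIDR membership."""
    if addr in IOC_ADDRESSES:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IOC_NETWORKS)


def ioc_hits(packets: Iterable[Packet]) -> Dict[str, Counter]:
    """Per local host, count packets per matching indicator.

    Both directions are checked: a beacon's reply is as much evidence as
    the outbound request, and the local host is whichever end is not the
    indicator.
    """
    hits: Dict[str, Counter] = defaultdict(Counter)
    for p in packets:
        for local, remote in ((p.src, p.dst), (p.dst, p.src)):
            if matches_ioc(remote):
                hits[local][remote] += 1
    return dict(hits)


def endpoint_counts(packets: Iterable[Packet]) -> Counter:
    """Packets per IP endpoint, the tally `tshark -z endpoints,ip` reports."""
    counts: Counter = Counter()
    for p in packets:
        counts[p.src] += 1
        counts[p.dst] += 1
    return counts


def decode_as_candidates(packets: Iterable[Packet]) -> Counter:
    """Destination ports whose payload TShark left at bare TCP/UDP.

    These are the ports to retry with `-d tcp.port==PORT,http` (or another
    dissector) when hunting services on non-standard ports.
    """
    return Counter(p.dport for p in packets if p.proto in ("TCP", "UDP") and p.dport)


if __name__ == "__main__":
    pkts = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for host, per_ioc in ioc_hits(pkts).items():
        for ioc, n in per_ioc.most_common():
            print(f"{host} <-> {ioc}: {n} packets")
    print("undissected ports:", dict(decode_as_candidates(pkts)))
```

To run it against a real capture, replace SAMPLE_TSHARK_OUTPUT with the stdout of the command in the docstring (or feed it through subprocess); any port reported by decode_as_candidates is a candidate for a second pass with `-d tcp.port==PORT,<dissector>` so the hidden service is dissected and its fields become available.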

CPE/CMU Credits: 6

Topics

Common Delivery Mechanisms

  • Module 15: Beyond basics with Python
  • Lab: IP Threat Intelligence
  • Module 16: A touch of Lua
  • Module 17: The Final Cheat
  • Module 18: Real-world challenges with TShark
  • 10 Challenges

BONUS CONTENT

  • Module 19: Editing PCAPS
  • Module 20: Merging PCAPS
  • Module 21: Rewriting packets

Additional Information

Important! Bring your own system configured according to these instructions!

We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

You will need to run two copies of the supplied Linux VMware images on your laptop for the hands-on exercises that will be performed in class. Some familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises.

You can use any version of Windows, Mac OSX, or Linux, as long as your core operating system can install and run current VMware virtualization products. You also must have 8 GB of RAM or higher for the VM to function properly in the class, in addition to at least 40 gigabytes of free hard disk space.

Please download and install one of the following: VMware Workstation or VMware Fusion on your system prior to the beginning of the class. If you do not own a licensed copy of VMware Workstation or VMware Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Operating System

Students must bring a laptop to class running any of the following OS families:

  • Windows 7, 8.1, or 10
  • MacOS Mavericks, Yosemite, El Capitan, or Sierra
  • Linux-based distributions
  • For troubleshooting reasons, please ensure you have local administrator privileges on your laptop

Hardware

  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • 4 GB RAM minimum with 8 GB or higher recommended
  • A wireless network adapter
  • 10 GB available hard-drive space

As a best practice, it is strongly advised that you do not bring a system storing any sensitive data to this course.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

  • Network forensic analysts looking to improve or validate their existing skillset. Especially if you are new to the role, this training takes you from zero to hero as you gain critical packet-analysis skills.
  • Security architects and security engineers who want to better understand how to implement continuous monitoring
  • Red teamers and penetration testers who want to understand how their activities can be detected over both cleartext and encrypted protocols, that is, how defenders use their breadcrumbs
  • Technical security managers who want insight into how to take advantage of packet data
  • Security Operations Center analysts and engineers looking to understand packet analysis so that they can provide the appropriate perspective on detected threats
  • Individuals looking to expand their knowledge of TShark and/or packet analysis

Prerequisites

  • Experience with Linux from the command line
  • A baseline understanding of cyber security topics
  • A baseline understanding of TCP/IP and networking concepts
  • A baseline understanding of application layer protocols
  • A baseline knowledge of packet capturing tools

32GB USB 3.0 stick that includes:

  • Virtual machines for training
  • Course workbook
  • Download link to the target VMs

SEC582 has 9 labs and 10 challenges, each with sub-sections. The labs follow each section, while the challenges are independent and are meant to teach you how to perform real-world detection. All labs are done on the SEC582 virtual machine, which gives you an environment for learning during class and after you leave the classroom.

The practical labs and exercises you will complete in this course will enable you to:

  • Decrypt TLS - Live
  • Use Python and TShark for threat intelligence via packets - Live
  • Implement continuous monitoring
  • Leverage TShark fields to dig into protocols
  • Detect SMB versions
  • Find threats hiding behind services and/or protocols not properly decoded by TShark
  • Detect buffer overflows
  • Export objects
  • Identify and analyze IP, TCP, and UDP endpoints
  • Analyze IP, TCP, and UDP conversations
  • Detect passwords used to package data for exfiltration
  • Detect exfiltration

Author Statement

"While my career has spanned multiple verticals, it is without a doubt that my past few years at a Managed Security Service Provider (MSSP) are what have given me visibility across a larger set of organizations. This experience puts me in a position to gain insights into what is being done, or not done, for monitoring. It is as a result of this insight that I'm ecstatic about leading a course which talks about monitoring using the free and open-source solution TShark.

SANS SEC582 is the course you need to give you the knowledge and confidence to perform packet analysis. This is true whether you are a network engineer or a network forensic analyst."

-- Nik Alleyne