
This webcast has been archived.

How to Spot C2 Traffic on Your Network

  • Tuesday, May 25, 2021 at 10:30 AM EDT (2021-05-25 14:30:00 UTC)
  • Vincent Stoffer, Matt Bromiley


  • Corelight




Attackers often hide their command and control (C2) activity using techniques like encryption, tunneling in noisy traffic like DNS, or domain generation algorithms to evade blacklists.

Reliably spotting C2 traffic requires a comprehensive network security monitoring capability like open source Zeek, which transforms packets into connection-linked protocol logs that let analysts make fast sense of traffic. Corelight's commercial NDR solutions generate this Zeek network evidence and also provide dozens of proprietary C2 insights and detections.

Tune in to this webcast for technical demonstrations of how security analysts can use Zeek logs and Corelight insights to identify dozens of C2 techniques in their environment.

Speaker Bios

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Vincent Stoffer

Vince Stoffer is Sr. Director of Product Management at Corelight. He previously held security engineering and network management positions at Lawrence Berkeley National Laboratory, and before that served as a network security engineer at Reed College. Vince holds the CISSP, GCIH and GCIA certifications.
