Course Description

Classes are completed in one day unless a different duration is specified.

General

Detecting and Removing Malware

  • Duration: 1 day
  • Session times: 9:00 a.m. - 4:00 p.m. (deliverable hours = 6.00)

Do you panic when you get a call from the MOREnet Security office? Do you have private IP addresses on your workstations and can never find the problem machine when MOREnet Security calls? Then this class is for you! We will cover how to use Wireshark, a network sniffer program, to look at traffic as it flows across your network. Using Wireshark, you can find problem machines, get a general idea of what traffic is on your network and yes, find machines that are infected with malware. In the afternoon, once we have tracked down an IP address to a specific workstation, we will look at tools that can be used on the workstation to find and remove malware. We will look at programs like SecCheck, VirusTotal, Rootkit Revealer and others as time allows.

Objectives

Given information and resources, and through hands-on exercises, the participant should by the end of the class have a working knowledge of, or be able to:

  • Recognize the basic layout of Wireshark
  • Define basic components of TCP/IP, including packet layout, IP addresses, ports, UDP and TCP
  • Identify a three-way handshake
  • Explain the importance of proper authorization
  • Identify network traffic as good/normal or malware
  • Recognize the different sections of SecCheck
  • Create baselines of processes and services on machines
  • Identify malware on a machine using VirusTotal
  • Practice using ProcessMonitor and Rootkit Revealer

Prerequisites

Networking Basics or equivalent knowledge consisting of basic familiarity with networks, including IP subnetting, ports and basic TCP/IP skills, as well as a basic understanding of regedit and the Windows operating system.

Registration

To register, visit the Training Registration Request Form.