This course covers the fundamentals and concepts of network traffic analysis—how to search, filter, analyze, reconstruct, and preserve network traffic; and how to apply techniques learned to conduct a network forensics investigation utilizing the Trellix Network Forensics solution.

Hands-on activities include building an analysis dashboard, executing queries, filtering results, and reconstructing network traffic. On Day 2, learners will pursue an alert and identify anomalies in network traffic to uncover and document indicators of compromise (IOCs) that build a case for a real-world advanced threat.

• Describe networking models, network data, critical application protocols, network flow, and common attacks on protocols
• Perform network traffic analysis and investigations using Trellix Network Forensics
• Customize the analysis environment with dashboards, network visualizations, scheduled queries, and lists
• Reconstruct carved artifacts/files from network packet data and submit them for malware analysis
• Investigate an advanced persistent threat (APT) attack based on aggregated alerts and network traffic anomalies

Day 1: Fundamentals

Appliance Overview and Network Placement

• Trellix Packet Capture
• Trellix Investigation Analysis
• Analysis workflow example
• The Trellix Packet Capture and Trellix Investigation Analysis relationship
• Common deployments

Network Traffic Analysis Foundations

• Network models and encapsulation: TCP/IP, UDP
• The three-way handshake
• Network forensics data
• Packet captures
• Flow data
• Network flow analysis
• Critical application protocols
• Protocols in the TCP/IP stack
• Common attacks on protocols

Queries, Reconstruction and Alerts with Investigation Analysis

• Working with dashboards
• Searching for network data
• Constructing queries
• Network metadata analysis
• Stacking metadata
• Filtering traffic using network metadata
• Scheduling queries and reporting
• Lists
• Extracting endpoint information
• Trellix alerts from integrated appliances
• Configuring event-based capture rule sets
• Working with rule sets
• Network data reconstruction

Day 2: Investigation Workshop

Network Investigation Scenario

• Investigation tools
• Six steps of an attack
• Common indicators of compromise
• Threat group overview
• Trellix Network Forensics investigations
• Documenting the investigation
• Threat group intelligence
• Attack phases covered in class
• Investigation labs overview

Starting with Leads

• Alerts on Trellix Investigation Analysis
• Alerts on Trellix Network Security
• Unusual HTTP user agents
• Unusual POST requests
• Trellix Investigation Analysis components
• Other possible leads

Investigating the Leads

• Dive deeper
• HTTP artifacts analysis
• Encrypted flows
• Email analysis

Investigation Summary and Conclusions

• Investigation summary
• Stages of the attack
• Creating a case

Network security professionals and incident responders who use Trellix Packet Capture and Investigation Analysis appliances to analyze cyber threats through packet data.

A working understanding of networking and network security, knowledge of Wireshark recommended.