
Course Descriptions

Fundamentals of TCP/IP

Understanding the structure and operation of the TCP/IP protocols is fundamental to understanding the nature of Internet forensics. Without this, Internet traffic, behaviour and activity cannot be understood. This module will examine the main protocols' (IP, TCP, UDP, ICMP) headers, processes and interaction, and what these mean. Some overview will be given of major application layer protocols (HTTP and SMTP) as well. Basic principles of examining and analyzing Internet traffic using packet capture tools (Wireshark) will also be considered.

Introduction to Internet Forensics

This module will outline what is meant by Internet forensics, the information and insight that can be derived from it, the data sources used to collect network data, the kinds of data commonly used in network forensics, and the tools commonly used to collect that data.

Understanding network attacks: Botnets and Analysing Botnet Traffic

Botnets today are considered to be at the core of malicious Internet activity. The role and impact of botnets will be discussed and an overview of botnet operation, functionality and control presented. Participants will create and control an IRC-based botnet and will use the botnet to initiate a DDoS attack, with the participants taking on the role of the botherder and controlling the infected machines. The network traffic generated in these exercises will be examined to see how botnet activity can be identified.

HTTP-based Bots

HTTP-controlled botnets are currently the most common method of managing botnet activity. This module looks at how an HTTP botnet is controlled and how it can be used to generate a DDoS attack and to steal credentials. Participants will interact with a ZeuS (ZBot) kit to create a botnet for credential theft and a BlackEnergy-controlled botnet to create an HTTP bot DDoS attack.

Investigating a Malware Infection

Using several publicly available tools, participants will look at the traces that a malware infection can leave on an infected machine. These can include system changes and outgoing network traffic. The module will consider where these traces can be found and what they imply.

Analysing Malware

This module expands on the methods of investigating malware by looking at the malware itself and examining the type of digital fingerprints a piece of malware can leave, where they can be found, how they are collected and the type of information they provide for understanding the behaviour of the malware. From this, consideration will be given to what can be done to mitigate the activities of bots affected by the malware.

Network Monitoring and Netflow Analysis

Methods of monitoring network traffic and activity will be examined. Particular attention will be given to analyzing and understanding network flows, how these are generated, what information they provide and how this information can be used. Participants will look at netflow traffic using Nfsen and see how infected machines can be identified. The various features of Nfsen including alert configuration will be shown. This module will help participants understand netflow and how network monitoring can be used to help protect a network.

Creating and Distributing Malware: Building a Remote Access Tool (RAT) Back Connect Infection (using Poison Ivy)

This module looks at how malware can be built using readily available tools and delivered to a vulnerable machine through an appropriate exploit. Participants will create a back-connect trojan using a Remote Access Tool (Poison Ivy). Using Metasploit, they will then build the exploit that will be used to infect the target machine (install the trojan) and deliver the exploit to that machine (the bot). The functions that the RAT provides to control the bot via the back-connect will be examined.

Using BATTLE - Botnet Analysis and Tactical Tool for Law Enforcement

Note: This module is available to Law Enforcement ONLY

BATTLE is our free portal for international law enforcement. Through a web-based interface, this portal shows our botnet data (controllers, infected machines and botnet-based malicious activity) on an interactive world map in near real time. It is intended to provide enough information to enable law enforcement to identify events of interest to them in their jurisdictions (botnets and attacks). The hope is that making this data available in this way will empower LE worldwide to tackle botnets more comprehensively, from both a traditional investigative perspective and a disruptive approach. This module will provide an introduction and practical overview of BATTLE.

Security for $1 a day: Using and Understanding Team Cymru Data Feeds and Tools

Team Cymru provides a variety of reports, feeds and insight into malicious activity, as well as a number of tools, templates and references which, when used appropriately and in an integrated manner, can provide a low-cost, effective way of protecting your network. This module will provide an understanding of the various reports and tools available and how best to use them, and suggests a strategic approach to deploying them for the greatest benefit.

Where appropriate, these tools and reports are used in our hands-on exercises to both illustrate how they can be deployed and also to provide a practical approach to understanding, applying and using the concepts and information being presented.

Please note: While there are tools and reports that are freely available, others are only available to eligible subscribers or partners.

Understanding Online Badness and the Underground Economy

The term Underground Economy is often used to describe that dark realm of the Internet engaged in cybercrime. Cybercrime is not just the act of compromising computers, but rather those actions that use the Internet, and exploit or subvert the activities that people engage in on the Internet, to obtain illegal or illicit gain. The Underground Economy then provides the framework and the context that facilitates this criminal behaviour. This module reviews how stolen goods (credentials, information) are advertised, traded, sold, ordered and bought; how products (malware, botnets, DDoS attacks, spam distribution) are marketed and sold; and how the activities of the Underground Economy are supported by various tools and services, such as financial and communication operations. The discussion will also look at who the perpetrators are, why they are doing this and how they operate.

This is a tutorial-based module that will focus on these questions and examine trends in the Underground Economy. It will also demonstrate how ISP networks are often the unwitting victims or enablers in this marketplace and consider how these activities can be mitigated.

Investigative Processes - finding the Who and the Why

Under development

Internet Fundamentals

This module provides an overview of the structure, management and operation of the Internet today and looks at the core technologies that drive the Internet including Internet address management, routing, DNS and IPv6. Fundamental concepts of computer, infrastructure and network security can also be included.

Fundamental Concepts of Computer, Infrastructure, and Network Security

Security pervades every aspect of computer-based activity. This module provides an introduction to basic security concepts and objectives, security policy, encryption technologies including an overview of IPSec, infrastructure and device security, network security and monitoring, ACLs and filtering, firewalls, and intrusion detection and prevention systems.

Introduction to IPv6 and IPv6 Security Considerations

As the Internet approaches the end of the pool of freely available IPv4 address allocations, IPv6 is taking on a greater imperative, particularly in regions where the Internet is growing rapidly, such as the Asia Pacific. Understanding IPv6 will therefore become essential if Internet activity based on IPv6 is to be understood, and malicious behaviour using IPv6-based communication seen and analysed. This module provides an overview of IPv6, including protocol structure and operation, new features and changes, address structure and configuration (including auto-configuration), IPv4 and IPv6 co-existence and transitional technologies (dual-stack, tunneling mechanisms), deployment of IPv6, and IPv6 security considerations.
