Getting Your Hands Dirty: Understanding & Hunting Down Malware Attacks in Your Network | Nullcon Berlin 2022

Trainer Name: Veronica Valeros , Sebastian Garcia

Title: Getting Your Hands Dirty: Understanding & Hunting Down Malware Attacks in Your Network

Dates: April 5, 2022 To April 7, 2022

Time: 9 a.m. To 5:30 p.m. CEST

Venue: NH Hotel, Alexanderplatz, Berlin-Germany




Note: Regarding COVID-19 safety, Nullcon will seek to ensure a safe event, as the health and safety of our exhibitors, delegates, speakers, and staff will always be our number one priority. Nullcon will follow all applicable health regulations required by the local and government authorities.

Training Objective

This hands-on training aims at delivering the experience and knowledge of how to detect attacks in your network regardless of the tools you use. It teaches the essential know-how of malware traffic analysis: the experience and knowledge of understanding malware behaviors on the network, and how to differentiate them from normal traffic. The core of the training is not about the tools, but the experience transmitted and gained by students. Students should leave with the knowledge to recognize malicious actions of malware in the network, including advanced malware such as RATs and manual attacks.

Our training platform and our diverse exercises aim to teach students an analysis methodology to recognize malicious connections, distinguish normal from malicious behaviors, and deal with large amounts of traffic. Specifically, how the malware hides in the network, how to hunt it down, to analyze traffic patterns, and to discard false positives connections. Students will execute their own malware, exploit active services, capture the traffic, and analyze it. It focuses on giving students knowledge of machine learning, SIEM analysis, and modern malware attacks.

Training level: Intermediate to Advanced

Training outline

This training is designed to be highly hands-on, and from module 2 to 9 all include several practical exercises. A high-level overview of the modules we will cover in this training are:

  • Introduction to the Training
  • Module 1 - Networking and Security
  • Module 2 - Fundamentals on Tools and Analysis Methodology
  • Module 3 - Threat Intelligence For Malware Traffic Analysis
  • Module 4 - Detecting High-Risk Malware Attack and Ransomware
  • Module 5 - Real-Time Exploit Attacks on the Network
  • Module 6 - Network Flows, Uninformed Decisions with Good Inference
  • Module 7 - Threat Hunting on a SIEM
  • Module 8 - Machine Learning to Detect Advanced Attacks
  • Module 9 - Executing Malware to Understand How to Detect it


What to Bring

  • Laptop + Power cord
  • Minimal tools installed: Wireshark

Training Prerequisites

  • Knowledge of Linux systems
  • Basic knowledge of Internet operations and Networking

Who Should Attend

This course is ideal for individuals working in blue teams, incident response, and researchers. All those in charge of their organization's network security and they need to know how, when and who is attacking them. This training is for those wanting to take their network traffic analysis skills to the next level, and learn to identify and recognise normal and malicious behaviours on the network to better protect their organisations.

What to expect

This training is designed to give participants hands-on experience in malware traffic analysis. It combines theory with hands-on exercises to boost the participants' skills. We provide a full cloud environment, real malware captures (no simulations or specially crafted scenarios), and step-by-step guides for students to focus on learning from real scenarios that they may encounter in their everyday jobs.

What attendee will get

Students will get the complete booklet (PDF) of the course online, together with the solutions of each exercise. They will also have a sample of malware binaries to execute. Printed malware infection methodology cheat sheet.

What not to expect

Students should not expect a only-theory type of lecture. This is an intense hands-on training where the goal is to gain experience in real malware traffic detection. No simulations are done. All the training requires them to actively participate in the labs. Students should come with a basic knowledge of how networks work and a basics of Linux commands.

About the Trainer

Veronica Valeros (@verovaleros), Czech Technical University Veronica is a researcher and intelligence analyst from Argentina. Her research strongly focuses on helping people. A jack of all trades, she currently specializes in threat intelligence, malware traffic analysis, and data analysis. She has presented her research at international conferences such as BlackHat, EkoParty, Botconf, Virus Bulletin, Deepsec, and others. She is the co-founder of the MatesLab hackerspace based in Argentina and co-founder of the Independent Fund for Women in Tech. She is currently the director of the Civilsphere project at the Czech Technical University, dedicated to protecting civil organizations and individuals from targeted attacks. She's also the project leader at the Stratosphere Laboratory, a research group in the Czech Technical University dedicated to study and research in cybersecurity and machine learning.

Sebastian Garcia (@eldracote), Czech Technical University Sebastian Garcia is a security researcher and security teacher with vast experience in applied machine learning on network traffic and malware detection. He founded the Stratosphere Laboratory to do impactful security research to help others using machine learning in security. As Assistant Professor and researcher, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He researches on machine learning for security, honeypots, malware traffic detection, social networks security detection, distributed scanning (dnmap), keystroke dynamics, fake news, Bluetooth analysis, privacy protection, intruder detection, and microphone detection with SDR (Salamandra). He taught in several Universities and worked on penetration testing for both corporations and governments. He talked in conferences such as BlackHat, Defcon Villages, Ekoparty, DeepSec, Hackitivy, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCon, Free Software Foundation Europe, VirusBulletin, BSides Vienna, HITB Singapore, CACIC, AAMAS, Kavacon, 8.8, etc. He co-founded the MatesLab hackspace in Argentina and co-founded the Independent Fund for Women in Tech.