• Describe networking models, network data, critical application protocols, network flow, and common attacks on protocols
• Perform network traffic analysis and investigations using Trellix Network Forensics
• Customize the analysis environment with dashboards, network visualizations, scheduled queries, and lists
• Reconstruct carved artifacts/files from network packet data and submit them for malware analysis
• Investigate an advanced persistent threat (APT) attack based on aggregated alerts and network traffic anomalies

Day 1: Fundamentals

Appliance Overview and Network Placement

• Trellix Packet Capture
• Trellix Investigation Analysis
• Analysis workflow example
• The Trellix Packet Capture and Trellix Investigation Analysis relationship
• Common deployments

Network Traffic Analysis Foundations

• Network models and encapsulation: TCP/IP, UDP
• The three-way handshake
• Network forensics data
• Packet captures
• Flow data
• Network flow analysis
• Critical application protocols
• Protocols in the TCP/IP stack
• Common attacks on protocols

Queries, Reconstruction and Alerts with Investigation Analysis

• Working with dashboards
• Searching for network data
• Constructing queries
• Network metadata analysis
• Stacking metadata
• Filtering traffic using network metadata
• Scheduling queries and reporting
• Lists
• Extracting endpoint information
• Trellix alerts from integrated appliances
• Configuring event-based capture rule sets
• Working with rule sets
• Network data reconstruction

Day 2: Investigation Workshop

Network Investigation Scenario

• Investigation tools
• Six steps of an attack
• Common indicators of compromise
• Threat group overview
• Trellix Network Forensics investigations
• Documenting the investigation
• Threat group intelligence
• Attack phases covered in class
• Investigation labs overview

Starting with Leads

• Alerts on Trellix Investigation Analysis
• Alerts on Trellix Network Security
• Unusual HTTP user agents
• Unusual POST requests
• Trellix Investigation Analysis components
• Other possible leads

Investigating the Leads

• Dive deeper
• HTTP artifacts analysis
• Encrypted flows
• Email analysis

Investigation Summary and Conclusions

• Investigation summary
• Stages of the attack
• Creating a case

Network security professionals and incident responders who use Trellix Packet Capture and Investigation Analysis appliances to analyze cyber threats through packet data.

A working understanding of networking and network security, knowledge of Wireshark recommended.