Pre-Conference Training
Pre-conference training sessions will be held on Sunday, August 15 and Monday, August 16 from 9:00 a.m. – 5:00 p.m., unless otherwise noted. There is no fee to participate in pre-conference courses. Registrations for the courses are on a first-come, first-served basis. A separate confirmation email will be sent to registrants confirming a seat in the sessions.
Sunday, August 15, 9:00 a.m. – 5:00 p.m.
Session 1: Zeus Overview, Part I - SESSION FULL
Pre-registration required. Please note this is a two-day training and you must register for, and attend, both sessions.
Available seats: 40
Limited to government, military and law enforcement only (must have .gov or .mil email address)
Overview:
This session provides a detailed analysis of the history, distribution methods and behavioral patterns of the Zeus Crimeware kit. Participants will learn about the techniques used by criminals to collect, process and monetize information stolen during Zeus campaigns. The class will also cover detection and mitigation strategies to defend against this ever-morphing malware threat. Due to the sensitive nature of the class, participation is limited to government, military and law enforcement only (.gov or .mil email address required).
Course materials and laptops will be provided on site. Due to the nature of the course, external storage and media devices will not be permitted.
Instructor: Marita Fowler
Marita Fowler is the Section Chief for the Surface Analysis Group (SAG). Her team is responsible for the analysis and dissemination of information related to financially/ideologically motivated cyber activity and emerging threats. She has a diverse background in intelligence, security engineering, space program security and cyber threat analysis.
Instructor: Jeff Brown
Jeff Brown, the lead crimeware analyst, is responsible for identifying emerging crimeware threats and coordinating efforts with law enforcement, foreign CERTs and other partners. Most notably, Jeff has been tracking recent shifts in techniques, tactics and procedures stemming from the criminal underground. He has a strong technical background in analysis and operations in both federal and local government cybersecurity, implementing detection environments and developing mitigation strategies.
Instructor: Tiffany Campbell
Tiffany Campbell is the Tactical Threats Team Lead for the Surface Analysis Group at US-CERT. Her team is responsible for the analysis of exploits delivered to systems during financially motivated malware campaigns. These exploits include rogueware, crimeware kits, banking malware, etc. She has a strong background in government operations, including system administration, front-end application security and cyber analysis.
Session 2: Cyber Readiness Exercise (CRX), Part I - SESSION FULL
Pre-registration required. Please note this is a two-day training and you must register for, and attend, both sessions.
Available seats: 50
Overview:
Cyber Readiness Exercise (CRX) is a series of competitive, technical hands-on exercises. This year’s focus is on technical, first-responder best practices in detecting, identifying, reporting, and attempting to mitigate network and system intrusions and compromises. Students will work together in teams to assess network conditions and respond to active/attempted remote attacks and insider events and anomalies. This course will be 90 percent hands-on in nature. CERT® instructors will provide the necessary training, facilitation and labs to prepare teams for the incident scenarios and conditions using available tools, resources and response best practices.
CRX is made up of three focused training scenarios that will challenge students’ ability to detect, analyze and respond to events within their teams’ isolated training networks. Teams will be assigned points for each challenge they correctly report via the CERT® XNET portal. Each day, scores will be posted, and at the conclusion of the session, winners will be announced and prizes will be awarded. Sample scenario topics include defense techniques against known attacks, network traffic analysis and insider threat.
Requirements:
- Laptop, preferably with local administrator/root privileges
- Wireless Ethernet Adaptor
- Modern Web browser (IE 6+, Firefox 3+)
- Java Runtime Environment installed
Instructor: Jeff Mattson
Jeff Mattson is the Cyber Exercise Team Lead for US-CERT’s Workforce Development program, a part of the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU). After earning a Bachelor of Science degree in Computer Science from the United States Military Academy at West Point, New York, Jeff served as a U.S. Army Infantry Officer in the U.S. and Europe. He then re-engaged with the IT industry as a software developer. Jeff’s responsibilities grew into a nexus of client programs, server applications and network administration, which drew him into the field of Information Security. He received a Master of Science degree in Information Security Policy and Management from CMU, and now works to build and deliver effective cyber security training materials.
Instructor: Robert Floodeen
Robert Floodeen is a Member of the Technical Staff, Workforce Development at CERT|SEI|CMU. Before joining CERT, Rob led teams performing Intrusion Detection at the Pentagon, Army Research Lab, and for the Defense Research and Engineering Network (DREN). Additionally, he spent several years managing CERT operations for the Defense Threat Reduction Agency (DTRA) and also served as an SEI Visiting Scientist. Rob holds degrees in Computer Science (Honors) from Old Dominion University and James Madison University and is an adjunct at CMU with the INI’s Forensic Track. Rob has been trained by the U.S. Army in system and network administration, computer network defense and the employment of “really big guns” on the tactical battlefield.
Instructor: Leena Arora
Leena Arora is a Member of the Technical Staff, Workforce Development at CERT|SEI|CMU. She has experience building Incident Response and Forensic Analysis training exercises. Before completing a Master of Science degree in Information Security Policy and Management from CMU, she worked as a Software Engineer with Tavant Technologies. Leena also holds a bachelor’s degree in Chemical Engineering from Thapar University, India.
Instructor: Brian Wisniewski
Brian Wisniewski is a Cyber Exercise Developer and Trainer with the Software Engineering Institute (SEI) at Carnegie Mellon University. Brian earned his Bachelor of Science degree from the University of Toledo and served as a U.S. Army Logistics and Signal Officer in the United States and overseas. After earning his Master of Computer Resources and Information Management from Webster University, he spent several years in Information Technology consulting as a software developer, systems and network analyst, and build and configuration manager for a variety of clients before entering academia as an Infrastructure Manager, Director and Chief Information Officer for a variety of colleges and universities. Brian now works to help develop and train cyber security professionals as a member of the Enterprise and Workforce Development team at SEI.
Session 3: Introduction to Network Forensics - SESSION FULL
Pre-registration required. Please note this is a two-day training and you must register for, and attend, both sessions.
Available seats: 24
Overview:
This hands-on lab is an introduction to Network Forensics. Designed for the incident responder, computer forensics practitioner or fraud investigator who has a need to learn how to perform basic network forensics work, this session covers current adversary attack methodologies and tools, network investigative and technical threat analysis best practices, and chain of custody requirements and evidentiary standards. The attendee will also be provided with a working knowledge of and experience with tools such as NetWitness Investigator Freeware, WinPcap, TCPDump, Wireshark and others. Using sample data obtained from actual commercial and U.S. Government cases, participants will be asked to perform incident and forensic analysis and make judgments regarding the detailed problems associated with the specific cases presented.
Through classroom instruction and practical hands-on exercises, this two-part workshop will teach you how to conduct basic and in-depth network forensic investigations to monitor and defend your agency’s network against advanced network attack methodologies. In addition, participants will learn to find the roots of external and internal security problems in the network data. Nation-sponsored and criminal attackers have moved away from direct attacks on network perimeters and are focusing their efforts on application layer attacks. Part one of this course provides the valuable knowledge needed to improve your incident response process by creating “situational awareness” within your incident response team, including the ability to expose covert network communications channels, detect data leakage, discover zero-day malware, and find other unauthorized network activity and advanced threats. At the end of this workshop, attendees will leave better equipped to identify and respond to advanced network attack activity, perform in-depth network-based investigations and analysis, continuously analyze the status of critical security controls, lower risk and save time and resources by resolving network security problems more quickly, and properly preserve evidence to assist management or law enforcement.
Instructor: Gabe Martinez
Gabe Martinez is the Vice President of Customer Success at NetWitness Corporation. With over 13 years in the security industry, Gabe has designed and implemented security solutions and performed risk assessments for every major vertical globally. Gabe is in charge of customer success at NetWitness, the world leader in network forensics and advanced threat analysis. Gabe also has over five years of experience consulting and implementing ArcSight and was a founding member of the Solution Team and Customer Success Organization at ArcSight.
Instructor: Ray Carney
Ray Carney is the Manager of NetWitness University at NetWitness Corporation. Ray brings 15 years of experience designing and delivering Information Security solutions to Global 1000 and Government organizations internationally, with a proven track record leading teams through all phases of the Information Security process, including audit and review, design and implementation, and development of custom software components. Prior to NetWitness, Ray held senior technical positions at Decurity, Splunk and ArcSight.
Session 4: Introduction to Malware Analysis - SESSION FULL
Pre-registration required.
Available seats: 25
Overview:
This one-day, hands-on course provides participants with an opportunity to learn best practices for analyzing malicious code. In addition to classroom instruction and hands-on exercises, attendees will be given real-world malicious code (malware) samples to dissect. Participants will acquire a fundamental understanding of a variety of malware analysis tools and techniques which can directly support their organization’s incident response efforts.
Participants will initially be introduced to the common terms used in the malware community and how those have evolved over the past few years. The focus will be on preparing participants to communicate effectively with peers and others in the security community when discussing malware. Exercises will include analyzing public malware reports, installing a rootkit and performing surface analysis of a well-known piece of malware. The latter half of the day will be devoted to run-time or dynamic analysis. Students will learn how to create a secure and trusted environment for performing analysis. Hands-on exercises will then give attendees the opportunity to develop a familiarity with the common monitoring tools that are available for the Windows platform and perform their own run-time analysis on malware samples from the wild.
Requirements:
- Laptop with local administrator/root privileges and Windows XP Service Pack 2 or 3 installed
- Wireless Ethernet Adaptor
- Modern Web browser (IE 6+, Firefox 3+)
- Java Runtime Environment installed
- Sysinternals Suite (free download available at http://download.sysinternals.com/Files/SysinternalsSuite.zip)
- Visual C++ 2008 Express Edition (free download available at http://www.microsoft.com/express/Downloads/#2008-Visual-CPP)
Instructor: Catherine Dodge
Catherine Dodge is a Malicious Code Analyst at CERT|SEI|CMU. In this role, she primarily functions as a liaison to malicious code analysis efforts across U.S. Government agencies, providing tools and training to raise the skill level of those defending our federal IT infrastructure. Prior to joining SEI, Catherine worked for the National Security Agency for five years. She is a DEFCON black badge holder and a CISSP. Catherine received her bachelor’s in Mathematics from Wellesley College in Wellesley, Massachusetts and a master’s in Computer Science from the Naval Postgraduate School in Monterey, California.
Monday, August 16, 9:00 a.m. – 5:00 p.m.
Session 1: Zeus Overview, Part II - SESSION FULL
Pre-registration required. This is a continuation of Zeus Overview, Part I.
Session 2: Cyber Readiness Exercise (CRX), Part II - SESSION FULL
Pre-registration required. This is a continuation of Cyber Readiness Exercise (CRX), Part I.
Session 3: Advanced Network Forensics - SESSION FULL
Pre-registration required. This is a continuation of the course, Introduction to Network Forensics.
Overview:
This hands-on lab is the follow-up to “Introduction to Network Forensics” and is designed for the incident responder, computer forensics expert, fraud investigator or auditor who has a good working knowledge of and experience with tools such as WinPcap, TCPDump, Wireshark and NetWitness Investigator Freeware. Attendees will perform in-depth studies of specific hands-on cases of beacon Trojans, BotNets and zero-day malware attacks; learn to recognize obfuscated JavaScript and other malcode; understand how to recognize non-standard network traffic operating over standard TCP and UDP ports; and learn scripting techniques to build network and application layer rules to mine data forensically in real time. Participants will use sample data obtained from actual commercial and U.S. Government cases to perform forensic analysis as well as make judgments regarding the detailed problems associated with the specific cases presented.
Session 4: Introduction to Control Systems Security for the IT Professional
Pre-registration required.
Available seats: 100
Overview:
This eight-hour course is designed for those with IT Security responsibilities or background, but with no previous experience in critical infrastructure control systems and their relationship to modern IT networks.
Four training sessions will guide attendees from basic definitions, components and protocols to the major applications and architectures within critical infrastructure and key resources (CIKR). Topics will include control system network architectures, cyber threats and vulnerabilities, and mitigations, as well as current and emerging government and industry activities that are addressing the issue of risk reduction.
Instructor: Jonathan Gray
Jonathan Gray is an instrument and controls system engineer in the Department of Homeland Security Control Systems Security Program at INL. He has over 14 years of instrumentation and controls experience in industrial automation ranging from capital projects to contracting, technical training and support. He has performed work for mining, refining, specialty chemicals, food, pharmaceuticals, prisons, terminal facilities and pipelines.
Instructor: Mark Fabro
Mark Fabro has been supporting the DHS Control Systems Security Program for many years, and is a recognized expert in developing defensive and forensic computing strategies for SCADA and industrial control systems. As well as being the founder and chairperson of the Canadian Industrial Cyber Security Council, Mr. Fabro also sits on the UTC Smart Networks Security Committee, helped found the Repository of Industrial Security Incidents (RISI), and is a member of both ICSJWG and the NERC Smart Grid Task Force.
His projects have included working with most of the North American oil and gas super-majors, air and rail transportation providers, as well as several of the largest power and water utilities in the world. In addition to testifying to U.S. Congress on cyber threats to the North American Bulk Power System, his government work has been extensive and has included both U.S. and Canadian Departments of Defense, the White House, RCMP, DHS, NSA and the Department of State. He was a contributing specialist to the U.S. National Strategy to Secure Cyberspace, the cyber annex to the National Response Framework, the post-Katrina control systems recovery plan for Oil and Gas, and several of the Recommended Practices for the DHS Control Systems Security Program. On the research side he is a contributing developer to the DHS CSET assessment capability, explores vulnerabilities in AMI and Smart Grid mesh communications, and is involved in several international working groups addressing ‘denial of control’ within the process control and SCADA domain. Mr. Fabro has a degree in applied physics and mathematics from the University of Guelph, and is currently working on his PhD in Electrical and Information Engineering. He has studied national security and counterterrorism at both the American Military University and the United Nations, and has taught cyber security theory at several universities around the globe. Previously, Mr. Fabro has held several senior-level consulting positions, including Chief Security Scientist in the Enterprise Security Group at American Management Systems (now CGI-AMS), as well as the Worldwide Director of Assessment Services for Secure Computing Corporation (now McAfee). Recently, for his work in cyber security and education, he was recognized as one of the ‘25 Most Influential Consultants’ in the world by the market-leading Consulting Magazine.