Friday, September 09, 2005

Network Security Operations Class Description

Several people have asked for additional detail on the sorts of topics covered in my Network Security Operations class. Having spent several minutes composing this response, I figured others might want to see what I teach.

Day one is all network security monitoring. This day is mainly based on material in The Tao of Network Security Monitoring. We start with a case study and then a theory section to provide background. I follow by discussing techniques to access wired and wireless traffic. That's about half of day one. The second half introduces four sections on tools to collect and analyze statistical, session, hybrid, and full content data. All of these sections conclude with hands-on labs using equipment I provide. By the end of day one students should know what network data to collect, how to access it, and what tools to use to capture and analyze it.

Day two is all network incident response. This day is based on material I wrote for Extrusion Detection. I start with a case study and then background theory. I combine the techniques and tools during this day, since the tools for network IR aren't as discrete as those for generic monitoring. I provide sections on incident detection, containment, and resolution. We discuss ways to limit an intruder's freedom of maneuver, how to perform first, live, and general response, and then how to reconfigure the network to reject the intruder. Again, each section is backed up by labs. By the end of day two students should know how to identify intrusions, what steps to take immediately thereafter, and how to win against a determined intruder.

Day three is all network forensics. This day is based on material I wrote for Real Digital Forensics. Network forensics is an expansion of the tools introduced in day one as applied during the steps in day two. I teach students how to collect, preserve, analyze, and present network traffic to support "patch and proceed" or "pursue and prosecute" actions. This day seriously focuses on network analysis, but I ensure students know how to take the proper steps to turn collected packets into real network-based evidence. By the end of day three students should know how to use network-based evidence to complement host-based evidence during incident response.

Day four is all labs -- live fire exercises, you might say. Students use new traffic not contained in days one, two, or three, and they work intrusions from detection through remediation and beyond. The labs in days one, two, and three are designed to introduce students to key techniques and tools. The labs in day four are designed to build confidence and familiarity so the lessons learned are immediately applicable outside the class. I want students to leave day four believing they can use this knowledge to prevent, detect, and investigate real intrusions.

If you have any questions, please contact me via richard at taosecurity dot com. Remember I am offering my only scheduled public class the last week in September, starting Tuesday 27 November. ISSA-NoVA members who sign up no later than Friday 16 September (next week) pay only $1995. See me at the next ISSA-NoVA meeting on Thursday 15 November for details if you like.

Some of you have asked me to describe the differences between this public class and my upcoming full-day tutorials at USENIX LISA 2005 in San Diego, CA, from 6-8 December 2005: network security monitoring, incident response, and forensics. At USENIX, I have to scale back the hands-on material because I can't provide laptops, and there are many more students at USENIX. My public and private classes max out at 15. Also, there is no all-lab day at USENIX.

1 comment:

John Ward said...

Sounds interesting. As I had stated previously, live fire exercises are something that is lacking in college-level courses, so it’s a shame that people have to learn from a third-party vendor. Hands-on experience is infinitely valuable to the up-and-coming practitioners. If you’re teaching in the Southwest anytime, let us know. I would love to attend the course.