Sample Lab from TCP/IP Weapons School 2.0 Posted

Several of you have asked me to explain the difference between TCP/IP Weapons School (TWS), which I first taught at USENIX Security 2006, and TCP/IP Weapons School 2.0 (TWS2), which I first taught at Black Hat DC 2009 Training last week. This post will explain the differences, with an added bonus.

  1. I have retired TWS, the class I taught from 2006-2008. I am only teaching TWS2 for the foreseeable future.

  2. TWS2 is a completely brand-new class. I did not reuse any material from TWS, my older Network Security Operations class, or anything else.

  3. TWS2 offers zero slides. Students receive three handouts and a DVD. The handouts include an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide. The DVD contains a virtual machine with all the tools and evidence needed to complete the labs, along with the network and memory evidence as stand-alone files.

  4. TWS2 is heavily lab-focused. I've been teaching professionally since 2002, and I've recognized that students prefer doing to staring and maybe listening! Everyone who leaves TWS2 has had hands-on experience investigating computer incidents in an educational environment.

  5. TWS2 is designed for beginner-to-intermediate attendees. Some advanced people will like the material too, although I can't promise to please everyone. I built the class so that the newest people could learn by trying the labs, but follow the teacher's guide (which they receive) if they need extra assistance. More advanced students are free to complete the labs any way they see fit, preferably never looking at the teacher's guide until the labs are done. This system worked really well in DC last week.

  6. TWS2 uses multiple forms of evidence. Solving the labs relies heavily on the network traffic provided with each case, but some questions can only be answered by reviewing Snort alerts, or session data, or system logs provided via Splunk, or even memory captures analyzed with tools like Volatility or whatever else the student brings to the case.

  7. TWS2 comes home with the student and teaches an investigative mindset. Unlike classes that dump a pile of slides on you, TWS2 essentially delivers a book in courseware form. I use (*gasp*) whole sentences, even paragraphs, to describe how to solve labs. By working the labs the student learns how to be an investigator, rather than just watching or listening to investigative theories. I am using the same material to teach analysts on my team how to detect and respond to intrusions.

To provide a better sense of the class, I've posted materials from one of the labs here. The .zip contains the student workbook for the case, the teacher's guide for the case, and the individual network trace file for the case. There is no way for me to include the 4 GB compressed VM that students receive, but by reviewing this material you'll get some idea of the nature of this class.

My next session of TCP/IP Weapons School 2.0 will take place in Amsterdam on 14-15 April 2009 at Black Hat Europe 2009. Seats are already filling.

The last sessions of the year will take place in Las Vegas on 25-26 and 27-28 July 2009 at Black Hat USA 2009. Registration for training at that location will open this week, I believe.

I am not teaching the class publicly anywhere else in 2009. I do not offer private classes to anyone, except internally within GE (and those are closed to the public).

If you have any questions on these classes, please post them here. Thank you.

Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.


Mads said…
Enough folks read your blog that you could probably .torrent that VM image and not kill your bandwidth...I'd be willing to seed it for a few days. Interested to see what's in there :-).

Thanks for the insight into the class!

Anonymous said…
This comment has been removed by the author.
I'm afraid the only way to get the DVD is to attend the class.
DaveB said…
Fantastic - thanks.

but i'm going to be cheeky ... now that you're no longer using TWS, how about releasing it freely for the hordes who can't make it to be with you in person?
Hi DaveB,

I'm considering options for the material, but haven't made any decisions yet.
Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…
This comment has been removed by the author.
Claudiu Francu said…
I will agree with DaveB here, and I can't but only hope that you'll make TCP/IP Weapons School free available, since you yourself had said that 'I am only teaching TWS2 for the foreseeable future.' and 'I did not reuse any material from TWS, my older Network Security Operations class, or anything else.', so there's no danger in making the materials free for all.
Someone could argue that they've paid for those materials, but as arguments, I say this:

1) I'm a student from Romania, what chances do you think that i'll have to attend the class?; that being said, am I not entitled to the knowledge that comes from TWS, only after I myself have spend ~5-10 years in the field and learned that knowledge?

b)think about it as a notebook if you want; as the time passes by, eventough it's price was $800, now it values $400 for example [i don't mean to offend you in any way here, Richard, I'm just trying to point out that the value of things/information does in general decrease as the time passes by].

I'll still read you in the future regardless of the option that you'll make, and please keep up the good work!
Claudio, I hope you are just having a language issue here. I don't speak Romanian, so I can't ask you for clarification in your language. Obviously your English is much better than my Romanian! :)

Why do you think you are "entitled to the knowledge that comes from TWS"? I created the material. It's up to me to decide what to do with it. Right?
Claudiu Francu said…

Of course it's your 'baby' (so to say) and the phrase that I've used it's taken out of context.
The 2 cases that I presented were if someone that did paid for the TWS in the past comes and says that it's not ok to give it out for free, since they paid for it at that time.
My argument was that I have close to 0 chances to attend to your class, so it would be impossible for someone like me to benefit from your work.
After all it's your work and of course, you decide what happens to it and i'll keep reading you in the future, as stated in the end of my previous post.

PS: Sorry for the bad english in the previous post, it seems i've been watching to much 'Spooks' lately ;)
And BTW, it's Claudiu, not Claudio.
Anonymous said…
Hi Richard

Have you thought of perhaps selling copies of the course DVD and perhaps printed manuals?

I think the course sounds very interesting and I would really like to attend but the likelihood of me getting funding for a work sponsored training jaunt outside of Australia is not very high right now (or maybe ever). A torrented copy of the course DVD (as suggested by a previous poster) would also be cool but I understand if you want to be compensated for material that you obviously have put a lot of effort into preparing.

Selling the course material will potentially give access to a lot of people who otherwise would never be able to use this material you have developed.


Steve B
Anonymous said…
Hi Richard,

Went through your new material, and it looks great. I am planning to attend the class in Las Vegas.

Just a quick one, is the investigation guide on conceptual/theory of developing the mindset of an analyst?

Thanks. Look forward to meeting you in July.

Claudiu and anonymous,

I have been considering ways to deliver training outside of Black Hat, but it is not a priority for me right now. I have a full-time job and I take vacation to teach Black Hat. Still, I would like to reach a broader audience.

In the investigation guide I teach how to use various tools to investigate the first case. I provide ideas for how to examine various forms of evidence. I am also adding material (to first appear in Amsterdam) on overall detection and response processes (collection, analysis, escalation, and response).
Anonymous said…
Hi all,

I'd be very happy to have TWS first edition available on the web.
Printing and selling books would be a good idea too, but definitively the vmware image is really useful.

Hope this come to reality one day !!
Erik H said…
Thanks for posting this sample lab Richard!

I've posted my own analysis of the sample lab, see my blog post Analyzing the TCP/IP Weapons School Sample Lab
Ajith said…
Hi Richard,

The sample file's link seem to be broken. Can you please post an alternate link to the file?
I uploaded the file again. It's at the link in the post.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics