Saturday, March 05, 2011

Bejtlich Teaching Two Sessions at Black Hat USA 2011

In January I taught the first TCP/IP Weapons School 3.0 class at Black Hat DC 2011. This is a completely new class written from the ground up. I'm very pleased with how it has developed and the students enjoyed the new content. For example, one of the feedback comments was the following:

"I felt that the pace and level of difficulty was well managed, and the defense-then-offense aspect was a great way to learn!"

I'm happy to announce that registration for TCP/IP Weapons School 3.0 at Black Hat USA 2011 is now open. I will teach two sessions, on 30-31 July and 1-2 August in Las Vegas.

Black Hat has four remaining price points and deadlines for registration.

  • Early ends 30 April

  • Regular ends 15 June

  • Late ends 29 July

  • Onsite starts at the conference

Seats are filling -- it pays to register early!

While keeping the distinctions from other offerings that I described last year, I've extended this third version of the class to include explicit offensive and defensive portions. Students will receive two VMs, one running a modified version of Doug Burks' SecurityOnion distro as an attack/monitor platform, and the second running a Windows workstation as a victim platform.

The purpose of this class is to develop the investigative mindset needed by digital security professionals. Junior- to intermediate-level security and information technology (IT) staff are the intended audience. The class is a balance of discussion and hands-on labs.

Defensive aspects of the labs emphasize how to discover suspicious and malicious activity in network and log evidence. Offensive aspects of the labs offer the student a chance to do the same sorts of actions that caused the suspicious and malicious activity in the labs. I encourage students to keep an open mind and feel free to expand their interaction with the labs beyond the required material. Take advantage of this time away from the office to enjoy defensive and offensive aspects of the digital security arena!

I do not have any other classes scheduled, although my training page lists a few other possibilities.


S41ph3R said...

I'm thinking of signing up for the TCP/IP Weapons School at BH2011. How much Linux should I know?

Richard Bejtlich said...

It helps to be comfortable with the Linux environment. Your analysis platform for the class is a version of Doug Burks' excellent SecurityOnion. The victim is a Windows system. The evidence on the Linux system is available to be analyzed with Sguil, Splunk, and/or any other tools you want to use on Linux.