Nowadays there are many tools for analyzing traffic, but the most important thing to have is the experience and knowledge of a malware analyst. The goal of the workshop is to give hands-on experience in analyzing the behavior of malware and botnet traffic in the network by studying their web patterns and their traffic behavior. The workshop will use both pcap files of real malware captures and captures of real normal traffic. Participants will learn a proven approach to traffic analysis: how to recognize malicious connections, how to separate normal behaviors from malicious behaviors, how to recognize anomalous patterns, and how to deal with large amounts of traffic. Analyzing only malware traffic may not be so complicated for some people, but accurately separating it from normal traffic is harder.
The most important lesson of the workshop is not how to use Wireshark or tcpdump. The workshop transmits the experience of recognizing the malicious actions of malware in the network: how to identify when malware tries to hide, how to recognize the encryptions, how to discard false connections, etc. The participants should leave with a good set of knowledge about how to obtain an overall analysis picture of the traffic and recognize whether there are malicious behaviors in it.