Brad Duncan
Palo Alto Networks Unit 42
After 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010, and he is a currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad specializes in network traffic analysis. He is also a handler for the Internet Storm Center (ISC) and has posted more than 100 diaries at Brad routinely blogs technical details and analysis of infection traffic at, where he provides traffic analysis exercises and over 1,000 malware and pcap samples to a growing community of information security professionals. Brad-Duncan_2018-Traffic-Analysis-Workshop-for-AusCERT2018

TUTORIAL: Traffic Analysis Workshop

For different reasons, many organizations do not have full packet capture of network traffic for security monitoring. Because of this, many security professionals involved in near-real-time detection of malicious activity do not have experience in analyzing malicious network traffic. However, analyzing packet captures (pcaps) of network traffic provides a better understanding of malicious activity. Pcap analysis can provide insight to security professionals responsible for near-real-time detection of malicious activity, incident response, and threat research. This training is a one day workshop designed to provide people with a minimal knowledge of traffic analysis a basic foundation for invesitgating malicious network traffic. The workshop begins with basic investigation concepts for packet captures (pcaps), setting up Wireshark in a manner better suited for security analysts, and identifying hosts or users in network traffic. After these basic concepts, the workshop covers characteristics of malware infections and other suspcious network traffic. Participants will learn techniques to determine the root cause of an infection and assessing false positive alerts. The worksop concludes with an evaluation designed to give participants experience in writing an incident report. This training is a mix of classroom discussion and hands-on exercises. Participants need a laptop with Wireshark installed to proceed with the workshop. The course involves 7 hours of instruction and 1 hour for a final traffic analysis exercise and evaluation. The training outline consists of the following: I. Introduction to investigating network traffic (1 hour) II. Wireshark setup (1 hour) III. Identifying host and users in the traffic (1 hour) IV. Malware infection traffic (1 hour) V. Malicious web traffic (30 minutes) VI. Policy violations (30 minutes) VII. Finding the root cause (1 hour) VIII. Drafting incident reports (1 hour) IX. Evaluation (1 hour)