Brad Duncan
Palo Alto Networks Unit 42
After 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010, and he is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42.

Brad specializes in network traffic analysis. He is also a handler for the Internet Storm Center (ISC), where he has posted more than 140 diaries. Brad routinely blogs technical details and analysis of infection traffic, providing traffic analysis exercises and over 1,600 malware and pcap samples to a growing community of information security professionals.

TUTORIAL: Malware Traffic Analysis Workshop
Technical Level (3 being the highest score): 2

For various reasons, many organizations do not have full packet capture of network traffic for security monitoring. Because of this, many security professionals involved in near-real-time detection of malicious activity do not have experience in analyzing malicious network traffic. However, analyzing packet captures (pcaps) of network traffic provides a better understanding of malicious activity. Pcap analysis can provide insight to security professionals responsible for near-real-time detection of malicious activity, incident response, and threat research. This training is a one-day workshop designed to give people with minimal knowledge of traffic analysis a basic foundation for investigating malicious network traffic.

The workshop begins with basic investigation concepts for packet captures (pcaps), setting up Wireshark in a manner better suited for security analysts, and identifying hosts or users in network traffic. After these basics, the workshop covers characteristics of malware infections and other suspicious network traffic. Participants will learn techniques to determine the root cause of an infection and to assess false positive alerts.

The workshop concludes with an evaluation designed to give participants experience in writing an incident report. This training is a mix of classroom discussion and hands-on exercises. Participants require a laptop, preferably running a non-Windows OS (a Windows laptop with a virtual machine running Linux will also work). Participants also require a recent version of Wireshark (version 2.4.x or later) and an Internet connection to download the pcaps used in this tutorial.

The training outline is as follows:

I. Introduction and setting up Wireshark
II. Identifying hosts and users in the traffic
III. Malware infections
IV. Bad web traffic
V. Policy violations
VI. Root causes and false positives
VII. Drafting incident reports
VIII. Evaluation