TCP/IP Weapons School 3.0

docrice (Member, Posts: 1,706)
I just got back from a two-day class taught by Richard Bejtlich at USENIX Security '11. If you're not familiar with him, he's the guy who does the TaoSecurity blog (TaoSecurity), currently the CSO of MANDIANT, former director of incident response at GE, and seems to have been involved in network security monitoring and incident handling since the day he was born. He is also the author of:
  • The Tao of Network Security Monitoring: Beyond Intrusion Detection
  • Extrusion Detection: Security Monitoring for Internal Intrusions
  • Real Digital Forensics: Computer Security and Incident Response
I'd have to take a big guess and say that he's probably qualified to talk about this subject.

TCP/IP Weapons School is a class that he's been teaching for some years now and the one I just attended is the third incarnation. On the surface, many might compare it to SANS 503 (Intrusion Detection In-Depth) or perhaps SANS 504 (Hacker Techniques, Exploits and Incident Handling), but in reality this is a much more hands-on and lab-driven experience. I'd say it's complementary to SANS 503 / 504 rather than a parallel. There's a mix of discussion thrown in, but it's mostly doing the actual investigation through a workbook and provided virtual machines.

In my experience taking information security classes, I found TCP/IP Weapons School to be quite unique. It is very practical, minimal theory, and a lot of "doing." Like math problems, one could carve out a solution through different means, but solid methodology is important. Otherwise, random vectors in approaching a target don't always hold up well when conducting an investigation.

From what I understand of the previous versions of the class, students were given a dozen or so cases where for each they were provided a scenario, general hints on what kind of things to be looking out for, evidence in different forms, and the necessary tools and methodology to correlate information. Version 3.0 is apparently a bit different. In the class I took, the approach was balanced between doing labs from a blue team perspective (looking at IDS alerts, parsing through traces, examining logged evidence) and then a corresponding counter-perspective by performing the attack which produces the events of interest just witnessed. It's a good mix of some protocol analysis, log review, and judgement calls. At the end of the day, one must be detail-oriented enough to piece together the puzzle and pronounce the existence of / extent of system compromise. Not just another reality show.

I felt this was a good way to gain insight on some common investigative methodologies as well as understanding what kind of footprints attackers leave, assuming proper visibility is in place for the network security team. However, I had hoped to go through at least several more cases from a defender's perspective. If the class were one or two days longer, I think it would be great.

One of the big value-adds the instructor brings to the table, which should not be overlooked, is the various ideas security professionals can use to better guard the network and its assets. There was plenty of open discussion regarding what kind of tools work, what doesn't work, what kind of techniques to apply in different situations, etc. If you sign up for this course, be sure to come to class with questions for which the answers could very potentially enhance your environment's security posture.

A sample of a lab from the 2.0 version of the course is available at:

Overall, I was very satisfied with the experience. I was unsure what to expect, but if your line of work involves network administration, security, log monitoring, intrusion detection / prevention, or any combination of such roles, seriously consider this class. It is aimed at junior to mid-level analysts and doesn't necessarily get excruciatingly in-depth, but I felt it was worth my personal training dollars.