BSidesKC Security Conference | April 20-21, 2018 | Cerner Innovations Campus, KC, MO

Advanced Implant Detection with Bro & PacketSled

Friday 8:30-11:30
**All Proceeds go to CTF prizes!
Bro is a powerful network analysis framework that allows for customized development via an internal scripting language that allows the creation of highly powerful detections via metadata extraction events. With the release Double Pulsar by the Shadow Brokers malicious software ranging from EternalBlue, WannaCry, to the more recent (Not)Peyta cyberattacks have necessitated a deeper understanding of the SMB protocol found in virtually every network in the world. Given the extreme complexity of SMB it is very easy for C&C activity to go undetected due to the shear signal-to-noise ratio present in the protocol and the high volume of activity that it generates on a network without malicious activity being present. For this PacketSled extended the SMB analyzer in Bro to facilitate the detection of, what would generally be, anomalous behavior of the protocol itself, bringing the noise floor down and allowing for the detection of anomalous activity.


Course Learning Objectives:


Course Prerequisites:

Basic security experience and familiarity with common security terminology is recommended. Experience analyzing network protocols helpful. 

This course was designed for the following roles in mind:

  • Security Administrators
  • Security Analysts
  • Incident Response


Student Requirements (to participate in hands on):

  1. Fully functional laptop with access to WiFi
  2. Chrome Browser Preferred.



PacketSled, the network analytics platform of choice for security experts, automates incident response by bringing together business context, AI, entity enrichment and detection with network visibility. Used for real-time analysis and response, PacketSled’s platform leverages continuous stream monitoring and retrospection to provide network forensics and security analytics. Used by response teams worldwide, security analysts and SOC teams can integrate PacketSled’s deep network context into their playbooks, SIEMS, or independently to dramatically reduce investigation time, cost and expertise required to respond to persistent threats, malware, insider attacks, and nation state espionage efforts.