Jonathan Ham on the web
This is the canonical site for all courseware for “Threat Hunting with Packet Analysis” for USCC Cyber Camp, Eastern Region, 2021. Links to course materials will be posted here as they become available.
If there’s something we’ve said we’d post and you don’t see it here, check back, or please email or tweet @jhamcorp!mailto:info@jhamcorp.com?subject=jhamcorp.com%20web%20referral:https://twitter.com/jhamcorpshapeimage_7_link_0shapeimage_7_link_1
USCC Cyber Camp, 2021 Things like recommended reading lists, etc., coming soon here! Quick Links Threat Hunting With Packet Analysis
 jham corp.
406-360-0396
info@jhamcorp.com
twitter: @jhamcorpmailto:info@jhamcorp.com?subject=jhamcorp.com%20web%20referral:https://twitter.com/jhamcorpshapeimage_13_link_0shapeimage_13_link_1
Abstract:
"Threat Hunting" is most definitely all the rage. The idea is to take the fight to the Evil, rather than waiting for the Evil to politely inform us that our assets are pwnd (and kindly cough up some Bitcoin please). But how to accomplish this? Unfortunately what's finally in vogue is still pretty vague.
Before warriors can -- or at least should -- take the field of battle, they had better understand how their weapons work. That's what this course is for: understanding the mechanics behind the firing pin. We'll cover the fields of protocol structures: what they're for, how they work, how they can be subverted, and -- and most importantly -- how to tell the difference. What is it about the way that DNS works that makes it such a fantastic protocol to abuse? What secrets can hide in a simple TCP 3-way handshake? Why would I care about an ICMP type 3 code 12 message?
We'll also cover the basics of the tools of the trade, and how they work as well. libpcap, tcpdump, tshark, Zeek, Suricata, with actual nuts and bolts. Also  why the bolts get stripped and the nuts don't screw on quite right. 
If you can tell why 1165388140 is not likely to be a normal TCP acknowledgement number, then get back to work. If you're supposed to be hunting threats today, and you're not sure about that question, then register for this course.


Course Materials/Requirements:
The virtual machine is a slightly modified version of Security Onion, v16.04.6.4, built on VMware Workstation 16 Pro. It should run just fine in either VMware Workstation or Player (other hypervisor platforms may work but have not been tested). The VM has been configured to expect:
64GB HDD space (split files)
4GB RAM
2 CPU cores
Bridged networking, with 
DHCP available on the local LAN/WLAN.
The files to download are jhc_SO-16.04.6.4.ova and jhc_SO-16.04.6.4.ova.sha256.
I advise you to download it and test it out in advance. It is ~3.7GB. The username is “student” and the password (including for “sudo”) is “jhc_packets”.
Whatever you do, please do not update or upgrade anything prior to class, as this may break the labs in unknown ways.

The optional course textbook is Network Forensics: Tracking Hackers Through Cyberspace.

The lecture/lab slides are jhc_USCC21.pdf. Yes, it is password protected, so see the slack channel for that. :-)
https://jhamcorp.com/Downloads/jhc_SO-16.04.6.4.ovahttps://jhamcorp.com/Downloads/jhc_SO-16.04.6.4.ova.sha256https://www.amazon.com/Network-Forensics-Tracking-Hackers-Cyberspace/dp/0132564718https://jhamcorp.com/Downloads/jhc_USCC21.pdfshapeimage_15_link_0shapeimage_15_link_1shapeimage_15_link_2shapeimage_15_link_3
Google Jonathan
Jonathan on LinkedIn
Jonathan on Amazon
@jhamcorp on Twitter
The SANS Institute
https://www.google.com/search?q=%22Jonathan+Ham%22++securityhttps://www.linkedin.com/in/jhamcorphttps://www.amazon.com/default/e/B008GW018Ahttps://twitter.com/jhamcorphttps://www.sans.org/instructors/jonathan-hamshapeimage_17_link_0shapeimage_17_link_1shapeimage_17_link_2shapeimage_17_link_3shapeimage_17_link_4