Who should attend: IT security professionals, system administrators, and network administrators who want to learn the inner workings of botnets and how to defend against them.

Described by some as the largest threat to the global Internet, botnets are largely hidden from the average Internet user. Botnets have a long legacy and initially were not used for malicious purposes. However, as bots have evolved, they have taken on sinister uses. Using thousands of compromised machines, botnets can be used for a variety of tasks including sending mountains of spam, launching crushing denial-of-service attacks, and harvesting massive amounts of personal information. One of the unfortunate aspects of botnets is that many individuals are active participants in botnets and do not even know it. Bots have become very sophisticated at hiding themselves from anti-virus and security programs. Also, many bots have even become resilient to large-scale network security systems and represent problems to not just home users but to large enterprises as well.

Take back to work: A broad understanding of the current threat from botnets, how they work, and how to defend against them.

Topics include:

• History of botnets: From their innocuous roots to the current worldwide threat
• Botnet uses: A broad view of the actual threats from current bots, including network and system analysis
• Scope of the current botnet problem: The current problem is larger than you may think
• Botnet communications: Command and control of botnets exposed
• Internal structure: A breakdown of the functionality of modern botnets, including hiding, propagation, and modularity
• Examination of some standard bots: We will look at some of the classic bots (Agobot, SDBot, Storm, etc.) in order to gain a better understanding of what we're defending against
• Host-based botnet defenses: Practical guidance on what can really be done to detect and defend against bots at the host level
• Networked-based botnet defenses: More practical guidance, but this time at the network level
• Future of botnets: A brief discussion of where bots are going so that we can arm ourselves against future outbreaks

Who should attend: IT security professionals, network engineers, and IT managers who want to learn how to analyze and learn from the traffic on their networks.

Take back to work: An understanding of how to deploy NetFlow capability within your network, as well as tools and techniques for analyzing the resulting data.

We put a great deal of effort into controlling the data we have on our networks. Firewalls attempt to keep out the bad guys, proxies inspect traffic that goes in and out of the enterprise, and intrusion detection systems attempt to find attacks as they occur. But do you know what's really going on inside your network? Are your policies and protections keeping out the bad guys, or do you have problems that you are unaware of?

Most modern networks have the ability to view deep into your traffic, but many organizations don't even know it. Most routers and even some firewalls can export network flow data, information about the type of traffic, and where it's going. By analyzing this data, you can quickly find interesting traffic including use of unauthorized software, malware, and malfunctioning systems.

This tutorial will guide attendees through the basics of network flows, how to configure systems to export flow data, and how to examine flows to look for anomalous and malicious behavior.

Topics include:

• Network analysis basics: What network analysis is, when it is appropriate, and its role in IT security
• Understanding NetFlow: A primer on Cisco's NetFlow implementation, the various NetFlow versions, and other flow-based architectures
• NetFlow sensor placement: Where to deploy NetFlow sensors for maximum effectiveness
• Configuring Cisco devices for NetFlow: How to configure and customize various versions of NetFlow using a Cisco router
• Using softflowd on Linux: For times when you don't have access to a NetFlow-capable router, the OSS package softflowd can do the job instead
• NetFlow analysis with Psyche: Psyche is an OSS tool for basic statistical analysis of NetFlow; the tutorial will include analysis of "known bad" data
• NetFlow analysis with SiLK: SiLK is a more advanced NetFlow tool; the tutorial will including analysis of more "known bad" data
• Future ideas: A brief discussion on other uses for NetFlow in your network