On This Page

Adversary Hunting And Incident Response: Network Edition

CrowdStrike | July 30-31 & August 1-2


Focusing on network security monitoring (NSM) and incident response, this course will teach you techniques for hunting advanced adversaries in network traffic. Topics include methods of hunting for adversary activity in Bro IDS logs, identifying indicators of compromise, and how to get started writing Bro scripts and ChopShop modules.

Course topics:
  • Overview of key NSM concepts and technologies
  • Leveraging Bro to hunt for advanced attackers in network traffic
  • Validating activity found during hunts using open source intelligence
  • Writing Bro scripts for targeted activity discovered during hunts
  • Writing ChopShop network decoders for activity discovered during hunts

Who Should Take this Course

Intermediate and experienced NSM analysts, incident responders, and security professionals comfortable with network forensics that are tired of relying on intrusion detection systems and AV alerts. The course is designed for professionals who want to improve their skill set in attacker hunting and detection, gain experience in Bro and ChopShop development, and learn about hunting tools and techniques.

Student Requirements

This course is targeted at existing NSM practitioners and professionals with a technical understanding of network protocols and experience with network forensics tools and techniques. Students should have some incident response or network defense experience and experience with Linux command line tools. Students already familiar with Bro IDS and Splunk will get the most out of this course.

What Students Should Bring

Students should bring a laptop that meets the following requirements:
  • At least 60 gigabytes of hard drive space available
  • At least 4 gigabytes of RAM installed
  • VMware virtualization software installed and functional
  • At least one available USB port

What Students Will Be Provided With

A USB thumb drive containing slides, lab guides, virtual machine, and tools used during class.


Andy Schworer became a Principal Consultant at CrowdStrike after a seven-year career with the United States Department of Defense as a Global Network Exploitation and Vulnerability Analyst. At CrowdStrike, he maintains a docket of cyber security casework including: compromise assessments, incident response, IR program development, next generation penetration testing, and remediation work. In addition, he leads the development of CrowdStrike Services' Falcon Network detection capabilities.

William Tan conducts incident response investigations to determine the extent and scope of compromises, preforms network log analysis, and emulates adversary tatics for next generation pentration testing. Previously William was a Network Incident Analyst at Mandiant where his focus was identifying intrusions from advanced adversaries. William has front-line experience with the tools, tatics and procedures of many adversaries and has developed many capabilites to detect malicious adversaries within network activity. William has a Bachelor's degree in Computer Engineering and a Masters in Information Security Management from Syracuse University.

Ashley Nuckols is a Senior Consultant with CrowdStrike with l0 years of previous US Department of Defense experience. With her strong skills in Bro IDS, Splunk, and conducting net flow analysis; she contributes to CrowdStrike's network analysis capabilities. She currently leads compromise assessments,penetration testing and other proactive services. Prior to CrowdStrike, Ashley worked with the DoD supporting offensive and defensive network security initiatives. Ashley has a bachelor's degree in electrical engineering with a concentration in digital systems from the University of Virginia and a master's degree in computer engineering with a concentration in networking from the George Washington University.