TCP/IP Weapons School 3.0: Black Hat Edition

Richard Bejtlich, TaoSecurity

DC 2011 Training Session // January 16 - 17


Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you need answers to these questions, TCP/IP Weapons School 3.0 (TWS3) is the Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. TWS3 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats.

What You Will Learn

My goal is for students to be able to leave this class and immediately implement what they've learned in their own enterprise. The course outline includes:

  1. Collection: What data do you need to detect intruders? How can you acquire it? What tools and platforms work, and what doesn't? Can I build what I need?
  2. Analysis: How do you make sense of data? If intrusion detection systems are dead, what good are they? What is Network Security Monitoring (NSM)? How can I perform network forensics?
  3. Escalation: What do you do when you suspect an intrusion? How can you confirm a compromise? How should you act?
  4. Response: You're owned -- now what? Do you contain, remediate, or play dead? How do intruders react to your actions? Can you ever win?

Course Structure

TWS3 consists of a series of data-driven scenarios where students must interpret evidence in order to identify suspicious and malicious activity. The purpose of the exercises is to develop an investigative mindset, independent of any specific tool or vendor. Students will be given advice on how to perform forensic and intrusion analysis and then allowed to form conclusions through hands-on inspection.

Who Should Take This Course

TWS3 is designed for basic to intermediate network security personnel. This course is an excellent way for someone with general security knowledge to enter the incident response field. Investigators with a background in hard disk forensics but little experience with intrusion analysis will also find this course a great way to expand their horizons. Because this course addresses the entire incident detection and response process, students should not expect extremely advanced material in any single area (such as memory forensics), although the instructor is willing to discuss network-centric issues beyond the intermediate level if questioned.

If you have taken Richard Bejtlich's TCP/IP Weapons School at USENIX or Black Hat before, TWS3 is DIFFERENT. Please join Richard for a class unlike previous versions of TCP/IP Weapons School! Richard wrote new labs and exercises for TWS3, so if you've attended TWS1 or TWS2, you'll find new material in this third version of the class.


Students must be comfortable using command line tools in a non-Windows environment such as Linux or FreeBSD. Students must have at least basic familiarity with TCP/IP networking and packet analysis. Students must bring their own laptop; see What to Bring for details.

Course Length

Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered.

What to Bring

Students MUST BRING a laptop with at least 10 GB free and a DVD drive. The laptop MUST HAVE a VMware product installed prior to class. Other virtualization technologies such as VirtualBox are NOT supported by the instructor.

The instructor tests the VMs with several VMware products and operating systems. The instructor expects the VMs to work on VMware Player (free), VMware Workstation (not free) and VMware Fusion (not free), although not all combinations can be tested.


Richard Bejtlich is Director of Incident Response for General Electric, and leader of the GE Computer Incident Response Team (GE-CIRT). Prior to GE, Richard operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's incident response team, and monitored client networks for Ball Corporation. Richard began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection," and co-authored "Real Digital Forensics." He also writes for his blog and teaches for Black Hat.

Registration deadlines:

  - Super Early: Ends Oct 15
  - Ends Nov 15
  - Ends Dec 15
  - Ends Jan 15