Technical Courses /

Botnet Mitigation Course, Nov


5-9 Nov 2018

Registration deadline:

10 Sep 2018

This  training  focusses  on  infiltration  and  mitigation  of  botnets.  This  very  hands‐on  5‐day intermediate course introduces state‐of‐the‐art botnet concepts and teaches how the botnet threat can be countered. Since most modern botnets are designed as spyware, this course focusses on the detection of data‐exfiltration and modern IDS evasion techniques.

After an initial briefing on botnet concepts and structures reflecting the history of botnets and their role in cyber conflict, practical examples of easy botnet structures are demonstrated and tested in practice. Modern botnets usually hide their traffic by blending and encryption techniques, and so concepts of crypto breaking and polymorphic blending attacks are introduced and shown from recently detected malware samples such as Operation Red October, Zeus and Zero Access Botnet. 
Having detected botnet activity, the challenge of botnet infiltration is a botnet takeover which requires a detailed understanding of the command and control (C&C) functions implemented. On this course, we decode real botnet traffic and show the botnet C&C functionality bycreating our own classroom botnet with the help of construction kits.

Learning Objectives

The course demonstrates how modern botnets work. Attendees gain practical experience on how malware analysts work in a lab environment and how challenging the re‐engineering process can be. During hands‐on exercises, students learn the basic concepts of both data‐exfiltration  and  infiltration.  The  course  focusses on dynamic analysis approaches such as applied black boxing and protocol re‐engineering. 

In this course, we work with real malware. Samples of existing botnets are analysed and obfuscation techniques are experienced with very challenging examples. 

Target Audience

Cyber security technical staff (CERT, IT departments, etc.) seeking to become familiar with malware analysis and related topics. 


  • Botnet introduction
  • Re‐engineering overview
  • Applied black boxing
  • State‐of‐the‐art malware self‐protecting mechanisms
  • Crypto‐breaking introduction and exercise
  • Peer‐2‐peer botnets ‐ analysis and mitigation
  • Attacking peer‐2‐peer botnets
  • Peer‐2‐peer botnet mitigation exercise
  • Advanced persistent threat & cyber espionage campaigns
  • Introduction into intrusion detection systems
  • Polymorphic blending techniques
  • Exfiltration exercise
  • Botnet creation kits
  • Command & control with remote access tools. 


  • Good  work/administration  experience  in  Linux  (as  the  work  environment)  and Windows (as the malware environment)
  • Basic understanding of network traffic and malware
  • Able to use virtual machine technology (Virtual Box or similar)
  • Experience with firewalls and network traffic analysis (Wireshark and similar tools)
  • Basic understanding of assembler and higher programming languages (optional)
  • Programming experience in assembler, C(++) or PYTHON (optional)
  • English language skill comparable to STANAG 6001, 

NB!  Please be aware of the strong technical nature of this course. It is not intended for inexperienced IT security specialists. 

Registration info

Please register for the course by visiting the NATO CCD COE website and completing the provided registration form before the deadline. Should you have any questions, please contact: events -at- 
* Before registering, please check the up‐to‐date course information on the NATO CCD COE website