Botnet Mitigation

The Botnet Mitigation Course is in constant transformation as the hot issues related to botnets and malicious code are changing in a fast pace. In 2019, the focus of the course is on reverse engineering skills, information exchange and building skills for improving existing response infrastructure with real-time event processing technology.

Learning Objectives

The Botnet Mitigation Course provides participants with following skills and knowledge:

  • Understanding botnets: life-cycle and motivation of their authors
  • Identifying botnet related activity in endpoints and on wire
  • Autonomous collection of information and analyzing samples from multiple stages of malware
  • Producing and using indicators of malware related activity
  • Work as a team in mitigating botnet originated cyberattack


  • Cybersecurity incident life cycle; Lockheed Martin Kill Chain.
  • Botnet mitigation related legal issues.
  • Preparing the lab
    • Tools and skills; safety
  • ”Black box” analysis
    • Monitoring host activity
    • Monitoring network activity
    • Collecting and selecting meaningful observable indicators
  • Botnet C2
  • Securing channel with cryptography
  • C2 disruption mitigation techniques
  • Covert channels
    • Using legitimate channels for extracting data
    • Hiding data in multi-protocol network traffic
  • Reverse Engineering Basics
    • Introduction into Assembly
  • Familiarizing reverse engineering
    • Android malware disassembly
    • De-obfuscating first stage loaders and infection scripts
  • Static analysis (IDA Pro)
  • Dynamic analysis (OllyDbg, WinDgb)
  • Writing IOCs
    • Yara rules
  • Making systems more resilient to the attacks
    • Collecting and sharing IOCs
    • Network architecture
    • Endpoint security
    • Automating mitigation
  • Practice: teamwork with parallel tasks to tackle malware activity related incident

Target Audience

Cyber security technical staff (CERT, IT departments, etc.) seeking to become familiar with malware analysis and related topics.


  • Good work/administration experience in Linux (as the work environment) and Windows (as the malware environment)
  • Basic understanding of network traffic and malware
  • Ability to use virtual machine technology (Virtualbox or similar)
  • Experience with firewalls and network traffic analysis (Wireshark and similar)
  • Basic understanding of assembler and higher programming languages
  • Scripting language skill (Python, Visual Basic, Bash)
  • English language skill comparable to STANAG 6001,

 NB! Please note that this is a highly technical course and might not be suitable for the less experienced IT security specialists.

Pre-study e-Learning material

ADL 347 Critical Infrastructure and Industrial Control Systems (Pre-study material for Industrial Control Systems Security Course) on the NATO e-Learning website.


Registration opens on 19 November 2018. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. An email confirming the participation will be sent only after the registration has closed.

If you have any questions or issues with registration, please contact [email protected]