Botnet Mitigation

The Botnet Mitigation Course focuses on the infiltration and mitigation of botnets.  As a hands‐on 5‐day intermediate course on the state‐of‐the‐art botnet concepts, this course teaches how the botnet threat can be countered. Since most of the modern botnets are designed as spyware, this course focuses on the detection of data‐exfiltration and modern IDS evasion techniques. An introduction to botnet concepts and structures reflecting on the history of botnets and their role in the cyber conflict is followed by practical examples: simple botnet structures are demonstrated and tested in practice. Modern botnets usually hide their traffic by blending and encryption techniques. Accordingly, participants will receive overview of crypto breaking and polymorphic blending attacks accompanied with examples of recently detected malware such as Operation Red October, Zeus and Zero Access Botnet.

Having detected botnet activity, the challenge of botnet infiltration is a botnet takeover which requires a detailed understanding of the command and control (C&C) functions implemented. On this course, we decode real botnet traffic and show the botnet C&C functionality by creating our own classroom botnet with the help of construction kits.

Learning Objectives

The course demonstrates how modern botnets work. Attendees gain practical experience on how malware analysts work in a lab environment and how challenging the re‐engineering process can be. During hands‐on exercises, students learn the basic concepts of both data‐exfiltration  and  infiltration.  The  course  focusses on dynamic analysis approaches such as applied black boxing and protocol re‐engineering. In this course, we work with real malware. Samples of existing botnets are analysed and obfuscation techniques are experienced with some quite challenging examples.

Target Audience

Cyber security technical staff (CERT, IT departments, etc.) seeking to familiarize themselves with malware analysis and related topics.


  • Botnet introduction
  • Re‐engineering overview
  • Applied black boxing
  • State‐of‐the‐art malware self‐protecting mechanisms
  • Crypto‐breaking introduction and exercise
  • Peer‐2‐peer botnets ‐ analysis and mitigation
  • Attacking peer‐2‐peer botnets
  • Peer‐2‐peer botnet mitigation exercise
  • Advanced persistent threat & cyber espionage campaigns
  • Introduction into intrusion detection systems
  • Polymorphic blending techniques
  • Exfiltration exercise
  • Botnet creation kits
  • Command & control with remote access tools.


  • Good  work/administration  experience  in  Linux  (as  the  work  environment)  and Windows (as the malware environment)
  • Basic understanding of network traffic and malware
  • Able to use virtual machine technology (Virtual Box or similar)
  • Experience with firewalls and network traffic analysis (Wireshark and similar tools)
  • Basic understanding of assembler and higher programming languages (optional)
  • Programming experience in assembler, C(++) or PYTHON (optional)
  • English language skill comparable to STANAG 6001,

NB!  Please be aware of the highly technical nature of this course. It is not intended for inexperienced IT security specialists.


An email confirming the participation will be sent only after the registration has closed.

If you have any questions or issues with registration, please contact [email protected]