Botnet Mitigation

The content of this course has been transforming over the time constantly as the current hot topics related to botnets and malicious code are constantly changing. Year 2020  iterations will be focused on reverse engineering skills, information exchange and building skills for improving existing response infrastructure with real-time event processing technology.

Learning Objectives

Goal of this course is to deliver to the participants following skills and knowledge:

  • Understanding botnets: life-cycle and motivation of their creators.
  • Identifying botnet related activity in endpoints and networks.
  • Autonomously collect information and analyse samples from multiple stages of malware.
  • Producing and using indicators of malware related activity.
  • Work as team while mitigating botnet originated cyberattack.


  • Cybersecurity incident life cycle; Lockheed Martin Kill Chain.
  • Botnet mitigation related legal issues.
  • Preparing the lab
  • Tools and skills; safety
  • ”Black box” analysis
  • Monitoring host activity
  • Monitoring network activity
  • Collecting and selecting meaningful observable indicators
  • Botnet C2
  • Securing channel with cryptography
  • C2 disruption mitigation techniques
  • Covert channels
  • Using legitimate channels for extracting data
  • Hiding data in multi-protocol network traffic
  • Reverse Engineering Basics
  • Introduction into Assembly
  • Familiarizing reverse engineering
  • Static analysis (IDA Pro)
  • Dynamic analysis (OllyDbg, WinDgb)
  • Writing IOCs (Yara rules)
  • Making systems more resilient to the attacks
  • Collecting and sharing IOCs
  • Network architecture
  • Endpoint security
  • Automating mitigation
  • Practice: teamwork with parallel tasks for solving malware activity related incident

Target Audience

Cyber security technical staff (CERT, IT departments, etc.) seeking to become familiar with malware analysis and related topics.


  • Good work/administration experience in Linux (as the work environment) and Windows (as the malware environment).
  • Basic understanding of network traffic and malware.
  • Ability to use virtual machine technology (Virtualbox or similar).
  • Experience with firewalls and network traffic analysis (Wireshark and similar).
  • Basic understanding of assembler and higher programming languages.
  • Scripting language skill (Python, Visual Basic, Bash).
  • English language skill comparable to STANAG 6001,

NB! Please be aware of the strong technical nature of this course. It is not intended for inexperienced IT security specialists.

Pre-study e-Learning material

ADL 348 (Fighting a Botnet Attack: a Case Study) and ADL 349 (Systematic Approaches to the Mitigation of Cyber Threats) on the NATO e-Learning website (JADL –


Registration opens on 13th of July, 2020. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. An email confirming the participation will be sent only after the registration has closed.

If you have any questions or issues with registration, please contact [email protected]