Cyber Defence Monitoring Course: Module 3

The Locked Shields technical environment is very complex and Blue Teams need a network traffic overview to plan their strategy. It is also essential to have an overview of what happened in the network during execution. This course will make use of the latest Locked Shields execution network traffic capture as a learning material.

This intensive hands-on course concentrates on a single solution out of several important Cyber Defence Monitoring techniques and solutions. We will focus only on packet capture and analysis. It is not meant to replace IDS engines, but instead work alongside them to store and index all the network traffic and providing fast access to the captured data. We use Moloch, an open-source free software tool, to build network security monitoring for different scales, from SOHO/SME up to enterprise level.


Due to the COVID-19 situation this course MIGHT be held as an online course and in that case the confirmed students DON’T HAVE TO TRAVEL to Estonia, and in that case they don’t have to buy flight tickets and don’t have to book accommodation in Tallinn. 

If the course will be held online, then all of the technical details to join the course will be shared with the confirmed participants until 24th of May, 2021 and the Administration fee will be reimbursed for the participants.

Learning Objectives

The course demonstrates how Moloch is a perfect fit into modern network security monitoring. Attendees gain practical experience of how to build up a scalable system and how challenging the security-engineering and analysis process can be.


Target Audience

  • Locked Shields Blue Team members and/or national representatives.



  • Methods used to conduct network traffic analysis.
  • Installing a single instance for small office network.
  • Building from source to get a custom set of required features.
  • Controlling a large setup.
  • Using APIs for integration.
  • Using proxies/aggregators to get data from external sources.
  • Scaling up to 10Gb+.
  • Scaling up months of history.
  • Separation concerns.


On this course, we will work with network traffic from the recent Locked Shields, which means that the traffic will have real intrusions.



  • Good understanding of TCP/IP networking and network and system administration.
  • Recent everyday network/system administrator’s work experience for at least 2 years in UNIX environments.
  • Previous detailed knowledge on the following topics:
  • work principles of UNIX operating systems and UNIX file system layout;
  • common UNIX shells (e.g., sh, bash);
  • common UNIX user tools (e.g., ls, ps, kill); and
  • common UNIX system administration utilities.
  • Scripting experience is required.
  • Basic Python skills are required: ability to write a function, for loop, invoke standard library and use core data.
  • English language skill comparable to STANAG 6001,


NB! We most strongly discourage the participation of students who do not fulfil these prerequisites, since the course contains advanced lab sessions assuming this knowledge. Therefore, the presence of unskilled attendees is likely to hinder the overall progress of the course.


Course materials:

The lecture and lab materials for this course are publicly available on the following GitHub page:

Materials will be updated prior to each course.

Recommended for attendees without prior system or network monitoring experience:

ADL 345 Network and Log Monitoring on the NATO e-Learning website (JADL – )


Registration opens on 5th of March, 2021. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. An email confirming the participation will be sent only after the registration has closed.

If you have any questions or issues with registration, please contact [email protected]