Technical Courses /

Botnet Mitigation Course, February


18-22 Feb 2019

Registration deadline:

7 Jan 2019



Tallinn, Estonia

Participation fee:

€300 (the first seat is free for SNs, CPs and NATO bodies)

This  training  focusses  on  infiltration  and  mitigation  of  botnets.  This  very  hands‐on  5‐day intermediate course introduces state‐of‐the‐art botnet concepts and teaches how the botnet threat can be countered. Since most modern botnets are designed as spyware, this course focusses on the detection of data‐exfiltration and modern IDS evasion techniques.

Learning Objectives

Goal of this course is to deliver to the participants following skills and knowledge:

  • Understanding botnets: life-cycle and motivation of their creators.
  • Identifying botnet related activity in endpoints and on wire.
  • Autonomously collect information and analyze samples from multiple stages of malware.
  • Producing and using indicators of malware related activity.
  • Work as team while mitigating botnet originated cyberattack.



  • Cybersecurity incident life cycle; Lockheed Martin Kill Chain.
  • Botnet mitigation related legal issues.
  • Preparing the lab
    • Tools and skills; safety
  • ”Black box” analysis
    • Monitoring host activity
    • Monitoring network activity
    • Collecting and selecting meaningful observable indicators
  • Botnet C2
  • Securing channel with cryptography
  • C2 disruption mitigation techniques
  • Covert channels
    • Using legitimate channels for extracting data
    • Hiding data in multi-protocol network traffic
  • Reverse Engineering Basics
    • Introduction into Assembly
  • Familiarizing reverse engineering
    • Android malware disassembly
    • De-obfuscating first stage loaders and infection scripts
  • Static analysis (IDA Pro)
  • Dynamic analysis (OllyDbg, WinDgb)
  • Writing IOCs
    • Yara rules
  • Making systems more resilient to the attacks
    • Collecting and sharing IOCs
    • Network architecture
    • Endpoint security
    • Automating mitigation
  • Practice: teamwork with parallel tasks for solving malware activity related incident


Target Audience

Cyber security technical staff (CERT, IT departments, etc.) seeking to become familiar with malware analysis and related topics.



  • Good work/administration experience in Linux (as the work environment) and Windows (as the malware environment).
  • Basic understanding of network traffic and malware.
  • Ability to use virtual machine technology (Virtualbox or similar).
  • Experience with firewalls and network traffic analysis (Wireshark and similar).
  • Basic understanding of assembler and higher programming languages.
  • Scripting language skill (Python, Visual Basic, Bash).
  • English language skill comparable to STANAG 6001,

NB! Please be aware of the strong technical nature of this course. It is not intended for inexperienced IT security specialists.

Pre-study e-Learning material

ADL 348 (Fighting a Botnet Attack: a Case Study) and ADL 349 (Systematic Approaches to the Mitigation of Cyber Threats) on the NATO e-Learning website (JADL -

Registration info

Please register for the course by visiting the NATO CCD COE website and completing the provided registration form before the deadline. Please use the registration code provide by your National POC. Should you have any questions, please contact: events -at- 
* Before registering, please check the up‐to‐date course information on the NATO CCD COE website