With access to a router, an attacker can control the network and
manipulate and copy traffic as needed. Router implants such as SYNful
Knock, a serious and imminent threat, can be difficult to detect and
analyze due to their location within the network. A direct analysis of
the router image may be critical to mitigate a router-based attack,
especially for edge routers positioned outside of network monitoring devices.
This course explains the purpose of the Cisco IOS image format, as
well as how to modify the image. It describes how to effectively
dissect an IOS image using IDA Pro for static analysis and how to
debug a running router for active analysis. Course topics include how
to configure and load a router for analysis, and take and analyze core
Learners will perform hands-on analyses of Cisco IOS images using a
live router running in a lab environment. Hands-on labs include an
opportunity to analyze and determine the function of backdoored router firmware.
After completing this course, learners should be able to:
- Conduct hands-on Cisco IOS malware analysis
- Understand the MIPS architecture
- Understand Cisco IOS image formatting and how routers load the images
- Analyze an IOS image using IDA Pro
- Identify modifications to a Cisco IOS image and focus analysis efforts
- Obtain and analyze memory dumps of a running router
- Perform dynamic analysis on a live system
Who Should Attend
Intermediate-to-advanced malware analysts, information security
professionals, forensic investigators and others who need to
understand how to overcome difficult and complex challenges in malware analysis.
Intermediate to advanced malware analysis skills, computer
programming experience and comfort with IDA Pro.
What to Bring
Laptop with VMware Workstation, Server or Fusion (VMware Player is
acceptable, but not recommended), and at least 20 GB of free HDD
space. A licensed copy of IDA Pro that supports the MIPS architecture
is required; the free version of IDA Pro will not suffice. If
purchasing, the IDA Professional Edition is needed.