Digital Threat Digest Insights Careers Let's talk

Network Intrusion Specialist (CREST CNIA)

Our CREST-aligned Network Intrusion Specialist training provides the expert level knowledge and skills required for experienced cyber security professionals to conduct advanced network investigations, within a security operations centre (SOC) or incident response function.


Training is aligned to support individuals seeking to undertake the CREST Certified Network Intrusion Analyst (CCNIA) exam.

This training can be delivered virtually, at our London or Bristol facilities, or at our clients’ premises; training is typically for group bookings only.


CREST Certified Network Intrusion Analyst (CCNIA)


By the end of this training, you will have expanded your technical understanding of the types of evidence and resources available for in-depth analysis to be able to lead on the hunt for typical data that can be gathered from a network under investigation.


Senior practitioner-level cyber security professionals who wish to understand how to conduct in-depth network intrusion analysis. Example roles might include:

  • Incident Response practitioners
  • Digital Forensics practitioners
  • SOC Analysts
  • Cyber Crime Investigators
  • Security Analysts
  • Malware Reverse Engineers
Learning outcomes
  • Critically evaluate processes for reporting cyber security incidents.
  • Analyse different types of network communication.
  • Understand threat intelligence sources, capabilities, and limitations.
  • Identify, capture, contain and report malware.
  • Develop and deploy signatures.
  • Competently use intrusion detection technologies to detect host and network-based intrusions.
  • Appropriately tune sensors.
  • Effectively use protocol analyzers.
  • Configure and implement network analysis tools to identify vulnerabilities.
  • Perform packet-level analysis.
  • Recognise and interpret malicious network activity in traffic.
  • Effectively and efficiently interpret metadata.

Ideally, five or more years practical experience in a digital forensics and/or incident response role and CREST Registered Intrusion Analyst (CRIA) qualification or training. As a minimum, at least 12 months’ hands on experienced once CRIA has been achieved.

Knowledge of:

  • Network components, their operation and appropriate network security controls and methods.
  • Likely operational impacts on an organisation of cyber security breaches.
  • Incident categories, incident responses and timelines for responses.
  • Host-based and network-based intrusion detection methodologies and techniques.
  • Network traffic protocols, methods, and management.
  • Different types of network communication.
  • Types of digital forensics data and how to recognize them.
  • Relevant legislative and regulatory requirements.
  • Networking protocols.
  • Software reverse engineering techniques.
  • Impacts of signature implementation on viruses, malware, and attacks.
  • Relevant laws, legal authorities, restrictions, and regulations that govern and are applicable to cyber security activities
  • Malware analysis concepts and methodologies.
  • Operating system command-line tools.
  • Penetration testing and red teaming principles, tools, and techniques.
  • Best practice auditing and logging procedures.
  • Concepts and practices of processing digital forensic data to ensure admissibility of evidence.
  • Obfuscation techniques.
  • Computer programming concepts, including computer languages, programming, testing, debugging, and file types.
  • Processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
  • Types of persistent data and how to collect them.
  • Electronic evidence law.
  • Malware reverse engineering concepts.
  • Anti-forensics tactics, techniques, and procedures.
  • Forensics lab design configuration and support applications.
  • Debugging procedures and tools.
  • How and why adversaries abuse file type.
  • Malware analysis tools.
  • How malware evades virtual machine detection.
  • Binary analysis.
  • Common computer and network infections and their methods.

Skills in:

  • Developing and deploying signatures.
  • Using intrusion detection technologies to detect host and network-based intrusions.
  • Performing packet-level analysis.
  • Recognizing and interpreting malicious network activity in traffic.
  • Analyzing memory dumps to extract information.
  • Identifying and extracting data of forensic interest in diverse media.
  • Using forensic tool suites.
  • Deep analysis of captured malicious code.
  • Determining if anomalous code is malicious or benign.
  • Analyzing volatile data.
  • Identifying obfuscation techniques.
  • Analyzing malware.
  • Conducting bit-level analysis.
  • Reverse engineering to identify function and ownership of remote tools.

This training can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:

Record Keeping

  • Refresh of reporting requirements
  • Incident Chronology
  • How to report an incident

Threat Assessment

  • Understanding threats and business context
  • Methodologies of threat assessments
  • Attribution and motivation of attacks
  • Attack Victims

Emails and Browser Activity

  • Understanding user activity as it traverses a network
  • Users becoming victims by downloading malware

Identifying Suspect Files

  • Hashes of common malware
  • Malware signature analysis
  • File permissions
  • Strings
  • Network Log Sources: Reviewing different log sources to understand a threat/attack
  • Network Access Control – a review of FW and ACLs
  • Log types which can show the process of an attack

Document Metadata

  • Review of metadata
  • Understanding how metadata supports an investigation

.pcap Analysis

  • Analysis of .pcap data to identify normal and abnormal traffic
  • Pull data from .pcap files
  • Identifying potential actions of a malicious actor
  • Data Carving to access files from pcaps


  • Understanding Beaconing and its use
  • Identifying a beaconing host


  • Review of encryption
  • Review of encrypted traffic
  • Identifying and decrypting encrypted traffic

Command and Control Communication

  • Understanding Command and Control processes
  • Understanding different types of Command and Control methods
  • Identifying Command and Control communication
  • Using public resources to determine Command and Control nodes

IDS Rules

  • Common IDS systems
  • How IDS systems can lead to false positives and false negatives
  • Tuning IDS systems

Data Exfiltration

  • Identify data leaving networks
  • Identify sensitive data leaving the network

Lateral Movement

  • Identify the lateral spread of an attack
  • Identify the attack path used by a malicious actor

Exam Preparation