Instructor

The course in Orlando was taught by Lenny Zeltser. One of the things I find most challenging when teaching is taking highly complex subject matter and breaking it down in such a way that it is understandable. Being able to do this effectively is one of my primary criteria for defining a good instructor. He took all of the highly complex concepts and broke them down in such a way that they were understandable at some level for everyone in the class. His depth of knowledge on the subject was very apparent and appreciated.
Difficulty

The course really has two distinct sides to it: behavioral analysis and code analysis. Depending on your background, you may find this course very difficult at times and easier at others. That being the case, I had a harder time with the code analysis portions of the course. On the other side of the coin, I had no problems whatsoever with the behavioral analysis instruction and labs, but I could tell that several other people in the class did.
The course is touted as not requiring any previous programming experience, but I think to get the full benefit from the class, you should at least be familiar with core programming concepts, preferably in an object-oriented language.

Course Content

The course was 5 days long and covered a variety of topics.

Day 1

The first half of the first day was devoted to the setup of the virtual malware analysis lab used in the course. This is done in such a way that the virtual lab can be used after you leave the class to do real-world malware analysis in your organization using the virtual infrastructure.

New Skills I Gained: Knowledge of new malware analysis tools.

Day 2

This day built upon our knowledge of behavioral analysis and introduced new concepts related to that.
Day 3

This day was devoted to code analysis. We were introduced to assembly and spent a great deal of time looking at commonly identifiable assembly patterns used in malware. This was one of the most useful parts of the class for me. We also looked a bit at anti-disassembling techniques that malware authors use.
New Skills I Gained: Enhanced understanding of assembly. A plethora of anomalies to look for in assembly-level code analysis of malware. Patching code at the assembly level to get a desired outcome.

Day 4

The fourth day focused on analysis of malware that was designed to prevent itself from being analyzed. We looked at packers and learned how to manually step through malware code to unpack it for analysis.
The day ended with a detailed and highly valuable look into deobfuscating malware in browser scripts.

New Skills I Gained: Detailed understanding of assembly for malware analysis. Manual extraction of unpacked code from packed executables.
Day 5

The final day of the course was another one of the most useful parts of the course for me. The first half of this day focused on analysis of malicious Microsoft Office files and malicious PDFs. After lunch, we covered shellcode analysis and memory analysis.

New Skills I Gained: Better understanding of PDF file structure. Extraction of malware running in memory.

Labs

The labs were an integral part of the course. In the labs we analyzed real malware samples in our virtual analysis lab. Doing things this way we got to see how attackers will often take shortcuts or write bad code that we have to sort through rather than just dissecting cookie cutter malware with no imperfections.
The labs served their purpose, helping reinforce new concepts in a practical manner. During the course, everyone had their laptops open and two virtual machines running at all times as we would dive into them for exercises very frequently. Although I was very pleased with the labs in some ways, I am critical of them for a few other reasons. Prior to the class, you are provided some instructions on how to set up a single Windows-based VM that is destined to be infected with malware repeatedly throughout the class.
In addition, the instructions said we would be given a version of REMnux, the reverse-engineering malware Linux distribution created by Lenny, to use during the class when we got there. I got this all up and running without any problems, but I was pretty upset when I got to the class to find out that there was quite a bit more setup to do.
As a matter of fact, almost the entire first half of the first day of instruction was taken up by additional lab configuration. I think all in all, we had to install about 25 different tools. Although I can respect the comments in support of this, I think providing these tools prior to the class along with the other instructions would allow for better use of time.
At lunch the first day I felt a bit cheated as my company had paid for an expensive course where I was just sitting around installing software. Providing this software prior to the course and having people come prepared would have allowed for a whole half day of additional instruction which would have been incredibly valuable. The other primary issue I had with the labs was the format in which they were laid out. In most of the labs, Lenny would teach us a concept and then step through the process on his own system.
Then he would turn us loose on our systems to work on the same example he just walked through. In that course, students are given a workbook with lab exercises. The instructor there would teach a concept, go through a lab on screen, and then turn students to the workbook and give them some time to work through similar, but different examples.
This format provided a great deal more value because we had to do quite a bit more thinking to get through the examples on our own, rather than just recreating what the instructor did.

I walked away with a lot of new skills and am able to provide a lot of value to my organization as a result. I now feel completely comfortable performing code analysis of malicious binaries.
I also learned more assembly than I ever thought I would and feel like I could even write some simple programs in assembly should I choose to punish myself in that manner. I also gained a greater understanding of lower-level operating system components which will prove useful in several cases. Make no mistake, this is a very difficult course, which is why SANS numbered it so high. It is the highest-level forensics course they teach, and it will challenge you.
However, if you are up to it, there is a lot to be learned here, and I have no doubt that it is the best malware analysis course you will find.
Posted on April 9.

Thank you for your insight on the course.

Thank you for this review Chris, I have found it very helpful as I want to take this course early next year.
SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Learn to turn malware inside out! This popular reversing course explores malware analysis tools and techniques in depth. FOR610 training has helped forensic investigators, incident responders, security engineers, and IT administrators acquire the practical skills to examine malicious programs that target and infect Windows systems. Understanding the capabilities of malware is critical to your ability to derive threat intelligence, respond to cybersecurity incidents, and fortify enterprise defenses.