SANS FOR610(GREM) Course Review
My experience at SANS FOR610 - Reverse Engineering Malware (GREM) Course.
Introduction
The GIAC Reverse Engineering Malware (GREM) is designed for technologists who protect the organization from malicious code. Certified GREM possess the knowlegdge and skills to reverse-engineer malicious software(malware) that targets common platforms, such as Microsoft Windows and web browser.
Course
This is my second time attending the SANS course and it has always been a joy to attend a SANS course. You meet many different industry fellows and expand your connections. Great food for lunch and snack at breaktime.
The SANS FOR610 - Reverse Engineering Malware Training Course is a span of 6 days, which includes a CTF on day 6. During the day 1 - 5 you will learn malware analysis fundamental, tools and techniques use to analysis a malware.
You will be given a USB thumbdrive with all the Virtual Machine and malware sample used in the course.
The course pace was really good and the instructors was very knowledgeable in the field of reverse engineering. He will teach you tips and tricks to find out if it’s a malware. But still taking the course does not make you an malware analyst immediately but have given you the direction and steps to move further.
Day 1
During the first day, you are required to come early and set up your environment for the malware analysis. The book in day one teaches you the fundamentals of reverse engineering malware, the difficulty of techniques and such.
You touch abit of Static properties, behavior analysis, code analysis. This is just a basic touch and go and will go in-depth for the other days.
Day 2
Day 2 was crazy. Introducing us to assembler and assembly language. If you do not have a programming background or understanding of how coding logic works. Day 2 will be tough for you, but do not give up. Do not question yourself on the career choices you made. You need to have determination to get through day 2!
Day 3
Day 3 we will focusing on PDF and office-based malware where we learn memory forensics to analyze the documents, de-obfuscating the javascript and finding out where does the malicious code reside in.
Day 4
Day 4 was all about In-Depth Malware analysis. We look at packed malware that are packed with UPX, custom packers and such. We learn how to intercept network connection to trick the malware to think it is actually connecting to its C&C server. It was fun and you will learn alot.
Day 5
Day 5 is learning about malware that are able to detect you are analyzing them using debugger, disassembler or even in a virtual environment. We learn techniques to defeats those including editing in debugger and repacking those malware.
Day 6
CTF day. Using the netwars challenge scoreboard system. It is a jeopardy style CTF which test your knowledge on the course. The malware samples used on Day 6 are different from the other days and it was fun playing the CTF. Sadly i did not win a coin and only gotten #8 place. but the most important is the journey learning rather than gaining the coin.
Confusing
The most confusing part of the course is understanding assembly languages. If you have no prior experience or have not done it before. It will be very difficult to understand. This require extensive practice and reading, you will not be able to gain just by heading to the course.
Moving on
Having completed the course. I am aiming to complete my certificate in 3 months and practice reverse engineering malware. There are alot of good resources for malware samples and workshop. I highly recommend malware unicorn for their RE101, awesome malware analysis github pages for tools and resources. There are many place with malware samples you can obtain like hybrid analysis, malware traffic analysis and several github pages.
Links:
Malware Unicorn
awesome malware analysis
Malware Traffic Analysis
Fabricmagic72 malware sample
InQuest malware sample