SANS courses are typically very expensive; I would not recommend paying the full price if it is out of pocket. There are other resources online, and books, that deliver more bang for the buck. But many employers will pay for the course because there are few other places that will deliver as much practical knowledge within the time span of 1 week, and many of the concepts you learn can be applied immediately in your job.
The FOR610 course has recently been rewritten, and the authors have done a good job of updating the material to keep it up to date. Fundamental reverse engineering and malware analysis techniques have stayed the same. However, I was surprised at the number of changes made to the set of available tools. A major change was the use of x64dbg as the debugger over the classic OllyDbg.
Prerequisites for the course
- Laptop
- Ethernet jack
- VMware Pro
- 8 GB RAM
- 128 GB SSD
You do not need to have prior programming experience to take this course. However, I recommend that people taking the course should have at least taken 1 semester of a computer science / programming course. Knowing basic programming concepts such as switches, if statements, arrays and API calls will help. To get the most out of the course you should also be able to read basic assembly. Knowing what the registers EDI, EAX, ESP, AL, EBP, etc. are would greatly help on certain days.
I went into this course not coming from a developer or programming background, nor doing malware or reverse engineering as part of my job.
Day 1
Overview of the knowledge domain of malware analysis, then goes into dynamic analysis. There is some basic static analysis, such as using strings or pestudio.
Day 2
Intensive day on assembly: what control flow and conditional statements look like in assembly.
Day 3
Analyzing PDF and Word attachments, deobfuscating JavaScript.
Day 4
Unpacking malware and using a debugger to dump it from memory.
Day 5
Anti-analysis techniques implemented by malware. Different tricks malware authors will utilize to detect virtual environments.
Day 6
Capture the flag. This was a good exercise in putting the concepts we learned into practice. Not a necessary day, since no new material is covered; however, highly recommended.
Things missing from the course
This is not a hard-core reverse engineering course. Kernel debugging isn't covered, nor is ARM reverse engineering and analysis. Importing symbols also isn't covered.
Overall
I recommend this course to anyone that does incident response, reverse engineering, or malware analysis. The course has a good mix of dynamic and static techniques that will help improve your skills. I do recommend that people should have a basic programming background and/or have done malware analysis before. The learning doesn't stop once the course ends. The course authors have packed in more material than there is time to present; there are exercises in the appendix to practice on your own time. I would have liked SANS to modify the course to have 1 or 2 days of extended hours. There is simply more material than there is time to cover on some days.
Resources for additional learning
Malware Unicorn's RE 101 course on her website provides very good material to learn and great graphics.
Practical Malware Analysis
Mandiant's FLARE challenges
You are welcome to try the course in reverse engineering from AdaLogics.