How to Become a Certified Malware Analysis Expert
INTRODUCTION: Cyber Security, a term more commonly used in today’s ever-present battle to defend companies, governments, and personal computer networks. As stated, this is an ever-present and persistent problem in the security and Information Technology fields. Hackers continue to find new ways to attack networks and create new malicious applications that enable them to compromise a computer and maintain a shadow-presence on the system/network compromised. More and more Advanced Persistent Threats (APT) are identified and brought to light. However, in order to successfully, combat these APTs and threats, one must first learn how. Because these threats are so complex in nature, many courses have been developed to educate security practitioners to learn how to analyze threats and malicious software employed by hackers and APT actors. These courses tackle the problem head on by teaching analysts basic to advanced malware analysis and reverse engineering. There are multiple courses offered in this field and this article will attempt to present the most relevant and likely courses for the training.
LEARNING MALWARE ANALYSIS OR REVERSE ENGINEERING
Malware Analysis, or commonly referred to as reverse engineering, involves disassembling, debugging, de-obfuscation, unpacking, and characterizing malicious software. Malware authors constantly change infection vectors, techniques, and tools. Thus, it is imperative that those in the Information Technology (IT) and Security fields train and certify to combat the ever-growing threats from foreign adversaries, insider threats, and domestic hackers.
Although some security experts chose to learn the art of reverse engineering on their own, there are many different companies and institutes that offer training from beginner to advanced reverse engineering. This article will address four different vendors that offer this unique training as well as summaries of the courses to help you decide which course to take. In my experience, learning from experts in the field wins hands-down to self-study. Most of these courses will provide the necessary resources to help you get started with your own malware lab and ensure that you have taken the necessary precautions to protect yourself while analyzing malware samples. The courses will go into many different malware samples to include the following:
VM Aware Malware
This is by far not a comprehensive list of the types of malware in existence, but it will give you the understanding and ability to recognize and meet other threats head-on in order to effectively stop threat actors from gaining access to your networks and compromising the integrity of your company’s servers.
Let me start by saying that all of these course offerings have unique aspects to the training and I do not hold one over the other. However, there are some whose certificates hold more weight in the IT and Security communities, this will be addressed later in the article. Because of the unique relationship that Malware-Analyzer.com has with the training vendors, we are able to offer all of these courses at a discounted rate. The training is offered by four different vendors and the discount varies as seen below:
SANS Institute – 5% discount
EC-Council – 10% discount
Infosec Institute – 10% discount
TrainACE – 10% discount
Reverse Engineering (SEC-303) offers all of the basics of reverse engineering and begins going through advanced uses of debuggers and disassemblers such as OllyDBG, IDA Pro, and SoftICE. Some of the things you will learn in this course are:
Discovering Stack and Heap overflows
Create and Customize a Sandbox to isolate malware and protect your production system
Debugging and Disassembling .NET binaries.
Additionally, you will receive information to prepare for the Certified Reverse Engineering Analyst (CREA) certificate
Both Dynamic and Static Code analysis will be learned throughout the course.
The Reverse Engineering course provides all of the necessary ammunition you will need to successfully analyze malicious samples. Infosec Institute asserts that “All of the instructors for InfoSec Institute's Reverse Engineering course actively work in the field of incident response or security research. Our instructors have spoken at high-profile conferences (such as the Black Hat Briefings, the RSA Security Conference, and the Pentagon Security Forum) and industry events.”
Find out more here: http://www.malware-analyzer.com/certification/certification-infosec-institute/
Advanced Reverse Engineering (SEC503) also offered by Infosec Institute assumes that you already have an understanding of reverse engineering concepts and tools. In this course, the instructors will give hands-on instructions in analyzing rootkits and DLL injection techniques. The course also covers the following aspects:
IDA Pro scripts and plugins
Reversing advanced packers like Themida
Preparation for the Certified Expert Reverse Engineering Analyst (CEREA)certificate- Find out more here: http://www.malware-analyzer.com/certification/certification-infosec-institute/
Certified Hacking Forensics Investigator (CHFI) is EC-Councils own breed of forensic analysis training on both physical and virtual threats. According to EC-Council, “CHFI, [is] the most sought-after information security certification in the field of Computer Forensic Investigation. [The course is] designed to reinforce the skills of the new generation of cyber sleuths.
The course is designed to enable security analysts to successfully and methodically catalogue, investigate and report on cyber threats. You will learn to delve into various operating systems including OSX and Windows to recover elusive security breaches and find threats hidden deep in the core of the system. By the time you are finished with CHFI, you will have the basic understanding to successfully and thoroughly document forensics investigations and be familiar with the tools used to conduct those investigations. The following are just a few examples of things you will learn throughout this course:
Legal issues surrounding forensics investigations
Incident Response (IR) toolkit
Creating an analysis environment/lab
Recovering deleted files on multiple OS’s
Advanced use of FTK Suite and EnCase
Image file forensics (Steganography)
The course will also prepare you to take the CHFI exam to become a certified expert. While performing a simple keyword search on “indeed.com” 53 job openings throughout the country were listed with CHFI as a desired certification. These jobs had a median salary of $90k. As you can see, having this certification, while not ensuring a job, will put you on a new level of competition and prove to your “would-be” employer that you have the skills and expertise to excel in this field.
Find out more here: http://www.malware-analyzer.com/#!eccouncil/chzg
TRAINACE | ADVANCED SECURITY
Malware Reverse Engineering (MRE), offered by TrainACE, goes beyond the basics of malware analysis and delves into the dark recesses of malicious software. This course provides hands-on experience with well-known bots, Trojans, keyloggers, and downloaders. MRE is broken down into a five day course that addresses different aspects of malware analysis.
What has become accepted as “malware reverse engineering training” involves full-spectrum analysis of malicious code both dynamically (run-time) and statically (disassembly). What this means for “run-time” analysis is that you put the malware on a virtual machine and run a packet sniffer (like Wireshark), a registry monitor (like RegShot), a file monitor (like CaptureBat) and then a process monitor (like Process Explorer and Process Monitor). Debugging involves looking at the malware in a disassembler (like IDA Pro). The goal is to understand the code and its behavior in order to find the functionality and or obfuscation methods within the malicious binary.
Some common “reverse engineering” concepts attempt to answer the questions:
1. Where is it connecting to? 2. Does it modify the registry? 3. Does it modify the file system? 4. Does it modify any running processes or start any new ones? 5. Does it employ any forms of obfuscation? 6. What is the purpose the malware? (i.e. Does it steal user credentials, capture screenshots, exfiltrate files?)
The goal of our malware analysis and reverse engineering training class is to provide a methodical hands-on approach to reverse-engineering by covering both behavioral and code analysis aspects of the analytical process. We will also give ample time in practical labs that focus on specific malware reverse engineering concepts.
Find our more here: http://www.malware-analyzer.com/#!trainace/c14kd
SANS, along with Lenny Zeltser, has created a Linux based virtual image known as REMnux that is delivered with the course materials. This image contains a huge battery of reverse engineering and forensics tools used throughout the course. Many of the tools will be used in hands-on practice and exercises. The course is delivered in 5 modules:
Module 1: Basic Analysis Fundamentals
Module 2: Malware Analysis
More Behavioral analysis
Module 3: Code Analysis
In-depth look at x86 Assembly
Basic memory forensics with API hooking & DLL Injection Techniques
Module 4: Malware Obfuscation
Dealing with Packed executables
Working with encrypted/obfuscated code
Module 5: Memory Forensics & Advanced Document Analysis
Working with Shellcode
Advanced analysis of Microsoft and Adobe documents
Recently, SANS has released a new addition to the GREM course that revolves around a real-world like challenge to put the learned reverse engineering skills to practice. The students will need to put every aspect of the GREM course to practice. The successful challenger will be awarded the “SANS Digital Forensics Lethal Forensicator coin”.
The GIAC Reverse Engineering Malware (GREM) certification is one of the most recognized of the aforementioned certifications as it pertains to malware analysis and reverse engineering. Researching this certification, roughly 200 jobs were identified with salaries ranging from $50,000 to $140,000. This wide range reflects locality and experience. The higher paying positions are located in major hubs of cyber activity such as Washington D.C. or Silicon Valley, CA. The median salary for jobs requesting this security certificate is approximately $80,000.
Find out more here: http://www.malware-analyzer.com/certification/sans-giac-reverse-engineering-malware/
Although there are many different courses available to learn the ins and outs of malware analysis or reverse engineering, each course offers a unique approach and their own perspective to malware. Ultimately, you need to decide which one will help to further your skills in the desired career field. For instance, EC-Councils CHFI will help you to conduct forensics in not just software applications, but also hardware. Thus, CHFI enables a wider range of available jobs in media forensics and software reverse engineering. Whereas the SANS GREM course offers a very deep understanding of the x86 Assembly language and memory forensics to fill the role of extremely technically proficient software reverse engineer. Although more specialized, GREM will allow you to achieve a more senior level position and garner a higher salary for your expertise. All of these courses will enhance your career and bring a new level of understanding into malware and APTs.