Recently, as part of ParaFlare’s regular program of upskilling our people, I was offered an opportunity to attend the SANS 610 Reverse Engineering Malware course.
I must admit, I have always been skeptical as to whether SANS courses would live up to their high reputation in the Info Sec community, given how much content is covered in such a short time. With that in mind I went into the course excited to both learn new skills and to find out what my opinions on SANS content would be at the end of the 5 days of instruction.
Firstly, allow me to let the cat out of the bag right away. I thoroughly enjoyed my time going through the SANS 610 content. Whilst it is true that SANS courses are priced higher than most other Information Security courses out there, I did not find myself questioning the value for money at all throughout the week.
The content was technical and well-paced, with new concepts being constantly introduced but also reinforced multiple times in future exercises.
We touched on various topics such as dynamic analysis, static analysis, x86 ASM, PDF/Word/Excel analysis and manually unpacking packed malware. None of the topics felt forced or out of place and they were delivered at a reasonable rate. I did not feel rushed during any part of the course to move on to the next topic before covering the previous topic well enough.
So, the question that I am sure a lot of people ask themselves: do you need to know assembly language and/or how to program before doing this course? Well… no, and yes.
The course introduces all of the concepts you need to know, so you could definitely walk in without having touched programming or assembly before. However, I do not know that I would recommend that approach. Both programming and assembly have plenty of concepts that can take a while to wrestle with before you grasp them comfortably. I found myself very grateful that I already understood a lot of those concepts, so that I was able to focus my attention on reverse engineering, rather than focusing on how to understand what I was looking at in a disassembly graph.
To finalize my thoughts, I would recommend that anyone with even a passing interest in Malware RE consider asking their employer if they would be willing to sponsor the next step in their education. As for myself, I am feeling more ready than ever to begin analyzing malware, building reports, and submitting indicators for the numerous malicious samples that ParaFlare regularly encounters in our daily mission to protect our clients' networks.