“It may seem difficult at first, but everything is difficult at first.” — Miyamoto Musashi
Content
- That’s a lot of badges!
- Intro
- Learning
- Preparation
- Additional Resources
- Indexing
- Exam & CyberLive
That’s a lot of badges!
Intro
So whoami, you might ask! I’m currently working as a Detection & Response Engineer for a CSP. My experience with reversing malware is limited to some static analysis & relying on automated tools/sandboxes like Threat Grid, McAfee ATD, & Blue Coat MAA (is it even called that anymore?). Ever since I first started working in a SOC as a lowly L1 Analyst, malware analysis sandboxes have always fascinated me. I’d often manually analyse the scripts/macros used by malware to drop the subsequent payloads, and I used to have a ton of fun deobfuscating and analysing these scripts. However, I quickly realised that manually analysing the binaries is not as trivial as analysing the scripts, and, wanting to upskill, I started looking for RE courses and came across the SANS FOR610 course page. I loved the syllabus, but the price was too rich for an L1 Analyst working a contract role. I learned a lot of different stuff, developed my skillset, & moved on from that role and organisation a while ago, but the want to build my reversing skills stuck with me.
Since I work as a Detection & Response Engineer, I often go through malware analysis reports and try replicating the analysis in my own lab. This is the extent of my hands-on reversing experience. I took C, C++, C#, & Java programming, as well as microprocessors and the 8086 instruction set, whilst earning a bachelor’s in CS Engineering, but that all seemed like a lifetime ago. That being said, I still use C once in a while, and I’m familiar with pointers; I do a lot of Python scripting, so I’m also pretty familiar with loops & stuff, so I was pretty confident that I had the prerequisite knowledge for FOR610. I’d also staggered halfway through the Practical Malware Analysis book, although I didn’t do any labs.
Whilst suffering an extreme case of imposter syndrome after analysing a ransomware sample, I decided to give in & purchase the FOR610 course. That was back in early 2022. I got the then-live version, the 2021 version (based on the copyright information found in the courseware). They added a couple of different things for the 2022 version (more on that later).
Now that I’ve earned my GREM certification, I feel a lot more confident analysing & reversing malware. I feel a meme coming.
Learning
I bought the ON DEMAND version taught by Lenny Zeltser — many people who’d done this course had recommended that I get Lenny’s version. Unfortunately, I didn’t bundle the exam, which, in hindsight, was a mistake! I went through the course materials pretty quickly. I’d never touched a debugger until that point, so the x64dbg stuff was pretty cool. Additionally, the course teaches you to look for API patterns and to centre your analysis around the invocation of suspicious APIs.
I spent most of my time doing the practical exercises and redoing them again. If you’re like most people, you progress linearly — which, again, is a mistake. There’s one section I’d recommend you do in parallel along with the other sections, which is section 6 — FOR610.6: Malware Analysis Tournament. Once you’re halfway through section 2, I’d recommend that you start section 6 and try to put what you’ve learned to good use. If you wait until you’ve finished all the other sections, you might not have enough time to go through the challenges, particularly if you are preparing for the exam!
While going through the materials, you will be inundated with a lot of new information, so I recommend you consider what you’ve learned, reflect on it, and develop your own methodology for analysing malware. As you learn more, you’ll have to come back to that initial methodology you had in your mind and rework it. Ask ‘why’ a lot. If the courseware talks about using a plugin, ask yourself why. Understand the relevance of that step and the tool/parameter/plugins involved. Never lose sight of the big picture. Sometimes, especially with malware analysis, it is easy to get bogged down in the details and waste a lot of time going down a rabbit hole. This can frustrate you if you don’t remind yourself to take a step back & think about the bigger picture. Don’t worry if this isn’t making any sense now. You’ll figure it out once you get more hands-on experience with RE.
Preparation
Whilst going through a section/book, ensure you take notes, ideally hand-written notes with figures, steps, etc. For example, if you’re going through an exercise that details shellcode debugging, take note of the steps involved — the various tools utilised, the capabilities of the tools involved, the significance of any parameters, and the relevance of the output produced by a tool. Sometimes you might have to take the output produced by one tool and supply it as input to another tool.
Ensure you have an index dedicated to tools and their usage. For instance, I had a separate index that detailed every single tool & associated arguments/switches/shortcuts that were demo’ed in the books. This will help you immensely whilst attempting the labs/malware tournament challenges, not to mention nailing all the CyberLive questions.
If you’re learning process injection, note the various APIs involved. I cannot stress how important this is! Even if you don’t remember anything else from this blog, I implore you to take note of this. Not only for the exam, but it will also help you with your practical RE skills. For instance, write down the APIs involved in process injection on a post-it note and stick it on the monitor; you’ll see it every time you look at your monitor and slowly start to internalise it.
Another super important thing is to look at the stack and the various registers whilst stepping through the debugger. This will lead you to ask many of the ‘why’ questions that I discussed earlier. Again, this is very critical. I recommend that you spend a fair amount of time debugging malware and, more importantly, looking at the various elements and observing how values change with every instruction executed.
As I mentioned, try to do the malware analysis tournament challenges in parallel — section 6 stuff. This will help you apply the knowledge you’ve gained and get your paws dirty. Yes, you might get stuck, but that’s okay; you might spot something in another section/book that might help you come back & solve the challenge.
Additional Resources
Try to solve some crackmes. If you get stuck, go through the write-ups. There’s a ton of free content on Cyberdefenders! I recommend following HEXORCIST on YouTube, as he posts malware-reversing walkthroughs. I’d also highly recommend following the OALabs YouTube channel, subscribing to his Patreon (tons of super excellent content), and joining their Discord server.
In the end, you need to put in the work. You’ll have to go through malware analysis reports and reversing deep dives and try to replicate the analysis in your lab. If you are particularly interested in reversing a sample, try vx-underground or download them from Malware Bazaar or from online sandbox platforms like any.run. It’s also worth joining this Telegram channel. The folks there can get the samples from VirusTotal if you ask nicely. I also recommend checking out the Unprotect project. They have code snippets and even YARA rules for detecting a specific technique.
If you feel like your lack of knowledge in C is hindering your reversing efforts or need a refresher on C Programming, check out these courses — C Programming: Getting Started, C Programming: Language Foundations, C Programming: Modular Programming and Memory Management, & C Programming: Pointers and Memory Management from edX.
Indexing
You don’t need to index every concept in the courseware. Although I tried to index most of the stuff when I started, I quickly realised this would only help you a little for the exam. Most of the questions in the exam are designed to test whether you can apply the knowledge that was taught. I’d recommend indexing the various sections in a book and essential topics like TLS callbacks, unpacking techniques, etc.
As I’d mentioned earlier, take copious notes — hand-written notes, and index the various tools & associated arguments/switches/shortcuts etc., since the CyberLive exams have practical questions. Take a printout of the cheatsheets made available by Lenny, and practise with the same whilst doing the labs.
Exam & CyberLive
Since I purchased the course in early 2022, I got the 2021 version, which was the current version available back then. Later in the year, they updated the courseware and the exam for 2022. After purchasing the course and reviewing the materials, I kept deferring the exam due to personal issues and only took the exam in March 2023. Finally, when I decided to purchase the exam, I contacted GIAC to inquire about the possibility of buying the exam version associated with my course version. Unfortunately, this option wasn’t financially feasible and led me to purchase the current exam version. Unfortunately, if you buy a GIAC exam that’s not bundled with a SANS course, you don’t get any free practice exams, which I learned the hard way. Instead, I had to shell out $399 for a single practice exam.
I purchased a practice exam and, without any preparation whatsoever, attempted it. I got 78%! This was attempted without an index or cheatsheets I’d made, mind you. I felt confident. I purchased a GREM exam attempt and scheduled it for five days later. I spent a lot of time revising and redoing the practical labs.
Then came exam day. Since this was my first-ever GIAC exam attempt, I was a bit nervous NGL. Got meself an Americano from Starbucks, had a sriracha sandwich, prayed, and left for the exam centre. You could attempt it from home via ProctorU, but this involves removing certain apps from your computer, which I didn’t want to bother with. Good thing I left an hour early because there was traffic.
I got there with just enough time for ID verification, taking my picture, and signing stuff. I started the exam and immediately knew they had updated the courseware. I skipped a couple of questions for later. It was a bit difficult. Then came the CyberLive questions. The CyberLive questions were towards the end of the exam. So make sure you have at least an hour dedicated to the CyberLive bit. I loved it! It felt like I was breezing past the practical stuff. I hope they move away from the multiple-choice questions entirely. After I’d answered all the CyberLive questions, I then took my time to answer a couple of questions I had skipped earlier. I finished the exam with 48 minutes left on the clock, and this was the result.
Yep, 92%! I was overjoyed. I kept smiling all the way back home. My joy was inexplicable. I got back, opened LinkedIn and posted the exam results. A few days later, they sent an invite to join the invite-only forum — GIAC Advisory Board. Felt privileged to join such an esteemed forum.
Overall, it’s completely worth it: the cost, the time, everything. I feel less like an imposter now. I’d encourage anyone interested in malware reversing to take the course.
That’s it, folks. If you are curious about malware reversing and follow the guidelines detailed here, and all the other excellent blog posts/reviews — like this one from Stacktrac3, there’s a pretty good chance of you nailing the GREM exam.
Later, alligators.