Road to RE, Ep2. FOR610/GREM Review
Introduction
Hey there, and welcome back to my “Road to RE” series! I’m excited to bring you the second episode of my journey into malware analysis and reverse engineering. If you missed the first episode, be sure to check it out.
In this series, I’ll be sharing my experiences and insights as I work to develop my skills in MA/RE. I’ll start with some basic concepts and progress to more advanced topics as I learn more. My hope is that these blogs will not only document my progress but also provide helpful information to others who are interested in the field.
For this episode, I won’t be reviewing a specific malware sample. Instead, I want to share my thoughts on the SANS Institute Forensics 610: Reverse-Engineering Malware course and its accompanying GIAC certification, GREM. As someone who is passionate about learning, I believe it’s important to review training materials to help others find the best resources out there.
I’ll be sharing my experience with the course and discussing the preparation process for the GREM exam. Whether you’re just starting out or are a seasoned professional, I hope you’ll find this episode informative and helpful.
Thanks for tuning in, and I’ll see you soon in the next episode of “Road to RE”!
Overview
You’ve probably heard of the SANS Institute. It’s a well-respected provider of cyber security training, covering everything from general security to cloud security and forensics/incident response.
Within the forensics/incident response category, there’s a course called Forensics 610: Reverse-Engineering Malware, or FOR610 for short. This course is developed and taught by two industry experts: Anuj Soni, Principal Threat Researcher at BlackBerry, and Lenny Zeltser, Chief Information Security Officer at Axonius.
Now, while FOR610 is one of the advanced 600-level courses in the SANS catalog, it’s designed for beginner MA/RE students. The prerequisites are pretty straightforward: you need a computer system that meets the laptop requirements and some basic familiarity with Windows and Linux operating environments, VMware, and programming concepts like variables and functions. However, the course material ramps up pretty quickly after Day 1!
FOR610 is a five-day course that covers everything from Malware Analysis Fundamentals to Reversing Malicious Code, Analyzing Malicious Documents, In-Depth Malware Analysis, and Examining Self-Defending Malware. In addition, there’s a “Malware Analysis Tournament” capstone exercise, which serves as a fun final challenge.
FOR610 also includes over a dozen fully hands-on exercises throughout the course. These exercises help students understand the material at a proficient level, which is essential for MA/RE work.
Day 1 — Malware Analysis Fundamentals
On Day 1 of the FOR610 course, students are introduced to the fundamental concepts of malware analysis and reverse engineering. This section covers topics such as the tools commonly used by analysts, lab setup, and the difference between fully-automated and manual analysis tactics.
Additionally, students will be exposed to various tools that are useful for gathering basic information on malware samples. These include static property analyzers like PeStudio, as well as network traffic analysis tools like Wireshark. These tools can be especially helpful for beginners who are just starting to explore the field of malware analysis.
While Day 1 is relatively light on written material, with only around 130 pages of content, it provides a solid introduction to the topic of MA/RE. This section sets the stage for the more advanced material covered in subsequent days of the course.
Day 2 — Reversing Malicious Code
On Day 2 of FOR610, students dive headfirst into the foundational code concepts that are essential for conducting MA/RE. This includes a comprehensive understanding of x86 and x64 assembly code, as well as a thorough exploration of programming structures such as loops and control flow. Additionally, students gain an overview of Windows API calls, a crucial skill in this field.
A highlight of the day is the introduction of Ghidra, an open-source disassembler and the go-to tool for FOR610 when performing static code analysis. Students follow along with multiple malware samples to gain practical experience in navigating the tool and interpreting its output.
All in all, this was a great day for those wanting to finally disassemble malware.
Day 3 — Analyzing Malicious Documents
On Day 3, FOR610 dove into analyzing malicious documents, which was my personal favorite day. I found this day particularly valuable because my job often requires me to deal with malicious documents such as phishing PDFs and malicious macros, and to decode base64.
Unlike the previous days that focused on executables, Day 3 solely focused on parsing malicious documents using tools like pdf-parser and zipdump. Students were taught various techniques to decode multi-layered base64 code. The day was full of practical exercises and labs, and my notes were as large as multiple days’ notes combined.
The hands-on approach of Day 3 was highly rewarding as I could immediately apply the skills I had learned to my day-to-day responsibilities.
Day 4 — In-Depth Malware Analysis
Day 4 of FOR610 was an exciting day for me, as it delved into the world of debuggers, which I personally find fascinating. The course uses x32dbg/x64dbg as its preferred debugger, but the lessons are adaptable to other debuggers such as OllyDbg if a student wishes to use them outside of class.
On Day 4, students are introduced to packed malware, memory analysis, and dumping and repairing executables. Additionally, they also work with obfuscated JavaScript and PowerShell code. While these topics are quite extensive and cannot be fully covered in a single course, FOR610 does an excellent job of providing students with the fundamental methodologies used when examining and dumping packed malware.
Day 5 — Examining Self-Defending Malware
Day 5 of FOR610 is the most complex day of the course and can be quite challenging. Students are introduced to advanced concepts such as SEH and TLS misdirection, as well as techniques used to debug self-defending malware executables and investigate process hollowing. While this day’s material was difficult to grasp at first, the sense of accomplishment from understanding these topics was great.
Malware Analysis Tournament
I must admit that I didn’t complete the tournament. As someone who takes SANS courses On-Demand and juggles various responsibilities, I find it challenging to make time for capstones. However, based on feedback from other students who completed the tournament, it appears to be a highly enjoyable and valuable opportunity to practice the techniques learned in the course.
GREM
The GREM certification is the accompanying certification for FOR610. To obtain this certification, a 2–3 hour on-site or remotely proctored exam with 66–75 questions must be passed. The exam questions cover a range of formats, including multiple choice and hands-on through the use of GIAC’s CyberLive platform. CyberLive questions are particularly engaging as they present scenario-based questions and provide an in-browser virtual machine that contains all the course tools to help test-takers find the correct answer. In my opinion, CyberLive questions are an excellent way to demonstrate one’s understanding of the course material.
To prepare for the GREM exam, I followed the process that I outlined in my YouTube video “Indexing for GIAC Exams.” I am pleased to say that I passed the GREM exam on March 30th, 2023, with a score of 85%, which was higher than I had anticipated halfway through the test.
Verdict
In rating FOR610/GREM on a scale of 1 to 5, where 1 is considered worthless and 5 is considered the best course available on the market, I would give it a 4. This course is excellent as a comprehensive introduction to MA/RE. However, I do wish that it covered a few additional topics like YARA rules, code patching, or malware written in other languages such as Go or C#. Nonetheless, I recognize that the course is already packed with an abundance of useful material, and it’s understandable that these topics may not have been included due to time constraints.
Overall, I strongly recommend FOR610 to anyone looking to learn MA/RE, provided they have access to employer funding.