Malware analysis?

fabostrong Member Posts: 215
To anyone that does malware analysis, do you feel it's helped your career?

How did you get started or how did you learn? I've looked around a bit and it seems that Practical Malware Analysis and the Malware Analyst's cookbook are the most popular books or learning methods. There's GREM but in no way can I afford that.

Thanks

Comments

  • TechGromit GSEC, GCIH, GREM, Ontario, NY Member Posts: 2,044
    I just finished the GREM course in July. It has yet to have any significant impact on my career, but assuming I obtain my GREM certification, I expect it will when I get my next job. I got involved with malware analysis because I volunteered for an incident response team at my company to evaluate programs that are flagged as suspicious by AV engines. My contributions to this team have been modest so far, but I expect that with the training I have and practice I'll be able to significantly improve my standing in the group.
    Still searching for the corner in a round room.
  • gespenstern Member Posts: 1,243
    I took the GREM course this May (I plan to take the exam in September) because my job paid for it.

    Surprisingly, I've found that I did pretty much what the course author (Lenny Zeltser) does with a few little differences here and there.

    It's certainly not enough to be a good reverse engineer on the level of folks who work for AV vendors, but the GREM course plus a few years of practice dissecting malware can help. Unfortunately, these jobs don't pay as high IMO, while requiring a lot of effort learning rather weird things such as x86 assembly and Windows internals. I'd say it's a job for people who are really passionate about reverse engineering, which allows them to devote endless hours to it. I'd say it's a lifetime career and requires 5-10 years of dedicated and deliberate practice to become proficient enough.
  • UnixGuy Are we having fun yet? Mod Posts: 4,281
    So if work pays for GREM, do you guys recommend it? Or do you think something like GPEN or GNFA is a better investment?
    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • gespenstern Member Posts: 1,243
    @UnixGuy, only if you deal with malware as a part of your job or intend to on a deep level; otherwise it's too deep into things regular people never look into. Do you really need to learn assembly and learn how to debug malware with a disassembler? It's very time consuming and usually not worth the effort for the purpose of incident response.

    The course itself is great, top-quality SANS material.

    The GCIH course, for example, is something I'd say is much closer to what real-world infosec engineers do and are paid for.
  • UnixGuy Are we having fun yet? Mod Posts: 4,281
    I learned assembly, machine code, etc. 10 years ago at uni, not for security, just as part of my engineering degree.

    True, I don't think I'll need to deal with malware reversing, but I feel GCIH is pretty basic, as I've been in and out of SOCs. I was thinking GCFA/GCIA/GREM would be a good combination/base and a level up in skills for incident response/blue team/assurance etc.?
    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • ITSec14 Member Posts: 399
    I feel malware analysis is a skill that only certain organizations might take seriously and want to invest in. Because we have a small team at my company and we cover a lot of areas, management doesn't see a strong need for that skill. A huge organization would probably want that skill though because they often have bigger security teams and each person has a more defined area of focus. Really just depends I guess.
  • ramrunner800 Member Posts: 238
    UnixGuy wrote: »
    I learned assembly, machine code, etc. 10 years ago at uni, not for security, just as part of my engineering degree.

    True, I don't think I'll need to deal with malware reversing, but I feel GCIH is pretty basic, as I've been in and out of SOCs. I was thinking GCFA/GCIA/GREM would be a good combination/base and a level up in skills for incident response/blue team/assurance etc.?

    I have somewhat different recommendations than gespenstern. I do agree that if you don't deal with malware every day, or desire to in the future, GREM is probably not the best choice. I would also qualify that, though, as I think there are several roles people might not think of as 'dealing with malware' that actually do. GREM is highly useful for network security monitoring and incident response, in addition to pure malware analysis roles. The content on script deobfuscation and document analysis is required knowledge for anyone in an operational security role. It also provides useful knowledge for anyone who spends any amount of time reading reports from sandboxes or advanced network sensors. Basically any kind of SecOps, NSM, IDS analysis, or IR would benefit from GREM. I honestly found the cert to be much more useful for malware analysis than malware reversing. It's a good teaser of reversing, but they really just give you the beginning tools that you need to go learn more yourself.

    As far as cert recommendations, I agree that GCIH is too basic. SANS really should not number it 504, because it is certainly not a 500-level class. It's the course my org sends managers new to security and tech writers to, to get them a flavor of things. I agree with you that GCFA/GCIA/GREM is an excellent blue team base to build from. I have not taken either GCIA or GNFA, but I work with lots of folks who have. GCIA receives universal praise. GNFA tends to get mixed reviews: some love it, some hate it. I have also heard that the exam is very challenging.
    Currently Studying For: GXPN
  • UnixGuy Are we having fun yet? Mod Posts: 4,281
    Thanks @ITSec14

    @Ramrunner800: I think I tend to lean more to your view on this. From the course description I got the idea that GREM was more malware analysis (behaviour) with a small intro to reversing. I think if I get an option where work can pay for a SANS course it will be the GREM next. For pentesting I can always do Offensive Security or eLearnSecurity and get better ROI.

    Great answers!
    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • ITSec14 Member Posts: 399
    Ramrunner800 makes some great points. While the cert itself may or may not be beneficial to everyone, the knowledge certainly doesn't hurt to have, especially in an operational role.

    The way I see it...if there's a topic that interests you, then why not learn about it! You may just find a new passion.