Shall I cancel my SANS Malware Course and do the GCIH one instead?

I'm supposed to be doing FOR610 - Reverse Engineering Malware in a few months with Sans. This could in theory lead to the GREM certification.

However, I am not sure whether I should instead do the GCIH course instead which is the SEC504 - Hacker Techniques

The reason being is that I see tons of jobs asking for GCIH but none asking for GREM.

However I know that Malware is quite a specialist area and companies struggle to recruit those with experience/training and knowledge of reverse engineering.

Any thoughts?

Find more posts tagged with

Comments

JDMurray

How good are you already at Malware reverse engineering? Do you already know Intel or ARM assembly language and the operation of those CPUs? How up are you on all of the latest (and historical) Malware code obfuscation techniques? And most importantly for hiring purposes, what recent professional experience do you have at Malware reverse engineering?

If your answers to these questions range from "not much" to "none" then I would say 504 would be your best choice--assuming that you want to work in security operations (SOC, IR).

E Double U

I see that you already have OSCP. A former colleague also did GCIH after OSCP and he only found the first day useful because it covered incident handling steps. The remainder of the course focused on hacking techniques/tools he was already familiar with from OSCP. Granted the GCIH uses a blue team approach so it teaches you those techniques for the purpose of understanding how to defend them. Based on that I would say GREM. You could also just simply do whichever one interests you more or whichever provides immediate ROI. I am trying to give you advice without knowing what you do currently or what your future aim is.

CyberCop123

JDMurray said:

How good are you already at Malware reverse engineering? Do you already know Intel or ARM assembly language and the operation of those CPUs? How up are you on all of the latest (and historical) Malware code obfuscation techniques? And most importantly for hiring purposes, what recent professional experience do you have at Malware reverse engineering?

If your answers to these questions range from "not much" to "none" then I would say 504 would be your best choice--assuming that you want to work in security operations (SOC, IR).

Hi JD,

I have very limited experienced in Malware Analysis and reverse engineering.

I have done very basic stuff just around looking at Dynamic and Static anylsis. I know some theory, such as identifying the packers, looking at the DLL's being used, uploading to VirusTotal, MD5 and online research, then running the malware and checking registry changes, new processes, looking at new ports being used, etc...

Nothing about Intel or ARM assembly.

E Double U said:

I see that you already have OSCP. A former colleague also did GCIH after OSCP and he only found the first day useful because it covered incident handling steps. The remainder of the course focused on hacking techniques/tools he was already familiar with from OSCP. Granted the GCIH uses a blue team approach so it teaches you those techniques for the purpose of understanding how to defend them. Based on that I would say GREM. You could also just simply do whichever one interests you more or whichever provides immediate ROI. I am trying to give you advice without knowing what you do currently or what your future aim is.

Yea I was going to mention my OSCP.

I don't use this day-to-day as I work in law enforcement, I also don't really do much in the way of incident handling from an IT perspective, usually I talk to companies who are victims of an attack and ask for certain log files and things like that.

I'm concerned that GREM is too big a step.

I see GCIH on hundreds of job adverts however I never see GREM ... although I do sometimes see Malware Analysis listed. I don't want to be a Malware Analyst, that is a hugely specialised job... I don't mind doing a bit as an incident handler, digital forensics, general IT security and feel that my current level is probably more in line with that.

I think the best ROI is the GCIH as I feel I could do the course and learn without being just overwhelmed and out of my depth. I also think I could pass the exam too

LonerVamp

To be fair, if you don't want to do malware analysis, you probably won't ever find GREM on a job description, since that is one of the main areas that GREM-holders will go towards. You can still do the course and cert if you want to add to your own skillsets, but I dont know of any other blue or red team jobs that will be looking at GREM in particular. Maybe...maybe IR jobs, but honestly if they list GREM, they're looking for a malware analyst for a large part of that job duty. (I have a colleague taking GREM in a few weeks, so maybe my perspective might change, but I doubt it.)

GCIH is going to be more universal, but with your OSCP, I'd honestly suspect the GCIH may be a bit too accessible and easy. You might not learn much.

You're doing GNFA, I see. I'd almost suggest going with GCFA as well as a compliment. Honestly, you can't go wrong with the level of material you will get at SANS, but some of the courses definitely are specialized to certain areas. GCFA goes into system forensics, memory forensics lite, and threat hunting/IR.

But, if you're looking at something reocgnizable for job hiring filters, GCIH is probably easily doable for you. That said, you have CISSP which is *the* more recognizable cert for security, and you have OSCP, which is one of *the* more respected ones amongst those who know it. At this point, it won't much matter as long as you're learning skills and meeting people!

CyberCop123

LonerVamp said:

To be fair, if you don't want to do malware analysis, you probably won't ever find GREM on a job description, since that is one of the main areas that GREM-holders will go towards. You can still do the course and cert if you want to add to your own skillsets, but I dont know of any other blue or red team jobs that will be looking at GREM in particular. Maybe...maybe IR jobs, but honestly if they list GREM, they're looking for a malware analyst for a large part of that job duty. (I have a colleague taking GREM in a few weeks, so maybe my perspective might change, but I doubt it.)

GCIH is going to be more universal, but with your OSCP, I'd honestly suspect the GCIH may be a bit too accessible and easy. You might not learn much.

You're doing GNFA, I see. I'd almost suggest going with GCFA as well as a compliment. Honestly, you can't go wrong with the level of material you will get at SANS, but some of the courses definitely are specialized to certain areas. GCFA goes into system forensics, memory forensics lite, and threat hunting/IR.

But, if you're looking at something reocgnizable for job hiring filters, GCIH is probably easily doable for you. That said, you have CISSP which is *the* more recognizable cert for security, and you have OSCP, which is one of *the* more respected ones amongst those who know it. At this point, it won't much matter as long as you're learning skills and meeting people!

That makes sense, it was the way I interpreted it too.

The GNFA was OK but honestly I did struggle quite a lot after the 2nd day. Most of it was very difficult to keep up with. I'm no where near exam ready yet. I could do the GCFA which isn't a bad idea - it's an advanced digital forensics certification. I've done about 3 years of forensics so I probably would be OK adjusting to that.

GCIH was tempting only as I see it on almost EVERY incident response, cyber security, security engineer job I look at.

People recognise that more than OSCP it seems. Sometimes if I mention that, people say "Oh, so basically CEH then?"... haha

TechGromit

SANS 610 / GREM is a very specialized branch of cyber security, something you have to be your primary job focus on. I took the course because I was in my companies incident response team, I thought we were going to be given the time to really get in-depth with our analysis of malware, Unfortunately I have way too many other responsibilities to dedicate the time required to really analyze malware. Pretty much it's get the hash, compare it to virus total, **** it into fire-eye, get a answer and move on.