Rapid reverse engineering is a requirement nowadays with APT-style attacks and advanced adversaries. The rate at which malicious software is thrown at an organization is astounding and growing more frequent. These malicious files range in complexity from heavy string obfuscation to advanced command-and-control channels.
This class combines deep reverse engineering subjects with rapid triage techniques to give students a broad capability when performing file analysis. Traditional classes are usually not tailored to a rapid assessment of a file. This class is designed to equip reverse engineers with advanced, out-of-the-box techniques for working with malware that ranges from nation-state samples to crimeware.
The techniques taught in this class will help students use all the tools at their disposal, from assorted debuggers and advanced scripting techniques to simple custom-written tools. Students will walk out of the class understanding how to handle the barrage of advanced techniques found in malware.
The class takes a combined dynamic and static approach to reversing malware. These techniques have been used by Attack Research professionals to rapidly get the answers that matter when reversing for incident response. Students will leave the class having an understanding of:
Students will spend a significant amount of time creating their own custom tools in a lab environment. This hands-on environment reinforces the material taught in class for maximum knowledge retention.
Student machines must be able to run at least 2 virtual machines using VMware Workstation 8.0 or above (which can be obtained through a demo license). Running multiple machines usually requires at least 4 GB of memory.
Student laptops must be running OS X, Linux, or Windows, and students must be able to disable all antivirus on the machine. You must have administrative access on your machine for sniffing traffic, adjusting firewalls, adjusting antivirus, etc.
Students must have:
Russ has many years of experience in information security, fulfilling diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels both at malware reverse engineering, which enables him to deeply understand how attackers do what they do, and at high-end Red Teaming, where he has to penetrate sophisticated and well-protected high-value systems. Russ currently serves as the Director of Malware Research at Attack Research, LLC.
We require 5 students to run this class.
Attack Research was founded by Val Smith, a well-known figure in the security research community known for working on the Metasploit project, conducting and publishing large-scale malware research, and working with international researchers on ERP, SCADA and other areas. Attack Research has been providing high-end security services to Fortune 100 and 500 companies since 2009. With 8 employees, AR has provided services ranging from proprietary product reverse engineering for avionics manufacturers to APT incident response for the oil and gas industry.