Malware Analysis: Black Hat Edition
MANDIANT - Steve Davis & Michael Sikorski
USA 2010 Weekend Training Session //July 24-25
USA 2010 Weekday Training Session //July 26-27
Almost every Incident Response involves some Trojan, back door, virus component, or rootkit. Incident Responders must be able to perform rapid analysis on the malware encountered in an effort to determine the purpose of unknown code. This course provides a rapid introduction to the tools and methodologies used to perform dynamic and static analysis on portable executable programs found on Windows systems. Students will learn to infer the functionality of a program by analyzing disassembly and by watching how it changes a system as it runs. They will learn how to extract investigative leads from host and network-based indicators associated with a malicious program and how to identify specific coding constructs in disassembly. They will be taught the art of dynamic analysis, and they will be taught about several Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations, exercises where the students follow along with the instructor, and labs where the students practice what they have learned on their own.
What You Will Learn:
- How to create a safe malware analysis environment
- Malware analysis shortcuts
- Static Program Analysis Methodology
- Dynamic Program Analysis Methodology
- Methodologies: differences between static and dynamic analysis
- Bits, bytes, binary, decimal, hexadecimal and converting values between the various numbering conventions
- The fundamentals of assembly language programming
- How to perform dynamic analysis using system monitoring utilities to capture the system, registry and network activity generated during malware analysis
- Windows Internals and APIs
Who Should Attend the Class:
Information technology staff, information security staff, corporate investigators or others requiring an understanding of how malware works and the steps and processes involved in Malware Analysis.
What to bring:
Students must bring their own laptop with VMware Workstation or Server installed. Laptops should have 10GB of free space.
Students who cannot meet the laptop requirements because of onsite registration or other reasons should contact MANDIANT at firstname.lastname@example.org to see if a laptop can be provided.
What You Will Get:
- Student Manual
- Class handouts
- MANDIANT gear
- Free Tools CD with course tools and scripts
Excellent knowledge of computer and operating system fundamentals is required. Some exposure to software development is highly recommended.
Steve Davis is a Senior Consultant in MANDIANT's Alexandria, Virginia office. Mr. Davis specializes in network and application vulnerability assessments including exploitation activities and exploit research.
Prior to joining Mandiant, he was a Consultant with Booz Allen Hamilton in the Assurance and Resilience section. There, Mr. Davis performed black box/white box penetration tests on various operating systems and architectures and provided consultation on vulnerabilities in client products discovered through exploitation and vulnerability testing.
Before working with Booz Allen, Mr. Davis worked with CIGNA Corporation. At CIGNA his work focused on vulnerability assessment and risk mitigation. He was responsible for assessing and reporting on network vulnerabilities and reviewing and approving requested exceptions to the company's Information Protection Policy.
Mr. Davis is a 2007 graduate of The Pennsylvania State University, where he received a Bachelor of Science in Information Sciences and Technology.
Michael Sikorski is a Principal Consultant at Mandiant. He provides specialized research and development security solutions to the company's federal client base, reverse engineers malicious software discovered by incident responders, and has helped create a series of courses in malware analysis (from Beginner to Advanced). He has taught these classes to a variety of audiences including the FBI, the National Security Agency (NSA), and BlackHat.
Mr. Sikorski has over 10 years of experience in the field of computer security and seven years of experience in technical development supporting government computer network operations (CNO).
He came to Mandiant from Massachusetts Institute of Technology's (MIT) Lincoln Laboratory. While there, he conducted research and development on tools for passive network mapping; provided Red Team services on automated intrusion detection and response systems for mobile ad hoc networks; and built automated attack graphs for network security. Mr. Sikorski also contributed to multiple publications and served as a liaison between MIT and the NSA, providing mission critical tools to the agency.
Mr. Sikorski is a graduate of the NSA's three-year Systems and Network Interdisciplinary Program (SNIP). This elite technical development program is designed to train NSA personnel in the art and science of system and network defense and exploitation. While at the NSA, he contributed to research in reverse engineering techniques, received multiple invention awards in the field of network analysis and led a team in the development of the host-based component of an active network defense system.
Mr. Sikorski holds a Bachelor of Science degree in Computer Engineering (with minor in Economics) from Columbia University and a Master of Science degree in Computer Science from Johns Hopkins University. He currently holds a Top Secret security clearance.
Mr. Sikorski is an avid triathlete and ice hockey player & referee.