Overview
Almost every incident response involves a Trojan, backdoor, virus component, or rootkit. Incident responders must be able to analyze the malware they encounter rapidly in order to determine the purpose of unknown code. This course provides a fast-paced introduction to the tools and methodologies used to perform dynamic and static analysis on Portable Executable (PE) programs found on Windows systems. Students will learn to infer the functionality of a program by analyzing its disassembly and by watching how it changes a system as it runs. They will learn how to extract investigative leads from the host-based and network-based indicators associated with a malicious program, and how to recognize specific coding constructs in disassembly. They will be taught the art of dynamic analysis and introduced to the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations, exercises in which students follow along with the instructor, and labs in which students practice what they have learned on their own.
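Much of what the overview describes, pulling host-based and network-based indicators out of a sample and spotting the Windows APIs it uses, can be started before any disassembly by recovering strings from the file and classifying them. The script below is an added example written for this page, not course material or Mandiant code. It extracts both ASCII and UTF-16LE strings (wide strings are common in Windows malware and are missed by a plain `strings` run), tags URLs, IPv4 addresses, registry keys and file paths, and maps API names found in the import name table to the capability each one suggests. The sample buffer, the hostname update.example.test, the address 192.0.2.44, the file path and the API-to-capability table are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Minimum run of printable characters to count as a string
# (the same default the classic `strings` utility uses).
MIN_LEN = 4

# An ASCII run, and a UTF-16LE run (each printable byte followed by 0x00).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicator patterns applied to each recovered string.
URL_RE = re.compile(r"(?:https?|ftp)://\S+", re.IGNORECASE)
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
REG_RE = re.compile(
    r"(?:HKEY_[A-Z_]+\\|HKLM\\|HKCU\\|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run)",
    re.IGNORECASE,
)
PATH_RE = re.compile(r"(?:[A-Za-z]:|%[A-Za-z_]+%)\\[^\s\"<>|]+")

# Windows APIs frequently seen in malware, grouped by the capability each suggests.
# This table is general reverse-engineering knowledge assembled for the example,
# not material from the course.
API_HINTS: Dict[str, set] = {
    "process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "registry persistence": {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "network": {"InternetOpenA", "InternetOpenUrlA", "URLDownloadToFileA", "WSAStartup", "connect", "send", "recv"},
    "anti-debugging": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
    "keylogging": {"GetAsyncKeyState", "SetWindowsHookExA", "SetWindowsHookExW"},
}


def extract_strings(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every ASCII and UTF-16LE string, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return sorted(found)


def _valid_ipv4(s: str) -> bool:
    """Dotted quad with every octet in range; rejects version-number lookalikes like 1.2.3.400."""
    return IPV4_RE.fullmatch(s) is not None and all(int(o) <= 255 for o in s.split("."))


def triage(data: bytes) -> dict:
    """Classify recovered strings into host/network indicators and API capability hints."""
    report = {"urls": [], "ipv4": [], "registry": [], "paths": [], "capabilities": {}}
    for _, s in extract_strings(data):
        if URL_RE.fullmatch(s):
            report["urls"].append(s)
        elif _valid_ipv4(s):
            report["ipv4"].append(s)
        elif REG_RE.search(s):
            report["registry"].append(s)
        elif PATH_RE.fullmatch(s):
            report["paths"].append(s)
        # Import names live in the PE import name table as plain ASCII, so a
        # statically linked API shows up here even before the sample is disassembled.
        for capability, apis in API_HINTS.items():
            if s in apis:
                report["capabilities"].setdefault(capability, []).append(s)
    return report


PAD = b"\x00" * 4  # separator that keeps adjacent ASCII and wide matches from running together

# Constructed sample buffer standing in for a stripped binary. It is not a real PE,
# and none of the hosts, addresses or paths in it exist.
SAMPLE = PAD.join([
    b"MZ\x90",                                                        # DOS magic, too short to be a string
    b"http://update.example.test/dl.php",                             # download URL (ASCII)
    b"192.0.2.44",                                                    # hard-coded address (TEST-NET-1 range)
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le"),  # Run key as a wide string
    b"C:\\Windows\\Temp\\svchost32.exe",                              # drop path masquerading as a system binary
    b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",  # import names suggesting injection
    b"IsDebuggerPresent",                                             # import name suggesting anti-debugging
    b"\x12\x34ab\xff",                                                # binary noise shorter than MIN_LEN
])


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would keep in mind: a packed or encrypted sample yields almost no meaningful strings, which is itself a lead that the file must be unpacked or run under dynamic analysis before this kind of triage works, and malware that resolves APIs at run time through GetProcAddress with obfuscated names will not show them in the import table, so an empty capability list is not evidence of absence.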
What You Will Learn:
Who Should Attend the Class:
Information technology staff, information security staff, corporate investigators, or others who need an understanding of how malware works and of the steps and processes involved in malware analysis.
What You Will Get:
Free Tools CD with course tools and scripts
Prerequisites
Steve Davis is a Consultant in Mandiant's Alexandria, Virginia office. Mr. Davis specializes in exploit research and development, malware analysis, and application and network vulnerability assessments. He has developed internal tools to aid in penetration tests and malware analysis. Mr. Davis has taught malware analysis and wireless security courses at industry conferences, including Black Hat, and to private clients.
Prior to joining Mandiant, he was a Consultant with Booz Allen Hamilton in the Assurance and Resilience section. There, Mr. Davis performed black box/white box penetration tests on various operating systems and architectures and provided consultation on vulnerabilities in client products discovered through exploitation and vulnerability testing.
Before working with Booz Allen, Mr. Davis worked with CIGNA Corporation. At CIGNA his work focused on vulnerability assessment and risk mitigation. He was responsible for assessing and reporting on network vulnerabilities and reviewing and approving requested exceptions to the company’s Information Protection Policy.
Mr. Davis is a 2007 graduate of The Pennsylvania State University, where he received a Bachelor of Science in Information Sciences and Technology.
Michael Sikorski is a Principal Engineer at Mandiant. As a member of the Federal Services Team, Mr. Sikorski provides specialized research and development security solutions to the company's federal client base. Mr. Sikorski has five years of experience in technical development supporting government computer network operations (CNO) and nine years of experience in the field of computer security.
Mr. Sikorski came to Mandiant from Massachusetts Institute of Technology’s (MIT) Lincoln Laboratory where he conducted research and development on tools for passive network mapping; provided Red Team services on automated intrusion detection and response systems for mobile ad hoc networks; and built automated attack graphs for network security. He also contributed to multiple publications and served as a liaison between MIT and the National Security Agency (NSA), providing mission critical tools to the agency.
Mr. Sikorski is a graduate of the NSA's three-year Systems and Network Interdisciplinary Program (SNIP). This elite technical development program is designed to train NSA personnel in the art and science of system and network defense and exploitation. While at the NSA, he contributed to research in reverse engineering techniques, received multiple invention awards in the field of Network Analysis and led a team in the development of the host-based component of an active network defense system.
Mr. Sikorski holds a Bachelor of Science degree in Computer Engineering (with minor in Economics) from Columbia University and a Master of Science degree in Computer Science from Johns Hopkins University. He currently holds a Top Secret security clearance.
Super Early (ends Mar 15): $2000
Early (ends May 1): $2100
Regular: $2300
Late: $2500
Onsite: $2800
Black Hat USA 2009
July 25-30
Caesars Palace
Las Vegas, NV
Training July 25-28
Briefings July 29-30