Rapid Reverse Engineering

Attack Research | August 3-4

Overview

This course combines a deep understanding of reverse engineering with rapid triage techniques to give students a broad capability to analyze malicious artifacts uncovered during incident response. By tailoring the instruction to rapid assessment of binaries, we equip students with the skills required to keep up with modern malware and to quickly extract the data most valuable and pertinent to their investigations, including Indicators of Compromise (IOCs). Rapid RE includes considerable lab time using replicated enterprise networks and attacks as observed in the wild.

Students will leave with an understanding of:
  • How real-world attacks are carried out
  • File triage processes and techniques
  • Techniques for extracting intelligence from malware
  • How to deal with binary obfuscation techniques
  • How to get indicators from a file in a hurry

Students will spend a significant amount of time creating their own custom tools in a lab environment. The labs are designed around the students working through the following:
  • Recognizing file-format infections from various sources
  • Advanced triage capabilities
  • Extracting host and network indicators from file-format exploits
  • Developing your own custom process-trace capabilities for IOC extraction
  • Rapid shellcode analysis using less common tools and techniques
  • Rapid binary de-obfuscation techniques with IDA Pro and debuggers
  • Rapid unpacking techniques

Topics Covered:
  • Rapid inspection of various file formats
  • Assured Dynamic Analysis
  • Process Tracing for Rapid File Assessments
  • IDA Efficiencies
  • Unpacking

Who Should Take this Course

This course is well suited to incident responders and reverse engineers. The class is designed to teach techniques that help incident responders get answers in a hurry.

Student Requirements

Student machines must be able to run at least 2 virtual machines using VMware Workstation 8.0 or above (which can be obtained through a demo license). Running multiple virtual machines usually requires at least 4 GB of memory.

Student laptops must be running OS X, Linux, or Windows and must allow the student to disable all antivirus, sniff traffic, adjust firewalls, etc.

We encourage students to have a copy of IDA Pro version 6.0 or greater. Students are responsible for bringing an XP or Windows 7 VMware virtual machine that can be instrumented and infected with malware.

Students must have:
  • A basic grasp of a scripting language such as Python, Perl or Ruby
  • Familiarity with Windows administration
  • A basic grasp of malware analysis and the process of reverse engineering malware
  • Programming in C and previous knowledge of assembly will help students, but are not a must

What Students Should Bring

See Student Requirements

What Students Will Be Provided With

Students will walk away from the class with full documentation and all of the custom and non-custom tools that we have given them or that they have designed in class. Students leave AR training sessions with more than just the "usual" training materials: they leave with a wealth of knowledge for defending networks.

Trainers

Russ Gideon (rgideon@attackresearch.com). Russ has many years of experience in information security, fulfilling many diverse roles, from being a core component of an Incident Response operation to running effective Red Teams across the United States government. Russ excels both at malware reverse engineering, which enables him to deeply understand how attackers do what they do, and at high-end Red Teaming, where he has to penetrate sophisticated and well-protected high-value systems. Russ currently serves as the Director of Malware Research at Attack Research.

Colin Ames (amesc@attackresearch.com). Colin is a security researcher with Attack Research LLC, where he consults for both the private and public sectors. He is currently focused on penetration testing, exploit development, reverse engineering, and malware analysis.