Black Hat West Coast Trainings Home Black Hat West Coast Trainings Home Black Hat West Coast Trainings Registration Black Hat West Coast Trainings Registration Black Hat West Coast Training Black Hat West Coast Trainings Summit Black Hat West Coast Trainings Schedule Black Hat West Coast Trainings Schedule Black Hat West Coast Trainings Sponsors Black Hat West Coast Trainings Sponsors Black Hat West Coast Trainings Venue Black Hat West Coast Trainings Venue

On This Page

The Black Art of Malware Analysis

Scott Lambert | December 9-12



Ends Oct 24
11:59PM EST



Ends Dec 5
11:59PM EST



Ends Dec 12


Malware is at the epicenter of cybercriminal activity. It is used to perform service disruption, fraud, intellectual property theft and other nefarious activities. For those charged with defense, it is critical to master the skills necessary to rapidly understand malware’s underlying capabilities. Sophisticated malware samples like those found in today’s headlines, often employ anti-analysis techniques to inhibit researchers’ abilities to quickly respond to and regain control after a compromise.

This four-day course has been designed for those aspiring security researchers looking to break into the fields of incident response, network security or anti-malware. The class makes no assumptions about your knowledgebase of x86 or x64 assembly, operating systems internals or programming experience. We take you on the path from entry-level to practiced-professional in all core areas related to those critical disciplines.

This class focuses on teaching attendees the steps required to understand the functionality of any given Windows binary. You will learn to dissect and extract both endpoint and network footprints while defeating any anti-analysis techniques thrown your way. You will also be taught how to take this knowledge and translate it into actionable threat intelligence using industry standard formats such as MAEC and OpenIOC.

This is a hands-on course. Attendees will work on real-world malware through a series of hardcore lab exercises designed to build expertise in the complete analysis process.

What Makes Your Course Unique?

This course is technically the most comprehensive for taking students from entry-level malware analysis to building expertise in dealing advanced malware obfuscation. No other course offers the same the breadth and depth of content from industry experts hailing from the anti-malware space. In other words, unlike service-based companies who have been exposed to only a fraction of the malware ecosystem via customer engagements our instructors bring an order of magnitude difference in terms of exposure to the threats that plague both the enterprise and consumer space alike. Translate that exposure and experience into slide content and real-world hands-on exercises and you will find there is no comparison.

Who Should Take This Course

This class is for security analysts who wish to learn how to statically and dynamically analyze malware to understand its functionality. Previous experience is not required with reverse engineering or Windows internals.

Student Requirements

Basic IT experience using Microsoft Windows.

What Students Should Bring

Attendees must bring their own laptop with a 32-bit version of Windows XP installed inside a virtual machine (such as Microsoft Virtual PC 2007 or VMware Workstation). Laptops must have a wireless network card that can be used for network access during the class.

Prior to the first day of the class, attendees should install the following software in a virtual machine

What Students Will Be Provided With

Hard copies of lecture slides and lab exercises. A CD containing all of the freely distributable tools that will be used in the course.


Scott Lambert is director of Threat Research for HP Security Research (HPSR). In this role, he is responsible for developing and driving the overall threat research strategy in the domains of malware, vulnerability and rapid threat information exchange. This includes HP’s Zero Day Initiative program, which augments HP DVLabs with zero-day research by a growing network of researchers in the IT community at large.

In his current role, Lambert focuses on developing and implementing strategies that enable HP to mine large data sets and generate actionable threat intelligence to power the HP Security Intelligence and Risk Management platform. Lambert’s current research centers around reducing the time of breach detection and response.

Prior to joining HP, Lambert developed, maintained and supported numerous computer security applications ranging from vulnerability assessment and risk management software to network and host-based intrusion detection/prevention systems, and related technologies for companies such as L-3 Network Security, Veridian Information Solutions, Symantec Corporation and Microsoft.

Jason Geffner joined CrowdStrike in 2012 as a Sr. Security Researcher, where he performs in-depth reverse engineering of highly complex malware and exploits developed by nation-states and organized crime groups. His intelligence research attributes malware, exploits, lateral movement tools, and command-and-control protocols to unique actors. Jason authors comprehensive reports for the technology, industrial, financial, energy, and government sectors to provide actionable intelligence for customers to understand who is attacking them, how they’re being attacked, what information is being stolen, and how to defend their systems and raise the bar against the attackers.

Before joining CrowdStrike, Jason worked for NGS Secure from 2007-2012 as a Principal Security Consultant. He focused on performing security reviews of source code and designs, reverse engineering software protection methods and DRM protection methods, penetration testing web applications and network infrastructures, and developing automated security analysis tools.

Prior to joining NGS, Jason spent three years as a Reverse Engineer on Microsoft Corporation’s Anti-Malware Team, where his work involved analyzing malware samples, de-obfuscating binaries, and writing tools for analysis and automation. He was the Security Research & Response Team owner of the Windows Malicious Software Removal Tool (MSRT). During his stewardship of this tool, which was and continues to be deployed to all Windows users around the world every month, Jason chose which new malware families the MSRT was to detect and clean each month based on his analysis of the telemetry and trends of the underground malware community. Jason has authored tens of thousands of malware signatures and dozens of malware analyses based on static and dynamic analyses of obfuscated binaries. His work on the MSRT helped hundreds of millions of Windows users each month keep their computers safe and secure.

While at Microsoft, Jason was recognized for his reverse engineering skills and for his efforts to drive awareness of reverse engineering practices throughout the company by being given the formal job title ""Reverse Engineer."" He was the only Microsoft employee with this title.

Jason holds several patents in the fields of reverse engineering and network security. He has a been a Program Committee member of the Reverse Engineering Conference (REcon) and of the International Conference on Malicious and Unwanted Software. He’s a regular trainer at Black Hat and other industry conferences, is often credited in industry talks and publications, and has been actively reverse engineering and analyzing software protection methods since 1995.