Hands-on Malware Analysis & Incident Response Training

By Amr Thabet

Elevator Pitch

This hands-on training covers targeted attacks, fileless malware, and ransomware attacks, together with the best practices for responding to them.

You’ll experience hands-on labs on performing malware analysis, memory forensics, and full attack investigations with different real-world samples.

Description

The number of cyberattacks is undoubtedly on the rise, targeting government, military, public and private sectors. These attacks focus on individuals or organizations in an effort to extract valuable information, extort money through ransom, or damage their reputation. 43% of the cyberattacks these organizations face are advanced malware, APT attacks, or zero-day attacks.

With adversaries getting sophisticated and carrying out advanced malware attacks, detecting and responding to such intrusions is critical for cyber security professionals. The knowledge, skills, and tools required to analyze malicious software are essential to detect, investigate and defend against such attacks.

This training takes you on a journey through malware analysis, covering targeted attacks and ransomware attacks with their techniques, strategies and the best practices to respond to them. The training is full of hands-on labs on performing malware analysis, rootkit analysis and full attack investigations with different real-world samples.

What previous attendees said about this training:

“I was always feeling that malware is something scary, something I can’t understand or control. Now I feel it’s not scary anymore. I can actually analyze it, understand it and control it.” Fung Dao Ying, System Analyst at Bintulu Port Holding Berhad

LEARNING OBJECTIVES:

  • Understand the lifecycle of a targeted attack and all the techniques & strategies the attackers use to penetrate an organization (spear-phishing, drive-by download, etc.)
  • Know the steps to take when you discover malware in your network.
  • Perform basic static & behavioral analysis of malware in an isolated virtualized environment
  • Perform static and dynamic code analysis to determine the malware functionality using IDA Pro and Ollydbg/x64dbg
  • Understand the basics of the x86 assembly language
  • Learn how to detect and analyze a malicious document with embedded macros
  • Learn to extract the network and host-based indicators of compromise
  • Analyze downloaders, droppers, keyloggers, fileless malware, HTTP backdoors, etc.
  • Perform memory forensics on an infected machine and extract the malware artifacts from its memory.
  • Perform in-depth investigation on an infected machine, extract the suspicious volatile and non-volatile artifacts
  • Understand threat hunting and be able to build a threat hunting process.

PROGRAM OUTLINE

DAY 1

APT Attacks & Malware Analysis:

  • What is an APT Attack
  • What are the Attack Stages?
  • The APT Attack Vectors
  • Types of Malware
  • Why Malware Analysis
  • Types of malware analysis
  • Setting up an isolated lab environment

Basic Static Analysis:

  • Fingerprinting the malware
  • Extracting strings
  • Determining File obfuscation
  • Unpacking Packed Malware
  • Understanding PE File characteristics
  • Hands-on lab exercise involves analyzing a real malware sample

Behavioral Analysis & Sandboxing:

  • Understanding Behavioral Analysis tools
  • Monitoring process, file system, registry, and network activity
  • Determining the Indicators of compromise (host and network indicators)
  • Custom Sandbox Overview
  • How a sandbox works
  • Sandbox Features
  • Hands-on lab exercise involves analyzing a real malware sample

Spear-phishing Attacks with Malicious Documents:

  • Examining a malicious Office document packed with VBScript macros
  • Examining & dissecting malicious PDF files
  • Hands-on labs to examine documents packed with malicious macros (real attacks)

DAY 2:

Intro To x86/x64 Assembly:

  • Understanding CPU registers and assembly instructions
  • Diving deeper into the assembly language and memory handling
  • Reversing assembly code blocks into a higher-level language (C++)
  • Dealing with local & global variables

Brief Intro to Code Analysis & Malware Functionalities:

  • Intro to code analysis
  • Droppers & Downloaders
  • Maintaining Persistence
  • Keylogging
  • Banking Trojans & Man in The Browser (MiTB)
  • Point of Sale Malware (POS)
  • Understanding Indicators of Compromise
  • Write your own YARA rule

Static & Dynamic Code Analysis In-Depth:

  • Basics of IDA Pro
  • Demo: Hands-on labs for static code analysis
  • Basics of Ollydbg/x64dbg
  • Demo: Hands-on labs for dynamic code analysis
  • Investigating the Windows API calls the malware makes
  • What to look for while performing code analysis
  • Hands-on lab exercise involves analyzing a real malware sample

Encryption, Packing & Obfuscation

  • Understanding different encryption algorithms
  • Demo: Examining RC4 encryption algorithm
  • Learning 4 different manual unpacking techniques for custom packers
  • Manually unpacking malware using a memory breakpoint on execution
  • Hands-on practice on unpacking malware

DAY 3:

Windows Forensics & Timeline Analysis

  • Why perform digital forensics and timeline analysis?
  • Disk image acquisition techniques
  • Analyzing the NTFS Master File Table and extracting deleted files & timestamps
  • Analyzing Prefetch files to detect loaded processes
  • Analyzing registry hives & detecting malware persistence
  • Creating the attack timeline & understanding its root cause
  • Hands-on labs on a real ransomware attack

Memory Forensics & Volatility Overview:

  • What is Memory Forensics
  • Why Memory Forensics
  • Steps in Memory Forensics
  • Memory acquisition and tools
  • Volatility basic commands
  • Process memory Internals
  • Listing DLLs using Volatility
  • Identifying hidden DLLs
  • Dumping malicious executables from memory
  • Dumping DLLs from memory
  • Scanning the memory for patterns (yarascan)
  • Volatility plugins to identify process injection and API hooking
  • Hands-on lab exercise (scenario-based) involves investigating a malware-infected Windows 10 memory image

Advanced Techniques: Fileless Malware & API Hooking

  • Understanding Process Internals
  • Process & Thread Environment Block Structure
  • Detect & investigate code injection
  • Remote DLL & shellcode injection
  • Process Hollowing (Stuxnet Technique)
  • API Hooking & IAT Hooking
  • Hands-on lab exercise involves investigating a malware memory image

Intro to Threat Hunting:

  • What’s threat hunting & why threat hunting
  • Types of threat hunting
  • How to perform threat hunting
  • Practical example on endpoint threat hunting using Sysmon
  • Writing your own Sigma rules

Who Should Attend

This course is intended for cyber security investigators, cyber security heads and managers, security researchers, information technology heads and managers, forensic practitioners, incident responders, malware analysts, system administrators, software developers, security professionals who would like to expand their skills, and anyone interested in learning malware analysis and memory forensics.

Materials Provided:

  • Training Prerequisite & Lab Setup Guide: a step by step guide for preparing your isolated virtualized environment for executing and analyzing malware
  • Malware Analysis Lab VM (Windows 10 VM) with all required tools pre-installed. It will be provided in .ova format
  • The labs/exercises samples and memory images.
  • An ebook version of the Malware Analysis & Incident Response Workbook which includes all the exercises taught in the training with step-by-step solutions to them.

Delegate Requirements:

  • Should be familiar with using Windows/Linux
  • Should have an understanding of basic programming concepts, while programming experience is not mandatory.

Hardware/Software Requirements:

  • Laptop with minimum 8GB RAM and 80GB free hard disk space
  • Laptop with USB ports; the lab samples and the custom Linux VM will be shared via USB sticks
  • VMware Workstation or VMware Fusion (even trial versions can be used).
  • Delegates must have full administrator access to the Windows operating system.

Note: VMware Player and VirtualBox are not suitable for this training.

DURATION:

3 Days

Notes

The training has been updated from last year’s version and it’s constantly getting updated. I took into consideration all the feedback I received during last year’s training and added more of what worked well.

This year I added the incident response part, as I see it’s more requested from the audience to not be just malware analysis but malware analysis in the context of an incident response investigation and what should be done to mitigate the whole attack. Also, if you want to keep the previous title “Hands-on Malware Analysis & Reverse Engineering”, I have no issues with that.