Wednesday, February 13, 2019

My Plan and Resources for GIAC GREM Prep

A lot has happened to me as of late. I accepted a role on a DoD DTS contract and got accepted into the UMCP Honors College. But the year is not over for me yet. Before I rest on my laurels, I still need to do something I've been meaning to do for a long time, and get my GIAC Reverse Engineering of Malware (GREM) certification. I need to start getting roles on some higher value, bigger contracts, and I want to get a SECRET clearance or better before the end of my freshman year of college. I've been working on learning x86/x64 MASM for Windows and messing with FireEye's FLARE VM and IDA Freeware, but I think it's time to take it up a notch. I compiled a list of books recommended by current GREM holders:
  • The Malware Analyst's Cookbook (mainly for material relevant to learning; skipping OSINT and VM automation, will come back to them in future)
  • Practical Malware Analysis (mainly material not covered by the Cookbook)
  • The IDA Pro Book
  • Practical Reverse Engineering (will be my assembly refresher book)
  • The Art of Memory Forensics
  • Reversing

I'm currently following along with both Modern x86 Assembly and The Malware Analyst's Cookbook because they appear to cover a lot of the concepts in Practical Malware Analysis and use modern tools. After them I'll be moving on to Practical Malware Analysis and Practical Reverse Engineering before my exam.

I'm going to deviate a bit from the lab setups in the books. Here's what I have planned:

Linux Box:
- kali-linux-full install (includes forensics tools and YARA)
- ClamAV
- Tools provided by the Malware Analyst's Cookbook CD

Windows Box:
- Windows 7 x64 SP1
- FLARE VM (great malware analysis toolkit): https://github.com/fireeye/flare-vm
- BinDiff
- IDA Freeware 7.0 (FLARE VM only comes with 5.0)
- OWASP ZAP, my primary traffic proxy
- Tools provided by the Malware Analyst's Cookbook CD
- An old trick I learned to cut any VirtualBox VM off from the net while still allowing FakeNet to operate (no adapter, but attach the adapter)

I'm currently brushing up on my x86 ASM using this tutorial: https://0xax.github.io/asm_3/

Learning how to index GIAC style and do write-ups may be trouble, but luckily I have some resources at my disposal:

I also want to try my hand at some malware analyses and post some formal write-ups here, and some YARA/ClamAV rules to my GitHub (coming soon), just for extra prep. Resources I'm using for that:
- https://zeltser.com/malware-analysis-report/

I might post some progress before I finish prep for the exam. Until then! - Elias Augusto

Update: The Malware Analyst's Cookbook feels like a very superficial guide filled with many tools that do not even exist anymore and confusing elements. Moving on to Practical Malware Analysis.
