Modern Malware Analysis for Threat Hunters by Josh Stroschein at DEF CON 29

    Modern Malware Analysis for Threat Hunters
    Josh Stroschein

    Prerequisites for students?:
    The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, having some familiarization with the following topics will help students maximize their time in this course:
    • Basic familiarity with Linux and the terminal.
    • An understanding of programming-language concepts such as control structures (IF statements, loops and functions), data structures (objects, structures, arrays) and variable usage will be helpful.
    Materials or Equipment students will need to bring to participate?:
    • Linux/Windows/Mac desktop environment
    • A laptop with the ability to run virtualization software such as VMWare or VirtualBox
    • Access to the system BIOS to enable virtualization, if disabled via the chipset
    • Ability to temporarily disable anti-virus or white-list folders/files associated with lab material
    • A laptop that the attendee is comfortable handling live malware on
    • Enough disk space to store at least a single 40 GB VM, although multiple VMs may be used
    What level of skill is required for your targeted audience (Beginner/Intermediate/Advanced)?
    This course is designed for a beginner to intermediate audience.

    Malware authors go to great lengths to bypass enterprise security to deliver malware, avoid detection after the initial intrusion and maintain persistence to compromise an organization. To achieve this, malware authors employ a wide variety of obfuscation and anti-analysis techniques at each phase of an attack. In this workshop, you will get hands-on with real-world malware and learn how to identify key indicators of compromise (IOCs)/indicators of attack (IOAs), apply analysis to enhance security products to protect users and infrastructure and gain a deeper understanding of malware behavior through reverse engineering.

    This workshop will utilize open-source and limited-use tools such as Ghidra, IDA Pro Free/Demo, Oledump/OleVBA, PE Studio, and Suricata to perform deep technical analysis of malware, focusing on developing effective strategies to maximize your time spent. By the end of this workshop, you will be able to analyze malicious office documents, identify signs of packing, defeat obfuscation and other anti-analysis techniques, and use traffic analysis to aid in the detection and identification of prevalent malware families. These skills ultimately allow you to generate valuable threat intelligence to aid in your efforts to defend your organization or respond to an incident.

    This is a fast-paced course designed to take you deep into malware operations – from delivery methods to payloads! Numerous labs will reinforce key learning objectives throughout the workshop, and each lab comes with a detailed lab guide. Comprehensive analysis activities and exercises are used to test and reaffirm key learning objectives and ensure attendees have a start-to-finish understanding of the material.

    Attendees will be provided with all the lab material used throughout the course in a digital format. This includes all lab material, lab guides and virtual machines used for training. This workshop will also utilize several live classroom sharing resources, such as chat and notes to ensure that attendees have access to all material discussed throughout the training. All the material provided will help to ensure that students have the ability to continue learning well after the course ends and maximize the knowledge gained from this course.

    Trainer Bio(s)
    Josh Stroschein: Josh is an experienced malware analyst and reverse engineer who has a passion for sharing his knowledge with others. He is the Director of Training for OISF, where he leads all training activity for the foundation and is also responsible for academic outreach and developing research initiatives. Josh is an accomplished trainer, providing training in the aforementioned subject areas at BlackHat, DerbyCon, Toorcon, Hack-In-The-Box, Suricon and other public and private venues. Josh is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis and reverse engineering, an author on Pluralsight, and a threat researcher for Bromium.

    Ryan Chapman: Ryan is an experienced incident response practitioner, malware analyst, and trainer. He is a Principal IR Consultant for BlackBerry, the lead organizer of CactusCon, a SANS trainer for FOR610: Reverse Engineering Malware, and a Pluralsight author. Ryan strives to imbue comedy into his trainings and loves being able to teach others while learning from them at the same time. He is a veteran speaker having presented talks and/or workshops at conferences including DefCon, SANS Summits, BSides events, CactusCon, and more. Prior to working in IR, Ryan worked as a technical trainer for over five years. "We must not teach people how to press buttons to get results. We must teach people what happens when these buttons are clicked, such that they fully understand the processes occurring in the background," says Ryan.

    Last edited by The Dark Tangent; June 16, 2021, 07:18. Reason: Removed outline, it might change before the workshop