SANS Digital Forensics and Incident Response Blog

Mastering Malware Analysis Skills - The Power of a Capture-the-Flag Tournament

Here at SANS, we've worked hard to deliver a Reverse Engineering Malware course packed with technical knowledge, hands-on exercises, and our insights from years of experience. Just as attackers and their tools continue to evolve, so has this course to arm participants with relevant skills they can apply immediately. As both an instructor and a practitioner, I believe the most significant addition to this course is a Capture-the-Flag Tournament. I'd like to share why I think this new content is an amazing opportunity for students to develop their malware analysis skills.

In my experience, building malware analysis skills requires several parallel efforts:

(1) Digest key concepts: With a basic foundation in computer systems, learn how to perform behavioral and code analysis to evaluate a suspect file, dissect its key functionality, assess its impact on a system, and discover potential indicators of compromise.

(2) Develop a process: Draft an approach to apply your knowledge and then iteratively improve it as you gain experience. As part of this activity, it's critical to document your efforts so you can reflect upon your analysis and eventually share your observations (I previously discussed one approach to tracking your analysis).

(3) Drill: Analyze malware. Don't just buy a book about it, don't simply read an article about it - actually experiment with real-world malicious software samples in a properly-isolated laboratory environment.

While all three activities are important for becoming a proficient analyst, the last is, by far, the most critical for internalizing malware analysis skills. This is why we've dedicated an entire day of the SANS Malware Analysis course to a capture-the-flag tournament built on the powerful NetWars platform. During this final day of class, students work through a series of challenges that involve a diverse set of real-world malware samples. This game provides participants a fantastic opportunity to apply their training from the first five days of the course, where they learn how to perform behavioral analysis, interpret assembly instructions, deobfuscate binaries and scripts, extract malicious code from documents, and mine memory dumps for malware artifacts.

[Photo caption: Participants of the FOR610 Malware Analysis Tournament]

Analyzing malicious code can be a difficult task, and understanding sophisticated malware may require days, weeks, months or more to investigate. That's why we've carefully chosen malware samples for the tournament and crafted targeted questions to emphasize the tools and strategies discussed earlier in the course.

Participants of the FOR610 malware analysis tournament presented as part of a live course at a conference have roughly six hours to test their skills against a variety of malware and collect as many points as possible. Getting a top score naturally gets you a bump in prestige, but it also puts you in the running for the coveted SANS Lethal Forensicator Coin. So far, hundreds of people have accepted the challenge of Day 6, and we've received terrific feedback. We encourage students to take a lunch break during the tournament to feed their bodies and minds; however, we find that many survive on adrenaline alone.

If you'd like to take part in this truly unique learning experience, join me at an upcoming FOR610 course.

And if this final day leaves you yearning for more malicious software to munch on, there are numerous resources you can access to download malware for your educational entertainment.

-Anuj Soni

Anuj Soni teaches FOR610: Reverse-Engineering Malware for the SANS Institute. He is also a Senior Incident Responder at Booz Allen Hamilton, where he focuses on hunting threats and double-clicking malware all day long. You can find him on Twitter at @asoni.