Thursday, August 1, 2013

FOR610 + NetWars = Mucho Malware Goodness

NOTE: I'm leaving this post here for posterity's sake, but this post is an archive.  I originally used it to announce the move to a 6 day format for SANS FOR610.  However,I still think it has value in highlighting the rationale behind the CTF format for day 6.

Original post follows:
I wanted to take this time to a make a formal announcement that FOR610 (SANS Malware Reverse Engineering) is moving to a six day format.  Why six days you ask?  Well, most of our other long classes are six days rather than five.  Most of our six day courses have a final day that involves some sort of capture the flag (CTF) challenge.  Who doesn't like a good CTF?  Yeah, that's what I thought...

A kinder, gentler, CTF

If the thought of a DEFCON style CTF immediately turns you off, fear not. That's not (exactly) what we're doing.  We'll encourage proper hygiene at our CTF, we'll keep the lights on, and we'll keep the music below a dull roar.  Now if you want to geek out for ~6 hours on malware and rock the house without so much as a bio break, then we won't complain, just don't disturb your neighboring teams.  There will be prizes just like the DEFCON CTF (well, not an uber badge).  If your team wins the challenge, you'll score a highly coveted Lethal Forensicator coin.

Why do a CTF at all? I want more material!

Technically, this is more material.  It's more hands-on labs to cut your teeth on. But permit me to share a story with you.  Many years ago, I took a SEC709 with Steve Sims (Exploit Development).  I showed up ready for six days of exploit development goodness. Then I got to the class and found that it was five days of learning and a day 6 CTF.  I was seriously miffed.  I even copped a bad attitude about it the first day. I got over it, but when day 6 rolled around I thought about taking the day to explore San Diego instead of doing some 'silly CTF.'  You see, I knew all this stuff and had nothing to prove (and nothing to learn) by doing the CTF.

I was punked into showing up at the CTF by a coworker.  This particular CTF was a solo event. The FOR610 CTF will be a team event, unless you are just an uber reverse engineer who doesn't need a team.  But I didn't need a team, I was going to blow this out of the water before lunch and still have the rest of the day to explore San Diego.

I needed a team....

Here's the magic of a CTF. It forced me to (quickly) come to terms with the fact that I didn't have this stuff quite as nailed as I thought.  I ran through all the labs in record time.  I don't think I cheated on any of the challenges, I didn't usually "read ahead" to the step by step answers in the labs.  In the few cases where I did, I made sure to learn the actual material.  But when the CTF started, I quickly discovered I didn't quite get it.  I swallowed my pride and spent the day hammering through the CTF (even skipping lunch).  By the end of the day, I actually tied for first place in my class of 16.  I was excited to have been a contender, but more importantly I burned more into my brain on day 6 than the first 5 days combined.  CTF forces you to demonstrate that you get it.  I've never analyzed malware that came with a lab guide. Basically, I don't want your first malware reversing experience to be on the job (that's not good for anyone).

What does the CTF look like?

The CTF runs on the popular NetWars scoring platform.  Those who have played NetWars at a SANS conference know how awesome the platform is.  I'd like to offer a plug to Ed Skoudis and Yori Kvitchko for their work on the platform.  They made my job much easier, allowing me to concentrate on the malware and not the scoring server.

We'll have challenges covering the skills we teach in FOR610, including:
  • Behavioral analysis 
  • Dynamic analysis (OllyDbg)
  • Code analysis (IDA/OllyDbg)
  • Malicious office documents
  • Malicious PDFs
  • Malicious Javascript
  • Memory Analysis
If you've never played NetWars before (or you want to see it with MOAR MALWARE) you can watch the webcast used to promote the CTF.  Building a CTF for malware RE that uses automated scoring was challenging.  I demoed the types of challenges you can expect to see and even walked through some RE challenges live.  I'll spare all the details of the webcast assuming that if you want to know them, you'll just watch it (I've rambled enough here already). 


  1. This comment has been removed by the author.

  2. I am looking forward to it, and hope to take FOR610 soon. I'm still wish I had gotten to take it at the DFIR Summit, but such is life!

  3. it will be very nice to pay for the 6th day! cause i already purchased the course in the past and i have all the GREM Books!
    i think paying for the CTF day solely really a very intelligent idea!


  4. @saudi sn1per: You're on to something, we had the same thought (great minds must think alike). I just sent an email to the alumni list. We're firming up details, but there will be an opportunity for those who have taken the course in the last two years to take a single day version of the course covering only the day 6 CTF.

  5. I think that paying for only the CTF would be a great idea, then people could have a chance to get a "feel" for how it works.

    But in short, the CTF in Vegas was simply awesome, it's the most fun that I've had in a very long time when it comes to CTF and other types of Wargames. The fact that I won was just a bonus :)

  6. Have used Kaspersky protection for many years, and I would recommend this solution to everyone.


Note: Only a member of this blog may post a comment.