Secure Asia Pacific 2021

Here are just a few of the comments shared with us by FOR610 attendees:

• "Highly valuable content, greatly increased my understanding of malware and techniques to reverse engineer." - Kenneth Miltenberger, U.S. Coast Guard
• "I thought I knew reversing. This class taught me so much more and provided easy understandings of complex reversing tasks." - David Werden, NGIS
• "It is an excellent course for those who want hands-on experience understanding an under-the-hood view of malware and how it works." - Ryan Denniston, Department of Defense
• "High valuable content that has immediately boosted my skills. The day 6 CTF was awesome." - Rafe Pilling, Dell Secureworks
• "Blown away again. FOR610 is intense, challenging, relevant, and will take you to the next level!" - Matthew B., BlueCross BlueShield of Louisiana
• "The best SANS course I've ever attended, and it was easy to say that; great structure of knowledge, great teaching skills, great function." - Karel Nykles, CESNET, z.s.p.o.
• "Like all SANS courses, it exposes you to everything you need to know in the subject. It lays a foundation for you to keep learning and building the skills taught in class. Nothing could make you an expert in a topic in a week, but this class can take you from zero to a good working knowledge, so you can teach yourself to be an expert." - Dave Lassalle
• "I learned a variety of tools and techniques for malware analysis in a relatively short time, I am a better forensic analyst and I can better protect my organization." - David Bernal, ALSTOM

Important! Bring your own system configured according to these instructions!

We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

This is common sense, but we will say it anyway: Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS can't responsible for your system or data.

MANDATORY FOR610 SYSTEM HARDWARE REQUIREMENTS:

• CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class. Important - Please Read: a 64-bit system processor is mandatory.
• It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machines will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
• BIOS settings must be set to enable virtualization technology, such as "Intel-VT". Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it before class!
• 16 GB (Gigabytes) of RAM or higher is mandatory for this class Important - Please Read: 16 GB of RAM or higher of RAM is mandatory and minimum.
• USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. Therefore, a Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.
• 200 Gigabytes of Free Space on your System Hard Drive. Free Space on Hard Drive is critical to host the VMs we distribute.
• Local Administrator access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
• Wi-Fi 802.11 capability is mandatory. You'll need to connect to an in-class Wi-Fi network when participating in this course at a life event. Without working Wi-Fi, you'll be unable to participating in important aspects of the course.

MANDATORY FOR610 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS:

• Host Operating System: Your system must be running either Windows 10 Pro, Linux or macOS 10.14 or later that also can install and run VMware virtualization products described below.
• It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
• Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
• Download and install 7-Zip (for Windows Hosts) or Keka (macOS). Without these extraction tools, you'll be unable to extract large archives we'll supply to you in class.

INSTALL VMWARE "PRO" SOFTWARE:

• Download and install VMware Workstation 15.5 Pro, VMware Fusion 11.5 Pro or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
• You must get the versions of the products that have "Pro" in their name. The free non-Pro versions of these products (e.g., VMware Workstation Player) are not sufficient for this course because they do not support snapshot functionality, which we will need to use.
• Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
• VMware Workstation Pro on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions from VMware.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

FOR610 acts as a practical on-ramp into the world of malware analysis. It is useful both for individuals looking to enter this exciting field, as well as for those who seek to formalize and expand their skills in this area. Attendees who have found this course especially useful often have responsibilities in the areas of incident response, forensic investigation, information security, threat intelligence, and threat hunting. Course participants have included:

• Individuals who have dealt with incidents involving malware and wanted to learn how to understand key aspects of malicious programs.
• Technologists who have informally experimented with aspects of malware analysis prior to the course and were looking to formalize and expand their expertise in this area.
• Forensic investigators and security practitioners looking to expand their skillsets and learn how to play a pivotal role in the incident response process.

The course begins by covering malware analysis at an introductory level, then quickly progresses to discussing tools and techniques of intermediate complexity. Neither programming experience nor knowledge of assembly is required to benefit from the course. However, you should have a general idea about core programming concepts such as variables, loops, and functions, so you can quickly grasp the relevant concepts in this area. The course spends some time discussing essential aspects of the assembly language, allowing malware analysts to navigate through malicious executables using a disassembler and a debugger.

FOR610 attendees should:

• Have a computer system that matches the stated laptop requirements; some software needs to be installed before students come to class.
• Be familiar with using Windows and Linux operating environments and be able to troubleshoot general OS connectivity and setup issues.
• Be familiar with VMware and be able to import and configure virtual machines.
• Have a general idea about core programming concepts such as variables, loops, and functions in order to quickly grasp the relevant concepts in this area; however, no programming experience is necessary.

"Reverse Engineering Malware teaches a systematic approach to analyzing malicious code utilizing the latest and greatest tools and techniques. It's not earth-shattering news that the prevalence of malicious code will continue to increase for the foreseeable future. The knowledge and skills this course provides will enable those responsible for responding to and preventing incidents to better understand and respond to emerging malware threats." - Justin Kallhoff, Infogressive (Read More)

"The SANS Institute is currently the leader in the commercial IR and computer forensic training market. They have a large number of quality courses." - Incident Response & Computer Forensics, Third Edition, by Jason Luttgens, Matthew Pepe, and Kevin Mandia

"When I saw Lenny Zeltser was teaching the SANS FOR610 course on reverse-engineering malware in Prague this year, I dashed to my boss's office to beg him for approval to attend. The topic is not only very relevant to our work here at i-Force/Cyberforce but was going to be taught by one of the topic's spiritual leaders, so to speak. I haven't come across another analyst that doesn't use REMnux, the Linux distribution created and maintained by Mr. Zeltser.... So I jumped at the chance to be present. It's like having the opportunity of being trained in using the Force by Yoda himself..." - Jan Verhulst, Cyberforce (Read More)

"I'm thrilled I got the chance to take the course. I walked away with a lot of new skills and am able to provide a lot of value to my organization as a result. I now feel completely comfortable performing code analysis of malicious binaries." - Chris Sanders, Security Analyst, PhD (Read More)