The Malware and Exploit Essentials course gives cyber defenders deep technical insight into the techniques malware uses to exploit vulnerabilities and intrude into systems. Starting from an introduction to operating system internals and analysis techniques, the course covers the use of debuggers as the primary tool for exploit research, as well as vulnerability discovery methods such as fuzzing, each of which is then practised in hands-on exercises.
Learning Objectives
- Introduction to memory layout, assembly language and compilation
- Use of debuggers (GDB, Immunity Debugger, WinDbg)
- Basic exploitation techniques on Linux and Windows systems
- Introduction to fuzzing
- Understanding operating system mechanisms such as ASLR, SEH and DEP, and how they are bypassed
- Basic static (IDA Pro), dynamic (OllyDbg) and behavioural analysis of different malware samples
- Writing indicators of compromise (IOCs) as YARA rules
- Hands-on training in all of the techniques covered
Target Audience
- Technical staff of CERTs, IT departments or other governmental or military entities involved in technical IT security or cyber defence.
Outline
- Introduction:
  - Course introduction.
  - Malware and exploits: basics and definitions.
- Modern OS environment:
  - Creating a program.
  - Compilation, linking, shared libraries, sections of a program.
  - Assembly introduction, AT&T vs. Intel syntax, endianness.
- Debuggers:
  - Static and dynamic program analysis.
  - Getting information about binaries.
- Buffer overflows:
  - Concept of the stack frame and a function's local variables.
  - Buffer overflows in the absence of ASLR and NX/XD.
  - Return-to-system and chaining.
- Protective mechanisms and common exploitation ideas:
  - Canaries, non-executable stack.
  - Structured Exception Handler (SEH).
  - Address space layout randomization (ASLR).
  - Data Execution Prevention (DEP).
  - Return-oriented programming (ROP).
- Examining static properties of suspicious programs:
  - Static analysis (IDA Pro).
- Performing behavioural analysis of malicious Windows executables:
  - INetSim, FakeDNS, Wireshark.
- Performing dynamic code analysis of malicious Windows executables:
  - Dynamic analysis (OllyDbg, WinDbg).
- Determining network and host-based indicators of compromise (IOCs):
  - Writing IOCs as YARA rules.
Prerequisites
- Solid working/administration experience in Linux and Windows environments, especially on the command line.
- Basic understanding of assembly and higher-level programming languages (optional).
- Programming experience in assembly, C/C++ or Python (optional).
- The course has a mandatory e-learning module (ADL 383 "Malware and Exploit Essentials Course"; see the details in the "e-Learning courses" chapter) that is available to all registered users of the NATO e-Learning Joint Advanced Distributed Learning portal. Once registered, users can reach the course by navigating to 'Centres of Excellence' -> 'COE Cyber Defence' -> ADL 383 'Malware and Exploit Essentials'.
- English language proficiency comparable to STANAG 6001 level 3.2.3.2.
NB! Please be aware of the strongly technical nature of this course: it is not a course for beginners. We strongly discourage the participation of students who do not meet the prerequisites, since the course contains advanced lab sessions that assume this knowledge; attendees without the required background are likely to hold back the progress of the whole class.
ISACA CPEs
On completion of this course students can earn 35 ISACA CPE hours.
Registration
Please register for the course via the NATO CCDCOE website by completing the registration form before the deadline. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. Should you have any questions, please contact: [email protected].
ADL 383 module certificate: the certificate is required when applying for the residential part of the course. You can download it once you have passed the final test of the e-learning module; when registering for the residential part, please email it to: [email protected]