Thursday, July 26, 2018

How To Prepare for SANS GREM:

SANS certification is one of the most reputed certifications in the security domain. Recently one of my friends completed the GREM successfully. When I was discussing with my malware analyst friend how he is doing after the GREM certification, he told me that he usually gets at least 100 messages per month asking how to pass the GREM exam, what needs to be prepared for the GREM exam, etc.

So I asked him why he couldn't write some helpful tips for those preparing for GREM certification. He agreed to my idea and shared his input, and our newWorld team created this article:
How to get GREM certification?

First of all, we want to separate the readers based on their level:

Malware analyst - already working in an antivirus or cybersecurity role at any firm:

For you guys, GREM certification is not as tough as you think.
Please go through books like Malware Analyst's Cookbook, Practical Malware Analysis,
Windows Internals, and The IDA Pro Book.
This is more than enough to get a good score.
Additionally, you need to familiarize yourself with the REMnux VM and all of its tools.

  • When going for the exam, bring all the cheat sheets from Lenny Zeltser, the creator of REMnux; he also teaches the GREM course at SANS (a five-day course).
  • All SANS exams are open-book tests, so it is good to bring all your notes and cheat sheets.
  • Arrange all the notes in proper order and segregate them by type; it is good to keep an index for that collection. For example:
      • All plugins and tricks related to OllyDbg should be grouped under one section, such as Windows PE analysis.
      • All Windows internals related notes under OS concepts.
      • All Volatility plugin related notes under memory forensics.
      • RTF malware, DOC, PPT and macro malware notes should come under Windows document malware, which falls under non-PE files.
      • Under non-PE files, you can also add all your notes about Flash file analysis, malicious PDF file analysis, and the tools used for Office file analysis.


Malware analyst category is over!!!


Next, people in the security domain who want to get the GREM:
(Condition: willing to spend money on training)

Personally, I think it is good to take the course offered by SANS, which is very good and helpful.
If you are busy and not able to attend the five-day course, you can go for the SANS OnDemand version of the course.

After your training finishes, start dissecting malware in a controlled environment and take notes.
While analyzing malware, do not focus only on PE files; try to work on all kinds of malware files (non-PE: such as JS, PDF, Office malware, malicious HTML).

You have one advantage here: you get the proper study material, which can be referred to during your exam. So you just need to put a proper index on all the study materials.
Also, bring the cheat sheets with you; that will help.

Next category: not having enough money to afford the training, but wanting to complete the GREM.

For this, you need to spend quality time on self-learning malware analysis.
Steps:
  • Start reading all the books mentioned in the malware analyst section.
  • Install VMware on your home machine with a REMnux image and a Windows image (it is good to use Windows 7 with FLARE from FireEye).
  • Practice each and every tool mentioned in the books and the tools listed in FireEye FLARE.
  • Get familiar with the Sysinternals tools - for viewing processes, listening ports, packet sniffing tools, etc.

You need to spend at least 1000 hours on this so that you become familiar with it.

After you have familiarized yourself with all of this, register for the exam, with which you get two practice tests.
After taking the first practice test, you will understand the intensity of the SANS exam.
You have four months to face the exam, so these practice tests will give you a good idea of what the exam will be like.

All the best for your dream and one day it will come true.
