A Review of TCM Security’s Practical Malware Analysis and Triage
Cyber-defense training and certifications are incredibly expensive. In a world where SANS charges thousands of bucks for training from world-class professionals, Heath Adams' work via TCM Security is nothing short of ‘amazing’.
I’ve been a personal fan of Heath and his continued promise to help beginners in the field progress without emptying their pockets. TCM’s Practical Malware Analysis and Triage (PMAT) is one of the latest trainings in their collection — aiming to assist up-and-coming malware analysts and help them improve their craft.
Now that I’ve successfully completed the course on my own — I figured it was time to quickly write up a review to help others get a quick idea of what the course presents and what they should expect when jumping right in.
PMAT: Practical Malware Analysis and Triage
PMAT is a fairly intensive training authored and delivered by @HuskyHacks (Matt Kelly). Looking at the target audience (as per the training’s page), it is focused on beginners and intermediate analysts looking to upskill themselves. We’ll take an in-depth look at the course curriculum later. For now, here’s what enrolling in the course gets you:
- Access to the student-only channel on Discord to receive support from the instructor and other students
- Access to 9+ hours of engaging, instructional video content
- Access to the PMAT Lab repository containing dozens of malware samples designed to teach you the fundamentals
- Course completion certificate
Course Curriculum
The curriculum covers everything from basic static analysis to advanced dynamic analysis — along with several other helpful bits, such as analyzing shellcode and macro-enabled documents.
The course curriculum is properly designed to take an analyst from start to finish — explaining the entire thought process an analyst should ideally go through while breaking down malware and reporting it to the world. Not only that, you get to work on an amazing queue of malware samples (most custom-written by Matt to assist newcomers) — at the end of which stands WannaCry (the “Boss Fight”).
Course Content
Let’s break the course down into four sections — setup, basic analysis, advanced analysis, and specialties (shellcode, maldocs, automation, etc.).
Setup is quite simple. A FLARE VM is set up alongside a REMnux machine, and the two are bridged together on a private network that isolates them from everything else. The training prerequisites do suggest that you need a good workstation to set up the lab environment successfully. However, if you’re unable to do so, you might want to try an alternative that runs on a single virtual machine, e.g. FakeNet on the FLARE VM instead of INetSim on REMnux, and check whether the objectives of the lesson are still met.
Basic Analysis was quite beginner-friendly and I loved how Matt explained concepts to ensure everyone could start on a level playing field. Static and dynamic analysis help pave the way for advanced analysis and are nicely followed up by an exercise to help put the concepts to use.
Advanced Analysis is where I’d say beginners might feel light-headed. Matt’s overview of x86 assembly and disassembling malware in Cutter was decent. Advanced dynamic analysis, on the other hand, was fairly good. However, these sections were no match for the exercise presented to students afterwards, i.e. SickoMode. The Nim-based binary and its analysis were a fairly difficult challenge (in comparison to the lessons) and presented a steep learning curve.
All in all, this section requires more exercises and in-depth explanations. I had covered some of these topics in Practical Malware Analysis (by FireEye’s analysts) and felt comfortable going through the course; however, other beginners might need serious work outside the course to understand this section properly. Perhaps the Twitch stream with the final exercise’s analysis also needs to be moved earlier in the course so that students can learn directly from Matt’s analysis. Currently, the stream is at the end of the course — where I feel it serves less purpose.
Specialties is where I felt I fell in love with the course. Analyzing malicious documents, identifying Go binaries, and working with shellcode was super beneficial and can serve as the starting ground for someone looking to specialize in these areas.
I knew what Jupyter Notebooks were, but this course was my formal introduction to the might of this amazing automation suite. Blue Jupyter motivated me to kickstart my own automation notebooks, and I’d say it would be highly beneficial for anyone already armed with the might of Python. The sections on report writing and Yara rules were handy additions and concluded the course in just the right fashion — ensuring analysts are able to produce deliverables and ensure their analysis is read by others.
Malware and Custom Samples
Every single video in the course is complemented with a malware sample — mostly custom-developed by Matt — to help analysts practice the lesson. Two challenges and a “Boss Fight” are also included in the course, which makes the learning experience quite awesome!
The “Boss Fight” — featuring WannaCry — was also an exciting challenge which ensures the analyst puts all newly learned concepts to use. However, I would strongly suggest that students review the complementary blog post attached by Matt when analyzing the malware (if they’re stuck) rather than the basic walkthrough.
Matt’s Discord
Soon after enrollment, you’ll see your glistening invite to Matt’s personal Discord server. For me, personally, this was a much-needed addition to the course, as it gives the student a bridge to the author and to other students who are likely going through the same content.
Whatever problems I’ve come across (or other students, for that matter), Matt has been quick to respond and help out in any way possible (other students were quite helpful as well). I know that as the course scales and more students come in, it might be a tad difficult for him, but by then the pre-existing knowledge in the server should be self-sufficient for anyone coming for assistance.
Conclusion
With the $30 price tag, the course is definitely a steal. The course has gray areas, but I’ve seen two students pass on suggestions (similar to my review) to Matt, and his humble response to the suggestions meant he’d be adding content to ensure the course truly serves its intended audience. I’m sure that once Matt polishes a few sections of the course, it’s going to be far more valuable than the price tag set by TCM Security.
Just to summarize a few hard-hitting questions —
Who is the course for? Beginners in malware analysis and reversing, though you should know the basics to some degree to ace the advanced sections of the course.
Should you get it? YES. If you aren’t able to solve the exercises, there’s plenty of material to help you acquire the knowledge necessary to continue. The course simply lays out a methodical way of analyzing malware. Following the course gives you a structured thought process — unlike following a random assortment of open-source knowledge, which might lead you astray.
Want to give the original course curriculum a look? You can do so here, and easily sign up for it if you feel like going through the technical course!