This article is about my experience with the SANS FOR610: Reverse Engineering Malware course and preparation for the GREM examination.
Course Overview
Earlier this year, I registered for SANS FOR610: Reverse-Engineering Malware - Malware Analysis Tools and Techniques. I took the OnDemand class, as it suited my schedule better.
My overall impression of the course is that it was great. It contained less theory and was more hands-on, exactly how I like it. The course authors also did a great job of laying out the basic concepts, which I believe are necessary for anyone new to reverse engineering.
I did have a fair bit of experience with RE, as I learned a little when I was in college, but it was mostly reversing ELFs. I had never touched Windows PE files before and had not come across malicious document analysis.
Throughout the course, you learn about many tools you can use in your analysis. The exercises were the best part: lots of malware samples, and you also get to explore the capabilities of each tool comprehensively.
Preparation for GREM
Since I took the OnDemand version, it took me quite some time to finish the whole course. Once I had finished, I asked a few of my colleagues what the exam might be like, and I got the impression that this would be one of the tougher exams.
The exam has a total of 74 questions divided into 2 sections:
- 65 MCQs
- 9 CyberLive questions
Indexing
Going through the books, I did not feel the need to make an index or bookmark pages for this exam. I read through all 5 books as carefully as I could and thought that would be more than enough.
Practice Exams
The practice exams are an excellent opportunity to assess your preparation and also to plan a proper exam strategy. I used both of the free practice exams and scored 86% and 76% respectively.
The weaker result on the second one was because I was too hasty when answering questions and therefore made a lot of silly mistakes.
Final exam
The questions in the final exam were of roughly the same difficulty as those in the practice exams. I took my time on every question just to make sure I did not hastily select the wrong answer. The CyberLive questions were quite easy as well. I finished the exam at about 02:01:49 hrs and passed with 92%.
Quick Preparation Tips
- Read through all 5 books completely (you can ignore the appendix sections).
- Identify the sections you do not feel completely confident about. If you want to, bookmark those sections/topics so that you do not waste time looking them up during the exam.
- I did not personally make an index or bookmark anything, but if you think you need an index, do prepare one.
- Go through all the exercises in the course. The CyberLive questions are very direct, but a question can be worded in a way that confuses you.
- Take your time answering each question.
- If you are in doubt, use the "skip question" option to come back to it later. From personal experience, I got a question in which I was torn between 2 options, both of which seemed to be the answer. Coincidentally, the next question contained the concept/theory that helped me answer the previous one. So the skip-question feature is useful.
Summary
I liked the SANS FOR610 course, and it helped me gain a few new skills. The materials provided (books, labs) are also top-notch. The exam process via ProctorU was also really smooth and effortless.