Deeper Investigations for the SOC

This is a great first malware and incident investigations class. The goal of the class is to consider the basic workflow of a typical internal IT security/SOC analyst, but go a number of steps beyond that. Rather than just guess at the severity of a particular security alert, how deep an investigation is practical in 20 minutes? You'd be surprised. But first you have to get comfortable with all the tools and techniques. That's what we do in this class.

Who should take the class?

Anyone from SOC analysts, pentesters, developers, testers, QA, managers, journalists, etc. Anyone who wants to deepen their knowledge about how the latest threats can be quickly analyzed.


State of Malware
We start our training by looking at the current state of malware – how it is spread, what is being spread and how this impacts organizations. We will also discuss the overall process of how to analyze malware and develop a methodology that can be used for the rest of the course. Discussion will include SOC workflow and an introduction to core tools.

Command and Control
Before we begin analyzing samples, we’ll discuss how malware communicates. This will give us an opportunity to discuss domain generation algorithms (DGA) and other techniques that malware uses to avoid detection and disruption.

Open-Source Information Gathering
Once we have data that can identify our sample, we can use open-source tools to help us determine whether it is malicious and, if so, what its primary purpose is. During this section we'll look into VirusTotal and the VirusTotal API. We'll start to explore ways to automate our work with Python scripting.

Gathering Signatures and Hashes
In this section we'll cover techniques to help identify and share information about a potentially malicious sample. From generating file hashes to imphashes (import hashes) and file similarity analysis with tools such as ssdeep, we'll generate identifying data about a sample to help our analysis.
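As an added illustration of the identifying data discussed above (not course material from VDA Labs), the following Python computes the exact-match hashes an analyst would share as indicators, and then the imphash scheme: normalize each imported DLL and function name, join them, and MD5 the result. The sample bytes and the import table are constructed for the example; a real analysis would read them from the file's PE import directory (e.g. with the pefile library, whose get_imphash also resolves well-known ordinals for ws2_32, oleaut32 and wsock32 to names, which this simplified version omits).

```python
import hashlib

# Constructed stand-in for a suspicious file; not a real malware sample.
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed sample content for hashing demo" * 8

# Constructed import table for a hypothetical PE: (DLL name, function name or ordinal).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExA"),
    ("COMCTL32.dll", 17),  # imported by ordinal, no name in the import table
]


def file_hashes(data: bytes) -> dict:
    """Exact-match hashes of the file contents, the usual form of a shared IOC.

    Any single-byte change to the file produces different values, which is why
    these identify one specific file rather than a family.
    """
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def imphash_string(imports) -> str:
    """Normalize the import table the way the imphash scheme does.

    DLL names are lowercased and stripped of a trailing .dll/.ocx/.sys; function
    names are lowercased; ordinal-only imports become 'ordN'; entries are joined
    with commas in import-table order.
    """
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        func_name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{func_name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalized import string: survives repacking of data sections
    as long as the import table is unchanged, so it clusters builds from one
    toolchain or source tree."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    for name, value in file_hashes(SAMPLE_BYTES).items():
        print(f"{name}: {value}")
    print("imphash input:", imphash_string(SAMPLE_IMPORTS))
    print("imphash:", imphash(SAMPLE_IMPORTS))
    # A one-byte change alters every content hash but leaves the imphash alone.
    print("sha256 changes on edit:",
          file_hashes(SAMPLE_BYTES)["sha256"] != file_hashes(SAMPLE_BYTES + b"\x00")["sha256"])
```

The practical point for triage: a SHA-256 answers "have we seen this exact file before?", while an imphash answers "have we seen a file built the same way before?", which is why both are worth recording and pivoting on.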

Basic Malware Analysis
As we dig deeper into malware we look at basic static and dynamic approaches to analyzing it. Our goal is to develop techniques and leverage tools that allow us to find the most useful data the fastest.

Anti-Virus and Other End-Point Protections
This section will discuss how anti-malware protections, such as AV, work – we’ll dig into their strengths and weaknesses. We’ll get hands-on with anti-malware products to write our own signatures to detect malicious files on a host machine.

Delivery Methods: How Malware Gets Through the Perimeter
We'll begin this topic by discussing how malware is commonly spread. One of the more prevalent ways is through exploit kits (EK), which often require no more interaction from the user than visiting an infected website.

Deeper Malware Analysis
Once initial triage is complete, we may have to dig deeper into our samples in order to collect the necessary information and answer questions such as “what did it do” and “how did it impact the organization”. In this section we look at disassembly tools such as IDA Pro and debuggers in order to gain that deeper level of understanding.

Deeper Look at Malware: Blocking and Hunting
In this section we'll explore advanced attacks such as those initiated by an exploit kit (EK). Using indicators of compromise (IOC) we'll be able to create custom signatures, which give us the ability to proactively and retroactively block and hunt for infections.


The following standard courses are regularly conducted by VDA Labs. To see the next upcoming sessions, check the upcoming list to the right.

  • Application Security: For Hackers and Developers
  • Advanced Exploitation
  • Advanced Malware Training
  • Binary Ninja Training
  • Deeper Investigations for the SOC
  • Security Leadership Training

For any VDA class students should bring:

  • Modern laptop capable of running a VM (Player, Workstation, or Fusion)
  • Plenty of disk space (at least 70 GB free), CPU (at least 4 cores), and RAM (at least 8 GB)
  • A USB port, needed to copy the VM media to your hard drive