What Do You Need For A Career In Malware Analysis?

Programming languages, tools, degrees, certifications? Here's what you need to begin a career in Malware Analysis, Reverse Engineering, or Exploit Development.

Who Hires Malware Analysts / Reverse Engineers?


TLDR
  • A lot of places
Details:
  • Malware analysts and reverse engineers are hired by more than just Antivirus Companies. Examples of companies that hire for these roles are:
    • Financial Institutions
    • Big Brands (Google, Facebook, Walmart, Target, Boeing, etc.)
    • Contracting Companies
    • Government
    • Private Security Firms
  • Why do they hire for these roles? To protect their products, keep their customers safe, develop defense products, protect national security assets, prevent financial crime, and the list goes on.

Do You Need A Degree or Certification?


TLDR
  • No
Details:
  • Most companies do not require any degrees or certifications. Most will want you to demonstrate adequate expertise in the field you are being hired for and to show relevant experience through personal projects on GitHub, articles you've written, CTF participation, bug bounty programs, etc. Keep in mind that without a degree or certifications on your resume, you will need to list these types of outside activities to show that you are competent in this field. This experience can be gained on your own time through research and practice at home and will be tested during the company's interview process.
  • However, there are some companies and positions that do require a degree or specific certifications. These prerequisites are generally required for positions that must fulfill a compliance standard enforced by the customer. These are usually tied to federal billets.
    • If you are hired on by a company, they will often pay for training/certifications after you have fulfilled certain time requirements. This can help you move on to other positions/billets/contracts within the company or serve as a stepping stone for future opportunities.


Do You Need To Know Programming?


TLDR
  • Yes
Details:
  • For Malware Analysis, Reverse Engineering, and Exploit Development you will need to be fairly familiar with the following languages. Keep in mind that for the most part we are not developers. We write very shoddy code that gets the job done.
    • C/C++
      • Reading - High
      • Writing - Medium
    • Python
      • Reading - Medium
      • Writing - Medium
    • Assembly [x86/64, ARM, or MIPS]
      • Reading - High
      • Writing - Low


What Tools Do You Need To Know?


TLDR
  • A disassembler and a debugger.
Details:
  • You will need to know how to use a disassembler. This is your bread and butter in this career field and you will need to demonstrate proficiency with this tool. 
    • IDA Pro - This is the corporate standard, but a full license costs $5,000.
      • The free version of IDA offers most features and you need to become intimately familiar with it. 
      • Once you have access to the full version, it is a huge bonus if you learn to use the IDA API through IDA Python. This is a very desirable skill to have.
    • Ghidra - A decent alternative to IDA. This is a free disassembler that was released by the NSA and includes a hefty API available for scripting as well as a very good decompiler.
    • Binary Ninja - Free trial, paid license. Good interface and a hefty API.
    • Radare - Free and has some good GUI interfaces to make it more compatible with other disassemblers. It's ok but it doesn't compare to the others.
  • You will need to know how to use a debugger:
    • GDB - This is the universal debugger that you will need to know how to use.
    • x64Dbg/OllyDbg - These are mainly for Windows malware analysis.
    • WinDbg - This is the standard for low-level Windows debugging.
    • LLDB - Similar to GDB, but mostly used on macOS.
  • You will also need to know your way around various analysis tools, IDEs, and built-in operating system features. The best way to learn what types of tools are out there is to play around with Flare-VM for malware analysis, and you can poke around Kali for more security-testing-focused tools.


What's The Interview Process Like?


TLDR
  • Long
Details:
  • Phone interviews will go over your relevant experience and judge whether it is worth the company's time/resources to bring you in for an in-person interview. The phone screen generally lasts an hour and can range from a very informal, non-technical conversation with a recruiter to an extremely in-depth technical interview with one of the company's engineers. It varies widely.
  • Generally the in-person interview process is quite long. It can range from 2-6 hours depending on where you are applying and will usually consist of these types of activities:
    • Manual code reviews
    • Programming a solution to a problem 
    • Reverse engineering binaries
    • Analyzing malware samples
    • Exploiting binaries
    • Demonstrating proficiency with Disassemblers/Debuggers
    • Working through scenarios presented by the interviewers

Anything Else?


TLDR
  • Yup
Details:
  • You are never going to be an expert in this field. Every day will bring new challenges, technologies, techniques, bypasses, and defeats. It is an ever-revolving door of new information and you need to be ready for it.
  • Being self-motivated to learn outside of work is a requirement because there are not enough hours in the day to fully research, implement, and understand all the problems you will encounter on a daily basis.
  • I will put this as delicately as I can. You are going to beat your face against a keyboard every day trying to solve problems. You will spend so much time on these problems that you will go home and dream at night (literally) of potential solutions. You will repeat this every day until you eventually solve the thing that needed solving and you will rejoice in a sweet moment of victory before the fleeting glimpse of joy is ripped out of your presence and replaced with yet another problem.
  • Above all else, you need to be curious. Curiosity will lead you to the promised land in this field. Ask questions; keep the phrase "what if I just..." at the forefront of your mind; poke at things that aren't meant to be poked; try a new tool that will most certainly drag you through dependency hell; and pull at strings that lead you down inevitable rabbit holes, because along the way, you're going to learn something.
  • Happy Hunting.