In late February 2023, TCM Security launched their brand-new certificate - Practical Junior Malware Researcher (PJMR, I called it pajamas). In this blog post I wanted to share my experience of taking the exam for this certification, and what it feels like to be an early adopter.
Contents:
What is the certification about?
What does the market look like?
Who is this certification for?
My experience of taking this certification
Exam difficulty
Concluding thoughts
What is the certification about?
As you might guess from the name of the certificate, the Practical Junior Malware Researcher is about practical malware analysis. This certification is a continuation of TCM's course Practical Malware Analysis & Triage (PMAT) by Matt Kiely aka HuskyHacks. The certificate is designed to test both the theoretical and the practical knowledge you built along the way, together with the malware analysis methodology the course teaches.
What you will learn if you take this course and certification:
How to safely handle malware samples
How to build your own isolated lab environment
How to use industry-standard malware analysis tools, including but not limited to debuggers and decompilers
How to write a YARA rule for your sample
How to prepare and publish your findings in a report or blog post
What does the market look like?
If you are up to the challenge, you might want to know what other vendors can offer. There is the SANS course FOR610 for slightly over $8000, followed by the GIAC Reverse Engineering Malware (GREM) certification. That is too pricey for most. There used to be a certificate from eLearnSecurity (and later INE), but the problem is that it was discontinued recently. And that's about it!
TCM Security, with PJMR, took the route of democratic pricing (as with all their other courses and certificates). At the time of writing, you can get one of the following two options:
$299 - just a PJMR exam voucher
$329 - PJMR exam voucher + PMAT course
PMAT can also be purchased separately for just $37.49.
Who is this certification for?
A quote from the TCM site:
Malware analysis is a critical skill in the cyber security field. It can be a stand-alone job role in and of itself or supplement many different roles. The job roles include Malware Analyst, Malware Reverse Engineer, Security Researcher, Threat Hunter, SOC Analyst, Incident Response, Detection Engineer, and Adversary Emulation/Red Team Operator.
I took it to support my development in Red Team Operations and I enjoyed it a lot.
My experience of taking this certification
I started my exam on Monday.
You have five full days (120 hours) followed by two more days (48 hours) to write a report. The exam is not proctored, so you are completely flexible.
When you start your exam environment, you will need a .ovpn file to connect to the lab.
You don't have to set up your own malware analysis lab: you will be provided with one, and you operate it via the browser. The course itself does cover this part, though; a fairly big portion of it is focused on safe handling of malware and building your own environment.
The exam lab consists of two virtual machines accessible over Apache Guacamole in your browser: a Windows 10 box with FLARE VM on it and a Linux one with REMnux.
The virtual machines on the exam are identical to the ones from the course.
Because the environment is provisioned automatically, there are several things you will need to set up yourself after each revert of the environment. Some of them are described in the rules of engagement that you receive right before the exam, but for others you would have to check the course's Discord server.
Luckily, the support team is there for you, and they are quick to respond. During my exam, I reported several things that could be improved to simplify the usage of the lab, and they promised to check them out.
As for the exam itself, you will be asked to dissect nine malware samples of varying difficulty. You earn points accordingly:
4x Easy Malware Samples: 75 points each
3x Medium Malware Samples: 100 points each
2x Hard Malware Samples: 150 points each
YARA rules: 175 points total
Assessment Debrief: 175 points total
To pass the exam you need to earn 950 points out of 1250 possible points, which is 76%.
You surely can do the math yourself, but the formula for success is this:
You can pass the exam by completing all the Easy and Medium samples (300 + 300 points), writing the YARA rules (175) and successfully doing the debrief (175), which adds up to exactly 950, without touching the Hard samples at all.
During my attempt, I managed to dissect all nine samples along with writing YARA rules for all of them. But was it easy?
Exam difficulty
To avoid spoiling the experience for you, I will not go into details regarding any of the samples. It is worth mentioning that everything you need to know is covered in the PMAT course.
My biggest mistake here was to underestimate how difficult the exam would be. I found the FAQ section only after my exam attempt. As this certification has "Junior" in its name, I assumed it would be easy.
NB: If something is called junior, it doesn't mean it's easy; it just indicates the entry level of the field. If the field is complicated in general, even the junior level might be quite hard, especially if you are lacking certain skills.
My plan was to spend a day or two on samples, and a few more hours to write a simple report.
Boy oh boy, I was so wrong. Let me quote the FAQ:
Everyone is different, however, we believe that:
If you are a beginner, the exam will be very difficult and we strongly recommend that you purchase the associated training.
If you are a junior malware researcher, the exam will be difficult and may require additional training.
If you are a mid to senior-level malware analyst, researcher, or reverse engineer, the exam will be of moderate difficulty.
I suffered through the whole exam week, spending all my spare time staring at the screen. Sleep-deprived and tired, I was cut off from the environment in the middle of yet another attempt to reverse a function in a Hard sample, took some hours to sleep and started writing my report on Saturday morning.
Sunday, 1:33 a.m., 64 pages later, I submitted my report to the portal.
A few days later I heard back from the team and scheduled a debrief call with TCM himself.
The debrief is relatively easy: all you need to do is present your highly technical findings to a person on a call. I personally believe this is a brilliant way to practice your soft skills.
After all, regardless of what exactly you are taking this certification for, there will be a report somebody has to read, and most likely you will need to present it.
Concluding thoughts
Was this exam easy? Not at all.
Was it fun? Yes!
Did I learn something along the way? A ton!
The PMAT course takes you from knowing nothing about malware analysis, teaches you all the fundamentals and leaves you there. The PJMR takes you even further and makes sure you learned your lesson and can apply this knowledge to any malware sample in the wild. It does not guarantee success; some of the more advanced static and dynamic analysis techniques take years to master, but you will at least be able to handle a sample and understand it to the point where a basic detection with a YARA rule is possible. To some, this is exactly the definition of being a junior: you probably can't handle all the work by yourself, but you can do the work with a little help and experience, and that is the key to success.
At the end of the journey, you receive a digital certificate like this one:
I would recommend both this course and the exam to anyone who wants to learn more about malware analysis. The practical application of these skills is wide, and TCM Security makes sure you learn all the fundamentals there.
This is a new certification, so it's not in the popular roadmaps yet.
This is the sign you've been looking for!