Insights from a discussion between Yaniv Hoffman and Uriel Kosayev
In a recent discussion between Yaniv Hoffman and me, a core idea came back again and again: strong defense in cybersecurity starts with understanding the attacker’s mindset. Malware analysis, EDR evasion, and modern attack chains cannot be learned only from theory or from a single defensive angle. They require thinking across roles and understanding how real attackers operate in practice.
This approach is at the heart of how I teach and research malware, and it is highly relevant for students and researchers learning at TrainSec Academy.
Becoming the Enemy to Defend Against It
I explained that effective defenders must learn to think like attackers. To detect and stop real threats, you need to understand why attackers choose certain techniques, how they bypass security tools, and where defenders usually make assumptions.
Malware analysis sits between blue and red teams. By reversing malware and studying real tradecraft, defenders learn how attackers reuse code, copy techniques from known ransomware groups, and adapt quickly. This is not theory. It is exactly how attackers learn from each other in the real world.
For TrainSec students, this means that malware analysis is not just about reading indicators or signatures. It is about understanding intent, design decisions, and abuse of legitimate system behavior.
Simple Techniques Are Often the Most Dangerous
One of the strongest points raised in the discussion is that attackers often succeed by using very simple methods. Instead of advanced shellcode or complex loaders, many attacks rely on trusted, signed system tools that defenders ignore.
I demonstrated how built-in Windows utilities can be abused to fully compromise Active Directory by dumping the NTDS database. No custom malware, no suspicious API calls, and no obvious indicators. From an EDR point of view, everything looks like a normal administrative action.
This highlights a critical lesson for security researchers and SOC analysts: if you only look for complex behavior, you will miss the attacks that matter most.
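As an added illustration of this lesson (example code, not from the post or the discussion), here is detection logic run over constructed process-creation log lines. The post does not name the utilities; ntdsutil.exe and vssadmin.exe are assumed here as the commonly documented ones, and the backup-account allow-list is hypothetical. The point it shows is that matching on the tool alone is not enough: the same ntdsutil command line is routine for the backup account, so who ran it and what happened just before decide the severity.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (timestamp, host, user, command line); hosts, users and paths are made up.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "dc01", "CORP\\backupsvc",
     'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\backup\\ad" q q'),
    ("2024-05-01T13:10:00", "dc01", "CORP\\jdoe", "vssadmin.exe create shadow /for=C:"),
    ("2024-05-01T13:12:30", "dc01", "CORP\\jdoe",
     "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\Users\\Public\\n.dit"),
    ("2024-05-01T14:00:00", "ws07", "CORP\\alice", "notepad.exe C:\\notes.txt"),
]

# Hypothetical allow-list: accounts expected to run IFM exports (the scheduled backup job).
BACKUP_ACCOUNTS = {"CORP\\backupsvc"}
CORRELATION_WINDOW = timedelta(minutes=15)
# Each rule matches one building block of the technique; none is proof on its own.
RULES = {
    "ntds_ifm_export": re.compile(r"ntdsutil\.exe.*\bifm\b", re.I),
    "shadow_copy_created": re.compile(r"vssadmin\.exe\s+create\s+shadow", re.I),
    "ntds_dit_accessed": re.compile(r"ntds\.dit", re.I),
}

def tag_events(events):
    """Return (timestamp, host, user, rule_name) for every event matching a rule."""
    tagged = []
    for ts, host, user, cmd in events:
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                tagged.append((datetime.fromisoformat(ts), host, user, name))
    return tagged

def detect(events):
    """Return alerts as (severity, host, user, reason), in event order."""
    tagged = tag_events(events)
    alerts = []
    for ts, host, user, name in tagged:
        if name == "ntds_ifm_export":
            # Same command line, different verdict: context (who ran it) decides.
            severity = "low" if user in BACKUP_ACCOUNTS else "high"
            alerts.append((severity, host, user, "ntdsutil IFM export"))
        elif name == "ntds_dit_accessed":
            # A shadow copy created on the same host shortly before is the tell.
            after_shadow = any(
                n == "shadow_copy_created" and h == host
                and timedelta(0) <= ts - t <= CORRELATION_WINDOW
                for t, h, _, n in tagged)
            reason = "ntds.dit accessed" + (" after shadow copy creation" if after_shadow else "")
            alerts.append(("high" if after_shadow else "medium", host, user, reason))
    return alerts
```

Run against real telemetry, the same two rules would need tuning for the environment's backup tooling, but the structure (per-event tags, then context and correlation before scoring) is what lets a "normal administrative action" still surface.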
Modern Malware Trends Researchers Must Understand
The discussion also covered how malware has changed in recent years:
- Phishing has become more targeted and realistic, including voice-based attacks.
- Attackers increasingly use AI to generate and adapt malware.
- More malware is written in LLVM-based languages like Rust, which makes static detection harder.
- Evasion techniques now focus on bypassing both antivirus and EDR by abusing performance and detection limits.
- Living-off-the-land techniques are becoming a default approach, not an exception.
For TrainSec students, these trends explain why learning internals, operating systems, and detection logic is essential. Tools change, but attacker thinking patterns stay consistent.
The Skills That Matter Before Malware Analysis
- Understand why you want to do it and what motivates you.
- Learn to think from multiple perspectives, both attacker and defender.
- Build strong fundamentals: how computers work, how memory and CPU interact, and how networks communicate.
- Invest time and patience. There are no shortcuts.
This philosophy aligns directly with the learning paths at TrainSec, where students are guided step by step from fundamentals to advanced research topics.
Why This Matters for TrainSec Students
This discussion reflects how TrainSec approaches cybersecurity education. Courses are designed to teach how systems really work, how attackers abuse them, and how defenders can respond with informed detection and prevention.
For students and researchers, this mindset helps bridge the gap between theory and real-world security work. It prepares them not only to detect threats, but to understand them deeply and adapt as attackers evolve.
Credits and Thanks
I appreciate Yaniv Hoffman for hosting me for this great discussion. Check out his YouTube channel here: