Today, Jim has over 40 years of experience in the IT field including systems and database administration, and security and research in parallel processing and distributed systems. He's spent the past 20 years as a technical consultant and network security architect for AT&T doing malware analysis, forensics, incident response, intrusion detection, system hardening, and botnet tracking.
When Jim took his first SANS class in 2000, his instructor Stephen Northcutt emphasized giving back to the community. Jim sees teaching and mentoring as one way he can do that. "I've taken enough training to know that SANS provides the absolute best technical security training in the business, so I'm proud to be a part of that," says Jim. "Plus, I learn something from the students every single time I teach."
Jim has now been a SANS instructor for over 20 years, teaching a wide variety of classes ranging from packet analysis and first responder classes to reverse-engineering malware and CISSP preparation, as well as mentoring intrusion detection, firewall, and forensics courses. Today, he teaches FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques.
In his teaching, Jim strives to share his passion for the field with his students and to lead by example, sharing his experiences for others to learn from. He also focuses on hands-on experiential learning. "The only way to truly learn something is by doing," he says. "That's part of why I love most SANS classes, the hands-on exercises are the best way to learn how to actually do."
Jim notes that students often assume they need to be an assembly language expert to do malware analysis. But as he puts it, "it isn't a dark art or magic, anyone can learn to analyze malware if they put in the time."
In his classes, Jim says students learn the basics and how to recognize the important API calls and control flow, and gradually learn more assembly language as they do more reversing. "We'll show you how you can find IOCs even if you only have an hour to analyze a particular sample or how to figure out most or all of the capabilities of the malware if you have 20-40 hours," says Jim.
Since 2006, Jim has served on the GIAC board of directors, and as a volunteer incident handler at the SANS Internet Storm Center since 2002. He co-authored the SANS Press book, Securing Solaris 8 & 9 Using the Center for Internet Security Benchmark, and holds the GIAC Security Expert (GSE) certification (#26), and the GIAC GCFA, GCIA, and GREM Gold certifications. He also holds the GIAC GCIH, GPPA, GCFE, GCWN, GSEC, GPEN, GPYC, GNFA, GCDA, GCUX, GMON certifications, as well as the CISSP.
When he's not working or teaching, you'll find Jim on his recumbent bike, which he's ridden more than 1,100 miles annually on in recent years and looking for opportunities to put his instrument-rated private pilot license to use. When he's off the bike and out of the plane, Jim enjoys spending time with his family and their pets, a dog and cats.
ADDITIONAL CONTRIBUTIONS BY JIM CLAUSING:
The State of Malware Analysis: Advice from the Trenches, September 2019
Shellcode Analysis 101, June 2020
A Ghidra Test Drive, August 2019
- sigs.py - Generate md5, sha1, sha256, sha512, sha3-384 signatures from files (potentially recursively)
- mac_robber.py - mac_robber rewritten in python
- docker_mount.py - Script to read-only mount docker layered filesystems (currently supports underlying aufs and overlay2)
- tln_parse.py - Python script to replace parse.exe in Mari's KAPE mini-timeline workflow to give me good yyyy-dd-mm UTC timestamps