Behind The Firewall

The clandestine(?) life of a cybersecurity researcher.


I remember the time when the first piece of software I’d install on a new PC would be an anti-virus before logging on to the internet. And the first thing I’d do after getting on the internet, was to update my anti-virus signatures. I’d then religiously click on update every day just to make sure I don’t miss those 0-day signatures.

Now, there’s a long-standing myth that anti-virus companies are the ones that develop the viruses so that their anti-virus software continues to be relevant. Regardless of whether you believe in this conspiracy theory, the fact is that the virus game has changed quite drastically in the past 5 years.

Today, the role of the anti-virus has taken a backseat and the firewall has risen to prominence. The fancy term is cybersecurity, but the objective is the same: preventing malicious software, code or people from getting into your systems.

The only difference is that the bad guys, or threat actors as ESET likes to call them, no longer want to destroy your data; they want to steal it. As more of our lives go online, everything has value, from the obvious personal data like passport and credit card information to your Netflix account. In contrast, a virus that corrupts your hard drive just seems like a juvenile prank.


So, what else does an anti-virus company do these days? Most consumer breaches happen through human means, such as phishing, which your security software is unlikely to stop since you were tricked into authorising it. Others are due to high-level hacking of large enterprises, cloud databases and even governments, which, again, the everyday user like you and me has no control over. You wake up one day, read it in the news, then hurry to change your passwords.

Now, a few months ago, I got a chance to visit ESET’s headquarters in Bratislava, Slovakia and attend their annual cybersecurity summit. It turns out that the people who work there don’t just sit around updating anti-virus signatures. Well, at least not all of them. There’s a team of researchers whose job is to track the bad guys, these threat actors, for months…years even; they find unusual patterns in internet traffic; they reverse engineer what could be malicious software to find out what it does and trace it back to its source.


Sitting at ESET’s cybersecurity summit felt like I was in an episode of CSI. The researchers presenting were not at all geeky programmers, but detectives giving a debriefing on how they cracked their cases. I was expecting reports on consumer vulnerabilities, such as the Amazon Alexa KRACK attack, and there were some. But those are boring. A vulnerability is found, it is reported back to the company or brand, a firmware fix is released. Next.

Instead, I was captivated by how Malware Researcher Matias Porolli detailed a high-level cyber espionage operation targeting Venezuelan institutions by a group called Machete, stealing seemingly random files such as Microsoft Office documents, vector images, and geographic information and mapping system data. I also heard reports on how a group of (supposed) Chinese hackers called Ke3chang (pronounced kee-three-chang) targeted diplomatic missions, and another group called Winnti targeted pharmaceutical, telecommunications and even gaming companies. All of these reports were presented with detailed timelines of known attacks and unique signatures found in reverse-engineered software that identified the groups, complete with code names and modus operandi. It was all very James Bond-like.


There was a presentation by Security Awareness Specialist Ondrej Kubovič that felt like a scene right out of Black Mirror as he talked about tracking a particular sextortion scam targeting French users in 2019. It used an advanced spambot malware called Varenyky that has screen recording capabilities and access to your webcam.

Senior Malware Researcher Anton Cherepanov provided a blow-by-blow account of how he stumbled onto a black hat hacking operation targeting Darknet users and stealing their Bitcoins. Apparently, there is no honour among thieves after all. In the end, we were reassured that he was surfing the Darknet as part of his job as a security researcher…not for personal reasons.

I managed to chat with Zuzana Hromcová, one of the analysts and the author of the Ke3chang report mentioned above, about what makes a cybersecurity researcher tick, and her insights were equally interesting.

Zuzana holds a Master’s degree in computer science with a major in computer security. In university, she enrolled in a reverse engineering course and fell in love with it, started an internship with ESET and from there continued as a full-time malware analyst.

“When I learned that there was something like reverse engineering, I liked it because I didn’t like programming that much. This was something different. You have to think about what other people have created, why they created it, how they intended that code to work, and you have to dissect it. It’s a different job. You’re not creating, you’re dissecting and analysing, and I thought that was very interesting.”

Zuzana also revealed that within ESET’s cadre of malware analysts, researchers and specialists, there are different specialisations. Some are malware hunters. ESET’s statistics show that there are about 300,000 unique malware samples per day in the wild that have never been seen before. While they have automated tools to filter and sort through the malware, analysts termed Malware Hunters specifically look for interesting malware to give the team a focus. According to Zuzana, picking the right malware to study is an art.


Zuzana herself, as an analyst, focuses on reverse engineering malware and the long-term tracking of threat actors.

“My team is responsible for malware analysis, and this is not done in real time. When malware appears, we analyse it. The tracking of these malware actors and malware families is long-term research that sometimes takes weeks, sometimes months, maybe even a year, as you’ve seen with Ke3chang.”


On the topic of software evolution, the cat-and-mouse chase with malware and the use of AI, Zuzana says her job is very technical, and because there’s that human element in investigation work, she doesn’t really make much use of AI, but she has to keep up with all the different tools and languages that are constantly evolving.

“When you’re talking about reverse engineering, all you have to do is just sit there and analyse the malware and see what it does for yourself. Maybe you’ll use some tools to make your work easier, but I don’t really use AI in that sense.

It’s technical work, right? Because malware authors are evolving, of course we need to as well. They’re using new languages or different techniques. So, we would have to master all these languages too; it’s not just reverse engineering C code anymore, but also Python code, for example. You have to adapt.”

The whole summit was a fascinating look behind the curtain of what an anti-virus company does other than a bunch of people updating virus signatures day in and day out.