
Behind the scenes with the head of Kaspersky’s GReAT

Costin Raiu has been with Kaspersky since 2000, initially as the Chief Security Expert overseeing research efforts in the EEMEA region. In 2010, he became Director of our Global Research and Analysis Team (GReAT). During his tenure at Kaspersky, he has spearheaded the company’s research on some of the most infamous cyber threat campaigns in recent memory, from the highly destructive computer worm Stuxnet to the Dukes advanced persistent threat, which is believed to have targeted the White House and the US Department of State in 2014. In our interview with Costin, he spoke about the job of a security researcher, its challenges and advantages, and offered some advice for newcomers to cybersecurity.

How did you start your career in cybersecurity?

I probably got into cybersecurity by accident. It was the early 90s, when my high school’s network was infected by a computer virus, a very nasty one called BadSectors. Unfortunately, none of the antivirus products that were available back then were actually able to clean the virus, so the teachers who knew I had some experience with computers asked me if I could write an antivirus for it. That’s how I wrote my first antivirus, and from that moment on, more and more people asked if I could write them a custom solution for their problems. And slowly, this turned into a more capable antivirus product. That’s how I got into computer security.

What makes research successful?

I guess it should be something groundbreaking or otherwise special, something new that’s never been discussed before and has the potential to impact a lot of users and other people. The research is successful if we identify a new type of attack, such as some kind of hardware supply chain attack, or perhaps a sophisticated persistence mechanism which replaces one of your computer’s low-level programming subroutines with malicious code.

Here’s an example from the 90s. It was before the world knew about security vulnerabilities and zero-days. And back then there wasn’t much research into kernel exploitation. I did a bit of investigation in this direction, and managed to find a zero-day in the Windows kernel which would allow anyone to escalate their privileges and compromise the system. Then I tried to report it to Microsoft, but back then there were no good reporting channels. It was almost impossible to find somebody who would acknowledge the bug and actually patch it. It took several months of e-mails before they eventually acknowledged the vulnerability.

How do you name APTs?

We don’t have a specific scheme, which gives the researchers more freedom. If you stick to a very specific narrow scheme like an index table with a limited number of elements, you’ll soon run out of names. One thing we try to do is avoid using the name suggested by the malware authors. It doesn’t always work, but the idea that’s been here since the early days of computer antivirus research organizations is not to honor the virus writer by using the name they suggest. You should use a name that has the opposite effect, which may prevent them from producing further malware.

What was the craziest discovery you made?

It happened in April 2016, just a few days before my birthday. It was late, maybe eleven o’clock at night, when I got a message from one of my colleagues. He said something along the lines of “we’re working on something complicated, it’s very big, very dangerous, and very, very serious.” And I was like “you know it’s eleven, seriously is this some kind of a joke?” I wasn’t entirely sure it was serious, so I went to bed and woke up the next morning around seven. I opened my computer and, lo and behold, that guy was online at 7 a.m. This was very unusual for him. He does work late, but he’s usually never online before, say, 12 or 1 p.m. So, I wrote him a message: “Hey, what’s going on? Why are you up at 7 a.m.?” He replied: “I’m working on the issue, on the stuff from the last night.” I wrote: “Ok, give me some details, send me a sample.”

We started looking into it, and it was rather complex, very sophisticated. It was somewhere between 600 and 800 KB in size, and a lot of work was required to figure out what it does. I initially thought it was some kind of accidental or random malware, but it soon became obvious that it wasn’t a random incident; it was what later became known as Duqu 2.

What’s the best part of a security researcher’s job?

The best part of the job is that you never know exactly what to expect on a given day. Twenty years ago, we used to collect about one new piece of malware per day. Now that number is close to half a million new malware samples per day. And the amount of sophisticated attacks is also exploding.

For someone working in computer security, it’s both worrying and very, very interesting at the same time. We are worried that cyberarms are on the rise, and average users will be the ones who will suffer, people who just use the internet for shopping, writing e-mails or watching movies. On the other hand, this is very, very interesting for us. There is an old Chinese proverb saying: “May you live in interesting times”. I can tell you that the times we’re now living in are probably the most interesting of all time for computer security.

How do you overcome the challenges?

I guess different people around the world find different solutions. There’s artificial intelligence, which helps a lot, and there’s automation and robots, which help us manage and identify threats in a more effective manner. But cooperation and the exchange of information between researchers around the world are probably at the core of solving this problem. The Computer AntiVirus Researchers’ Organization (CARO) has advocated sharing information between trusted parties since the early days of computer security, and this is how we can fight the growing threat of computer viruses more effectively. These days, different cooperation groups have taken this to a higher level.

What advice can you give to newbies in cybersecurity?

If I were to start out in computer security again — and this is my suggestion for all young researchers who want to gain more experience in computer security — I’d probably begin by learning a programming language such as C, C++, then I’d move into two areas: reverse engineering and threat hunting, probably with YARA. On the one hand, reverse engineering is always helpful for understanding how threats operate and how to dissect different malware strains. On the other hand, YARA will help you to become more efficient at threat collection, threat intelligence, finding new types of malware, and correlating all the points in an attack.

Until safer times, join us online on webinars, join GReAT Ideas, and Security Analyst Summit (SAS) online. I hope to see you all there, and of course I hope to meet everybody in person once the pandemic is over.

Watch the full interview to learn more about Costin’s experiences. If you have a question you’d like to ask a GReAT researcher, please leave a note in the comments.