Recapping the GReAT AMA

When your company hosts an AMA on Reddit, you have to be ready for all possibilities. About four years ago, we were a bit apprehensive heading into our Global Research and Analysis Team (GReAT)’s first AMA and then the one with Eugene Kaspersky — but like Boy Scouts, we prepared. And despite the expected trolls (more on them in a bit), both events went off without a hitch for the most part.

You know, working with a global team and getting everyone on the same page was challenging even before COVID. Nevertheless, it had been a while, and we wanted to get the gang — plus a few more — back together.

Yesterday, we logged on to a virtual room for the AMA with Costin Raiu, Vitaly Kamluk, Brian Bartholomew, Noushin Shabab, Aseel Kayal, Ivan Kwiatkowski, Maria Namestnikova, Dmitry Bestuzhev, Ariel Jungheit, Dan Demeter, Igor Kuznetsov, and Kurt Baumgartner to kick off our second Reddit AMA. The event was slated to last 2 hours, but the team had so much fun, it lasted almost three times as long. Below are some of my favorite question threads of the chat.

What’s up with Antidrone?

I was glad to see the recent news of our antidrone technology caught some Reddit users’ eyes. The question and answer were pretty good.

There was a story recently about a “drone detector” originating from Kaspersky. Is that really a threat for some orgs, or is this primarily a Russian hobby?

Maria here: My neighbor has a drone, and he is Russian. So maybe it’s a Russian hobby, I don’t know. But a drone is, in many cases, just a flying camera that can make photos of anything the owner wants, be it what’s inside someone’s house or in the office, say on the monitors of the computers. So it seems there is something to worry about.

Brian here: Drones are definitely a threat to many organizations. For instance, prisons in the US are using anti-drone technology to help prevent the smuggling of contraband. The tech is also used in many public spaces, such as sporting events, large crowd gatherings, etc. for protection and monitoring. Some organizations are also concerned with corporate espionage through the use of drones.

How to learn YARA

As many a reader of this blog knows, YARA is a crucial tool for our research team as well as for many other threat hunters around the world. I’m glad to see people becoming interested in using it professionally.

I was hoping to learn Yara, but before doing that, what prerequisites should I be aware of? Do I need to know assembly, C & reverse engineering? My background is in network security.

Costin here: Yara’s syntax and strings are similar to C, so that would be a good start. General knowledge of reverse engineering helps, although we know many people who write Yara rules without ever having reversed any samples! A general feel of how malware looks like, how malware works and things like file formats is probably a good start. In case you haven’t seen it yet, do check out this short webinar I did on Yara back in March: https://securelist.com/hunting-apts-with-yara/96386/

PS: Our PR and sales are kindly asking me to try to sell you this training 🙂 Some people say it’s pretty good actually: https://xtraining.kaspersky.com/

Vitaly here: To add to what Costin said and give him some credits, please watch this short presentation written entirely in Yara about Costin using Yara to catch 0-days: https://www.youtube.com/watch?v=fbidgtOXvc0

In essence, those skills are not required, but the more you know the more tools you have to create your own perfect Yara rule!

The Catcher in the YARA — predicting black swans

How to start working in the field

I was psyched to see a number of questions about how to get into the cybersecurity field. This on stood out in particular and is one that gives me positive feelings for the future.

Do you have any idea how can I get remote job as Malware Analyst? is such position exist?

I’m 17 y/o; have read famous book in subject; currently reversing malware that I had access to (gootkit, remcos, netwalker, …) and reading Advanced Binary DeObfuscation Material

Ivan here: If you’re reversing those samples at 17 years old, I have the feeling that finding a job will not be an issue 🙂 Just keep doing what you’re doing and companies will be fighting for your services in no time!

Maria here: I totally agree with Ivan:) Just today we’ve hired an intern who is 18 and who is reversing samples and is really interested in the cybersecurity topic just like you are. So There is a way to start your career path really soon and even working remotely. Gogogo!:)

Good ol’ trolling

Of course, we expected some challenges, and sure enough, Reddit came through. Some people still cannot get over the false narrative that Kaspersky is run by the Russian Federation — seriously, that joke is old. Our folks replied in earnest, but it seemed that people wanted to dish it out, not take it. Come on — it’s Reddit!

Still working for the Russian government?

Costin here: Of course! From the banya, when we are not riding bears to the beach. We also run a chocolate factory 6 miles north of the Kremlin

Ariel here: If it ain’t broken, don’t fix it.

Ivan here: I’ve been trying for years, but as a French citizen they just won’t let me.

Brian here: Secretly for the Americans, with the Russians

Dan here: Privet!

At least some people got our point.

Hacker movies

The age-old question about hacker movies was sure to come, and our researchers had some good answers.

What’s your favourite hacker movie?

Igor Hackers, 1995

Ariel here: I’m a fan of the TRON universe.

Vitaly here: How about Mr Robot? Of course everyone knows it. But I was once surprised to see something I missed. It was Defcon Movie Night where they screened “23” and it was pretty cool! Check it out: https://en.wikipedia.org/wiki/23_%28film%29

Brian here: Matrix series

Kurt here: Matrix ++

Noushin here: Ghost In The Shell anime, Cyber City Oedo 808

Maria here: Code Mercury. Bruce Willis is the best

A modern take on the movie Hackers

AV as a target

Here’s an interesting question about whether AV is a tempting target for attackers.

What is your take on the argument that antivirus programs are juicy targets for exploits, in the sense that they are widely installed, are huge, complex, closed-source code bases which have a large attack surface area and generally run with high privileges?

Also, do you encounter and have to fend off attacks of this nature on a regular basis, or is it rare?

Ariel here: It’s a bold move to target antivirus software, not something your average attacker does. Antivirus software runs in a high privilege context in order to be able to detect and stop attacks from threats that are also executing with high privileges. There is easier software that is more widely used—word processors for example. Take a look at the exploits available for Antivirus products in the recent year—the number is so small it’s not a good reason not to use them 🙂

Kurt here: It’s rare. Take a look at what is really getting exploited – it’s not anti-malware. There is no shame; Careto had a thing for our product several years back. Although, Blackhat presenters might get more high-fives for exploiting an “AV” than Chrome.

Well, those were my favorite moments from the AMA. Take a look and let us know on Twitter what yours were. If everyone thinks it was fun, we may jump in again with the team or maybe some other members of Kaspersky — maybe we won’t have to wait four years for the next one. Until then, see you on the social webs!