[Technology] We are Kaspersky Lab's Global Research & Analysis Team (GReAT) AMA! (self.IAmA)
submitted 18 hours ago * by Kaspersky_GReAT
Hello Reddit!
We are Kaspersky Lab’s Global Research & Analysis Team (GReAT), a group of 43 anti-malware researchers in 18 countries around the world. We track malicious hacker activity around the globe with an emphasis on advanced targeted attacks.
We have worked on dissecting some of the biggest cyber-espionage campaigns, including Stuxnet, Flame, Gauss, Equation Group, Regin and Epic Turla and we’re currently tracking more than 100 nation-state threat actors and campaigns.
A photo just for you
You can find some of our research work at Securelist.com and our targeted attacks tracker at apt.securelist.com
Here with us are:
Proof: https://twitter.com/kaspersky/status/758281911722795008
https://blog.kaspersky.com/great-ama/12637/
Ask away!
EDIT (1:28PM Eastern): Thanks all for the thought-provoking questions. We tried to answer as many questions as possible but it was tough concentrating in this horse's head. Follow us on Twitter (links above) and keep in touch. Stay safe out there.
[–]BasselDamra 539 points 18 hours ago (98 child comments)
Hi all, if you watch Mr. Robot, on a scale from 0 to 10, rate how the show actually meets the reality in the IT security and hacking field?
[–]Kaspersky_GReAT[S] 650 points 18 hours ago (93 child comments)
Costin here: Mr Robot is a strong 9.5 for me. Most of the scenes are top class and the usage of tools, operating systems and other tiny details, from social engineering to opsec is very good. I guess having help from some real world security experts (the folks at Avast did a great job! - https://blog.avast.com/2015/06/25/are-the-hacks-on-mr-robot-real/) helped. I particularly enjoyed some of the quite realistic scenes, such as the poor developer who can’t help fixing the broken Bitcoin bank and the parking lot USB key attack.
Juan here: Admittedly having only watched the first season, some of the depictions of hacking are surprisingly good. Particularly enjoyed seeing their depiction of how quickly a phone can get backdoored with the right preparation (less than the span of a shower).
[–]moviuro 135 points 18 hours ago (66 child comments)
So, are you KDE or GNOME? ;-)
[–]Kaspersky_GReAT[S] 299 points 18 hours ago (64 child comments)
Costin here. I’ve been using various *nix systems for over 20 years, so I can say that I’ve spent a considerable amount of time on both KDE and GNOME. About five years ago I switched most of my systems to Ubuntu, so currently, Unity it is. Sorry if that disappoints. ;-)
[–]BowlerNona 172 points 16 hours ago (3 child comments)
Blasphemy!
[–]nicesmartguy 7 points 6 hours ago (0 child comments)
Burn the heretic!
[–]zombie_girraffe 79 points 13 hours ago (35 child comments)
Now on to the real holy war: vi or emacs?
[–]Kaspersky_GReAT[S] 299 points 13 hours ago (33 child comments)
vim, of course!
[–]konrad-iturbe 40 points 11 hours ago (15 child comments)
Tabs or spaces?
[–]Sir9toes 52 points 10 hours ago (7 child comments)
How is that even a question... It's Tabs or nothing!
[–]roedtogsvart 21 points 9 hours ago (0 child comments)
Tabs
Heathen.
[–]mehehem 116 points 13 hours ago (1 child comment)
This guy fucks
[–]TueTueTue 86 points 13 hours ago (8 child comments)
The only correct answer.
[–]Ajfried22 38 points 15 hours ago (5 child comments)
I3 Wm for me
[–]Wyatt915 29 points 13 hours ago (2 child comments)
[–]MuonManLaserJab 26 points 14 hours ago (0 child comments)
Tiling master race
[–]CaptPikel 26 points 15 hours ago (11 child comments)
XUbuntu is best Ubuntu
[–]hcsLabs 41 points 14 hours ago (0 child comments)
You are now a moderator of r/pyongyang r/xubuntu
[–]LifeWulf 4 points 14 hours ago* (9 child comments)
Do any of them offer desktop slideshows with different wallpapers on each monitor (edit: and keep the collection automatically up to date)? I've tried everything from Unity to Gnome to XFCE to LDE to KDE to whatever Deepin Linux uses and so far the best I've gotten is the Variety program, but that stitches wallpapers together into one big one so it's not quite the same thing.
[–]CaptPikel 12 points 14 hours ago (4 child comments)
XUbuntu (Ubuntu with XFCE) does this naturally. Right click Desktop -> Desktop Settings -> Bottom of the options is the ability to change background every X amount of time. It does it per desktop if you have multiple monitors. I have 2 monitors and just tested it. Pretty trippy to set them both to change once per second.
[–]LifeWulf 6 points 14 hours ago (3 child comments)
Odd, I tried Xubuntu about two months ago and couldn't get it to work independently, only the same wallpaper for both monitors
[–]SgtCheeseNOLS 66 points 14 hours ago (8 child comments)
0 to 10, how is this NCIS scene?
https://www.youtube.com/watch?v=msX4oAXpvUE
[–]Kaspersky_GReAT[S] 87 points 14 hours ago (1 child comment)
Up to eleven!
[–]rdrean 23 points 8 hours ago (3 child comments)
holy shit. I've never seen that show BUT when they both started typing in tandem!! thank you for that!!!
[–]vicarion 28 points 13 hours ago (2 child comments)
He backdoored the phone's owner first...
[–]konrad-iturbe 23 points 11 hours ago (1 child comment)
Let's say he was... A penetration tester ( ͡° ͜ʖ ͡°)
[–]Pchelovod54 29 points 15 hours ago (0 child comments)
how quickly a phone can get backdoored with the right preparation (less than the span of a shower).
Here is a play by play of that scene:
http://spycasa.com/depiction-android-spyware-mr-robot/
[–]gigabyte898 5 points 14 hours ago (3 child comments)
That USB scene was really good, it's a tactic used fairly often. It's how the Stuxnet virus infected computers at the power plant. Too bad it went rogue :(
[–]TheMSensation 23 points 14 hours ago (1 child comment)
Check out this Easter egg from the season 2 premiere.
https://0x41.no/mr-robot-s02e01-easter-egg/
[–]hockeyking655 9 points 13 hours ago (0 child comments)
This is absolute insanity, I love this show.
[–]bobmuto 90 points 18 hours ago (18 child comments)
In what way are average citizens affected by your work and the malware you fight?
Should I worry about being the victim of one of these "advanced targeted attacks?"
[–]Kaspersky_GReAT[S] 141 points 17 hours ago (17 child comments)
Costin here. In general, advanced threat actors go after governments, military, big companies, cutting edge research institutions, financial and banks, activists and scholars. If your profile fits into one of these then yes, you should worry about high end threat actors. However, if you’re not necessarily affiliated with one of these, you can still be caught in the middle of cyberwar between superpowers. For instance, you might visit a watering hole and get infected simply because you were in the wrong place at the wrong time, or your personal information can be stolen and used for identity theft at a later time.
For the average person however, perhaps the most worrying thing in my opinion is the constant escalation of cyber conflicts as more and more nation states obtain cyberstrike capabilities and work to develop their cyber armies.
[–]ThisIsAnApplePancake 22 points 15 hours ago (16 child comments)
What are the steps that we can take to protect ourselves?
[–]karsh36 240 points 14 hours ago (1 child comment)
http://imgur.com/i3IfafU
[–]throwaway131072 71 points 14 hours ago (9 child comments)
Depends on how much you care. If you really care, start by switching off Windows/OSX onto linux distributions, like Debian, use a VPN, get an Android phone with a robust modder community and install an open-source compiled firmware without the google apps suite (including the store), and manually install only fully open source and community trusted software. Research how to build a secure and reliable personal email and storage server, nothing "cloud based".
Of course, doing this will also make you a more interesting target, so if you really care, then maintain a simpleton or even false digital life without evidence of your activities that you feel would make you a target in the first place.
[–]mastapsi 7 points 7 hours ago (0 child comments)
Honestly, you don't. Ultimately, if a nation state actor gets you, on purpose or as collateral damage, there is really nothing as an individual you can do to stop them from achieving their goals. This is true pretty much at every level, from personal to government and large corporations.
The current security paradigm against APT (that's Advanced Persistent Threats, essentially well funded, usually nation state actors) is to ensure continuity of operations and disaster recovery.
APT is going to get what it wants. Your job is to make sure you get what you want, not to stop them. Much like locks on houses, cyber security controls only keep honest people and unskilled or unfunded hackers out. The real threats will always find a way.
[–]voltagex 90 points 18 hours ago (12 child comments)
What's a good way for a garden-variety programmer to get into reversing and binary analysis? (not necessarily malware as I know I'd manage to infect myself).
I've had a number of false starts trying to learn x86 assembly - mainly because I don't have a specific goal.
[–]Kaspersky_GReAT[S] 153 points 18 hours ago (8 child comments)
Brian here: This is a very difficult thing to learn on your own. I struggled with it for years until I started doing a lot of hands on reversing challenges and capture the flags. Right now, there is one being held by Palo Alto which has a really cool Windows/Unix reversing track. I would recommend starting with something like that, where you are doing things with your hands instead of simply reading a book. Also, a great book that I recommend everyone in our field read is Practical Malware Analysis. It has fantastic labs to go along with each chapter and is very well written. The short answer here is, keep on doing it and don’t give up. One day it will just “click” and you’ll be tearing apart nation state malware before you know it :)
[–]mnkb99 22 points 16 hours ago (4 child comments)
What would you say, for a computer science student learning security on their own would be a better way to go, breadth or depth. From what I've done, wherever I peek, even in the "simpler" topics there seems to be quite the amount of things to grasp and learn about and I'd say the entire security field requires almost proportional amount of knowledge in the specific security area as well as technology in general (for example, the difference in assembly Intel and AT&T syntax is one thing, but the difference in Windows and Unix is a whole other equally important). Also, any mandatory starting points from which you can build upon? Thank you!
[–]Greenouttatheworld 24 points 15 hours ago (3 child comments)
Go for breadth first across network, OS, application, mobile, web based security.
After a while assess which one you gravitate towards more often, the one that seems more interesting to you, go into depth on that one.
Just my $0.02.
[–]castle_and_elephant 14 points 13 hours ago (2 child comments)
This quite literally can apply to anything in life, but people don't trust themselves and so they choose the one they think they "should" go into.
[–]bluesoul 17 points 13 hours ago (1 child comment)
As a quick aside, I put together all the binaries in Practical Malware Analysis in one place.
https://bluesoul.me/practical-malware-analysis-starter-kit/
It's a great book for starting to learn how the process goes, but I feel malware analysis and cybersecurity in general is sort of a capstone course; you need to know networks, operating systems, just about everything, plus the security aspect.
[–]UntalentedKeyhole 144 points 16 hours ago (8 child comments)
Question especially for the Russia guys - how can we trust that Kaspersky isn't being leaned on by Russian intelligence services to downplay reporting? Specifically talking about situations like Red October/Cloud Atlas actors, where there clearly appears to be a Russia/CIS component.
[–]Kaspersky_GReAT[S] 180 points 16 hours ago (7 child comments)
Costin here. First of all, we’re a multi-national team. Our members are distributed across 18 countries. This means the chance of any nation state influencing everyone is very small.
Secondly, we like to think we were the first to publish and expose more Russian-speaking APTs and operations than any other security company out there. Some examples off the top of my head: RedOctober, Miniduke, TeamSpy, CozyDuke, Epic Turla, Turla Satellites, Blackenergy router attacks, CloudAtlas. According to my knowledge, no other company has published more APT reports on Russian-speaking APTs than us. Check https://apt.securelist.com (our APT tracker) for all our work.
[–]acidRain_burns 41 points 12 hours ago (2 child comments)
Thanks for answering the question with stuff we can verify... I actually wanted to know the answer to this, but doubted you would address it in a meaningful way. Even though it still leaves doubt in the air, this was reassuring. I might take another look at Kaspersky for my machines. Thanks for the excellent answer.
[–]Nova_Terra 10 points 9 hours ago (0 child comments)
He goes so far as to say that they are a team distributed across 18 countries, which so may be the case but surely there is some degree of oversight from a desk in Russia somewhere in the higher branches of the tree.
People who work in multinational organizations might also understand, sure not every decision or change management goes to the higher branches of the tree but something damning or anything that could rub someone the wrong way would surely be declined or given a cease and desist rather quickly.
[–]King_Sobieski 5 points 3 hours ago (0 child comments)
Think I'm late to the party here, but since you guys have published so much on Russian APTs have there ever been instances where Russian officials told you guys to stop reporting on certain APTs or has there ever been any kind of danger especially for your Moscow-based people?
Really love your guys' work!
[–]Fellidae 10 points 9 hours ago (1 child comment)
BUT WHAT IF IT'S SIMPLY THE RUSSIAN GOVERNMENT GIVING YOU ACCESS TO LOWER LEVEL OPERATIONS TO DEFLECT SUSPICION OF COOPERATION WHILE HIGH LEVEL OPERATIONS CONTINUE?
jk, I think you guys are alright. Even have a subscription with kaspersky.
[–]K1llAllHumans 69 points 18 hours ago (3 child comments)
Were there any situations when cybercriminals threatened you guys for your work?
[–]Kaspersky_GReAT[S] 126 points 17 hours ago (2 child comments)
Costin here. Andrada Fiscutean wrote a rather nice article on this for Motherboard. I’d say that nowadays, few cybercriminals are bold enough to threaten security researchers, but it does happen from time to time, mostly with security researcher journalists.
Juan here: you’d be surprised how many of them have lawyers.
[–]Fr33wor1d 127 points 18 hours ago (17 child comments)
What do you consider the hardest part of your job? (it can be technical or moral or whatever)
What's the most dangerous situation you have been in for doing your job?
Thanks!
[–]Kaspersky_GReAT[S] 295 points 18 hours ago (10 child comments)
Costin here. I’ve been working in computer antivirus research for more than 22 years. Everything was pretty nice and easy before 2008. Then almost overnight, nation state sponsored attacks appeared. I guess the first big one was Aurora, which hit Google, Yahoo and others. Ever since, my job has been getting more and more complex, from all points of view. Some of the trickiest things to think of include: “when to publish a report?”, “when is research truly finished?”, “is it ethical to research only threats from one side of the world but not another”, “who did it” and “why did you publish it”. I try to navigate around these with a simple system - we research and publish on any kind of threats, no matter the origin. When research is complete and we feel confident our analysis is strong, we publish. And on the internet, answering “who did it” is sometimes impossible...
[–]Maladjusted_Jester 48 points 15 hours ago (1 child comment)
Ahh yes, the South Park approach. Always been a fan of that one. We're all equal after all.
[–]Kaspersky_GReAT[S] 120 points 17 hours ago (5 child comments)
Vicente here: We, like everybody else, only have partial visibility of things. That makes it extremely hard to make some decisions unless you have a very clear code of conduct. In my opinion, we are living in a world where our work has an impact and ethics should be properly set. I like to think of ourselves like doctors or scientists, working based only on technical stuff and not letting other factors decide for us. And that's not always easy.
I have not been in any really dangerous situations, but definitely in a bunch of weird, and sometimes scary, ones. There are others who have dealt with some ‘situations’.
[–]roi_scmag 194 points 18 hours ago (25 child comments)
Hi guys - I'm Roi - I write for SC Magazine UK. I was wondering if you had any predictions with regards to when we will start seeing mass casualties and perhaps even death from hacking into ICS? Is it possible now? Following from the German steel mill attack, the Black Energy malware and the Swedish air traffic control attack it feels like we're on the brink of something but not quite there yet. Who in your opinion does ICS security well? Do you have any opinions on what the state of the UK CNI is like?
[–]thedecibelkid 278 points 15 hours ago (6 child comments)
ICS = Industrial Control Systems
[–]shaggorama 32 points 15 hours ago (1 child comment)
[–]topo10 9 points 13 hours ago (0 child comments)
Totally read my mind. I was like what in the world does an outdated Android OS have to do with anything?
[–]Digging_For_Ostrich 10 points 15 hours ago (0 child comments)
Thank you!
[–]Kaspersky_GReAT[S] 276 points 17 hours ago (9 child comments)
Brian here: Hey Roi, great question and a tough one to ask to the experts. In my opinion, it’s a matter of time before someone, somewhere decides to cross that line and cause casualties. If you look at all the critical systems that are still unsecured and vulnerable to attacks, all it would take is one crazy person and a general understanding of how ICS works to inflict damage to the masses. This is why securing ICS should be the #1 thing policy makers and other experts in the field should be focusing on right now. We need more voices like yours out there asking these tough questions to the appropriate people. Regarding who does it well...Again in my opinion, no one is doing it “well”. Well isn’t good enough. It needs to be impenetrable and right now, that’s not the case. This isn’t a mythological unicorn any longer. It’s been done before, and will only get worse.
Vitaly here: Honestly, I don't want to think about it. Last time I thought about the possibility of malware crossing the border between virtual and physical worlds to destroy a physical object, Stuxnet happened just the next month. I was thinking only about "why so soon?" back then. I feel the same strange feeling every time I hear about sudden disasters such as crashed planes, derailed trains, etc. A security researcher, widely known as halvarflake, said earlier this year (reconstructed from my memory): "Physical objects can be owned and/or possessed by you. Computer systems have additional dimension, which is control: you may own a computer, possess a computer but with current systems design you can never be sure who is in control". This is what wakes me up at night, because this illusion of control we have over computer systems opens infinite possibilities to create tragedies by people who use their power against others. From my point of view, this is what makes the human race primitive.
[–]munchiselleh 38 points 16 hours ago (7 child comments)
Just to clarify, what makes us primitive in your opinion? The fact that we buy into an illusion of control, or because we as humans will/would cause mass casualties using these illusions?
[–]Kaspersky_GReAT[S] 344 points 14 hours ago (5 child comments)
Vitaly here. The fact that we use our evolutionary development against ourselves makes us primitive. I'd probably prefer to be an engineer of an intergalactic space-travelling gate now. Yet, I am working in a massive planet-size industry that protects "us" from "ourselves". C'est la vie.
[–]I_Done_A_Think 51 points 13 hours ago (0 child comments)
This is an excellent, yet horrifyingly true, answer. Good on you for being so honest whilst representing your company, it's nice to have AMAs that aren't purely about pushing an agenda/content.
Very poignant answer as well. That our best & brightest are focusing on protecting us from ourselves, rather than solving the bigger challenges facing our species.
[–]pilekrig 23 points 13 hours ago (0 child comments)
Incredible response here.
[–]borninalandslide 26 points 15 hours ago (0 child comments)
Swedish air traffic control attack
FYI: Swedish air controllers debunk cyber attack disruption theory, Solar storms blamed for outage
The outage correlated perfectly with the solar storm (Swedish) according to the official investigation by LFV (Civil Aviation Administration).
[–]sdglksdgblas 6 points 15 hours ago (1 child comment)
German steel mill attack
which company ?
[–]m1c0l 6 points 13 hours ago (0 child comments)
They didn't release the company name. https://www.wired.com/2015/01/german-steel-mill-hack-destruction/
[–]RandomActsFL 67 points 18 hours ago (4 child comments)
Thanks for doing this.
Could you explain to us non-techies how metadata and other data can be used to attribute hacks such as the DNC attack and Stuxnet? What can and can't be altered such that firms like Kaspersky can attribute accurately?
[–]Kaspersky_GReAT[S] 79 points 18 hours ago (3 child comments)
Brian and Juan here: This is a great question and very rarely answered in detail, partly because letting the adversaries know what you use in attribution allows them to manipulate the very same data. There is really little that can’t be faked or manipulated and this is why the industry has such heated debates sometimes over attribution.
The main pieces that seem to be used a lot in attributing attacks usually focus around languages used in the code, the times when the malware was compiled, motivation behind the attacks, types of targets, IP addresses used during the attack, where the data is being sent to after, etc. All of this is used in a sort of “matrix” to determine the potential players when discussing attribution. In the case of the DNC attacks for example, many experts agree that the malware used in the attacks as well as some of the infrastructure used, only belong to two “groups”.
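As an added illustration of one indicator named in the answer above (the times when the malware was compiled), this Python sketch is not from Kaspersky or the original thread. It reads the compile timestamp from PE headers, discards stamps that cannot be genuine, and finds the UTC offset under which the rest fit a working day; the sample headers, the 09:00-18:00 window and the 1995 floor are assumptions constructed for the example.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EARLIEST_PLAUSIBLE = datetime(1995, 1, 1, tzinfo=UTC)  # assumed floor, tune per corpus


def build_sample_pe_header(compiled: datetime) -> bytes:
    """Constructed test input: minimal DOS stub + PE signature + COFF file header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: offset of the PE signature
    coff = struct.pack("<HHIIIHH", 0x014C, 1, int(compiled.timestamp()),
                       0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970, UTC)."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)


def timestamp_problem(compiled: datetime, first_seen: datetime):
    """Reason string when the stamp cannot be a real build time, else None."""
    if compiled < EARLIEST_PLAUSIBLE:
        return "zeroed or pre-1995 timestamp"
    if compiled > first_seen:
        return "compiled after the sample was first seen"
    return None


def best_utc_offset(stamps, start_hour=9, end_hour=18):
    """Whole-hour UTC offset that puts the most stamps inside a Mon-Fri working day."""
    if not stamps:
        return None, 0

    def hits(offset):
        local = (s + timedelta(hours=offset) for s in stamps)
        return sum(1 for t in local
                   if t.weekday() < 5 and start_hour <= t.hour < end_hour)

    scores = {offset: hits(offset) for offset in range(-12, 15)}
    best = max(scores, key=scores.get)
    return best, scores[best]


def profile(samples):
    """samples: iterable of (name, pe_bytes, first_seen)."""
    usable, rejected = [], []
    for name, blob, first_seen in samples:
        compiled = pe_compile_time(blob)
        reason = timestamp_problem(compiled, first_seen)
        if reason:
            rejected.append((name, reason))
        else:
            usable.append(compiled)
    offset, in_window = best_utc_offset(usable)
    return {
        "hours_utc": Counter(t.hour for t in usable),
        "rejected": rejected,
        "best_offset": offset,
        "in_window": in_window,
        "usable": len(usable),
    }


# Constructed corpus: ten builds on Mon-Fri, 2-6 March 2015, plus two bad stamps.
FIRST_SEEN = datetime(2015, 6, 1, tzinfo=UTC)
BUILD_TIMES = [(2, 6), (2, 10), (3, 7), (3, 14), (4, 9),
               (4, 12), (5, 11), (5, 13), (6, 8), (6, 14)]  # (day, UTC hour)
SAMPLES = [
    (f"sample_{i:02d}",
     build_sample_pe_header(datetime(2015, 3, day, hour, 30, tzinfo=UTC)),
     FIRST_SEEN)
    for i, (day, hour) in enumerate(BUILD_TIMES)
]
SAMPLES.append(("zeroed", build_sample_pe_header(datetime(1970, 1, 1, tzinfo=UTC)), FIRST_SEEN))
SAMPLES.append(("future", build_sample_pe_header(datetime(2031, 1, 1, tzinfo=UTC)), FIRST_SEEN))

if __name__ == "__main__":
    report = profile(SAMPLES)
    print("rejected:", report["rejected"])
    print("builds per UTC hour:", sorted(report["hours_utc"].items()))
    print(f"best fit: UTC{report['best_offset']:+d} "
          f"({report['in_window']}/{report['usable']} builds in working hours)")
```

A good fit is only one cell of the attribution "matrix": the timestamp is a writable header field, which is why impossible values are rejected first and why the result is never conclusive on its own.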
[–]PetalJiggy 13 points 12 hours ago (1 child comment)
I didn't realize the DNC attacks were already being analyzed to that degree, such as recognizing the malware. Does anyone have a link about this?
[–]hamburglin 7 points 7 hours ago* (0 child comments)
They were analyzed before the news broke. Or rather, that's why the news broke:
https://www.washingtonpost.com/world/national-security/cyber-researchers-confirm-russian-government-hack-of-democratic-national-committee/2016/06/20/e7375bc0-3719-11e6-9ccd-d6005beac8b3_story.html
Guccifer 2.0 became a thing the instant the news of the DNC being hacked went live last month. Here is a round up article of the data trying to prove Guccifer 2.0 is indeed Russia and not some random hacker:
http://motherboard.vice.com/read/guccifer-20-is-likely-a-russian-government-attempt-to-cover-up-their-own-hack
[–]N3xCess 28 points 18 hours ago (12 child comments)
I am aware of the work Kaspersky and other agencies are doing involving Ransomware, what preventive measures are in place to prevent a malicious coder from introducing a virus or worm like propagation mechanism? In other words, if these go from being black hats spreading them, to independent spreading via hard code can we honestly expect current antivirus scanning methods to be sufficient?
[–]Kaspersky_GReAT[S] 33 points 17 hours ago (11 child comments)
Juan here: I think it’s important to understand that good modern anti-malware software isn’t just ‘virus scanning’ anymore. There are a ton of different systems packed together working off of one another to examine behavior and detect malicious actions whether it’s obvious that the file was going to do that off-the-bat or whether it changes its behavior once it’s running on the system. With ransomware in particular, our heuristic engine (System Watcher) is primed to catch not just different variants of ransomware but the behaviors themselves that ransomware would normally take so that we can not just detect and stop it but also rollback any changes to the system live.
[–]zampson 10 points 15 hours ago (8 child comments)
How effective is your rollback process? I've had a few clients (both business and personal) that had to tear down, rebuild, and restore due to ransomware. If your software offers a real solution to this our shop would consider a change.
[–]Kaspersky_GReAT[S] 41 points 15 hours ago (5 child comments)
Juan here: Someone in marketing will kill me if I don’t try to make a sale here :P.
Basically, on the tech end, System Watcher is constantly checking processes on the system for matches of heuristic signatures that match the actions of ransomware. So even if it’s an unknown variant, System Watcher is likely to catch the actions and perform a rollback on the files changed (like if you suddenly see a string of files getting encrypted). Nothing is perfect but we work very hard on this technology and it’s given us good results so far. (Pro-tip: Make damn sure people don’t install the product but disable system watcher!!!)
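An added example, not Kaspersky's System Watcher code and not part of the original thread, of the general idea described above: judge a process by what it does to files, and undo its writes once the behaviour matches. The entropy cut-off, time window, threshold, process IDs and file contents are all assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import defaultdict, deque

HIGH_ENTROPY = 7.0     # bits/byte; assumed cut-off, encrypted data sits close to 8
WINDOW_SECONDS = 10.0  # assumed sliding window
MAX_CONVERSIONS = 3    # assumed: distinct files turned high-entropy inside the window


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


class WriteMonitor:
    """Toy write monitor; `files` (path -> bytes) stands in for the disk."""

    def __init__(self, files):
        self.files = files
        self.preimages = defaultdict(dict)     # pid -> {path: content before first write}
        self.conversions = defaultdict(deque)  # pid -> (time, path) low->high entropy writes
        self.blocked = set()

    def on_write(self, when, pid, path, new_content):
        """Apply one write; returns 'denied', 'allowed' or 'rolled_back'."""
        if pid in self.blocked:
            return "denied"
        old = self.files.get(path)              # None means the file is being created
        self.preimages[pid].setdefault(path, old)
        self.files[path] = new_content
        # Only overwrites of existing readable files count, so an archiver that
        # creates a new compressed file is not treated as encrypting user data.
        if old is not None and shannon_entropy(old) < HIGH_ENTROPY <= shannon_entropy(new_content):
            recent = self.conversions[pid]
            recent.append((when, path))
            while recent and when - recent[0][0] > WINDOW_SECONDS:
                recent.popleft()
            if len({p for _, p in recent}) >= MAX_CONVERSIONS:
                self.rollback(pid)
                return "rolled_back"
        return "allowed"

    def rollback(self, pid):
        """Restore every file the process touched and refuse its later writes."""
        for path, original in self.preimages.pop(pid, {}).items():
            if original is None:
                self.files.pop(path, None)
            else:
                self.files[path] = original
        self.blocked.add(pid)


def noise(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(size // 32))


TEXT = b"Quarterly report: revenue up, costs flat.\n" * 50
EDITED = TEXT + b"edited by user\n"

# Constructed event stream: (time, pid, path, new content)
EVENTS = [
    (0.0, 100, "/home/u/notes.txt", EDITED),      # editor saving a document
    (1.0, 200, "/home/u/backup.zip", noise(1)),   # archiver creating a new file
    (5.0, 666, "/home/u/report.txt", noise(2)),   # burst of overwrites begins
    (5.4, 666, "/home/u/notes.txt", noise(3)),
    (5.9, 666, "/home/u/budget.csv", noise(4)),   # third conversion trips the rule
    (6.1, 666, "/home/u/todo.txt", noise(5)),     # refused after the rollback
]


def replay(events):
    files = {p: TEXT for p in ("/home/u/report.txt", "/home/u/notes.txt",
                               "/home/u/budget.csv", "/home/u/todo.txt")}
    monitor = WriteMonitor(files)
    return monitor, [monitor.on_write(*event) for event in events]


if __name__ == "__main__":
    monitor, verdicts = replay(EVENTS)
    for (when, pid, path, _), verdict in zip(EVENTS, verdicts):
        print(f"t={when:4.1f} pid={pid} {path}: {verdict}")
    print("blocked:", sorted(monitor.blocked))
```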
[–]zampson 9 points 15 hours ago (1 child comment)
Thanks, I'll give it a trial run on a couple of machines to start, see how we like it.
[–]Kaspersky_GReAT[S] 23 points 15 hours ago (0 child comments)
Ryan here: We think it's very effective but you should test it for yourself.
[–]banya_addict 154 points 18 hours ago (27 child comments)
Hi all,
So I always read your reports with attention, and I came across something funny in the Equation report. It was a good report on the NSA toolset I must admit, but as we say, devil is in the details.
So if we read the report, we see:
18. How did you discover this malware? We discovered one of the first EQUATIONDRUG modules during our research into the Regin nation-state APT operation.
And while looking at 9412a66bc81f51a1fa916ac47c77e02ac1a7c9dff543233ed70aa265ef6a1e76, mentioned in your report as an "EquationLaser installer", I saw that you detected this sample back in 2006 when Regin was not yet used; but wait this isn't the best part yet.
Let's look at these pictures: [1] [2], [3]
We can see that on the first submission the malware is already signed by some antivirus companies, and that two days later all of them except Microsoft have deleted it. But, when this is resubmitted in 2015 everyone and many others detect it, and with the same signatures.
So my question is: why did you, amongst other antivirus companies, delete a signature for an NSA malware in 2006, only to put it back later?
[–]Kaspersky_GReAT[S] 144 points 17 hours ago (9 child comments)
Vitaly here. The file you are referring to was added to our virus collection on the same date (24.08.2006) and was never removed. I guess Costin is right. In 2012 it was additionally added to our cloud-based detection collection (for KSN-based products).
There is no conspiracy here, but it's funny that before Stuxnet was discovered Eugene Kaspersky used to say that we could have had nation-state developed malware or police tracking tools in our malware collection which we detected as yet another backdoor. He was right, but back then maybe we did not have enough skills and techniques to discover and track such actors.
[–]Rollingprobablecause 47 points 15 hours ago (3 child comments)
This is a refreshing response considering most attack/def companies tout their code as the best. The humbleness is appreciated.
[–]Kaspersky_GReAT[S] 53 points 15 hours ago (2 child comments)
Thank you :) We like to be as honest as possible and we believe all AV companies should have this mindset.
[–]UntalentedKeyhole 20 points 15 hours ago (4 child comments)
Vitaly, to your point on "back then maybe we did not have enough skills and techniques to discover and track such actors" - what do you believe has changed that would allow you to detect new threats going forward? In other words, how confident are you that you are suited to detect current-gen or future-gen APT material?
[–]Kaspersky_GReAT[S] 51 points 15 hours ago (3 child comments)
Vitaly here again. How confident can you be when you see a ghost in a room? Are you sure that the ghost has no ghost-friends in the same room? We simply do our best. If you can do better, we'd be very happy to talk to you. So far, this is new land to all of us in infosec and we are just trying to make the first steps very carefully without falling into a trap. And by the way, we are bringing up our own future-gen at homes to detect and fight future-gen APT materials. :)
[–]UntalentedKeyhole 13 points 14 hours ago (2 child comments)
If you can do better, we'd be very happy to talk to you.
Vitaly, Thanks for the response re: ghosts. I had actually considered GReAT, but was a bit put off from the "must have X published papers or presentations" requirement in the job posting. How exactly would somebody from a career in researching APTs in a "not in the public eye" capacity fit in with your team?
[–]Kaspersky_GReAT[S] 41 points 13 hours ago (1 child comment)
Vitaly here. You don't have to be great to start, but you have to start to be great. A person that thinks like a hacker will always find a way around. What if it's part of our selection process? ;-)
[–]theoptionexplicit 13 points 12 hours ago (0 child comments)
What if it's part of our selection process?
Something like this?
[–]Kaspersky_GReAT[S] 62 points 17 hours ago (10 child comments)
Costin here. Hey, that’s a funny username. That’s a good question, however I think you’re seeing steam when there is no banya :). Back in 2006, VT would err from time to time, so it wouldn’t properly scan a sample with all antivirus products. This still happens from time to time and it doesn’t mean anyone dropped detection, only that something went wrong when VT re-scanned the sample. I can say for sure that we didn’t drop the detection in 2006.
[–]kingnachomanrulz 24 points 16 hours ago (5 child comments)
banya parit, zdorovye darit
[–]Itsalongwaydown 70 points 15 hours ago (10 child comments)
What do you recommend as the best anti-virus software?
[–]Kaspersky_GReAT[S] 99 points 15 hours ago (6 child comments)
Really?
[–]Itsalongwaydown 62 points 14 hours ago (3 child comments)
So is it McAfee or Symantec?
[–]JLS137 9 points 10 hours ago (0 child comments)
I'd go with ESET.
[–]dhshawon 5 points 11 hours ago (0 child comments)
It's Casper the friendly ghost.
[–]USxMARINE 26 points 9 hours ago (0 child comments)
Welcome to Reddit.
[–]Iceman_259 11 points 5 hours ago (0 child comments)
/r/IAmA question and answer of the year
[–]WildAnimalFights 23 points 18 hours ago (2 child comments)
Hello Kaspersky Lab researchers,
I know you avoid attribution as a policy, but it seems fairly evident that most state-level targeted attacks seem to be carried out by the so-called major cyber powers (U.S., U.K., Russia, China, Iran, etc.). For the sake of this question, let’s assume attributional indicators reflect reality. Why don’t we see more state-level hacking activity carried out by developing or undeveloped nations? It would seem that the cyber espionage game is completely democratic with the wide availability of cheap and free remote access and post exploitation tools.
[–]Kaspersky_GReAT[S] 35 points 17 hours ago (0 child comments)
Vicente here: Following your assumption, it would make sense that countries with more resources to spend in such operations would be the most active, which would reflect the list you mentioned. That does not mean that developing countries don’t participate in such operations, however many times they use external resources as it is cheaper than developing major “cyber-capabilities”. That, among other things, makes attribution more difficult (developing an advanced and unique weapon is not the same as using a common one).
Also you should consider the “media exhaustion” factor that unfortunately also might limit the information distributed for some campaigns. If someone discovers a campaign of a small tiny country targeting their small tiny neighbour, you probably won’t read about it in any major publication.
[–]sergiocastell 22 points 18 hours ago (2 children)
Just saw the KasperskyES tweet and decided to ask something I had in my mind for a long time ... I saw several informative videos related to Stuxnet, and its particular way of attacking SCADA embedded systems. The drivers they used to attack the Windows systems at first instance were signed with JMicron and Realtek certificates. How do you think the attackers got into those? Did they previously attack those companies to get them, or...? Also, when you discovered you got attacked by Duqu 2.0, how did Kaspersky react to that? And, how was the security breach discovered? (I read it was thanks to an alpha version of your Anti-APT solution, but wanted to know more about that). Thanks for making this AMA, hope the team enjoys it, and also thanks for your incredible job!! :)
[–]Kaspersky_GReAT[S] 40 points 17 hours ago (0 children)
Brian and Juan here: OK, so for the first part, as with many other attacks using valid certificates, our best assumption at this point is that those certs were stolen in some way. Whether or not the actors did it themselves, received it from someone else who stole it, or possibly stole it from another thief, the most logical answer is that the cert was used without consent from those companies. At the time GReAT published research into Stuxnet, it was noted that both companies had offices in the same physical location, which suggests an interesting possibility of how the attackers may have gone about getting those.
Regarding Duqu 2, we reacted the same way any other AV vendor would when discovering a very advanced adversary on your networks...We screamed in a pillow for a bit, then went to work figuring out what they deployed. It was discovered in part using an early version of our Anti-APT product called “KATA”. After the initial surprise wore off, we have to admit the reversing ninjas had a great time with it ;)
[–]marqo09 44 points 17 hours ago* (7 children)
As a fellow RE, I find myself admiring certain elegance and tradecraft used by the actors. I'm curious to know which malware family each of you are impressed with most?
It would also be great to hear why? (e.g. Duqu2.0 impressed me by bypassing the klif interceptor via in memory patching to leverage the KLIS driver's self-defense mechanisms)
[–]Kaspersky_GReAT[S] 92 points 17 hours ago (6 children)
Brian here: I’m fairly partial to Turla, mostly because of their history, longevity, and ability to stay hidden for long periods of time. Their latest toolset we just analyzed literally made me want to jam a pencil in my eye. It was a JavaScript based malware that was heavily obfuscated, ran in memory, and used nothing but Wscript and WMI. While not a very advanced tactic, it has been extremely effective against some VERY high profile targets and was a PITA to analyze. They are also VERY good about having their stage 2 malware only work on the intended target of the attack, preventing reversers who might get the sample from VT or somewhere other than directly from the victim from even decrypting the payload to analyze it.
I envy actors who are very effective at what they do, stay quiet, and make my life hell, and occasionally add a “red herring” in there to send you down some rabbit hole.
[–]munchiselleh 21 points 15 hours ago (2 children)
> and was a PITA to analyze
You guys really like your acronyms, don't you? Thanks so much for the interesting AMA! Having watched Mr Robot recently, I think you picked a great time.
[–]Zumochi 6 points 8 hours ago (1 child)
PITA? Pain in the ass/arse.
[–]munchiselleh 10 points 6 hours ago (0 children)
It was a joke. There are so many acronyms in this AMA I thought it was funny he used one for a colloquial swear
[–]bbuc 41 points 18 hours ago (8 children)
In summer 2013 Edward Snowden came to Russia. A few years later Kaspersky Lab published information about Equation Group at the Kaspersky Security Analyst Summit (SAS) 2015.
Some media are saying that Snowden works as an IT consultant for some unnamed company. For example here: https://rg.ru/2014/12/23/snouden.html
So here are my questions:
[–]Kaspersky_GReAT[S] 53 points 17 hours ago (7 children)
Costin here. We have no connection whatsoever with Edward Snowden. As far as we know (based on media reports), he works for a company as webmaster or sysadmin. We didn’t use any of the information from the Snowden leaks to discover the Equation Group - actually, there is no information in any of the leaked documents that could allow somebody to find anything. This is because the documents have been carefully redacted, removing data such as unique DLL names or processes, which could allow someone to catch the malware. We discovered the first Equation sample while analysing a multiple infection on a computer we call “The Magnet of Threats”. This computer has been infected by many other APTs, including Regin, Turla, Careto, Animal Farm, in addition to Equation.
Currently, we have no data on the whereabouts of the Equation Group - it went dark in 2014. However, it still remains one of the most sophisticated APTs we’ve ever analysed.
[–]Arkeros 23 points 17 hours ago (6 children)
Is the magnet of threats something you set up, or is there some granny out there playing gotta catch em all?
[–]Kaspersky_GReAT[S] 47 points 17 hours ago (5 children)
Costin here. The Magnet of threats is our nickname for a computer system belonging to a research institute in the Middle East. This is not something we have set up, it’s just a computer which for some strange, unknown reason, has become the target of some of the best APTs in the world. Based on our knowledge, it’s a pretty unique situation, which never repeated again after the publication of our analysis on Regin. Yes, this probably means the other guys read our research too.
[–]banya_addict 6 points 16 hours ago (0 children)
> it’s a pretty unique situation, which never repeated again after the publication of our analysis on Regin. Yes, this probably means the other guys read our research too.
FVEY already did CCNE using Regin plugins in 2010, they did not wait for your research to come public.
cf. this TS//SI Snowden document Discovering aliens on CNE infrastructure
[–]bbuc 10 points 16 hours ago (2 children)
Does this Magnet of threats computer belong to Malek-Ashtar University of Technology in Iran? If so how do you sell your software to Iranian users, since in 2013 Iran was under sanctions?
[–]IAmTheSysGen 16 points 14 hours ago (1 child)
Because it is a Russian company?
[–]rbevans 16 points 18 hours ago (1 child)
Security breaches are not going to go anywhere any time soon to the extent that the United States now has a cyber incident severity schema. My question: what are your thoughts on how the government can tackle this issue or should the government not be involved in the civilian sector?
[–]Kaspersky_GReAT[S] 31 points 17 hours ago (0 children)
Juan here: Difficult difficult question. There’s definitely a big role for government to play in tackling this issue. More importantly, in a way it has to be the government doing some of these things. For example, the debate on ‘hacking back’ is one that I’d rather not extend beyond the powers of the public sector (as what you might call an extension of the government’s ‘monopoly on the legitimate use of violence’). At a time when attribution is artisanal and reliable attribution is nearly impossible, I’d much rather certain government agencies handle the recourse to hacking back entirely.
Now, as to what government can do right now, two things come to mind:
Private sector cooperation with law enforcement is essential in taking down certain types of very troubling malware, like Ransomware. When the crypto is properly implemented, the best thing that can happen is to have law enforcement cooperation to seize C&C servers so we can make decryption software and services for the victims. We can’t seize the servers ourselves so open and empowered cooperation is important.
Information sharing initiatives are awesome and there aren’t enough of them with really key sectors, like the financial sector, healthcare, and even certain specialized sectors of tech. These sectors need expertise but often feel they cannot or should not share for fear of the stigma of a hack or potential legal repercussions. It’s great when governments step in and provide a safe haven for companies to reach out, share what they know, what concerns them, and receive the help they need.
[–]moviuro 15 points 17 hours ago (6 children)
How do you get your hands on Virus/Malware samples?
Do you work with large companies to feed you the malware they receive?
[–]Kaspersky_GReAT[S] 24 points 17 hours ago (5 children)
Vicente here: We, like every security company, share big amounts of malware with other companies in the industry. We have agreements for sharing samples, and we also get new ones as we find them in the wild. That could be a new virus detected in one of our customers, or that we proactively found such samples in a malicious server, for instance.
[–]buso 14 points 17 hours ago (8 children)
Hello Team! Thank you for doing this. How much and what kind of education did you go through to get into this field? How profitable is it compared to less technical careers? Have you ever had to testify as an expert witness on a case? What was the experience like?
[–]Kaspersky_GReAT[S] 40 points 16 hours ago (7 children)
Brian here: I know my scholarly friends will hate this answer, but for myself, I failed out of college. Yes...I had a .16 GPA. That said, I fell into the field because I always liked pulling things apart and seeing how they worked. I am a huge advocate for people attending University and completing their degree, simply because it shows drive and follow through. But, unfortunately, the majority of schools today do not teach the skills needed to hit the ground running in our field. Much of what we do is learned through experience and hands on training.
As for profitability, I think we make a damn good living and the perks are up there too. Where else can you go to work, track bad guys, learn something new every day, and still be a nerd all while making a nice pay check? It’s a very unique field and we need more GOOD people! As for testifying in a case, this is usually left to people we like to call “expert witnesses” (at least in the States). They possess very specific training and processes needed to be able to testify in a legal matter. I personally don’t want to be bothered with red tape and rabid lawyers, so I chose to stay out of that realm.
[–]Kaspersky_GReAT[S] 39 points 16 hours ago (4 children)
Juan here: To add to Brian’s excellent answer, we really do need more good people. One thing I found really striking as I got to know people in GReAT and other researchers doing great work in the industry, a lot of them are not CS grads, nor engineers. I happen to know a brilliant researcher who is a PhD in Physics. Some who never graduated high school. It was Philosophy and Logic for me. You get the sense that the more identifying feature here (apart from a love for technology) is the drive to learn new things all the time and leverage that knowledge in cool ways. The security landscape evolves quickly and drastically and it takes constant work to stay on top of it.
[–]Amythir 6 points 14 hours ago (0 children)
What would be the best way to enter into the field? I have a bachelor's in information studies and technology.
[–]buso 7 points 16 hours ago (1 child)
Thank you all for answering our questions.
[–]Kaspersky_GReAT[S] 10 points 16 hours ago (0 children)
You're welcome :)
[–]Squiggy_Pusterdump 16 points 17 hours ago (26 children)
For the every day person, is there a "safer" operating system? I hear all kinds of debates. RIP Windows XP.
[–]Kaspersky_GReAT[S] 53 points 16 hours ago (25 children)
Costin here. I’d say that nowadays, an operating system is as important as the web browser or PDF viewer you use. This is because most of the attacks happen either through the web, abusing a vulnerability in your browser, or e-mail, through a malicious attachment. With that in mind, we like Google Chrome a lot and try to use it when possible over other browsers. Make sure you have an ad blocker installed, KB SSL and a password manager.
If you want to go a bit higher in terms of security, consider switching the user agent - so use Chrome with a Firefox user agent and Firefox with a Chrome user agent. Deploy Microsoft’s EMET if you run Windows and make sure Windows itself is 64 bit. For now, I try to stay away from Windows 10, since it collects too much telemetry for my taste.
The next level would be using multiple computers, running different OSes, such as Windows 8.1 x64, Linux and a Mac, and constantly switch between them. Read your e-mail on the Windows machine but open the attachments on the Mac. Browse the net on the Linux machine and so on.
Common sense also goes a long way.
[–][deleted] 11 hours ago (12 children)
[deleted]
[–]ctrlckey 7 points 8 hours ago (11 children)
It's just his opinion. He's one of the premier security researchers in the world, so he's likely more on the extreme privacy side of the scale.
You don't go into that field without an extremely healthy skepticism of any data being collected and sent without your knowledge.
[–]Senray 14 points 16 hours ago (2 children)
Several years ago, Kaspersky proposed heavy government regulation of Internet use, including "Internet drivers license". Do you stand by this, and if yes, why?
[–]DeedTheInky 4 points 6 hours ago (0 children)
Article & quote for anyone who's interested:
That's it? What's wrong with the design of the Internet?
There's anonymity. Everyone should and must have an identification, or Internet passport. The Internet was designed not for public use, but for American scientists and the U.S. military. That was just a limited group of people--hundreds, or maybe thousands. Then it was introduced to the public and it was wrong…to introduce it in the same way.
I'd like to change the design of the Internet by introducing regulation--Internet passports, Internet police and international agreement--about following Internet standards. And if some countries don't agree with or don't pay attention to the agreement, just cut them off.
[–]jerrie86 9 points 17 hours ago (5 children)
What's the worst Virus attack you have seen?
[–]Kaspersky_GReAT[S] 26 points 17 hours ago (4 children)
Costin here. It depends how one defines worst. Certain malware incidents remain in history as some of the worst in terms of effects and repercussions in the real world.
My top includes:
The Blaster computer worm
The CIH virus
The Stuxnet worm
The Ukraine 2015 BlackEnergy power grid attack
Duqu 2.0 :)
[–]SurrogateOP 9 points 8 hours ago (2 children)
Newbie here. Are there any books that cover the context and background of these incidents to the layman?
[–]kourkour 9 points 17 hours ago (4 children)
About to finish Software engineering degree, what does one do to get involved in security? My uni sure as hell has no 'formal subjects' on the issue and I don't know how I'd get involved. Internship? Are there online courses? Or do I have to just go ham and do self-research?
[–]Kaspersky_GReAT[S] 29 points 16 hours ago (3 children)
Costin here. For me, security has always been the most interesting aspect of computer science. No matter what I was doing, security would come on top as one of the main issues to care about. In my case, I became serious about security in high school, when our network was infected by a virus named BadSectors.3428. Back then, no antivirus product was able to detect it, so using my assembler skills I took it apart and wrote a cleaner for it. I remember spending half a day and a whole night to do it – I was so afraid that somebody else in our school would come up with a solution faster than me.
After this incident, my friends started sending me other computer viruses and asking for cleaning tools. By this time my parents had bought me a 16Mhz 80286 computer with 1MB of RAM and 40MB of HDD, which is where I developed my antivirus called “MScan”, later renamed RAV.
If security is something you enjoy, I recommend applying for an internship with a large internet security company. It’s an excellent opportunity to see if this is something you enjoy.
[–]Kaspersky_GReAT[S] 14 points 16 hours ago (1 child)
Vicente here: In my opinion you can find online all the materials in the world to get you started, and even more. Probably a formal education can guide you and save your time, so I believe it is worth checking the formal syllabus just to know first steps and how everything is related. From there probably you want to explore yourself using such materials that you can find (a few books, free trainings, online videos, etc.), see which areas are most interesting for you and how far you can get with what you have. But play around! Don’t stop just when reading something, you need to experiment by yourself. And at this point is where you really want to pay for professional trainings and courses, when you can appreciate why you are paying (let’s say) 5k for a 2 days training.
[–]kourkour 5 points 16 hours ago (0 children)
You knew assembly in high school? What a boss.
[–]IamDroid 12 points 16 hours ago (1 child)
This is a robbery. Give me your hacks or ill hack you. ̿̿ ̿̿ ̿̿ ̿'̿'\̵͇̿̿\з= ( ▀ ͜͞ʖ▀) =ε/̵͇̿̿/’̿’̿ ̿ ̿̿ ̿̿ ̿̿
I find this type of work interesting but I have literally no experience. Besides linda.com and khanacadamy, what's a good place to start?
[–]Kaspersky_GReAT[S] 16 points 15 hours ago* (0 children)
Juan here: I’m a huge fan of Xeno Kovah and Corey Kallenberg’s courses on http://opensecuritytraining.info/. They do a great job explaining low-level material (for x86 particularly) that doesn’t usually get covered and is essential for good reversing and malware analysis. Learning C and Python can’t hurt either ;)
[–]nailed2gether 8 points 17 hours ago (2 children)
As Artificial Intelligence (AI) becomes more pervasive are we opening ourselves up to a threat that we may not be able to overcome? I might read too much speculative fiction but machines achieving consciousness and turning on humans looks like it might happen. Should AIs be rigged with a kill switch? What's your take on AIs and do you consider them a possible threat?
[–]Kaspersky_GReAT[S] 21 points 17 hours ago (1 child)
Vicente here: One of the main problems with AI is its name - a bit too excessive. Artificial Intelligence (so far) is a collection of methods and algorithms to help with various tasks, especially the ones involving tons of data, which is very interesting in the Internet era. Having the ability to “learn” based on this data, basically improving their results based on previous ones, makes those algorithms really good in a particular task with time.
Now, moving from there to self-consciousness is a different thing. In my opinion we are very far from there, but for an external observer it might look like the amount of services that we use constantly and appear to be incredibly smart, this might look like real intelligence. See the “Chinese box” experiment to get the idea, but at this point maybe this is more a philosophical question than a technical one.
[–]NuclearNutsh0t 10 points 17 hours ago (12 children)
Hey Kaspersky Team! So I've recently been infected with some malware, Adware, and at least a couple Trojans. I've done what I could and used a couple tools to fix the majority of this problem, but am still worried that there might be infected files still kicking around that my anti malware programs missed. So I was wondering if you guys have any tips or tricks that you'd like to share on some of the methods and tools you guys use when you run into these problems? Whether it's free or paid for, definitely open to ideas... Thanks in advance if you do respond!
[–]Kaspersky_GReAT[S] 12 points 16 hours ago* (10 children)
Brian here: Have you tried running our AV on your system? Not to drop an obvious answer here, but that’s where I would start. Other than that, if you’re that paranoid, wipe and reinstall the OS. Or move to Mac. There’s no viruses on Mac :). OK, all joking aside, I would install a couple of different AV products to get the best coverage with respect to detecting known threats. Then I would look in all the normal places malware tends to hide; Registry keys for autorun, startup folder, temp folders, Windows directory, etc. Check for files modified / added around the time of when you suspected you got infected.
Check your running processes and look for things out of the ordinary. Again, if you’re still thinking there is something on your box, wipe it and reinstall. I can’t tell you how many times I did that growing up because of some stupid virus that I could figure out. Or, just move to Mac :)
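The timestamp check Brian describes (files modified or added around the suspected infection time), sketched as an added Python example that is not part of the AMA or of any Kaspersky tool. The function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Assumed list of extensions that usually carry executable or script content on Windows.
RISKY_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".lnk"}


def files_changed_near(roots, suspected, window_hours=24):
    """List files under `roots` with a timestamp within +/- window_hours of `suspected`.

    st_mtime is the last content modification. st_ctime is the creation time on
    Windows and the last metadata change on Unix. Both can be rewritten by
    malware, so a clean result narrows the search but does not prove a clean system.
    """
    center = suspected.timestamp()
    lo, hi = center - window_hours * 3600, center + window_hours * 3600
    hits = []
    for root in roots:
        # os.walk skips directories it cannot read instead of raising.
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue  # file vanished or is locked
                matched = [
                    label
                    for label, ts in (("mtime", st.st_mtime), ("ctime", st.st_ctime))
                    if lo <= ts <= hi
                ]
                if not matched:
                    continue
                hits.append({
                    "path": path,
                    "matched": matched,
                    "mtime": st.st_mtime,
                    "risky": os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS,
                })
    # Executable and script files first, then oldest to newest.
    hits.sort(key=lambda h: (not h["risky"], h["mtime"]))
    return hits


def build_demo_tree():
    """Create constructed sample files around a made-up infection time 30 days ago."""
    suspected = datetime.now() - timedelta(days=30)
    root = tempfile.mkdtemp(prefix="triage_demo_")
    # File name -> offset in hours from the suspected time (all constructed).
    samples = {"updater.exe": 1, "notes.txt": -2, "helper.js": 240}
    for name, offset_hours in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        ts = suspected.timestamp() + offset_hours * 3600
        os.utime(path, (ts, ts))
    return root, suspected


if __name__ == "__main__":
    demo_root, when = build_demo_tree()
    for hit in files_changed_near([demo_root], when):
        flag = "RISKY" if hit["risky"] else "     "
        stamp = datetime.fromtimestamp(hit["mtime"]).isoformat(timespec="seconds")
        print(flag, stamp, ",".join(hit["matched"]), hit["path"])
```

On a real machine, pass the directories named in the answer (startup folder, temp folders, Windows directory) as `roots` and widen `window_hours` if the infection time is only a rough guess.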
[–]sewer56lol 8 points 12 hours ago (4 children)
YOU CAN ALSO JOIN US BRETHREN WITH UNIX-LIKE FOSS SYSTEMS OPERATING MAINLY ON THE LINUX KERNEL, IN THE CASE THAT YOU DECIDE WE LACK IN RESOURCES, WE HAVE OUR PITCHFORKS READY!
Actually, joking and pitchforking aside, I'd recommend for anyone to have a try with a 'Unix-like' system, or Linux (despite being a kernel) as people tend to call it for their convenience, you might find that you may come to love it.
Many distributions, largely built around free software can offer various user experiences which could suit an individual's tastes.
There is always a distro for everyone, for example, Tails can be used for those who are extremely privacy conscious or if you like the Mac-like interface try ElementaryOS (or the Elementary desktop environment) etc. There's even Hannah Montana Linux if you'd like to try 'every style, every shoe, every colour'.
Unixlike systems, as with the POSIX principles tend to be secure by design, as for those, well, at least for those running on the Linux kernel, there isn't really any interest of writing malware to infect the 1-2% of all internet users, many of which are reasonably savvy. Of course that argument technically ignores the amount of servers hosted on those machines, but the chances of infection are still much lower.
[–]Aemon12 5 points 17 hours ago (3 children)
How do I build a career in computer security (networks)? Is the military a good way?
[–]Kaspersky_GReAT[S] 11 points 17 hours ago (1 child)
Costin here. I guess it depends a lot on where you live. In Israel, the military, especially Unit 8200 is seen as the starting point of a successful career in computer security. In other places, formal education, such as MIT works well.
For me personally, experience worked best. I’d recommend you apply for an internship at a security company and start learning security from the real world. Unfortunately, too many of the formal education systems nowadays are well behind what is happening in the real world. I’ve seen people finish university with a computer science degree, however, they didn’t know any practical security, only 5-10 years old theory.
[–]laststance 3 points 15 hours ago (0 children)
Do you have any good sources or material? Or is the security community more of a "if you really want to learn, you'll find it" type of scene? It's a general consensus that most of the practices taught in formal education is more about how to approach the problem, the practices are very outdated since it's a constant race/evolution.
If there are courses, which do you recommend?
[–]deepankarmalhan 7 points 16 hours ago (1 child)
Hi everyone,
I'm a CS junior who became really interested in cyber security after taking a security course in my sophomore year (a 400 level course - intense but awesome). My question to you guys is: 1. How did each of you start out in security? How did you focus in on Malware Analysis? And 2. What steps would you recommend I take to learn more about MA (books, online courses, etc.)? 3. What does your day look like at your jobs? And what steps did you take to get to your current jobs (any certifications, etc.)?
Thanks for doing this awesome AMA! I'm learning a lot reading through all the other answers.
[–]dog_knight 5 points 17 hours ago (6 children)
Most of us know basics around protection of our personal computers (anti-malware software, limiting permissions, sourcing applications from reputable sources, using tools like EMET, etc). What are some of the not so mainstream methods you use to protect your personal computers that may not be obvious or known to most people?
[–]Kaspersky_GReAT[S] 8 points 17 hours ago (5 children)
Juan here: Great question! To be honest, each person on the team has their own security quirks, ranging from things as simple as tape over the webcam to sniffing everything on your own home network. It’s hard to issue blanket advice because there’s a certain amount of threat modeling involved. What I mean is: what sort of attackers and attacker resources can you reasonably expect to be spent on you? Would I advise my grandmother to have an out-of-band network tap? No. But if you’re handling sensitive IP, scientific research, gov secrets, etc., it may not be the most outlandish thing.
[–]Kaspersky_GReAT[S] 10 points 17 hours ago (3 children)
Vicente here: Just to highlight some of Juan's great advice, I think sniffing the network you are connected with an external device is one of the best methods to discover if you are compromised. Obviously needs some work when checking for any suspicious connection, but having this data logged somewhere works wonders.
[–]Zircon88 5 points 15 hours ago (2 children)
How would one go about doing this without spending years reading up? Is there some dummy's way of doing this or not really?
[–]TheMadMiner 7 points 16 hours ago (2 children)
Why comic sans?
[–]Kaspersky_GReAT[S] 13 points 16 hours ago (1 child)
Why not?
[–]Ch33sefiend 11 points 18 hours ago (1 child)
Have you watched CSI:Cyber? :D
[–]Kaspersky_GReAT[S] 30 points 18 hours ago (0 children)
Brian here: Yes and it’s terrible. But I do enjoy laughing out loud at it.
[–]rastapasta9 10 points 17 hours ago (3 children)
If you could be stuck on an island with Jesus Christ or Barack Obama which one would it be?
[–]Kaspersky_GReAT[S] 98 points 16 hours ago (2 children)
Brian here: Jesus. Simply because he can make wine from water. And I would need to be really drunk to survive living on a deserted island with only Jesus and myself.
[–]jonnybravo_14 7 points 13 hours ago (1 child)
Brian and Jesus marooned on a desert island? I see a Monty Python movie in the making.
[–]karnikaz 4 points 16 hours ago (2 children)
Did hacktivists try to recruit any of you and how would / did you react?
[–]Kaspersky_GReAT[S] 25 points 15 hours ago (1 child)
Vitaly here. Due to internal budget issues, hacktivists usually don't recruit, but get recruited. Guessing the follow-up question: no, we don't recruit hacktivists. Guessing the next follow-up question: hacktivists recruit hacktivists. And the next one: we don't know who was the first hacktivist. Vitaly, stop talking to yourself. OK. Over.
[–]b214n 7 points 16 hours ago (2 children)
Can I get a Ferrari paddock pass for the USGP?
[–]Kaspersky_GReAT[S] 3 points 15 hours ago (0 children)
Juan here: Sure, as soon as I get one for my Ferrari-addicted uncle...
[–]UntalentedKeyhole 5 points 15 hours ago (1 child)
You guys go against what are presumably well-funded criminal organizations and nation-states. Have you ever felt personally threatened by the work you do?
[–]Kaspersky_GReAT[S] 7 points 14 hours ago (0 children)
Brian here: Every day. But what keeps me going is knowing we are doing good for the rest of the World by working these threats. Also, keeping a good state of awareness and not doing dumb stuff when on travel to other places helps as well. There are some researchers though that have it worse than me as they live in places where they aren’t afforded a certain level of protection from their governments. These are the folks that are generally more concerned with their safety.
[–]Bristleb4ck 5 points 14 hours ago (2 children)
How the hell are we supposed to pronounce Kaspersky? Is it "kasper sky", "kasper skee" or "kaspErskee" or wth?
[–]Kaspersky_GReAT[S] 21 points 14 hours ago (0 children)
Correct.
[–]Zinnny 5 points 14 hours ago (4 children)
I have to use your software on my work computer. I gotta be honest, it slows my computer down a ton. What is the reason for this, and do you guys have plans to fix it?
[–]Kaspersky_GReAT[S] 6 points 14 hours ago (3 children)
Juan here: Sorry for any inconvenience. Hard to tell what’s going on without knowing more about the specifics of the setup (like your OS version, computer specs, and what other software is on the machine as well) and how the administrators have set up the software. Of course any security software is going to involve some overhead in processing power but we do a lot to optimize this as much as we can. If it’s that palpable on your machine, I’d point at something wrong in the configuration as a likely culprit.
[–]Branch3s 4 points 13 hours ago (0 children)
Tabs or Spaces?
[–]seven_pillars 6 points 12 hours ago (1 child)
Gents,
I tend not to post on subjects I know nothing about, but I'm making an exception because this is the first AMA I've read to the bottom of in a long time. Great subject and you guys' answers are wonderfully in depth and detailed. Super engaging and informative, so major thanks.
My question; I'm military, and my lack of knowledge on cyber security bugs me. I have zero tech background. If I was to set aside a few hundred quid and a few hours a week, where would I start developing an ability to secure my immediate environment while protecting myself? My gut says buy a clean new machine, set it up in a way that's sterile of personal data or connections to myself, and try to break and then fix it. Presumably that leaves me vulnerable across a network and, if so, how do I neutralise that vulnerability? I see in other threads that you've recommended open courses. Any suggested starting points?
Last and most ignorant question: I've always harboured a worry that googling malware terms, hacker groups, infosec etc and clicking links leaves me vulnerable drawing attention to myself, in the same way that I'm careful not to use obvious keywords that might find me on a security agency watch list. Is this justified or am I being a paranoid joe?
Thanks again, and keep fighting the good fight.
[–]kujetic 5 points 9 hours ago (0 children)
can you help find Hillary's emails?!
[–]nequin 7 points 17 hours ago (1 child)
Is that Jackie Chan behind the gentleman holding the G?
[–]Kaspersky_GReAT[S] 19 points 16 hours ago (0 children)
Costin here. Yes, that's me and that's a lifesize Jackie Chan print behind me. I’m a big fan of Jackie’s movies and Kung-Fu movies in general. Drunken Master ftw! :-)
[–]ankontini 5 points 17 hours ago (5 children)
1) If your system has been compromised, using an encrypted email service will not save you, right?
2) How can we use android devices safely, while retaining our privacy when we have to connect them to a gmail account? (And google collects data).
3) Is there any messaging app for android that you use and that you know does not collect data?
4) IT security fascinates me but I don't have the expertise. How can we, normal users, contribute to a safer and freer internet?
[–]Kaspersky_GReAT[S] 5 points 17 hours ago (4 children)
Juan here: wow there! :) Alright, let’s see. I really love your first question because it reaffirms why I think we are working in the most important side of the ‘infosec problem’. Short answer: No, if your endpoint is compromised, using an encrypted email service will not save you per se. The more nuanced answer is that it won’t save you from an attacker using malware to have a presence on your device, it wouldn’t affect the fact that encrypted email (PGP for example) will keep your emails from being read in transit or in a breach of your inbox or that of the recipient. I say that we are working on an important part of infosec because security solutions tend to be built on the assumption of an uncompromised endpoint so designing and supporting software meant to secure your devices is not a trivial thing.
Jumping through your other questions since there’s so much to cover here: Android is a difficult platform to secure. If you’re concerned about privacy, a lot of the time your issues will come from excessive third-party app permissions and ‘games’ taking the liberty to lift whatever information they see fit. Those concern me more (personally) than the gmail integration itself.
As for messengers, we tend to play around a lot with different ‘secure’ messengers. I’m in no position to audit the crypto or implementation on these but some of us are currently testing out Wire. SilentText, Signal, Threema, and Wickr have been old favorites. I don’t know that I can promise that they don’t collect data, you’d have to ask them.
Please secure your accounts!!! Use a password manager and two-factor authentication. Attackers do a lot with the accounts they pop.
[–]exodus2287 5 points 17 hours ago (4 children)
How did you guys end up in this field? It's something that has always intrigued me
what are the necessary skills one would need to approach such a career?
Vicente here: I believe this has already been answered in a couple of questions, but if you want a final piece of advice from me, don't educate yourself only in technical stuff!
Learn how to write, speak in public; learn about history and politics; be interested in music and arts. This at least will make you a more complete person, and open your possibilities. Technology comes and goes, deep knowledge stays forever.
[–]Kaspersky_GReAT[S] 12 points 16 hours ago (1 child)
Vitaly here. Curiosity drives most of us. In another science, let's say in physics, curiosity makes people explain and state the laws of physics. Other people come and try to break the model, find where it is weak, where it doesn't work. Some people break things to exploit the weaknesses and get illegally rich at the cost of other people's suffering. We share the same skills but feel that what is going on is not right and we can't sit still, we act to stop them.
To approach a career in infosec, get hypnotized by the magic you can do when a law of physics (or technology design) is in your control. Soon, you will realize that you are reading a new type of books and Google stopped recognizing your profile by your search habits.
[–]0utlo 4 points 16 hours ago (5 children)
Is antivirus companies writing their own viruses to have demand a thing or just a joke?
[–]Kaspersky_GReAT[S] 9 points 16 hours ago (4 children)
Juan here: People who make this claim don’t understand just how much work we have on our hands. Kaspersky looks at around 320,000 unique malware samples a day. GReAT is tracking upwards of 100+ threat actors and campaigns at the same time. I don’t know when these people think we have time to code our own viruses.
[–]ankontini 6 points 17 hours ago (7 children)
Do you guys have time to play pokemon :D or some other games? Do you like mmo rpgs?
[–]Kaspersky_GReAT[S] 11 points 17 hours ago (6 children)
Juan here: I’m sure there are people in GReAT playing pokemon go, particularly with some latent Ingress fans. I don’t get a lot of time to play but like SC2 and Destiny. Brian and I have been playing some Overwatch on Xbox. And I may be slowly trying to make my way through Zelda (A link between worlds) on 3DS in different airport lounges...
Brian here: I do play with the Pokemons from time to time :) My wife hates it and honestly, I’m kind of a closet player. I’ll walk around the grocery store and hide my phone while I’m shopping. As for other games, when I have time, right now it’s all Overwatch. Before that, Fallout 4 all the way! And yes, I am a console guy. There is no PC Master race IMO.
Costin here. I don’t play Pokemon Go, but I play EVE Online. Minmatar ftw. :-)
Vicente here: Big Street Fighter IV fan, disappointed with SFV, and occasional SC2 player. Waiting for the new Mass Effect.
[–]K1llAllHumans 7 points 16 hours ago (2 children)
Do you guys play "thematic" computer games like Uplink or Hacknet?
[–]Kaspersky_GReAT[S] 21 points 15 hours ago (1 child)
Vitaly here. My job is my video game. Very realistic, 3D open-world with unexpected turns and hard problems to solve.
[–]Orc_of_sauron 3 points 17 hours ago (4 children)
Do you think Stuxnet was really developed by a guy who wore a yellow hooded cape around the NSA offices like the documentary Zero Days portrays?
[–]Kaspersky_GReAT[S] 5 points 16 hours ago (2 children)
Vitaly here. That was the most terrible image of a hacker that I have ever seen. I assume it was reconstructed through a number of distortions on the way. It probably made the guy (if he exists) laugh to a heart attack. I think Stuxnet was most probably put together by the work of several people. They could be strange, could be anti-social but very focused on the final objective. It was most likely fun for them, not just an order.
Brian here: Absolutely not. Everyone knows we only wear black t-shirts and shorts.
[–]Kaspersky_GReAT[S] 7 points 16 hours ago (1 child)
Vitaly here. ... and horse-heads.
[–]shrugsnotdrugs 3 points 16 hours ago (1 child)
Hey guys, thanks for doing this.
I recently watched the documentary "Zero Days" about the Stuxnet virus, and some of the malware researchers who first discovered it said when they looked at it, they could tell it was developed by state actors, because that code must've required immense resources.
When we look at conventional weapons and militaries, measuring resources and power is more concrete. One can count the number of troops an enemy has, determine what percentage of their GDP is spent on defense, measure the power of their weapons and aircraft, and more.
How can security researchers look at the source code of a virus, worm, or any form of malware and say: "this would have required the resources of a nation state"?
[–]Kaspersky_GReAT[S] 3 points 14 hours ago (0 children)
Brian here: Well in the case of Stuxnet, it was a bit easier as the malware was targeting specific equipment that really, only a nation state would have resources to test on at the time. In general, when looking at APT style attacks and determining if they’re possibly a nation state, there are many things that come into play. What information are they after? Who are their targets? How large is their C&C infrastructure? What does their ops team do when on a victim? Are they using malware that is only available to a nation state / intelligence organization? How many 0 days have they dropped lately? Are there signs in their code that lead to a massive development effort?
It’s a combination of MANY factors that lead one to make an educated guess on whether or not something is directly attributed to a nation state. An easier question to answer is typically “Is this nation state SPONSORED”. That is quite different from the first.
[–]ST1LLFLYGG 3 points 16 hours ago (2 children)
Does the "e" stand for eSports?
[–]Kaspersky_GReAT[S] 4 points 15 hours ago (1 child)
Vitaly here. No, sorry, please ignore, that was just a typo. :-P
[–]PM_ME_NSFWS 3 points 15 hours ago (2 children)
What do you think of pronouncing it cash-purr-sky?
[–]Kaspersky_GReAT[S] 5 points 14 hours ago (1 child)
Juan here: Better than my mom’s ‘caperki’...
Vitaly here: Meanwhile, Japanese pronounce "ka-su-pe-su-ki", Chinese say "ka-ba-si-ji", but my favourite was a delivery service bringing us a parcel for "Carpexcia" in the Romanian office.
[–]oversizedhat 3 points 15 hours ago (1 child)
Hi all.
With a seemingly tech ignorant Congress in place, where do you see the way forward in placing a national priority in updating cybersecurity infrastructure and education?
[–]Kaspersky_GReAT[S] 4 points 14 hours ago (0 children)
Brian here: I feel it needs to be a concerted effort put forward by all of us. There needs to be a voice and honestly, right now, there’s too many speaking over each other. Also, it might be time for the citizens to start voting for representatives that make these topics part of their campaign and outing the ones who still refuse to admit it’s a problem. I think it has gotten better in the last couple of years, especially at the highest levels though. We’re not there yet, but making noise and speaking together on this is the only way to conquer it.
[–]sldx 3 points 14 hours ago* (2 children)
There's a question that's been really nagging me since this DNC thing started: is it really possible to say with "fair" certainty if that attack was a state sponsored Russian attack?
Juan here: Since this seems like a question of the possibility of attributing an attack, let me tackle it on technical terms. Basically, ‘yes’ and ‘no’. The problem with attribution (and the reason we say it’s hard) is that a lot of technical indicators can be faked or manipulated to throw researchers off the tracks of the real attackers. We will be publishing a paper on cases where this has happened (at a conference called VirusBulletin).
That said, it’s not to say that it’s a completely anonymous action. What researchers have been pointing to is the fact that the malware used is already known and clustered to two specific groups (which we call CozyDuke and Sofacy) that are known to be Russian-speaking and employ known command-and-control infrastructure for these two groups. I understand the skepticism and how loaded the discussion can be but from the technical perspective that is pretty sound.
For more details – CozyDuke: [https://securelist.com/blog/research/69731/the-cozyduke-apt/]
Sofacy: [https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/]
[–]mastablasta69 3 points 14 hours ago (2 children)
Hey just saw this and was wondering since you had to work against such Malware as Stuxnet, did you ever encounter a similar version called Iron Gate? If so what about it is different from Stuxnet and where did it originate from?
[–]McTedson 3 points 14 hours ago (4 children)
I can't believe it's been 22 years already. It's like almost yesterday I was cracking RAV's protection for fun :) To Costin: Do you remember "rav prodigy"? :)
[–]Hobbledehoy899 3 points 14 hours ago (1 child)
Are DOS viruses still a concern?
Costin here. Oh, good ole 300 bytes long boot viruses... :) Concern no, perhaps only for historians. There is however a heightened interest in Solaris and SunOS malware.
[–]decensus 3 points 14 hours ago (2 children)
In your experience, how many instances can you recall where an exploit could truly be attributed to technical genius?
I keep feeling like every major "hack" that makes the news boils down to crap implementation/administration of solutions, click happy users, or a simple social con that should have been caught. Maybe I'm jaded or naive since I'm (sadly) on the audit and assessment side, but the "anywhere, anytime" style of hacking everyone talks about seems surprisingly rare. (or maybe since I can't hack for shit, I'm just in denial and jealous of you all haha)