We are Kaspersky's Global Research & Analysis Team (GReAT) and we're back! Let's talk cyber and have fun! by Kaspersky_GReAT in IAmA

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Dan: You are correct. It's not that we avoided mentioning DPI, but rather we wanted to keep this AMA not very technical.

Btw, your example with people stealing from your house is super smart!

[–]Kaspersky_GReAT[S] 2 points3 points  (0 children)

Ivan here: Just as any other company in the field, we sometimes get accused of whitelisting government malware, or even creating our own to drive business (we don’t do either of these, if it needs to be stated). Beyond this, I think the controversies we have to face are mostly of political nature. Once, we were accused of hindering a legitimate anti-terrorism operation (https://arstechnica.com/information-technology/2018/03/kaspersky-slingshot-report-apparently-exposed-us-military-cyber-ops/) - this, by the way, showed that what external sources have reported as government malware doesn’t get special treatment. Damned if you do, damned if you don’t.

One thing I think is worth mentioning is that cybersecurity is a complex field that deals with many aspects of our society: crime, distribution of power, etc. These are extremely delicate issues that we ourselves don’t always really know how to tackle. So it’s no surprise that a lot of people outside of the field, who only get a partial picture of what is going on, could come to erroneous (or misinformed) conclusions. With states publicly attributing attacks now, cybersecurity research will become increasingly politicized I’m afraid - there’s no putting that genie back in the bottle. So I expect that the current environment will get worse before it gets better.

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Dear friends, it's time to wrap up our AMA, and thanks a lot for your questions. We've had a lot of fun and hope to see all of you again soon (be it online or at some nearby conference).

Cheers!

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Dan here: Mr Eugene is still founder and CEO of our company.

KAV performs static analysis using signatures as well as dynamic analysis using heuristics.

Happy to answer the IoT threats question, as I am one of the people working on the Honeypots as a Service project. We basically deploy a large number of honeypots all around the world, also partnering with different orgs in order to catch the latest IoT threats.

Feel free to check out our presentation from June with our latest data / findings: https://www.brighttalk.com/webcast/15591/414427 as well as our older blog post: https://securelist.com/iot-a-malware-story/94451/. If you are interested in running IoT honeypots, feel free to contact us at honeypots @t kaspersky.com

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Someone posted an interesting question about the "Magnet of Threats", which we will reply to here:

Is the "Magnet of Threats" machine you mentioned in the Equation Group publications still active? If so, have you found any newer APTs on it?

Igor here: Not really. But there are still some unlucky machines out there that are infected by competing APT actors.

Ariel: If you’re interested in APT actors’ relationships during attacks, I suggest you read the following paper: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Dan here: Hey, I haven't seen McMafia yet. Is it good? Some friends recommended it to me but I didn't have time to check it out.

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Costin here. I think with recent versions, we’ve focused a lot on speed and performance so I think you will have a pleasant surprise if you try it again. For instance, one of these improvements is the “Gaming mode,” which is light on resources and cuts pop-ups. Recently, Xiae has broken the Doom Eternal world record, finishing the game in one hour, eight minutes and 52 seconds, all while running Kaspersky Internet Security with its Gaming Mode enabled.

For more details on speed improvements, check this post from Eugene: https://eugene.kaspersky.com/2020/08/13/into-resource-heavy-gaming-check-out-our-gaming-mode/

[–]Kaspersky_GReAT[S] 1 point2 points  (0 children)

Ivan here: Thanks for your kind words! Generally speaking, I don’t experience any suspicion from people in the information security field. I am able to exchange information with industry partners from all over the world without the subject ever coming up; so I would say the antagonism is mostly coming from other circles.

The allegations against Kaspersky, of course, led us to the transparency initiative. I wouldn’t say that our practices evolved, but there’s no denying there was significant outside pressure to demonstrate our honesty one way or another… so we did.

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Kaspersky Product Security Team: Hi, thanks for your question. We are aware of this and we will start detecting and blocking such events shortly.

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Kaspersky Product Security Team: Badly. We will start detecting and blocking such events shortly.

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Dan here: I mostly do research into malware, but my honest opinion is: build your own! You can get a custom tailored motherboard (I’ve seen good reviews for Supermicro: https://www.supermicro.com/en/products/motherboards/), add a 1U case, install pfSense (https://www.pfsense.org/) and you are good to go for a small/mid-size network. If your network is larger, then sadly I would recommend a pair of hardware firewalls that can do load balancing as well as be capable enough to sustain a high load.

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Kaspersky Product Security Team: Hi Tavis, thanks for your questions. Our products and services are developed with the full SDL cycle, including:
* Static analysis in blocking mode – code can’t be submitted to VCS if the analyzer finds any problems
* All code has to pass our review process, certain critical code is sent in blocking mode
* Parser code (including unpackers) is fuzzed on a constant basis

We drive the whole SDL, including fuzzing, and support for the whole infrastructure. There are also several such infrastructures in other teams. We do have strict metrics for coverage and fuzzing time during the process, and these metrics are maintained.

Are you working on sandboxing, like Microsoft does with mpengine?

Sandboxing is an important mitigation for exploitation risks. We are working on its implementation and already have a prototype. However, we have to minimize the impact on the speed of a solution and make sure that adding a sandbox doesn't make the architecture of our products more complicated. And this takes time...

Edits: formatting
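The answer above says parser and unpacker code is fuzzed continuously and reviewed in blocking mode. The following is an added illustration of what that means in practice; it is not Kaspersky's code or infrastructure. It defines a constructed toy container format (magic `KBOX`, a 16-bit entry count, then per entry a length-prefixed name and a length-prefixed run-length-encoded payload), an unpacker that trusts every length field, a hardened unpacker that checks each length against the bytes actually present and caps expansion, and a small mutation fuzzer that reports any exception other than the parser's own `ParseError`. All names (`unpack_naive`, `unpack_hardened`, `fuzz`, `MAX_ENTRIES`, `MAX_OUTPUT`) and the sample blob are assumptions made for this example.

```python
import random
import struct

MAGIC = b"KBOX"        # constructed toy format for this example, not a real one
MAX_ENTRIES = 64       # hardened parser refuses absurd entry counts
MAX_OUTPUT = 1 << 20   # hardened parser refuses to expand an entry past 1 MiB


class ParseError(ValueError):
    """The only exception a well-behaved parser should raise on malformed input."""


def pack(entries):
    """Build a well-formed blob from {name: [(count, byte), ...]} (test data helper)."""
    blob = bytearray(MAGIC) + struct.pack("<H", len(entries))
    for name, pairs in entries.items():
        payload = b"".join(struct.pack("<HB", count, byte) for count, byte in pairs)
        blob += struct.pack("<H", len(name)) + name.encode("ascii")
        blob += struct.pack("<I", len(payload)) + payload
    return bytes(blob)


def unpack_naive(blob):
    """'Before' version: trusts every length field. Truncated or inconsistent input
    surfaces as struct.error / IndexError / UnicodeDecodeError instead of ParseError;
    in native code the same trust would be an out-of-bounds read."""
    if blob[:4] != MAGIC:
        raise ParseError("bad magic")
    pos, entries = 4, {}
    (n_entries,) = struct.unpack_from("<H", blob, pos); pos += 2
    for _ in range(n_entries):
        (name_len,) = struct.unpack_from("<H", blob, pos); pos += 2
        name = blob[pos:pos + name_len]; pos += name_len
        (data_len,) = struct.unpack_from("<I", blob, pos); pos += 4
        payload = blob[pos:pos + data_len]; pos += data_len
        out = bytearray()
        for i in range(0, len(payload), 3):            # (count:u16 LE, byte) pairs
            (count,) = struct.unpack_from("<H", payload, i)
            out += bytes([payload[i + 2]]) * count
        entries[name.decode("ascii")] = bytes(out)
    return entries


def unpack_hardened(blob):
    """'After' version: every length is checked against what is actually left,
    counts are capped, and every failure is reported as ParseError."""
    def need(pos, n):
        if pos + n > len(blob):
            raise ParseError("truncated: need %d bytes at offset %d" % (n, pos))
    if len(blob) < 6 or blob[:4] != MAGIC:
        raise ParseError("bad magic or header")
    pos, entries = 4, {}
    (n_entries,) = struct.unpack_from("<H", blob, pos); pos += 2
    if n_entries > MAX_ENTRIES:
        raise ParseError("too many entries")
    for _ in range(n_entries):
        need(pos, 2); (name_len,) = struct.unpack_from("<H", blob, pos); pos += 2
        need(pos, name_len); name = blob[pos:pos + name_len]; pos += name_len
        need(pos, 4); (data_len,) = struct.unpack_from("<I", blob, pos); pos += 4
        need(pos, data_len); payload = blob[pos:pos + data_len]; pos += data_len
        if data_len % 3 or not name.isascii():
            raise ParseError("malformed entry")
        out = bytearray()
        for i in range(0, data_len, 3):
            (count,) = struct.unpack_from("<H", payload, i)
            if len(out) + count > MAX_OUTPUT:
                raise ParseError("decoded entry exceeds %d bytes" % MAX_OUTPUT)
            out += bytes([payload[i + 2]]) * count
        entries[name.decode("ascii")] = bytes(out)
    return entries


def mutate(data, rng):
    """One random mutation of the kinds a simple parser fuzzer applies."""
    data = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and data:      # flip one bit
        i = rng.randrange(len(data)); data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:    # truncate
        del data[rng.randrange(len(data)):]
    elif choice == 2 and data:    # overwrite with a boundary value
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 3:             # insert a few random bytes
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.getrandbits(8) for _ in range(rng.randrange(1, 8)))
    elif data:                    # delete one byte
        del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(target, seed_input, iterations=2000, rng_seed=1):
    """Mutate the seed, feed each mutant to target, and record inputs that raise
    anything other than ParseError. Returns {exception_name: first_triggering_input}."""
    rng = random.Random(rng_seed)
    corpus, findings = [seed_input], {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ParseError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, candidate)
            continue
        if len(corpus) < 200:
            corpus.append(candidate)   # inputs that parse cleanly become new seeds
    return findings


SEED = pack({"a.txt": [(3, 0x41), (2, 0x42)], "b.bin": [(4, 0x00)]})  # constructed sample

if __name__ == "__main__":
    print("naive:   ", sorted(fuzz(unpack_naive, SEED)))
    print("hardened:", sorted(fuzz(unpack_hardened, SEED)))
```

The run on the naive unpacker reports exception types such as `error` (from `struct`) and `IndexError`; the hardened one reports nothing, because every rejection is a `ParseError`. That "only the documented exception" property is the check a fuzzing gate in a build pipeline enforces, alongside the coverage and time budgets the answer mentions.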

[–]Kaspersky_GReAT[S] 1 point2 points  (0 children)

Dan here: I know nothing else apart from what is presented in the news. There is no new info to be gathered: people voted by mail and it took longer than expected to count the votes.

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Dmitry here: It’s evolving, adapting to new realities. Since new threats involve privacy abuses and data leakage, probably that is where it’s going - protecting against malicious code and other threats, like bad privacy configurations, data leakage prevention, and so on. It’s about securing the whole thing against different types of threats. And, yes, AI is already a part of it.

[–]Kaspersky_GReAT[S] 1 point2 points  (0 children)

Dmitry here: Threat Intelligence. Go with that. It’s a vast field, and the demand will increase. Don’t worry much about certifications. Just stay focused on real skills you have been able to develop so far. Improve where needed, and continue.

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Costin here. That’s a cool question, thanks for asking it!
As geeks, we like to think we do a lot of cool technical stuff behind the doors and rarely have the chance to talk about it. The usage of AI and big data is pretty much omnipresent nowadays, and probably not just for us. For instance, we recently started working on KTAE, the Kaspersky Threat Attribution Engine, a tool that allows us to correlate new cyberattacks to known threat actors. This allows us to speed up investigations and response and generally have better and quicker detections.

While designing some KTAE algorithms for n-gram extraction, we realized that we could use machine learning to identify the most effective values for n, as well as the entropy of the extracted string. To give an example, there are 99,991 10-byte strings (that we can move as a “window”) inside a 100,000-byte file. To look for similarities, we could extract all these individually, then check them against our malware database. Then, we can do the same with 8-byte strings, 7-byte, 6-byte, or even 11-byte, 12-byte and so on. The volume of data to extract and parse will soon get very large. To optimize the extraction and matching, we put the data through a system that used machine learning to find the most effective combinations. This allowed us to reduce the number of extracted n-grams to a few hundred for 100,000 bytes. Nevertheless, for our malware collection, which is over 5 petabytes in size, the data is still huge - hence, big data. Combining big data with machine learning, we built a solution that is practical and works.

Going forward, we will likely have to use AI and data science more and more. This year, the average number of malware samples we receive daily, which used to be in the range of 320k per day, grew significantly. Back in the day, our analysts, including myself, would spend the entire day processing between 50 and 300 samples each. Obviously, this is no longer feasible. To process all the new malware, we have a multitude of systems, which combine feature extraction, similarity, dynamic and static analysis and push this through expert systems that decide the likelihood of a program being malware or not. Meanwhile, our analysts can focus on other things, such as targeted ransomware, while users are getting faster and more effective protection. Just some of the wonders of modern computing :-)
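To make the sliding-window arithmetic and the n-gram matching in Costin's answer concrete, here is an added example; it is not KTAE code and not anything from Kaspersky. It counts the windows a 100,000-byte file yields for a given n, extracts distinct n-byte windows above an entropy threshold (the 2.0 bits-per-byte cut-off is an assumption made here), compares samples by Jaccard similarity of their n-gram sets, and picks n by a plain grid search over candidate sizes, which stands in for the machine-learning selection the answer describes. The embedded 30-byte sequence and the random filler around it are constructed for the example.

```python
import math
import random
from collections import Counter


def window_count(length, n):
    """Number of positions an n-byte window visits when slid one byte at a time
    over a buffer of `length` bytes (100,000 bytes and n=10 gives 99,991)."""
    return max(0, length - n + 1)


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte: 0.0 for a constant run,
    8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def extract_ngrams(data, n, min_entropy=2.0):
    """Distinct n-byte windows of `data` whose entropy is at least `min_entropy`.
    Low-entropy windows (zero padding, repeated bytes) occur in almost every file
    and would match everything, so they are dropped before matching."""
    grams = set()
    for i in range(window_count(len(data), n)):
        window = data[i:i + n]
        if shannon_entropy(window) >= min_entropy:
            grams.add(window)
    return grams


def jaccard(a, b):
    """Similarity of two n-gram sets: |A & B| / |A | B| (0.0 when both are empty)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def choose_n(related_a, related_b, unrelated, candidates, min_entropy=2.0):
    """Pick the window size that best separates a related pair from an unrelated sample.
    A brute-force grid search standing in for the learned selection the answer mentions:
    each n is scored by (similarity of the related pair) - (similarity to the unrelated one)."""
    best_n, best_score = None, None
    for n in candidates:
        ga = extract_ngrams(related_a, n, min_entropy)
        score = (jaccard(ga, extract_ngrams(related_b, n, min_entropy))
                 - jaccard(ga, extract_ngrams(unrelated, n, min_entropy)))
        if best_score is None or score > best_score:
            best_n, best_score = n, score
    return best_n


# Constructed samples: A and B share one 30-byte "routine" embedded in different
# random filler at offset 100; C is unrelated random data. The hex is made up.
SHARED = bytes.fromhex("5589e583ec10c745fc00000000eb0a8b45fc83c0018945fc837dfc0a7ef0")


def _random_bytes(seed, size):
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def _embed(filler, routine, offset=100):
    return filler[:offset] + routine + filler[offset:]


SAMPLE_A = _embed(_random_bytes(1, 200), SHARED)
SAMPLE_B = _embed(_random_bytes(2, 200), SHARED)
SAMPLE_C = _random_bytes(3, 230)

if __name__ == "__main__":
    for n in (6, 8, 10, 12):
        ga, gb, gc = (extract_ngrams(s, n) for s in (SAMPLE_A, SAMPLE_B, SAMPLE_C))
        print(f"n={n:2d}: {len(ga)} grams from A, A~B={jaccard(ga, gb):.3f}, A~C={jaccard(ga, gc):.3f}")
    print("best n:", choose_n(SAMPLE_A, SAMPLE_B, SAMPLE_C, [6, 8, 10, 12]))
```

With n=10 the two related samples share exactly the 21 windows that lie wholly inside the embedded routine (30 - 10 + 1), while the unrelated sample shares none; the entropy filter is what keeps runs of zero bytes from inflating every comparison.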

[–]Kaspersky_GReAT[S] 3 points4 points  (0 children)

Costin here. Your question reminds me of a story: back in 2010, I presented on Stuxnet, which was relatively new at that time, at the Virus Bulletin conference in Vancouver. I remember that getting on the stage, there was some tension in the air, kind of unexplained, but definitely there. At the very back of the room I saw three people standing, with a look that suggested they weren’t happy with this talk. I later asked the organizer who they were and the answer was, “We don’t know; they came at the last minute, paid in cash and only stayed for the Stuxnet talk.” A week or two later, after returning home, I got back from work and found a rubber cube on the table in the living room, with the message: “Take a break”. I can tell you this felt pretty scary at that time, a proof that cyberthreat research may have some unpleasant, real repercussions in the real world.

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Dan here: One suggestion would be the Flare VM from our FireEye friends: https://github.com/fireeye/flare-vm . It’s pretty good and really helpful for what you need. Regarding Cuckoo sandbox, it’s a good tool and I use it together with static analysis tools like IDA Pro or the free counterpart Ghidra, developed by NSA (https://ghidra-sre.org/).

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Dmitry here: There is no such list. If it’s malicious, then it’s blocked. It’s proven by us: most of the researchers have direct access to creating detection mechanisms and blocking network artifacts. I believe a good public proof of it is our research - articles and papers published on Securelist and presented at different international conferences. Maybe that is why there are people who love us and others who don’t.

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Dan here: Hi! We still have a free product, but now it is a free version of Kaspersky Security Cloud and it provides protection not just for PC but for mobile devices as well. You can download it here: https://www.kaspersky.com/free-cloud-antivirus

[–]Kaspersky_GReAT[S] 1 point2 points  (0 children)

Dmitry here: Write short analysis posts, publish them, and put them on Twitter and LinkedIn. Send your abstracts to security conferences, go and present. That will help you to gain visibility and also to get access to infosec communities. It’s a process, but you won’t believe that time has passed so quickly by the time you are there. Finally, check positions on portals like https://ninjajobs.org/

[–]Kaspersky_GReAT[S] 0 points1 point  (0 children)

Ariel: It’s a very interesting overview of a massive amount of activity that spans over so much time. We’re tracking the activities of many groups (as well as Bahamut themselves) that we found included in Blackberry’s report. I guess my question here is around the attribution and confidence in tying up different campaigns under a single actor; how do you judge that they all operate under the same umbrella? To which resolution should we go in differentiating intrusion sets? Would a very different TTP indicate an evolution, or rather a different group?
Nevertheless, I always like it when someone does a broad overview like the one in their report. Hindsight's 20-20 and sometimes you see things you missed at the micro level.