Security Expert Interview Series: Christian Wojner
We recently checked in with Christian Wojner to learn about malware analysis and how businesses can know if malware analysis is right for them. Christian is a Senior IT-Security Analyst, Malware Analyst, and Incident Responder based in Austria. His specialties include automating malware analysis, developing code analysis tools, and the development of Minibis, VisDA, and Bytehist. Read the full interview below; we promise it will be insightful.
1. Firstly, thank you for taking part in this campaign. Can you tell us about your professional background and areas of interest, Christian?
After I made my decision against starting off as a professional tour guitarist for some newcomer starlet back in the ’90s in favor of having a stable income in my second major field of interest, I entered IT as a programmer developing specialized banking software for IBM mainframes using PL/1 and DB2. It turned out that despite my bad experiences with mainframes, batch programming, and especially with PL/1, which I had from my years visiting a higher school focused on software development, one could really find some meditative satisfaction in such ancient stuff when digging deeper into the actual possibilities of the latter.
However, years went by and I moved from batch to CICS in terms of programming. The next step was developing complex client/server systems based on Visual Basic using mainframe batch stuff in the backend with some detours into AIX serving some middleware needs. After that, I moved on to web development based on J2EE having a good old IBM mainframe with PL/1 and DB2 in the back, again. It was quite hilarious how long that ancient stuff was keeping up with my continuously growing steps towards a brighter future in IT.
Therefore, I made another huge decision in my career, actually jumping into cold water in terms of the new and blazing field I was just about to enter back in 2004: IT Security. Whilst receiving some accordingly oriented training to build up appropriate skills, I continued to develop software as a shareware developer. In 2007, constantly improving my IT security skills and being the technical right hand of the CSO of the software development sub-organization of one of Austria’s major banks, I was kind of frustrated: All those diverging skills I had … and there seemed to be no job where one could take advantage of all of those – at least that was my impression. So I asked my boss and mentor for advice in this respect. He instantly came up with the idea that, considering all of my various skills, the latter would be the perfect foundation for becoming a malware analyst/reverse engineer.
Today, almost 15 years later, I can say that he was absolutely right. Due to a fortunate coincidence in terms of a job opportunity back then, I quit my job just 1 month later and started as the first IT security analyst for the kick-off of Austria’s Computer Emergency Response Team (CERT.at). And it was another coincidence that I got the opportunity to start building up the CERT’s assets in malware analysis and reverse engineering just at the end of 2007.
From that moment on I really dove into every available material regarding malware analysis and reverse engineering; however, the latter was far from being a well-documented profession and field at that time. The only way for me to really evolve in these terms was to start developing accordingly oriented software and tools, thus getting in touch with all the respective aspects and concepts as closely as possible. So I started to contribute a lot of software to the malware analysis community: one of the first freely available malware sandboxes (Minibis), my own IDA Pro competitor (VisDA), a generic revealer for even unknown malware based on entropy (DensityScout), a PE section-oriented entropy histogram utility (Bytehist), and last but not least my biggest throw, a nowadays standard companion tool for behavioral analysis called “ProcDOT”. Each of these tools was my way to get a deep(er) understanding of specifically mystic and only rarely or even undocumented topics.
Through all of these years, since I moved to CERT.at, I constantly broadened and enhanced my IT security skills to cover most fields of digital forensics and incident response, with malware analysis and reverse engineering being my major obsession. In this respect, I am responsible for dealing with accordingly flavored tasks, incidents, and cases.
2. You are currently holding the position of Senior IT-Security and Malware Analyst. What excites you, and what do you like about this line of work?
Digital forensics as a whole can be seen pretty much as a mixture of action adventures and level-based games with bosses. By solving puzzles of various kinds, revealing artifacts of different relevances, and fighting your way through the case by constantly taking the hurdles left for you by the adversary, you are putting all those pieces together to finally have an all-in-one picture of the situation. Every step further in this progressive process comes with its respective amount of satisfaction. All this with the sublime aim of helping victims to cope with the situations they were pushed into by their attackers, what else could be more rewarding?
3. What kind of skillset does a person need to be a malware analyst?
To be honest, that actual question brings a smile to my face. It is the one question that is usually asked when you are in a conversation and the point of “What’s your occupation?” is reached. I always loved to share knowledge with people interested in these specific fields to help them to find their ways. Therefore, I created my own teaching material, which I teach as an introduction to malware analysis featuring many detours into related topics within digital forensics as a whole. And the last slide of my slide deck addresses this very question. The title is “Summary: Malware analysis is a DECATHLON++”, and that is just what it actually is all about.
So I’m more than happy to have the chance to reveal that mystic information also here. So, what are the skills one has to be familiar with to subsist in the fields of malware analysis?
In random order:
– System internals: Hardware, Software on various architectures
– Disassembly and de-compilation techniques
– Assembler (Machinecode), Java, C#, Python
– Debugging techniques
– Shellcode
– Monitoring/Sniffing
– Network protocols
– Customized configurations (HW/SW/Network) to build your own lab settings
– Memory forensics
– Development of tools/utilities in various languages
– Deep understanding of compilers
– Detecting/spotting algorithms (crypto and de-obfuscation)
– …
However, such a list can never be exhaustive in any way. So as a rule of thumb: The more widespread and broad your skills are, the more you are able to cover and take advantage of in according situations.
4. How can businesses know if malware analysis is right for them?
If you are running a business that is potentially prone to targeted attacks and APTs, then having someone capable of doing malware analysis might be a wise thing, especially if you are not willing or are not allowed to share samples with third parties. By the way, please avoid uploading any samples you might encounter within your organization to VirusTotal! If the former is part of a campaign targeting your organization, chances are high that you alert the adversary by doing so. Instead of uploading the entire sample to VirusTotal, just compute a file hash (like MD5 or SHA1) and search for it there.
How to know if your business is prone to targeted attacks and APTs? Do some research (threat intel) regarding those well-known APT groups out there and the branches they are usually focused on. If your organization is a player in one of these branches, it might be just a question of time when you are going to have guests within your network, if not already.
5. Tell us about a current malware campaign that CISOs will want to be cognizant of.
If we hadn’t already got rid of it, then it would have definitely been Emotet, which CISOs should be aware of. However, even with this pain-spreader of its kind gone, one should absolutely keep an eye on the constantly ongoing evolution of ransomware campaigns in general. The groups behind those attacks are nowadays competing on a level that is comparable to state-sponsored APTs. Don’t (just) try to defend against them, be prepared to have them aboard at some point.
Besides that, I think it is not a question of specific malware families CISOs need to be cognizant of these days. One of the most relevant topics nowadays is supply-chain attacks leading to an unmanageable number of compromised organizations and entities of various flavors in terms of their business branches. Adversaries don’t need to really master the initial compromise phase anymore, now they just need to choose the most attractive target which they are possibly already in by using automated exploits.
6. What policies and practices would you recommend to defend against the latest malware threats?
I do not think that copy-pasting all those (classic) defense tips here again is of much use, actually, you find them everywhere on the net. As one might already know due to my answers before, I am more into the approach of the expectation that it’s just a question of time when one gets hacked. Do not get me wrong, it is still relevant to put efforts and resources into defense, but it is the detection one should have her major focus on.
Be sure to have all the necessary logs to be able to successfully handle and solve an incident. Think about the typical scenario that someone (i.e. a researcher) informs you that there was some network traffic/contact between your organization and some specifically bad domain or IP address. Would you be able to trace that connection back to its originating client or server? And how far back in time would you be able to do that?
Know your network’s, server’s, and client’s behaviors, or at least have someone that does so. Baselines are key to efficiency when doing incident response.
And last but never least, some people say, “Security through obscurity doesn’t work!”. While that is not entirely wrong per se, I am a big fan of combining approaches. If an adversary enters your organization/network, she expects to be confronted with well-known IT security solutions like antivirus, IDS/IPS, or endpoint protection for example. The term “well-known” is key in this respect. As an adversary, you can prepare yourself and your toolset to circumvent those, or at least to be much stealthier to those. What an adversary cannot prepare for beforehand is some unknown custom concept, solution, or approach. The very first time the adversary has the chance to analyze such a solution to get rid of it is when she is already facing it, but by that time your tripwire is already triggered.
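The log-traceability scenario in the answer above (a researcher reports contact between your network and a bad domain or IP address; can you find the originating client, and how far back does your evidence reach?) as an added Python example that is not part of the interview or of Christian’s tools. It runs a trace over constructed proxy, DNS and DHCP lease logs with hypothetical hosts, domains and addresses, and attributes each contact to the workstation that actually held the client IP at that moment, which is the reason the DHCP log is part of the picture.

```python
"""Trace contacts with a reported indicator back to the originating host.

All log data below is constructed for this example; hosts, domains and
addresses are hypothetical (documentation ranges only).
"""
import re
from datetime import datetime

# --- Constructed sample logs -------------------------------------------------
# proxy: <utc-timestamp> <client-ip> <method> <url> <status>
PROXY_LOG = """\
2024-03-01T09:12:05Z 10.20.30.41 GET http://bad.example.test/update.php 200
2024-03-01T09:12:09Z 10.20.30.41 GET http://cdn.example.test/lib.js 200
2024-03-03T14:02:11Z 10.20.30.57 POST http://bad.example.test/gate 200
2024-03-04T08:30:00Z 10.20.30.41 GET http://news.example.test/ 200
"""
# dns: <utc-timestamp> <client-ip> <qname> <rtype> <answer>
DNS_LOG = """\
2024-03-01T09:12:04Z 10.20.30.41 bad.example.test A 203.0.113.10
2024-03-03T14:02:10Z 10.20.30.57 bad.example.test A 203.0.113.10
2024-03-04T08:29:59Z 10.20.30.41 news.example.test A 198.51.100.7
"""
# dhcp: <lease-start> <ip> <hostname> <mac>  (10.20.30.41 changes owner on 03-02)
DHCP_LEASES = """\
2024-02-28T07:00:00Z 10.20.30.41 WS-FIN-07 aa:bb:cc:00:00:41
2024-03-02T07:00:00Z 10.20.30.41 WS-HR-03 aa:bb:cc:00:00:03
2024-03-03T07:00:00Z 10.20.30.57 WS-DEV-12 aa:bb:cc:00:00:12
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def proxy_hits(indicator, log=PROXY_LOG):
    """Proxy lines whose URL host equals the indicator (domain or IP literal)."""
    hits = []
    for line in log.splitlines():
        ts, client, method, url, _status = line.split()
        host = re.match(r"https?://([^/:]+)", url).group(1)
        if host == indicator:
            hits.append((ts, client, "proxy", f"{method} {url}"))
    return hits


def dns_hits(indicator, log=DNS_LOG):
    """DNS lines where either the queried name or the answer is the indicator.
    This lets an IP-only report pivot to the clients that resolved the name."""
    hits = []
    for line in log.splitlines():
        ts, client, qname, rtype, answer = line.split()
        if indicator in (qname, answer):
            hits.append((ts, client, "dns", f"{qname} {rtype} {answer}"))
    return hits


def lease_owner(ip, at, leases=DHCP_LEASES):
    """Hostname holding `ip` at datetime `at`: the latest lease starting <= at."""
    owner, owner_start = None, None
    for line in leases.splitlines():
        ts, lease_ip, hostname, _mac = line.split()
        start = parse_ts(ts)
        if lease_ip == ip and start <= at and (owner_start is None or start > owner_start):
            owner, owner_start = hostname, start
    return owner


def trace(indicator):
    """Every contact with the indicator, in time order, attributed to the host
    that owned the client IP at the time of the contact (not today)."""
    events = []
    for ts, client, source, detail in proxy_hits(indicator) + dns_hits(indicator):
        host = lease_owner(client, parse_ts(ts)) or "UNKNOWN (no lease record)"
        events.append((ts, client, host, source, detail))
    return sorted(events)


def affected_hosts(indicator):
    return sorted({host for _ts, _ip, host, _src, _det in trace(indicator)})


def evidence_reaches_back_to(*logs):
    """Earliest timestamp across the given logs: how far back a trace can go."""
    return min(line.split()[0] for log in logs for line in log.splitlines())


if __name__ == "__main__":
    for ev in trace("bad.example.test"):
        print(*ev)
    print("hosts:", affected_hosts("bad.example.test"))
    print("hosts via resolved IP:", affected_hosts("203.0.113.10"))
    print("evidence reaches back to:", evidence_reaches_back_to(PROXY_LOG, DNS_LOG, DHCP_LEASES))
```

The lease history is the part people forget: 10.20.30.41 belongs to WS-FIN-07 when the first contact happens and to WS-HR-03 two days later, so resolving the address against today’s DHCP table would blame the wrong workstation. The `evidence_reaches_back_to` value answers the second question in the interview (how far back in time you can trace); in a real environment it is bounded by log retention, which is exactly what should be decided before an incident rather than during one.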
7. How do you stay up to date with industry news and updates regarding IT security? Feel free to share the sources/websites with us.
There are so many information sources out there, in so many flavors – I really think that everyone needs to find her own way to do this. However, for an easy and efficient approach, one can take advantage of the newsletters of various national CERTs. CERTs (usually) have people that are specialized in scanning the net for tech news, filtering the most relevant of them. So do we at CERT.at. Our tech-watchers are doing a great job in this respect in my opinion. Besides a few really specialized sources that I follow, that’s my major source of information that I am taking advantage of.
8. Last question: what is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in IT security?
Get your hands dirty! If you are wondering how specific things work, get yourself a controlled environment (lab) and try it in practice. Do not be scared of the efforts of self-education, because in the end, you will gain a much deeper understanding as you are/were confronted with core aspects which you master/ed on your own. And maybe the most relevant hint: Build up your reputation in the IT security community by contributions. You do not have to be an ace in programming, research, or something else. There are still a lot of blind spots out there which need to be taken care of, just pick one that’s most attractive to you and support the community, that’s how it works, that’s how we work.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.