Hello Reddit!

We are Kaspersky’s Global Research & Analysis Team (GReAT), a group of 40+ threat hunters spread throughout 18 countries around the world. We track malicious hacker activity around the globe with an emphasis on advanced targeted attacks.

In case you are not familiar with us, we are the ones who told the world about the Cozy Bear hacking group long before they broke into DNC servers, the ones who uncovered the most sophisticated hacking group to date, called Equation, and the most dangerous gang of cyber robbers, Carbanak. We were the first to figure out that the notorious NotPetya ransomware, which caused real chaos all around the world, was actually not ransomware but a wiper - a real cyber weapon. We are the ones who drew the line between one of the oldest attacks ever against the Pentagon and the activity of modern-day hacking groups.

Every day we see malicious hackers doing crazy things like hiding their activity in satellite communications, infecting hotel networks to spy on very important guests, or even targeting telecom operators' networks - to spy on whoever they want! We have seen them breaking into the supply chain of a popular hardware producer in order to be able to infect only a few specific users. We also witnessed how one hacking group tried to pretend to be another hacking group in order to plant false flags and potentially cause an international scandal.

One day we even found them poking around in our own network! And so on...

All of these are only a few of the stories we have to tell. You can find many more of them at https://securelist.com. Today we are happy to answer your questions about how we do all our anti-cyber-espionage threat hunting magic every day.

Here is a photo of some of us just for you!

Here with us are:

Costin Raiu - Global Director @craiu
Vitaly Kamluk - @vkamluk
Brian Bartholomew - @Mao_Ware
Noushin Shabab - @NoushinShbb
Maria Namestnikova - @SovsemNePodarok
Dmitry Bestuzhev - @dimitribest
Dan Demeter - @_xdanx
Aseel Kayal - @CurlyCyber
Kurt Baumgartner - @k_sec
Igor Kuznetsov - @2igosha
Ivan Kwiatowski - @JusticeRage
Ariel Jungheit - @arieljt

Want to know how we work, how we hunt down all those sophisticated actors and learn some tips and tricks?
Thinking of a career in cybersecurity and have questions?

Ask away!

A lot of people asked us about cybersecurity training courses, and we'd like to point out that we do have a fresh new Yara training available here: https://xtraining.kaspersky.com/

Edit 2: In 1 hour we'll take a break, but meanwhile we are happy to take all your questions, controversial or not :)

Edit 3: We'll wrap up for today, but we're coming back tomorrow to answer remaining questions! Cyaa!

Edit 4: We are back to answer remaining questions!

Edit 5:

Dear friends, thanks a lot for all your love, good questions, good jokes and the good time!

To all Reddit users who are asking questions about our data processing policies, politics, alleged connections with governments and questions related to trust: we fully understand your concerns and are willing to eliminate them. So if you are really seeking answers to your questions, and are here not just to troll, then here you go:

  • We are open for cooperation and are more transparent than anyone else in the industry. You can read more about our transparency initiative here: https://www.kaspersky.com/about/transparency?ignoreredirects=true. It was created specifically to explain our technology and processes to those who are concerned.

  • Although we are an international company that is obliged to obey local laws in the countries where we operate, not all laws concern our activity. In particular, we are often asked about SORM. This law is about tracking criminals through telecom networks. We are not a telecom operator, a video-calling service or a chat app. This law doesn't concern us at all: https://media.kasperskydaily.com/wp-content/uploads/sites/92/2015/02/02060120/REPORT-OF-PROF-DR-KAJ-HOBER.pdf

  • Last but not least: we are often asked how safe our users' data is. Apart from what has already been said about our will to be as transparent as possible, we can only add two things:

    1. We give our users control to limit the data they send to us via the interface of our products. If you are a user of our B2B products, we have solutions that allow you not to upstream any data at all.
    2. This year we are completing the relocation of data processing for our users from Europe, the US, and several other countries to Switzerland.

It's time we wrap up our AMA and hope to see you all soon! Peace!

Comments: 940 • Responses: 98

YYZRE1392 karma

I used Kaspersky for several years, but later switched away after reading an article about back doors, Russian ownership or controlling interests, and other potential backend security concerns. Have not heard the name mentioned recently and am curious how those concerns were addressed(?). The articles I read left me with an overall distrust of the Kaspersky brand.

Kaspersky_GReAT187 karma

Costin here. Let me start by saying that I have our Internet Security solution installed on my own computers, family’s and friends’. I’m confident they are secure and keep me protected because hey, I can check that at a source code level and on our servers. :)
Speaking about security concerns, we addressed them by becoming more transparent and moving some of the critical data processing to Switzerland. Kaspersky’s first Transparency Center was launched in November 2018 in Zurich, while in June 2019 we opened another Transparency Center in Madrid.

You can read more about these measures here: https://www.kaspersky.com/transparency-center

steelcitykid523 karma

You can look at the source, but can I?

khizee_and1147 karma

Hey doesn’t your software state: "In order to inspect encrypted data streams using SSL/TLS, Kaspersky installs a WFP driver to intercept all outgoing HTTPS connections. They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replace all leaf certificates on-the-fly. This is why if you examine a certificate when using Kaspersky Antivirus, the issuer appears to be "Kaspersky Anti-Virus Personal Root"."

Here is a link to source: https://bugs.chromium.org/p/project-zero/issues/detail?id=978

What a nice and silent way to say "we own all your data" creepy Kaspersky.

Kaspersky_GReAT78 karma

Ivan here: if anything, I think this P0 thread shows that Kaspersky handled bug reports gracefully and in a timely fashion. As for the SSL Man-in-the-Middle, it’s really the only way the product can inspect the contents of the web traffic to detect malicious elements in pages, or to decrypt malware traffic which routinely uses HTTPS. In any case, this feature can be disabled in the program’s settings if you’re not comfortable with it.

Igor here: The whole HTTPS MITM interception happens only locally, within the memory space of the same machine and the data doesn't leave unencrypted or encrypted with some third-party certificate. It is required to scan the HTTPS traffic for malicious code, including the exploits that may arrive in your browser. The bug though doesn’t indicate any malicious intent, just a mistake in the implementation, and we fix these fast.

alonium112 karma

Do you have any idea how many Kaspersky employees in Moscow HQ are secretly recruited by the GRU (or other Russian intelligence services)? By secretly I mean that they work for both the GRU and Kaspersky, but Kaspersky Lab does not know that they have a second job at the GRU.

Kaspersky_GReAT58 karma

Brian here: At last check, no employee answered “Yes” to this question on their yearly polygraph.

Maria here: Since they are secretly employed and no one in Kaspersky knows about it and we are definitely in Kaspersky… why are you asking us?

alonium42 karma

I'm asking because the "GRU Tower" is located just 5 km from Kaspersky HQ.

Kaspersky_GReAT49 karma

Igor here: There is also a huge supermarket and a furniture store much closer to the building. I wonder why nobody is asking them.

CardiologistSimple9296 karma

Why do you think Kaspersky was targeted by Duqu 2.0? Attacking an AV Vendor seems rather reckless for an advanced actor.

Kaspersky_GReAT110 karma

Brian here: My guess is maybe they were a bit pissed about catching them last time.
Kurt here: They could have just asked for a tour of the new office.
Ivan here: I would like to take this opportunity to remind all threat actors that our private intelligence reports can be purchased for a very competitive price.

fawfrergbytjuhgfd60 karma

Ivan here: I would like to take this opportunity to remind all threat actors that our private intelligence reports can be purchased for a very competitive price.

That got an audible laugh from me. Give this man a raise! Or at least a hot bowl of borsht

Kaspersky_GReAT49 karma

Ivan: thx! I'll take the raise!

soylent_absinthe88 karma

Hello GReAT!

I routinely am asked what the best commercial antivirus is, and I typically respond "Kaspersky, but I don't recommend you install it" due to concerns of how much you send back your cloud, and the dynamics of the inevitable cooperation you have with the FSB and other Russian state security institutions. Given the declining relationship between our two countries since the "Russia Reset", how would you assuage the privacy and security concerns of a potential US customer who also isn't looking to have their documents reviewed at Лубянская площадь?

Kaspersky_GReAT39 karma

Ariel here: Antivirus products make use of telemetry (just like your operating system) in order to detect and protect against unknown threats, meaning, a file should match some heuristic detection in order to be analyzed in the first place. Even then, it’s being anonymized and is handled according to various regulations (read about KSN and our transparency center). Also, you can opt-out from participating in it.

Maria here: You can limit the data you send to KSN by just clicking a checkbox. Which is actually really rare for antivirus products; most of them do not ask when they want telemetry.

Gravitsapa75 karma

When I installed Kaspersky a couple of years ago, my Firefox started complaining about non-authentic root certificates. Why was that? Do you still replace root certificates to decipher https traffic?

Kaspersky_GReAT28 karma

Brian here: The AV uses its own cert in order to have the ability to see HTTPS traffic. If a user does not want this to be the case, the option can always be disabled in the settings.

lennylovegun44 karma

Okay - now I have to ask. Why would my AV need to strip my SSL on HTTPS traffic?

Kaspersky_GReAT42 karma

It's just an optional module; you can disable it. The idea is that some website might try to inject malicious scripts into your browser (JavaScript scripts are the most popular infection vectors). The only way for the AV to try to protect you against that attack is to be able to block the request before it hits your browser. Hence, it needs to be able to monitor your HTTP as well as HTTPS connections.

Again, you can disable that feature.

lennylovegun9 karma

Okay, I see how it makes sense in stopping browser hijacking (NoScript would probably not work for the normal user :) ). Now I'm just curious, so one more question. If the "malicious script" from the browser tries to execute or change anything outside the browser, does the "normal" Kaspersky AV catch that?

Kaspersky_GReAT18 karma

Okay, I see how it makes sense in stopping browser hijacking (NoScript would probably not work for the normal user :) ). Now I'm just curious, so one more question. If the "malicious script" from the browser tries to execute or change anything outside the browser, does the "normal" Kaspersky AV catch that?

Brian here: All the components of the AV work in unison, so yes...It should pick up a browser escape in theory.

ValidatingUsername62 karma

How likely is the possibility that torrented operating systems and programs contain malware, keyloggers, or MIM vectors that could lead to identity theft or impersonation?

Kaspersky_GReAT69 karma

Dmitry here: It depends. It's not uncommon to get a distro which is actually backdoored. We have seen it for Windows ISOs and other popular installers. If there's no chance of file hash verification, then you can assume it might potentially be backdoored, of course. That said, it does not mean everything on torrents is backdoored or malicious.
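The "file hash verification" Dmitry mentions, as an added example (this is not Kaspersky's code and not from the AMA). It checks a downloaded image against a checksum list in the common SHA256SUMS layout that many distributions publish ("<hex digest>  <filename>", one file per line, a leading `*` marking binary mode). The checksum text, file name and file contents in the demo are constructed here, not real release data.

```python
"""Verify a downloaded ISO/installer against a published SHA256SUMS list.

Added example, not Kaspersky's code.  Demo file and checksum list below
are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sums(sums_text):
    """Map filename -> lowercase hex digest from SHA256SUMS-style text."""
    sums = {}
    for line in sums_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than guess
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()  # '*' = binary-mode marker
    return sums


def sha256_hex(data):
    """Digest of an in-memory blob (handy for small files and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_digest(digest_hex, filename, sums):
    """Return "ok", "mismatch" or "not listed" for one file."""
    expected = sums.get(filename)
    if expected is None:
        return "not listed"
    # compare_digest is the habit to keep for any digest/secret comparison,
    # even though timing is irrelevant for a local check like this one.
    if hmac.compare_digest(expected, digest_hex.lower()):
        return "ok"
    return "mismatch"


def verify_download(path, sums_text):
    """Hash the file on disk and look it up by its basename."""
    return check_digest(sha256_file(path), os.path.basename(path),
                        parse_sums(sums_text))


if __name__ == "__main__":
    # Constructed demo: a fake "release" file plus a checksum list covering it.
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "distro-2020.11.iso")
        with open(iso, "wb") as fh:
            fh.write(b"constructed installer contents\n" * 1000)
        sums_text = (f"{sha256_file(iso)}  distro-2020.11.iso\n"
                     f"{'0' * 64} *other-image.iso\n")
        print(verify_download(iso, sums_text))   # ok
        with open(iso, "ab") as fh:
            fh.write(b"tampered")                  # simulate a modified download
        print(verify_download(iso, sums_text))   # mismatch
```

The check is only as good as where the checksum list came from: a SHA256SUMS file shipped inside the same torrent proves nothing, since whoever repackaged the image could regenerate it. Take the list from the vendor's own site (and verify its signature where one is published) and only then compare.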

Ulukai40 karma

What is your take on the argument that antivirus programs are juicy targets for exploits, in the sense that they are widely installed, are huge, complex, closed-source code bases which have a large attack surface area and generally run with high privileges?

Also, do you encounter and have to fend off attacks of this nature on a regular basis, or is it rare?

Kaspersky_GReAT42 karma

Ariel here: It’s a bold move to target antivirus software, not something your average attacker does. Antivirus software runs in a high-privilege context in order to be able to detect and stop attacks from threats that are also executing with high privileges. There is easier software that is more widely used - word processors, for example. Take a look at the exploits available for antivirus products in the recent year—the number is so small it’s not a good reason not to use them :)

Kurt here: It's rare. Take a look at what is really getting exploited - it's not anti-malware. There is no shame; Careto had a thing for our product several years back. Although, Blackhat presenters might get more high-fives for exploiting an “AV” than Chrome.

3dprintard40 karma

Why should anyone trust a security research team from Russia given modern geopolitical situations?

Kaspersky_GReAT33 karma

Maria here: We have analysts in many countries of the world; you can choose the one who you trust the most.

Costin here: Our team is split across 18 countries; I guess that makes it extremely resilient to influence from any specific side of the world. That aside, we try to stay away from geopolitics and focus on more technical and sometimes, funny things.

seccynic35 karma

There was a story recently about a 'drone detector' originating from Kaspersky. Is that really a threat for some orgs, or is this primarily a Russian hobby?

Kaspersky_GReAT19 karma

Maria here: My neighbor has a drone, and he is Russian. So maybe it’s a Russian hobby, I don’t know. But a drone is, in many cases, just a flying camera that can take photos of anything the owner wants, be it what’s inside someone’s house or in the office, say on the monitors of the computers. So it seems there is something to worry about.

Brian here: Drones are definitely a threat to many organizations. For instance, prisons in the US are using anti-drone technology to help prevent the smuggling of contraband. The tech is also used in many public spaces, such as sporting events, large crowd gatherings, etc. for protection and monitoring. Some organizations are also concerned with corporate espionage through the use of drones.

tjc10334 karma

What was the coolest or most impressive chain of exploits your team has seen in the wild that was used to create an attack (that you're able to discuss)?

Kaspersky_GReAT55 karma

Boris Larin here: The coolest and most impressive chain of exploits for sure is the one used in the Stuxnet worm. It has everything: amazing logic bugs, win32k bug, print spooler attack… Actually all “wormable” and 0-click exploits are very interesting to look at, and it was very fascinating to take apart and understand EternalBlue, EternalRomance, EsteemAudit and other exploits. However, there also exist some rare cases when payload is much more interesting than the exploit itself… but that’s another story :)

Kaspersky_GReAT-33 karma

Boris here: I’m having lunch. Can I answer later? My borshch is too good to stop eating it for you

homelikepants4534 karma

Isn't it fancy bear ?

Kaspersky_GReAT17 karma

Brian here: I prefer Bougie Bear

Kurt here: nyet. Disco Stu Bear. Or Sofacy.

collin_sic22 karma

Was there anything nefarious happening yesterday to cause youtube to go down worldwide?

Kaspersky_GReAT32 karma

Brian here: Too many Stans trying to watch the latest BTS video?

Noushin here: I uploaded a video of my cat! Sorry!

taviso21 karma

I had a positive experience working with Kaspersky reporting vulnerabilities a few years ago. The team were responsive and my impression was they were shocked I was able to find so many problems and were committed to putting it right.

I haven't looked at Kaspersky since I completed my audit, but colleagues have told me since then that Kaspersky engineers are now active libFuzzer contributors, and it sounds like you've built new fuzzing infrastructure from scratch. Nice!

I have two questions,

  • Are you working on sandboxing, like Microsoft does with mpengine?
  • Can you talk about your fuzzing infrastructure, do you have dedicated engineers working on engine security? Is it integrated into development, e.g. new unpackers can't ship without 100% code coverage and X hours fuzzing? What tools are you using, are you 100% libFuzzer, or are you using anything else?

Kaspersky_GReAT17 karma

Hi Tavis - thanks for the questions. They are all good ones and we are checking with the right teams internally and will get back to you. Many of them are offline now, so maybe tomorrow.

PVChapaev20 karma

Swedish news is apparently reporting the country is having some wide attack of ransomware the last couple of days, starting late last week. Standard phishing being the apparent attack vector.

Luckily not hit, but I've not been able to figure out exactly what Ransomware is currently active. SE-CERT is no help. :(

So are you aware what this might be and what ransomware I would need to look out for?

(also very lucky to see you doing an AMA at the same time)

Kaspersky_GReAT15 karma

Dmitry here: If you mean this post https://www.cert.se/2020/11/cert-se-s-veckobrev-v-45 then it’s more about several targeted ransomware families, including Ryuk and others. If there is anything else, please paste it here to check or DM us privately.

Ivan here: I’m not sure exactly what you’re referring to. Do you have a link with information about this particular campaign?

_thundercat_15 karma

If I were a user of your AV, and make a Subject Access Request for a copy of all information about me, which I am entitled to receive under Article 15 of the GDPR, what would you provide me?

Kaspersky_GReAT14 karma

Hi there! If you want to file this request, this is the right place to visit: https://support.kaspersky.com/general/privacy

_thundercat_14 karma

Thanks for your reply. I'm not a Kaspersky customer. I'm just wondering, what data would you provide me with, in case I have your AV running and make a Subject Access Request (e.g. browsing history, history of opened files, etc.).

Kaspersky_GReAT8 karma

The data obtained for processing depends on the product or service used and the end-user license agreement (for instance, whether you voluntarily accept the KSN agreement or not). The detailed information is in our data processing policy here: https://www.kaspersky.com/products-and-services-privacy-policy

Details of the data processed can be found in the End-User License Agreement (EULA), the Kaspersky Security Network (KSN) Agreement and other agreements which differ depending on the product. The data users send to Kaspersky is not attributed to a specific individual, is used in the form of aggregated statistics and is anonymized wherever possible.

Zenfullone13 karma

Is there a trustworthy site/resource that common Internet folk can take a glance at and understand the cyber crimes that are taking place and where the attacks are coming from? Do you all post your own findings anywhere?

Thanks for all the fighting you're doing!

Kaspersky_GReAT17 karma

Maria here: https://securelist.com is where you can find a lot of our findings!

Kurt here: https://threatpost.com is also another good source.

Llamaman812 karma

I was required to install Kaspersky at a university I attended to use campus internet. When I left, I uninstalled Kaspersky. Nevertheless, afterward there was always a "kav" process running in the background. Nothing was listed in the startup processes and when I manually ended the process it would immediately pop back up. Can you tell me why that happened and why I should trust Kaspersky?

Kaspersky_GReAT23 karma

Ariel here: If you have any technical detail to share about that “kav” named process, we’re happy to take a look. Otherwise it sounds like the uninstall failed?

Dan here: yes, this seems to be the case of a failed uninstall. Once I had to use kavremover so maybe this might help you: https://support.kaspersky.com/common/uninstall/1464

stay_sick_6912 karma

Wanna cyber? A/S/L?

Kaspersky_GReAT16 karma

Vitaly here: LSASS SSL SAS
Brian here: What is A/S/L? I’m old.
Dan here: Username checks out ;)

cheeruphumanity11 karma

The German government legalized a trojan for our internal intelligence agency. The idea is that they will work with ISPs to get it onto target systems.

How do they protect their spyware from detection through anti virus software?

Kaspersky_GReAT25 karma

Ariel here: Trojans and other malware used by law enforcement and intelligence agencies are not exempt from getting detected.

Ivan here: One of the subtle difficulties of our job is that we’re flagging as malicious some activities which can be perfectly lawful in the place where they originate. Our policy is to treat all malware as such and never make any exceptions. And on their end, attackers will do their best to avoid detection through techniques such as packing, anti-heuristics techniques, and so on. It’s a constant cat and mouse game.

Ali_taba11 karma

Do you have any idea how I can get a remote job as a malware analyst? Does such a position exist?

I'm 17 y/o; have read the famous book on the subject; currently reversing malware that I had access to (gootkit, remcos, netwalker, ...) and reading Advanced Binary DeObfuscation material.

Kaspersky_GReAT13 karma

Ivan here: If you’re reversing those samples at 17 years old, I have the feeling that finding a job will not be an issue :) Just keep doing what you’re doing and companies will be fighting for your services in no time!

Maria here: I totally agree with Ivan :) Just today we’ve hired an intern who is 18 and who is reversing samples and is really interested in the cybersecurity topic just like you are. So there is a way to start your career path really soon and even work remotely. Gogogo! :)

IceCreamBrainz11 karma

I was hoping to learn Yara, but before doing that, what prerequisites should I be aware of? Do I need to know assembly, C & reverse engineering? My background is in network security.

Kaspersky_GReAT21 karma

Costin here: Yara’s syntax and strings are similar to C, so that would be a good start. General knowledge of reverse engineering helps, although we know many people who write Yara rules without ever having reversed any samples! A general feel for what malware looks like, how malware works and things like file formats is probably a good start. In case you haven’t seen it yet, do check out this short webinar I did on Yara back in March: https://securelist.com/hunting-apts-with-yara/96386/

PS: Our PR and sales are kindly asking me to try to sell you this training :) Some people say it’s pretty good actually: https://xtraining.kaspersky.com/

Vitaly here: To add to what Costin said and give him some credit, please watch this short presentation written entirely in Yara about Costin using Yara to catch 0-days: https://www.youtube.com/watch?v=fbidgtOXvc0

In essence, those skills are not required, but the more you know the more tools you have to create your own perfect Yara rule!

AltruisticPumpkin08 karma

What's your favorite disassembler?

Kaspersky_GReAT14 karma

Noushin here: The one and only IDA PRO!
Ivan here: Seconded.

AidsPeeLovecraft8 karma

What's your opinion on the Tor network? Do you hate it because it makes your job harder? Do you use it yourself? How do you deal with command & control servers hiding behind .onion services?

Kaspersky_GReAT26 karma

Ivan: My personal opinion is that Tor overall does more good than harm. Bad guys will always find ways to bounce their traffic around, hacking random machines if they need to. At least Tor provides some degree of anonymity to journalists, activists and oppressed minorities all around the world. As for C2 servers hosted as .onion services, we don’t really see that many of them, especially now that we’ve moved to the era of targeted ransomware, where cryptographic material is embedded inside payloads directly.

Vitaly: There have been a few interesting articles on the imperfection of Tor when it comes to long-term always-on services and approaches to deanonymize them. While Tor is still useful and important to protect activists and independent journalists when they go online, long living C2s and marketplaces will not survive for long. And, we don't hate Tor; we love Tor!

Kurt: Tor is awesome. Yes, I dislike coming up against a Tor exit when I’m researching APT activity, but anything can be misused.

still_kickin8 karma

Thanks so much for y'alls time.

I am severely and permanently disabled. I have no knowledge of cyber-security, but I'd like to learn. I only have minimal coding knowledge and have forgotten what I learned in applied agents and combinatorics.

  1. Where should I start if I want to take a route (non-institutional) that brings me to an intermediate level?

  2. Do I need to be able to type fast, or is that just the Hollywood take on the industry?

  3. How are knowledge and skill separated in your industry?

All the best.

Kaspersky_GReAT11 karma

Ariel here: Actually, this is one of the most comfortable fields (for lack of a better word) for people with disabilities. You don’t need anything but a way to interact with a computer and the passion to learn. Generally speaking, knowledge is perhaps the most valued skill in cybersecurity. Start by reading about how the industry works, see which open positions are available around you and would allow you to work the way you want (no travel?), then find which relevant topics are interesting enough to you to invest time in learning. As you can see from other responses here, you don’t have to take an institutional route - there’s so much knowledge that you can gain by yourself.

Vitaly: I think that one's disability creates an opportunity for super-ability. If you are looking for one, you are on the right path. Once you find it, there will be no one like you!

h3r4ld7 karma

Hey guys, with all your tools for advanced data analysis, can you help shed some light on the failures at Scuderia Ferrari in 2020 and what your team would recommend to fix the problem? Thanks!

Kaspersky_GReAT8 karma

Brian here: I’m more of a Red Bull fan myself :)

Dan: Actually I don’t know a lot about Formula 1, but I heard Scuderia Ferrari has some amazing engines!

-_-qarmah-_-7 karma

I saw you posting on r/malware, so I'm assuming red team questions are all good?

What does malware need to do to hide itself from AV software? A person analyzing it will catch it but I'm sure there are some tricks to not be detected.

Kaspersky_GReAT11 karma

Brian here: The best “malware” is the kind that looks and acts like normal administrative and system behavior. There’s a reason why more and more bad guys are moving to built-in “features” like PowerShell and others. It’s a constant game of cat and mouse though. A new technique is used, it’s discovered, signatures are written, rinse and repeat.

Kurt here: you can run but you cannot hide
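The detection side of Brian's point, as an added example that is not from the AMA or Kaspersky: when the binary is a legitimate built-in like powershell.exe, a signature on the file is useless, so the hunt keys on how the process was launched. The scanner below scores process-creation records for the launch switches that normal administration rarely combines and decodes any -EncodedCommand payload (base64 of UTF-16LE text) so an analyst sees what would actually run. The log format, hostnames, users and the encoded payload (a harmless Write-Output) are all constructed for the demo.

```python
"""Flag suspicious PowerShell launches in process-creation logs.

Added example (not Kaspersky's code).  Log lines, hosts, users and the
encoded payload are constructed for the demo.
"""
import base64
import re

# Rule name -> regex over the command line.  PowerShell accepts abbreviated
# switches (-enc, -w, -nop, -ep), so the patterns allow the short forms too.
RULES = [
    ("encoded_command", re.compile(r"\s-(enc|encodedcommand|e|ec)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_window", re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I)),
    ("no_profile", re.compile(r"\s-nop(rofile)?\b", re.I)),
    ("bypass_exec_policy", re.compile(r"\s-(ep|executionpolicy)\s+bypass\b", re.I)),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I)),
]
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe", "powershell", "pwsh"}


def _executable(cmdline):
    """Basename of the launched program, handling a quoted full path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        exe = cmdline.split(None, 1)[0] if cmdline else ""
    return exe.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE script text; return it or None."""
    m = re.search(r"\s-(?:enc|encodedcommand|e|ec)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not really base64/UTF-16: leave it for manual review


def analyze(cmdline):
    """Return (score, matched rule names, decoded payload) for one command line."""
    if _executable(cmdline) not in POWERSHELL_NAMES:
        return 0, [], None
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    return len(hits), hits, decode_encoded_command(cmdline)


def scan_log(lines, threshold=2):
    """Alert on records whose command line trips at least `threshold` rules.

    Record layout (constructed): "<timestamp> host=.. user=.. cmd=<command line>".
    """
    alerts = []
    for line in lines:
        if " cmd=" not in line:
            continue
        meta, cmd = line.split(" cmd=", 1)
        score, hits, decoded = analyze(cmd)
        if score >= threshold:
            alerts.append({"meta": meta, "hits": hits, "decoded": decoded})
    return alerts


# Constructed sample: the encoded payload is a harmless Write-Output.
HARMLESS_SCRIPT = "Write-Output 'hello from the demo'"
ENCODED = base64.b64encode(HARMLESS_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "2020-11-05T10:22:13Z host=ws01 user=alice cmd=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
    f"2020-11-05T10:23:47Z host=ws01 user=alice cmd=powershell.exe -nop -w hidden -enc {ENCODED}",
    "2020-11-05T10:24:02Z host=ws01 user=alice cmd=\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -new-tab",
    "2020-11-05T10:25:30Z host=ws02 user=svc_build cmd=pwsh.exe -NoProfile -Command \"Invoke-Build\"",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["meta"], alert["hits"])
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

The threshold matters: -NoProfile alone is routine in build and automation jobs (the svc_build line above), and a signed script run with a restrictive execution policy trips nothing, so the scan alerts only on the combination. In a real pipeline the same rules would sit on top of whatever produces process-creation events (Sysmon event 1, Windows 4688 with command-line auditing enabled), and the decoded payload would be fed back through the same rules, since a download cradle is often hidden inside the base64.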

Ch33sefiend7 karma

What's your favourite hacker movie?

Kaspersky_GReAT13 karma

Igor - Hackers, 1995
Ariel here: I’m a fan of the TRON universe.
Vitaly here: How about Mr Robot? Of course everyone knows it. But I was once surprised to see something I missed. It was Defcon Movie Night where they screened "23" and it was pretty cool! Check it out: https://en.wikipedia.org/wiki/23_%28film%29
Brian here: Matrix series
Kurt here: Matrix ++
Noushin here: Ghost In The Shell anime, Cyber City Oedo 808
Maria here: Code Mercury. Bruce Willis is the best

Odd_Dig_12026 karma

Hi, I am learning how to reverse engineer malware, in particular ransomware, and I have a few questions about that.

What is important to include in a Yara rule so you can detect new versions of malware?

How do you detect or analyse which encryption algorithm is used in the ransomware?

Kaspersky_GReAT9 karma

Kurt here: Some folks start by looking for constants hardcoded into the algorithm, which is quick, easy, and fairly reliable. Ransomware is often compiled with freely available open source crypto, and while malware writers unfortunately are implementing it properly, this use also makes the algorithms easier to identify. Reversing the cipher itself is more reliable, but more time consuming of course.

Ivan here: There are a few ways to recognize cryptographic algorithms. A number of them include specific constants that are very easy to recognize (you can find some Yara rules for them here and there). Some of them, however, don’t, and then it’s a matter of recognizing the encryption process, which only comes with experience.

Ariel here: Don’t forget to make the conditions in your Yara rule less strict and allow some false-positive results (e.g. make the file size range bigger, lower the match criteria on the strings, remove the filetype check so it can scan memory).
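The "look for hardcoded constants" approach Kurt and Ivan describe, as an added example (not Kaspersky's code, not from the AMA): a small scanner that searches a binary blob for public constants from the algorithm specifications (AES S-box, SHA-256 initial state, MD5 and SHA-1 round constants, the ChaCha/Salsa "expand 32-byte k" string, the TEA delta). It searches both byte orders because a compiler may emit a constant as an immediate or in a data table, and it uses a per-algorithm threshold so one shared word is not enough: MD5 and SHA-1 start from the same four words, which is exactly Ivan's point about constants that identify a family but not the algorithm. The sample blobs are constructed here, not real malware.

```python
"""Scan a binary blob for well-known cryptographic constants.

Added example, not Kaspersky's code.  All constants are public values from
the algorithm specifications; the blobs built by build_sample() are
constructed test input, not real samples.
"""
import struct


def _word(value):
    """Both encodings of a 32-bit constant (little- and big-endian)."""
    return (struct.pack("<I", value), struct.pack(">I", value))


def _words(labels_prefix, values):
    return [(f"{labels_prefix}{i}", _word(v)) for i, v in enumerate(values)]


# Each signature: (label, acceptable encodings) pairs and the minimum number
# of labels that must be present before the algorithm is reported.
SIGNATURES = {
    "AES (forward S-box)": {
        "patterns": [("sbox row 0", (bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),))],
        "min_hits": 1,
    },
    "SHA-256 (initial hash values)": {
        "patterns": _words("H", [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                                 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]),
        "min_hits": 4,
    },
    "MD5/SHA-1 shared initial state (ambiguous)": {
        "patterns": _words("init", [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]),
        "min_hits": 4,
    },
    "SHA-1 (round constants)": {
        "patterns": _words("K", [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]),
        "min_hits": 3,
    },
    "MD5 (sine-table T constants)": {
        "patterns": _words("T", [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE]),
        "min_hits": 3,
    },
    "ChaCha20/Salsa20 (sigma constant)": {
        "patterns": [("expand 32-byte k", (b"expand 32-byte k",))],
        "min_hits": 1,
    },
    "TEA/XTEA delta (also a generic golden-ratio constant)": {
        "patterns": [("delta", _word(0x9E3779B9))],
        "min_hits": 1,
    },
}


def scan_for_crypto_constants(blob):
    """Return {algorithm name: [matched labels]} for every signature that
    reaches its min_hits threshold in `blob`."""
    results = {}
    for name, sig in SIGNATURES.items():
        hits = [label for label, variants in sig["patterns"]
                if any(v in blob for v in variants)]
        if len(hits) >= sig["min_hits"]:
            results[name] = hits
    return results


def build_sample(words=(), raw=b"", endian="<"):
    """Constructed input: filler, then the given constants as a table."""
    table = b"".join(struct.pack(endian + "I", w) for w in words)
    return b"\x90" * 32 + table + raw + b"\xcc" * 32


if __name__ == "__main__":
    sample = build_sample(
        words=[0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
               0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19],
        raw=bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"))
    for algo, labels in scan_for_crypto_constants(sample).items():
        print(f"{algo}: {len(labels)} constant(s) found")
    # A blob with none of these tables (RC4, a custom cipher, or code that
    # derives its constants at runtime) reports nothing: that is the case
    # where, as the answer says, you have to recognise the process by hand.
    print(scan_for_crypto_constants(b"\x90" * 64) or "no constants found")
```

The thresholds are where this gets tuned: one hit on 0x9E3779B9 is weak evidence on its own (it shows up as a hash mixer far outside TEA), while four consecutive SHA-256 words are hard to explain any other way. The same lists translate directly into Yara strings (`$h0 = { 67 e6 09 6a }` and so on with a `3 of them` condition), which is the usual way to run this across a corpus rather than one file.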

mitch34826 karma

Has there been a time when you guys were put into a panic by the sudden emergence of a new virus/worm/trojan that Kaspersky software was not prepared to protect against at the time?

(Just for an example, the WannaCry fiasco comes to mind as something that many in the industry were caught off guard by and scrambled to find a fix for.)

Kaspersky_GReAT9 karma

Maria here: In any situation before you start panicking you should ask yourself: is there anything you can do? If yes - don’t panic and do it. If no - why should you panic? So when something truly severe is happening we don’t panic and start doing something that’s up to us. By the way, talking about your example with WannaCry our antivirus detected it and our users were protected from that threat.

Vitaly: I remember the emergence of ransomware in 2006. It was the first type of asymmetric cryptography ransomware using RSA (a family called GpCode at that time). We kept warning that it was going to become a big problem and we should address that as soon as possible. We even broke several of their attempts to improve that ransomware. They disappeared for a decade, but look where we are now: organized crime is using that in targeted fashion with high stakes, demanding millions of dollars for decryption.

Dmitry here: The KIDO aka Conficker one was another big thing. It relied on a Windows vulnerability and the disinfection process was painful enough, and unsuccessful if no patch was applied. No surprise to still find it in some countries, spreading via removable devices. Crazy!

happyasianpanda5 karma

A lot of the world is living in cyberspace. Our financial, health, social, entertainment, and legal matters too. But in terms of personal cybersecurity and ease of interaction, Mac or PC? And which one with what antisoftware or "best practices" would you recommend users to implement to ensure that our data is secured and not out for everyone to use?

I personally use a password manager, 2FA whenever I can, VPN, storage/data encryption, but I always wonder if there is something else I can be doing to ensure my cyber protection.

Kaspersky_GReAT7 karma

Dmitry here: It's an eternal dilemma: macOS or Windows. In reality, the answer is both. In my case, I use all of them; each one is good enough for specific tasks. The whole thing is about making threat actors’ attacks cost-ineffective. So basic OpSec techniques are a must. For example: browser security (anti-fingerprinting, not saving passwords, logins, card information, or addresses, auto-deleting cookies), endpoint security (anti-malware protection, auto-updates for all locally installed applications), network security (VPN, DNS query analysis from your network to the world), passwords (enable 2FA, but skip those relying on SMS; use password managers protected with something like a YubiKey), email security (PGP, use privacy-minded email providers), privacy in general (check settings in the app, block ads and tracking on your device and network layer, use security-minded search engines), physical security of your machines (enable a BIOS password to prevent boot order change and settings change, require a boot password to start up the machine, disable hibernation, protect your machine with a strong password and screen auto-locking).

Aseel here: It’s a matter of personal choice of course, but I prefer PC - although you have to remember that the more popular a platform is the more likely it is to be targeted. In addition to the precautions you already mentioned, I would also add an adblocker, an anti-virus solution, and generally being careful about what you click on/download.

AWildGamerAppeared255 karma

Recently, I had Internet outages and when talking to support from my local ISP, they said they were suffering some DoS attacks.

I'm wondering why an ISP would be targeted? Or if perhaps it was a byproduct of someone else being the actual target?

Kaspersky_GReAT7 karma

Ivan here: It’s hard to say with the data at hand. DoS attacks usually aim at extorting money from the victim (“we’ll keep the DoS running until you pay”), and it would obviously be a problem for the ISP if it couldn’t serve traffic to its customers anymore. But in all likelihood, the target was some other customer using that ISP.

Vitaly: Quite often ISPs suffer collateral damage when the attack is targeting some of their customers.

DepartmentofNothing5 karma

I am not a computer-security-literate guy, but I do find this stuff interesting when it's explained in regular-person language. So, like you're explaining it to your dumb cousin, what's the cleverest attack method you've seen?

Kaspersky_GReAT4 karma

Kurt here: one of the most interesting continues to be Darkhotel’s misuse of hotel networks that they compromised. When specific guests would attempt to connect to wifi, Darkhotel would misuse the hotel’s network to install backdoors on a target’s laptop.

klivessss5 karma

What's your favourite flavour of crisps?

Kaspersky_GReAT11 karma

Brian here: WTF is a crisp? You mean chips? Salt and vinegar.
Aseel here: Salt and vinegar.
Ariel here: Sour cream and onion.

ElOsoBlanco565 karma

Can you comment on the use of VPN? Have you had issues with sites allowing access? Is there a blockchain alternative?

Kaspersky_GReAT13 karma

Costin here: I’m still waiting for blockchain-flavored Oreos.

Ivan here: The concept of a VPN is to move trust away from your ISP to another provider of your choice (the VPN operator). Usually, the information available for you to make that call will be limited, so there is no easy answer for this. If you trust Kaspersky enough to run our executables on your machines, you might as well trust our VPN with your traffic! Otherwise, it’s actually quite easy to create a VPN endpoint on a server you own.

Dmitry here: It really depends on your VPN provider. Not all of them are what they claim. There is a list of criteria to comply with. For example: the country of jurisdiction, running on hard drives or in memory only, an audited no-logs policy or not, following PFS or not. What are the encryption protocols and keys it uses? In the end, a VPN is a good choice, which also protects against DNS poisoning attacks, melted implants installed on the fly and so on. Of course, not all VPNs can really be trusted and comply with the criteria described above.

_thundercat_4 karma

Which cybersecurity certs (if any) do you consider most relevant when hiring?

Kaspersky_GReAT29 karma

Noushin here: None! Certificates usually do not show how much knowledge and skills you have.

Vitaly here: the best certificates are those stolen from legitimate vendors and used to sign malware. If a candidate brings one of those, they instantly get hired! :-P

missripper3 karma

Is it Kas-per-ski or Casper-sky? Thanks!

Kaspersky_GReAT5 karma

Vitaly: That reminds me of this question we answered on Reddit 4 years ago: https://www.reddit.com/r/IAmA/comments/4uueqa/we_are_kaspersky_labs_global_research_analysis/d5t5ltt/

Costin here: there are many different ways the people pronounce it! Personally, I love the Japanese form: “kasoo-peroo-sooky”, although the most appropriate English version would be “Kas-per-ski.”

mata_dan3 karma

Why do people deny that nation states are constantly attacking private individuals and businesses? It's literally happening constantly, to local SMEs, all over the place, it keeps me in work.... Yet people think it's some conspiracy bullshit :/

Kaspersky_GReAT7 karma

Costin here: Nation states do constantly target private individuals and businesses. I guess the people claiming conspiracy theories are also probably the ones doing the attacks. :)

TheWhiteZombie3 karma

If your IT infrastructure is compromised, and you are the target of a cryptolocker, how do you know which backup is a safe point to recover from?

Even with offline backups, your network could have been compromised some months before, and the foundations of the attack could still lie in an offline backup for months, how can you be certain the recovery point you are using is safe? Example, performing an authoritative restore of Active Directory from backup, or recovering some SQL database, or even file level recovery?

Kaspersky_GReAT11 karma

Dmitry here: That is a tricky situation. If you don’t have a ready-to-use playbook, not for ransomware in general but for each family, you are running on a flat tire. Those playbooks must include actions and timing for IR.
If you do IR, you will find the initial compromise date. It will help you make your decision regarding the backup recovery timing. Also, those playbooks must include specific plans for monitoring outgoing connections to ensure there are no implants in the network talking to the Internet. No threat modeling with playbooks, no good answer for an incident like this.
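The two playbook steps in the answer above, picking a recovery point from the IR-established compromise date and watching outbound connections for implants that still call home, as an added example that is not code from the AMA. The snapshot dates, the compromise date and the connection log lines are constructed sample data, and the "near-constant interval" heuristic for beaconing is an assumption, not the team's method.

```python
"""Added example (not from the AMA): two defender-side checks for the ransomware
recovery playbook. All dates and log lines below are constructed; the
203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed weekly backup snapshots (hypothetical schedule).
SNAPSHOTS = [datetime(2020, 10, d) for d in (1, 8, 15, 22, 29)]
# Initial compromise date as established by incident response (constructed).
INITIAL_COMPROMISE = datetime(2020, 10, 20, 14, 0)


def choose_recovery_point(snapshots, initial_compromise, margin=timedelta(days=1)):
    """Return the newest snapshot taken before the IR-established compromise
    date minus a safety margin, or None if no snapshot predates it."""
    cutoff = initial_compromise - margin
    safe = [s for s in snapshots if s < cutoff]
    return max(safe) if safe else None


# Constructed outbound-connection records: "<ISO timestamp> <src> -> <dst:port>".
# 10.0.0.5 checks in like clockwork every 10 minutes; 10.0.0.9 browses irregularly.
LOG_LINES = [
    "2020-11-02T10:00:00 10.0.0.9 -> 198.51.100.20:443",
    "2020-11-02T10:00:05 10.0.0.5 -> 203.0.113.7:443",
    "2020-11-02T10:00:30 10.0.0.9 -> 198.51.100.20:443",
    "2020-11-02T10:10:05 10.0.0.5 -> 203.0.113.7:443",
    "2020-11-02T10:15:30 10.0.0.9 -> 198.51.100.20:443",
    "2020-11-02T10:16:15 10.0.0.9 -> 198.51.100.20:443",
    "2020-11-02T10:20:05 10.0.0.5 -> 203.0.113.7:443",
    "2020-11-02T10:30:05 10.0.0.5 -> 203.0.113.7:443",
    "2020-11-02T10:40:05 10.0.0.5 -> 203.0.113.7:443",
    "2020-11-02T10:49:35 10.0.0.9 -> 198.51.100.20:443",
    "2020-11-02T10:52:00 10.0.0.12 -> 198.51.100.44:80",
]


def parse_line(line):
    """Split one constructed record into (timestamp, source, destination)."""
    ts, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_events=4, max_jitter=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps are almost constant;
    regular check-ins hint at an implant still calling out. Returns a dict
    mapping each flagged pair to its average interval in seconds."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        events[(src, dst)].append(ts)
    flagged = {}
    for pair, times in events.items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low values mean clockwork-like timing.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[pair] = avg
    return flagged


if __name__ == "__main__":
    print("recover from snapshot:", choose_recovery_point(SNAPSHOTS, INITIAL_COMPROMISE))
    for (src, dst), interval in find_beacons(LOG_LINES).items():
        print(f"possible beacon: {src} -> {dst} every {interval:.0f}s")
```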

0xJADD3 karma

Any hypervisor level malware you've come across yet? Bitdefender just released an open source hypervisor introspection engine a short time ago, it seems this will possibly serve as the battlefield in the future. Thoughts on a hypervisor AV?

Kaspersky_GReAT4 karma

Kurt here: The more recent low level stuff that we reported on was MosaicRegressor, a purpose-built UEFI bootkit. Since bluepill and SubVirt, there have been EoP vulnerabilities and exploits reported on, but no rootkit malware. Unfortunately, I think that it's ITW and discovery is just not there yet.

PanJanJanusz3 karma

What do you think about password managers?

Kaspersky_GReAT4 karma

Noushin here: password managers are essential when you consider all the accounts people have these days. It’s not easy to remember complex passwords for every single account and you definitely don’t want to reuse a password or make it easy for criminals to guess or brute-force. But make sure that you do good research on what password manager you want to use and what meets your requirements. There are many tools written by not-so-professional people just for fun, and on the other hand there are a lot of password managers which have been written with security and privacy in mind.

Dmitry here: it’s a must. You just can't memorize all the passwords if they are unique and complex. If you use a pattern to create them, it’s a bad choice. If your pattern is discovered, you are burned. Not all password managers are the same; use those which are zero-knowledge enabled. Turn 2FA on and disable the SMS option.

Dan here: I’m more like a CLI and Linux person so I recommend a great tool made by Jason A. Donenfeld called pass (https://www.passwordstore.org/)

Ariel here: I personally use a hardware password manager - Mooltipass.

viewfromtheclouds3 karma

Have you seen any coordinated hacking of election software? I’m legit terrified that agents of foreign governments, or just really really rich people could hire hackers to swing elections. (I’m convinced that whenever a scientific poll, of statistically significant sample size, and proven methods is off by a large amount that the difference is due to hacking.)

Kaspersky_GReAT6 karma

Vitaly: If an election process is moved entirely to virtual space, I think it has to be designed with full transparency, so that any vote's path can be validated and election rigging detected. We are not there yet, and that also keeps us worried. Every step in this direction must be made carefully.

Brian here: We have not seen any real evidence of actual voter data / software manipulation in elections. That being said, there is evidence that APT actors have “interfered” in other aspects. One such case was when CyberBerkut targeted the Central Election Commission of Ukraine in 2014. They were able to disrupt the updates showing voting results, but the actual data was not manipulated.

Costin here: Although there have been theoretical proof of concept attacks on various voting machines, we have not seen or heard about any real world case of a successful attack on voting proceedings that resulted in the change of outcome or results.

Callero_S2 karma

How could someone reasonably trust Kaspersky? It's a company controlled by Russian interests, and Russian espionage and cyber attacks are a critical issue in most of the world.

Kaspersky_GReAT9 karma

Ivan here: Here’s a personal story. I joined Kaspersky around the time all these allegations took place. I felt that surely, a company that’s pissing so many people off must be doing something right (which was correct). I was also curious to see for myself whether there was any truth to the accusations. Today, I can say unequivocally that I never saw anything that would allow me to doubt that Kaspersky employees are held to anything less than the most ethical standards. I wouldn’t have stayed if it was any other way. But don’t take my word for it. Send us your resume!

P.S. I am French.

securityaffairs2 karma

Hi folks, do you have evidence of activities related to Israeli nation-state actors?

In the past, you have uncovered and documented several nation-state campaigns, but to date no one has provided technical details of Israeli activity in cyberspace. Something related to their implants or attack platforms.

Apart from China, Russia, Iran and North Korea, are you observing concerning activities related to other states? This is very important due to the ongoing pandemic.

Thanks and go ahead with your excellent job.

Kaspersky_GReAT14 karma

Igor here: We are always tracking malware campaigns and malicious actors, not people or nation states. There is a fine line between a technical analysis and politics or any kind of allegations. At best, we can discover language artifacts left by the attackers and usually these don't include anything written in Hebrew.

uduneven2 karma

What is the best way to get into cyber security? I am 23 years old and have no IT qualifications. I've been really interested in computers since I was young, and have a lot of general knowledge, but no way to prove it. I have been trying to get my foot in the door with a simple IT helpdesk role, but have had no luck. Any advice? Thanks!

Kaspersky_GReAT11 karma

Brian here: Seeking out internships is probably the best way to get in the door. I’ll agree it’s a hard nut to crack initially, but once you get that first start, the sky’s the limit. Keep your nose to the grindstone and don’t give up. Be persistent! (just not advanced, persistent, and a threat - APT).

Costin here: Keep trying. Sometimes it takes a lot of persistence to succeed! Play with some useful tools such as Yara, Sigma rules or Zeek, and then add them to your CV. Those should be nice, attractive skills for anyone that looks!

Maria here: I started at Kaspersky when I was 23 as well, and I also didn’t have any IT qualifications. I started with a position that didn’t require any solid IT knowledge and was fine for me as a student. You should look for such a position as well, and don’t be shy to try applying to big and known companies. After you get there, you’ll get more knowledge and wisdom from your colleagues, and surely try to find time to go through some training, read books and check the tools that were suggested by Costin to get even better.

Noushin here: These days many companies look for interested people who want to enter the cyber security industry at conferences and online events (more happening during COVID time). Getting to know people who are hiring and letting them see how passionate you are and the knowledge you have can definitely help.

Kaspersky_GReAT6 karma

Actually, we quickly discussed this internally and would be happy to offer you free access to our new online training on threat hunting with Yara: Yara is the gold standard right now in cybersecurity, but what we teach goes much beyond common knowledge, as we share the tips / practices which helped us to hunt down some of the most sophisticated threats. Very hands-on! Hope you will enjoy learning! Please PM us here to organize this if you want to enroll in it :)

You can also contact us here: https://help.kasperskyxtraining.com

The training info: https://xtraining.kaspersky.com/courses/hunt-apts-with-yara-like-a-great-ninja

2plus2equalscats1 karma

Just get engaged. Lots of people on Twitter sharing resources, the defcon website has a ton of resources, etc. Many conferences are free this year as they’re online, or are much cheaper to attend. I’ve seen many people say that starting with IT helpdesk is a good place to start. There are also online things like Hack The Box you could try in your free time. Also, find a direction you want to go in. It’s all interesting! But choosing a focus will help you accumulate some skills (or realize you want to focus elsewhere) to get started.

Kaspersky_GReAT3 karma

Dan here: Totally agree with you! Also, 2020 is the first year I've seen a LOT of good cyber security conferences going online as well as free to view!

One example coming to mind: VB Localhost

So check out Twitter accounts where we post news about new upcoming conferences.

Also, https://www.cfptime.org/home is a good website to track security conferences

prawn1851 karma

Hi thanks for the AmA!

I'm doing a degree in Cyber Security, but would love to get some hands-on experience. Where do you think/how do you think I should start?

(I'm currently a web developer)

So normally I'd go Apprenticeship - Junior - Mid level - Senior, is this the same in Security?

Kaspersky_GReAT3 karma

Brian here: Honestly, it depends on the area of focus within “Cyber Security”. Certifications and degrees are great and show dedication and follow-through, but really nothing beats hands-on experience. The best way to get a start with the experience is through an internship (paid or unpaid).

In my experience, some of the best talent I’ve seen has started with an intern who showed a drive to learn as much as possible.

RIP_steveirwin1 karma

What would your company do to gain the good will of IT professionals back? After the whole Russian interests thing, as well as the security concerns, my former company moved away from using Kaspersky. What would you do to prove that we can trust Kaspersky to manage our security?

Kaspersky_GReAT3 karma

Vitaly: You should always manage your security by yourself. Kaspersky or other vendors can only provide you with tools to do it more efficiently. In addition, since politics entered the cybersecurity field, we responded by providing transparency of our processes and products, releasing open source code and launching our own bug bounty program. We are happy to elevate it even further if you have good ideas!

deathlord90001 karma

Shouldn’t the team just be GRAT? Otherwise, it should be GlReAnTe. Please fix.

Kaspersky_GReAT2 karma

Vitaly: The name "GReAT" hints that the beauty of this world can sometimes be found in its imperfection. Once you comprehend this, you no longer need to question such things but enjoy your life journey.

PerFederal1 karma

Why is there no GReAT researcher base in China? You know China has a big IT-sec market.

Kaspersky_GReAT2 karma

Boris Larin and Maria here. We had a China-based researcher in another Kaspersky department but unfortunately not anymore.

Vitaly: What do you mean? China has got the GREAT Wall! Seriously speaking, we slowly grow our presence in Asia country by country, and China is coming soon.

parleasan1 karma

What are we missing?

Kaspersky_GReAT2 karma

Ariel here: Going to conferences and meeting colleagues and friends from different companies.
Dan here: Meeting friends face to face and just going out to concerts and having fun!
Maria here: and additionally spare time for all that :)
Dmitry here: friends who didn’t make it and died because of the COVID-19 :(

kiathan1 karma

How do you assess staff technically during their time in Kaspersky? Based on tests? Portfolio? Accomplishments outside of work?

Edit: additionally, are there competency levels to “grade” your technical skills?

Kaspersky_GReAT2 karma

Brian here: At least in GReAT, we are evaluated based on our performance in many different areas of responsibility. Our research and related work speaks for how well we do each year.

Vitaly here: I usually check what figures people make from clay and leave on their work desks. It tells a lot. I like horses and unicorns. And then you can also see how self-organized and passionate they are in cracking problems in the endless flow we get daily.

Kurt here: work-life balance weighed with a very heavy rock

StayAlertStayAlive1 karma

Your thoughts on NSAKEY?

Kaspersky_GReAT3 karma

Ivan here: Hanlon’s Razor. “Never attribute to malice that which is adequately explained by stupidity.”

Aedengeo0 karma

1. How much info and damage can a person do with basic details like phone number and email (even if I have 2FA)?
2. If you were the CEO of Facebook and Instagram, what steps would you take to make it a better, safer and more secure platform?
3. One of the main privacy issues with Facebook is selling user data to companies for ads. How should this be resolved, as ads are the main source of revenue to keep a company free and running?
4. Are there any free certifications that college students can take which will help them break into the field?

Kaspersky_GReAT2 karma

Question 1

Aseel here: Even if an attacker only has access to an e-mail address or a phone number, they can still take advantage of this information to deliver malicious files or links and generally use them for initial infection.

Noushin here: Even with 2FA enabled, your devices are not protected until you make it your habit not to trust every phone call, message or email that you receive, especially when they ask for sensitive data or personal information.

Igor here: 2FA tied to your phone number is susceptible to a SIM swap attack if the attacker is lucky.

Dmitry here: it depends on the country where you live. In some countries your entire life is connected to your cell phone number. So, when you go shopping and make other payments, they might ask for your phone number. If provided, it will connect those purchases to that number. Potentially, if fraudulent purchases are made, it might lead to unwanted actions and situations in general.

Question 2

Noushin here: Security should not be an afterthought. In order to have a secure platform, you need people who deeply understand security to be involved in your design phase, implementation, and all the way to the support phase. These people need to have a thorough knowledge and sometimes years and years of experience working in the industry. Having the right team of people with constant improvement of their knowledge, I guess, is the answer!

Question 3

Kurt here: the privacy issue isn’t just Facebook. “Targeted advertising” is an industry that wants to be more and more precise.
Vitaly here: This problem is deeper than the ocean. I recommend seeing what the sharpest minds from the social media and tech industry think about it - check out the "Social Dilemma" documentary released this year.

Question 4

Vitaly: In our professional world, free certificates are always self-signed. The same applies to people. I have seen some smart people with certificates signed by reputable organizations, but many more smart people without them. The best way is not to hunt for certifications but learn how to break and fix things. If you made something cool, show it to the others; that will be your ticket!

Ariel here: Certifications are great (no pun intended) but not always necessary. Find an area that interests you in the field, find good recommended literature about it and start playing around.

alka5eltzer0 karma

Where can I get some artwork showing your old packing / boxes... the old vintage retro stuff?

Eugene shows it in his recent "Kaspersky HQ: office walk" video :-)

Kaspersky_GReAT1 karma

Here is a video with the history of our boxes: https://youtu.be/wkjgqBw0EtI

Tarlovskyy0 karma

Who would win, Kaspersky or Kasparov?

Kaspersky_GReAT1 karma

Dmitry here: At this point I believe it would be The Queen's Gambit indeed.

SweetTeaBags0 karma

As far as cyber security goes in universities, what areas in IT should we focus more on as students to excel in this field?

Kaspersky_GReAT1 karma

Aseel here: Programming languages, networking, and internals of operating systems are always helpful. And obviously, anything related to information security.

noypii0 karma

Sometimes my search bar in my Chrome browser is slow to respond to any of my keyboard inputs. Is Kaspersky the cause of this?

Kaspersky_GReAT4 karma

Ariel here: Check your extensions; they’re the new toolbars. Also see if autocomplete suggestions might be the cause of that. If all else fails, blame the antivirus.

danielqba-1 karma

Have you seen any "blockchain virus"???

Kaspersky_GReAT-2 karma

Aseel here: When I die, I want a blockchain virus to lower me into my grave, so it can let me down one last time.

Vitaly here: Not really in the wild, but what's on the blockchain lives forever. I presented on it at Black Hat Asia 2015 with a live demo of a shellcode loaded from the blockchain: https://www.youtube.com/watch?v=KkixID3ICNg

danielqba-1 karma

As an antivirus team, do you feel powerless against COVID-19? Or you think you can code a vaccine? 😅🤣

Kaspersky_GReAT3 karma

Costin here: Sometimes I wish life was just as easy as computers. Seriously speaking, some of my friends have caught SARS-CoV-2 and recovered. I’ve been trying to exercise daily, eat healthier food and drink more water. Being Romanian, I also try to add garlic to every meal as well. So, why talk about garlic? Well, according to my late grandfather, who lived to the respectable age of 102, it is very good for your health. Actually, my grandfather lived by a very strict routine for the last 40 years of his life, which included the following daily activities:

I can’t say for sure if a) and b) were the formula for his exceptional health (he only took antibiotics once in his life, at 80 years old), however, as some would say, experimental observations suggest you may live longer if you do these things as well.

Back to garlic; there is one more thing to keep in mind. It’s good against vampires!

antaryon-1 karma

Can you go next door to the FSB and ask who actually won the US elections?

Kaspersky_GReAT2 karma

Igor here - no, they’re too far. You need to take a cab or go by metro.
Kurt here - US headquarters still counting ballots
Brian here: By “FSB” do you mean “Friendly Secret Banya”?

btk_-1 karma

Long-time Kaspersky user. What, as a home Windows 10 user, can I do to prevent or prepare to recover from ransomware, on the cheap?

Kaspersky_GReAT1 karma

Igor here: The cheapest and the most effective solution is simple: offline backups. An external HDD or a USB stick would do.

EspoMr-3 karma

What is your favorite kung fu movie?

Kaspersky_GReAT2 karma

Brian here: Kung Fu Panda

Costin here: I recently watched Five Deadly Venoms, a 1978 movie produced by the Shaw Brothers studio. I love the 70’s style filming, no CGI, odd filming angles and lenses, the acting, choreography and, of course, the artists’ martial arts performance. You can find it on Netflix btw! I’m also a big fan of Jet Li’s “Hero” (Yīngxióng), which is possibly one of the best martial arts movies ever filmed. I remember reading a story about a younger Jet Li, competing in a wushu contest. He broke his hand before the final and fought with it broken, not telling anyone. He is just that tough.

Kurt here: The Kill Bill series is a blast

maleta32-3 karma

who killed kennedy?

the subreddit is called ask me anything so...

Kaspersky_GReAT1 karma

Costin here: The “Watchmen” opening credits have a possible answer