When it comes to being a malware analyst, the name of the game is reverse engineering.
A person in this position examines malicious software, such as Trojan horses, bots, and worms, in order to ascertain the threats to hardware and software. Sometimes referred to as a reverse engineer, a malware analyst needs to understand programming languages, since malicious code can manifest itself in a variety of ways, and such a person must also be fully adept in the realms of software development and reverse engineering.
The nature of the threats continues to change as creators of malicious code get craftier, which means that a malware analyst cannot expect to succeed in his or her job with outdated hard and soft skills.
“The anti-analysis capabilities of malware are becoming more and more advanced,” said Isaac Palmer, malware reverse engineer specialist at Damballa. “With source code leaks like Zeus and Carberp, malware writers can build from the skills of the authors that came before them. Anti-virtual machine code is being posted in black-hat forums, making it harder for sandbox analysis systems to get good data out of some samples.”
He added that there will always be a need for malware analysts who stay abreast of developments in the malicious-software space.
According to Ronnie Tokazowski, senior researcher at PhishMe, a lot has changed in terms of the skills required of malware analysts in 2014 compared to 2009.
What follows is the transcript of an interview in which Tokazowski provided, among other things, insight into what the job entails and the skills needed to be successful.
Q: What led you to become a malware analyst?
A: I have always had an interest in computer viruses. Growing up, I would do computer tech work for folks in my neighborhood. There would be times when the anti-virus on their computer wouldn’t pick up the malware on their computers, so I would have to go and find out where it was hiding. I took it more as a challenge to see if I could beat the AV software. One of the most memorable calls of mine was to fix a computer that was having trouble, and I was paid 20 bucks, a few pounds of jelly beans and a Mountain Dew. What more could a teenager ask for?
Fast-forward to college, where I worked as a technician on campus. I would fix students’ computers, and many times I would have to deal with malware infections. I was usually called with the one-off problems, which were typically related to malware that dug itself into the system, and again was not found by AV software. Another day, another puzzle, something new.
At the first round of an interview with a defense contractor, I had to analyze a piece of malware. At this point in time (2010), I hadn’t taken a deep dive into malware from a reverse-engineering perspective. I researched all I could, looking into things such as how to set up a VM and run a sample of malware safely in it. While I didn’t get the position as a reverse engineer at the time, I was hired for an analyst position, where I was exposed to many things in security such as APT, network forensics, and reverse engineering. It was a combination of on-the-job experience, bouncing things off of co-workers and learning from others in the industry that kept me coming back for more malware.
The one thing that keeps me doing reverse engineering is it’s always something new and different. There’s always a new malware sample, a new encryption algorithm and a new nation state joining the cyber game.
Q: Can you discuss some of the hard skills you need as a malware analyst in 2014 as compared to those you needed in 2009?
A: For hard skills as a malware analyst in 2014, knowing the inner workings of computer systems is a plus. I feel that my background as a technician helped me to look at a system from a perspective of ‘there’s something wrong here.’ There are many training courses out there, so keeping up on the newest and greatest techniques is also a plus. Compared to 2009, things were simple, as most malware wrote to start-up or was able to be found by checking “msconfig” to see what programs were set to start at boot.
Q: What about soft skills? Is there a difference when comparing 2014 with 2009?
A: For soft skills in 2014, being able to look at data and identify possible encryption schemes based off of data is a plus. This helps to speed up analysis, as you can spot possible encoded data without touching the data. Malware analysts who are successful in the industry have a passion for what they do and really enjoy digging into binary data. However, the good thing is I have yet to meet a malware analyst who wasn’t passionate about reverse engineering.
In 2009, things were simpler. You didn’t have to worry about packed or encoded binaries, and IRC botnets were all around. It was very easy to look at the malware and find the IRC servers in order to block the attackers.
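The two habits Tokazowski describes in this answer, recognising encoded or encrypted data from its statistics before touching it and pulling command-and-control indicators such as IRC server names out of a plain sample, can both be mechanised for triage. The script below is an added example written for this page; it is not code from the article, from PhishMe or from Tokazowski. It computes Shannon entropy per block to mark regions that look packed or encrypted, then extracts printable strings only from the blocks the entropy profile classifies as plain, so the noise strings that random-looking data produces are dropped. The sample file, the block size (512 bytes), the entropy threshold (7.0 bits per byte) and the `irc.example.invalid` indicator are all constructed for the demonstration.

```python
import math
import random
import re
from collections import Counter
from typing import List, Tuple

# Printable ASCII runs of at least min_len bytes (the classic "strings" heuristic).
def _string_pattern(min_len: int) -> "re.Pattern[bytes]":
    return re.compile(rb"[\x20-\x7e]{%d,}" % min_len)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_profile(data: bytes, block_size: int = 512) -> List[Tuple[int, float]]:
    """(offset, entropy) for each fixed-size block of the input."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def high_entropy_regions(data: bytes, block_size: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Merge consecutive blocks at or above the threshold into [start, end) ranges.

    Block granularity is deliberate: an encrypted blob that starts mid-block is
    reported from the next block boundary, so the ranges are a triage hint, not
    an exact carve.
    """
    regions: List[Tuple[int, int]] = []
    start = None
    for off, h in entropy_profile(data, block_size):
        if h >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def strings_in_plain_regions(data: bytes, block_size: int = 512,
                             threshold: float = 7.0,
                             min_len: int = 6) -> List[Tuple[int, str]]:
    """Printable strings whose start offset lies outside every high-entropy region.

    Random-looking data yields a spurious 6-byte printable run roughly every
    few hundred bytes; restricting extraction to the plain regions keeps the
    indicator list readable.
    """
    noisy = high_entropy_regions(data, block_size, threshold)
    found: List[Tuple[int, str]] = []
    for m in _string_pattern(min_len).finditer(data):
        if any(s <= m.start() < e for s, e in noisy):
            continue
        found.append((m.start(), m.group().decode("ascii")))
    return found


def build_sample() -> bytes:
    """Constructed stand-in for a sample: a DOS-style header, a plain block of
    strings (including a made-up IRC server name), then a pseudo-random blob that
    plays the role of a packed or encrypted payload. Not a real malware file."""
    header = b"MZ" + b"\x00" * 62
    text = (b"This program cannot be run in DOS mode.\r\n"
            b"irc.example.invalid\x00#botchan\x00NICK bot\x00") * 10
    rng = random.Random(20140101)          # fixed seed keeps the output reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return header + text + blob


if __name__ == "__main__":
    sample = build_sample()
    print("overall entropy: %.2f bits/byte" % shannon_entropy(sample))
    for off, h in entropy_profile(sample):
        print("  block @%5d: %.2f" % (off, h))
    print("high-entropy regions:", high_entropy_regions(sample))
    for off, s in strings_in_plain_regions(sample)[:6]:
        print("  string @%5d: %s" % (off, s))
```

On a real file the same profile is the quick check before any dynamic analysis: a PE whose code section sits near 8 bits per byte is almost certainly packed, and the strings worth blocking or hunting on will be in whatever sections the profile leaves as plain, or will only appear in memory after unpacking.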
Q: What sort of challenges do you face in 2014 that you did not face in 2009?
A: Cryptography, encryption and obfuscation. As more analysts have entered the field, attackers have stepped up their game and are starting to hide their tracks more.
Q: On the education front, have the requirements in terms of degrees or certifications changed in any way when comparing 2014 and 2009?
A: In 2009, there really weren’t many ways to get security education, unless it was on the job. Now, there are dozens of certifications and classes you can take about reversing malware.
Q: Is it possible to become a malware analyst without going a traditional route?
A: This is very possible. However, a candidate needs to be given the opportunity to show their experience. I have seen some very talented individuals with just a high school education. However, they have that passion to take things apart, which is a big plus in my book.
Q: What sort of career advice would you give a student in college or university who wants to become a malware analyst?
A: For students in college or university who are looking to become a malware analyst, start researching now. The knowledge one gains in a traditional four-year institute is usually outdated within two years, and in some cases is outdated when one first attends.
Tokazowski explained that the cyber security space has changed considerably over the last five years, and more change in the months and years ahead is a certainty. For students looking to ultimately work in the industry, he offered one more recommendation.
“I would also recommend finding other like-minded individuals as you can bounce ideas off of each other,” said Tokazowski.