2021-06-05

Don’t let expectations define who you are. I’ve been a malware researcher my whole career. I had a single female colleague. But I didn’t let this make me consider switching from a position I love to something more traditionally considered “feminine”.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Doina Cosovan.

Doina Cosovan is a Malware Researcher at SecurityScorecard, the global leader in cybersecurity ratings, where she focuses on ideation and implementing proof of concepts, finding ways of non-intrusively gathering malware-related signals. Her research on various cybersecurity topics such as malware packers, Command and Control communication protocols, analysis of various malware families, web injects, adware, and machine learning for malware detection is often cited in research and technical journals such as the “Journal of Computer Virology and Hacking Techniques” and “International Conference on Artificial Neural Networks.” Her talk tracks have also been featured in cybersecurity conferences such as VirusBulletin, CARO, AVAR, Cyber Security Summit and more.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I was born in Moldova’s capital, Chisinau. My father had to work abroad for most of my life to make ends meet, while my mother was struggling to raise my brother and me. Regardless, they managed to provide us with everything we needed.

When the time came for high school, I decided to apply for a scholarship in Romania, a neighboring country that shares the same language and culture as Moldova. I managed to secure a place in Iasi, Romania. I vividly remember sitting alone one day in our apartment in Chisinau a few days before the departure and thinking things would never be the same again.

It took me some time to adjust in Romania: for example, the Moldovans are exposed to both Romanian and Russian languages, which means the Romanian language that Moldovans speak has some Russian influence, such as the accent and borrowed words. Though it took some time, I did find my place in Romania and have lived here since.

There are people that say they always knew what they wanted to do with their life — not me. I decided I wanted to get a Computer Science degree in my last year of high school. While I enjoyed other fields of study, when I imagined my future, being a programmer caught my attention the most, especially cybersecurity. I secured a position as a Malware Researcher at a cybersecurity company towards the end of my second year of college and learned a lot during my five years there.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

There are many books that had a significant impact on me in one way or another.

Charles Duhigg taught me “The Power of Habit” — that real progress is achieved with habits, not willpower, and that I am what I repeatedly do.

In “Thinking, Fast and Slow”, Daniel Kahneman introduces and explains many ways in which people make decisions irrationally. This taught me to accept that I am not the rational being I thought I was and that I need to monitor my emotions and document irrational tendencies when I have to make an important decision, switching from fast thinking to slow thinking.

Carol Dweck’s “Mindset” pushed me to embark on a lifelong learning journey and to stop overestimating talent at the expense of hard work.

Alfie Kohn made me realize that I was being “Punished by Rewards” by highlighting the dark side of praise. I realized that praise can make us dependent on the appraiser’s opinion, that praise can enslave us to the fear of failure, and that being curious and asking questions is a stronger motivator than praise.

With “Man’s Search for Meaning”, Viktor Frankl made me realize that you can lose everything in life except the way you react to the things that are happening to you.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I started my cybersecurity career at BitDefender, which is based in Romania. It is where I fell in love with this field.

Reverse engineering and malware analysis are like solving a puzzle. Usually you have to unpack the malware sample first. Then you decrypt the strings and resolve the imports. Only after that do you start looking at what the code does. It’s like having a dark room with many small and big lights, and you start turning them on one by one.

Then you start comparing it with other samples of the same malware — this is another puzzle entirely: how to gather more samples of the same malware, how to figure out a chronology, why a particular change was made, why a particular period of time was more active or passive, and so on.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Many years ago, I was analyzing a malware sample and, in order to observe its behavior, I decided to execute it on a virtual machine. I added the “exe” extension and clicked Enter only to realize that I was not on the virtual machine but on the host machine. I panicked for a few seconds. Then I executed the sample on the virtual machine, observed all the changes it made there and reverted them on the host machine: kill the process, remove the registry key it used for persistence, remove the copy it created on disk. Fortunately, it was something that didn’t require much effort to reverse the changes, unlike a file infector or rootkit. This taught me to be more careful when handling malware samples.

Are you working on any exciting new projects now? How do you think that will help people?

SecurityScorecard is an integral member of the Ransomware Task Force alongside several other high-profile cybersecurity companies. We are proud to be working together to find causality between various security-related signals and ransomware infections. It would be very helpful for companies to know which of their security issues can lead to ransomware infections so that they can focus on fixing them and, hopefully, prevent infection. This is part of SecurityScorecard’s mission of making the world a safer place and I am happy to be a part of that larger mission.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

I see an increased level of collaboration among the entities from the cybersecurity sphere. For example, in addition to the Ransomware Task Force mentioned previously, SecurityScorecard is also a proud member of the Cyber Threat Alliance, a non-profit organization that brings security companies together in an effort to encourage sharing of malware samples, indicators of compromise, research, and ideas.

Compared to a decade ago, there are currently better learning resources (books, articles, white papers, conferences, tutorials, certifications, courses, technical blogs) and tooling available (e.g. more disassemblers, a bigger variety of assembly-level debuggers, various online sandboxes).

Usually, companies are inclined to hide the fact that they’ve been breached in an attempt to avoid a crisis. However, nowadays it is harder to hide a breach for several reasons. First, the stolen data is openly sold on hacker forums. Second, the ransomware attackers maintain wall-of-shame websites, threatening the victims not willing to pay the ransom with being added to the list and even having their data published. Third, there is an increased prevalence of the supply chain as an infection vector, which means the attackers infect a company in order to get access to all the companies using affected products developed by the infected company. Even if the initially infected company wants to hide the breach, any of the client companies infected as a result can uncover the infection vector. While at first sight this seems bad for the initially infected company, a more open discussion about how and why a breach occurred helps understand the attackers’ tactics, techniques and procedures (TTPs), which in turn might help with detection and prevention.

What are the 3 things that concern you about the cybersecurity industry? Can you explain? What can be done to address those concerns?

Everything we publicly share with our fellow malware researchers, we also inadvertently share with the attackers. We communicate on public channels while they communicate on private channels. An existing solution for this is private groups of malware / security researchers. The downside of this approach is that the information sharing is restrained to a select audience.

The dark side pays better. Fortunately, most people are driven by moral values and principles. A bigger salary doesn’t make up for the feeling of pride that you get when you are doing the right thing. All the cybersecurity practitioners around the world are choosing to build, not destroy, to give and not take, to fight, not take flight.

The attacks are becoming more frequent and more advanced. There is more collaboration between attackers (e.g. the appearance of a ransomware cartel).

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

A few things:

Given the prevalence of the supply chain attack as an infection vector, companies need to be aware that monitoring the security practices of their vendors is imperative. A company is as secure as the least secure of its vendors.

Given the recent huge increase in the valuation of cryptocurrency, the attackers might put more effort into mining / stealing it as it becomes more valuable.

By combining ransomware with data breaches, the attackers specialized in ransomware might increase both the quantity of breaches and the amount of breached data.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

In October 2019, SecurityScorecard’s Threat Intelligence team (which I am a part of) discovered QSnatch, a malware targeting Quality Network Appliance Provider (QNAP) Network Attached Storage (NAS) systems.

A NAS is a dedicated file storage server providing data access to heterogeneous clients. A business might use such a server for storing its data in a single place and providing access to that data to its employees, clients, and partners. The NAS provided by QNAP Systems, Inc. runs a Linux-based operating system called QTS.

While monitoring passive DNS data for emerging malware families, SecurityScorecard researchers stumbled upon several suspicious domains. On October 10, 2019, the Threat Intelligence team decided to gather more information by sinkholing one such domain and received requests from almost 100,000 unique IP addresses.

Although the sinkhole received a large number of requests from infected devices on the first day, the next day it received very few requests. This discrepancy, along with the fact that passive DNS data indicated a limited time period for the domains’ validity, suggested a date-dependent Domain Generation Algorithm (DGA). A DGA is an algorithm that generates domains in a deterministic pseudo-random fashion. A date-dependent DGA is a DGA that terminates a domain’s validity after a certain period of time.
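As an added illustration of the sinkhole pattern described above (this is constructed example code, not the page’s or QSnatch’s actual algorithm, which the page does not give), the toy date-seeded DGA below shows why a sinkhole holding a single domain goes quiet after one day, and how a defender who has recovered the algorithm pre-computes the upcoming domains so they can be sinkholed or block-listed ahead of time. The seed, label length and TLD list are assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed seed for a hypothetical malware family; a real DGA typically
# hard-codes a family-specific constant that is recovered during analysis.
SEED = b"example-family-seed-2019"
TLDS = ("com", "net", "org")


def _as_date(day) -> date:
    """Accept a date object or an ISO string such as '2019-10-10'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def dga_domain(day, seed: bytes = SEED) -> str:
    """Derive the single domain that is valid on the given calendar day.

    Mixing the date into the hash is what makes a domain expire: on the
    next day every infected host computes a different name.
    """
    digest = hashlib.sha256(seed + _as_date(day).isoformat().encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    tld = TLDS[digest[12] % len(TLDS)]
    return f"{label}.{tld}"


def upcoming_domains(start, days: int, seed: bytes = SEED) -> list[str]:
    """Defender use: pre-compute the domains for the next `days` days so
    they can be sinkholed or block-listed before the bots roll over."""
    first = _as_date(start)
    return [dga_domain(first + timedelta(days=i), seed) for i in range(days)]


def sinkhole_hits(sinkholed: set[str], start, days: int, bots: int,
                  seed: bytes = SEED) -> list[int]:
    """Per-day number of infected hosts that reach a sinkholed domain.

    Each bot contacts only the current day's domain, so a sinkhole holding a
    single domain sees traffic for one day and then almost nothing.
    """
    first = _as_date(start)
    hits = []
    for i in range(days):
        today = dga_domain(first + timedelta(days=i), seed)
        hits.append(bots if today in sinkholed else 0)
    return hits


if __name__ == "__main__":
    # Mirrors the observation in the text: one domain sinkholed on
    # 2019-10-10, traffic collapses the day after.
    one = {dga_domain("2019-10-10")}
    print("single domain sinkholed:", sinkhole_hits(one, "2019-10-10", 3, 100_000))
    # With the DGA recovered, the whole week can be covered in advance.
    week = set(upcoming_domains("2019-10-10", 7))
    print("week pre-registered:    ", sinkhole_hits(week, "2019-10-10", 7, 100_000))
```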

In order to keep gathering requests from machines infected by this malware family, the DGA needed to be uncovered. Since the DGA is embedded in the malware samples, researchers first needed to find malware samples corresponding to this malware family. In order to achieve this, SecurityScorecard’s Threat Intel team used the URL’s form (/qnap_firmware.xml?t=<timestamp>) to search through VirusTotal’s behavioral reports for samples corresponding to this malware family. In this way, SecurityScorecard discovered multiple shell scripts uploaded to VirusTotal dating back to January-February 2019. Additional research found that this malware had been active before that date.

SecurityScorecard shares sinkhole feeds with ShadowServer, which then shares them with the national Computer Emergency Response Teams (CERTs), including the National Cyber Security Centre of Finland (NCSC-FI). NCSC-FI received the signals and asked for more information on October 22, 2019. In response to the requests, SecurityScorecard provided the information, which led them to research further as well as to publish a blog post. On November 4, 2019, they added an update to that blog post, crediting SecurityScorecard for the initial information sharing and collaboration. In the meantime, QSnatch made it to the center of media reports. All this attention led to efforts to clean the infected systems, so that today there are approximately 40,000 infected systems compared to around 100,000 systems contacting our sinkholes at the time of discovery.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Sysinternals Suite — a set of tools for monitoring and managing the activity of processes, files, registries, networking, etc.

VirusTotal — provides files and URLs scanned with a huge selection of security products.

Burp Suite — monitoring and manipulation of network content.

IDA Pro — disassembler (generates assembly language source code from machine-executable code).

OllyDbg / Immunity Debugger — assembly-level debuggers.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Huge amounts of data being transferred outside the network might indicate data exfiltration.

More spam to / suspicious activity from some accounts might indicate those accounts have been breached.

Some exploits might crash the application/system they are trying to exploit, so an unusual crash might be an indicator that something is amiss.

Use canary tokens — fake files on your system, fake emails in your inbox, fake URLs, etc. which trigger a notification when accessed. Since they shouldn’t be opened by you or any legitimate application, a notification that the tokens have been accessed is an indicator that someone / something is accessing your files, emails, databases, etc.

Unusual behavior on your system or your network.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

After a company has been notified of a security breach, there are a few steps they need to take:

notify as soon as possible all the affected customers about what exactly was breached so that the customers can take further actions

discover the source of the breach, think of similar ways they can get breached and fix them

continuously monitor the security scorecard of their company and fix their issues as soon as possible

continuously monitor the security scorecard of their company providers and ask them to fix their issues as soon as possible

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Companies usually make the following mistakes:

The companies unnecessarily expose their digital footprint, increasing their attack surface. They should expose externally only what is absolutely necessary.

The companies don’t update / patch the software and technology they use in a timely manner. The frequency of updates should be increased and the responsibility should be assigned to a specific person.

The company employees reuse or use easy to guess passwords. The company should provide password management software to their employees.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

If we want to change the status quo regarding women in STEM we need to fight against prejudice, expectations, priming, and implicit associations.

I believe there is a prejudice that women are better at humanities subjects and therefore they are expected to follow a career in that direction. Unfortunately, people in general tend to do what is expected of them. Take, for example, the experiment in which some people are asked to take a test on a subject with the condition that the people belong to a category (e.g. gender, race, nationality, etc.) for which there is a prejudice that they should perform worse in the given subject. If they are split in two groups and one of the groups is asked to mark the category they belong to on the test paper while the other group is not, then the group asked to mark the category will actually perform worse because they have been primed to do so.

It has been shown that even if we don’t agree with and don’t want to associate specific categories with specific activities, we still unconsciously do it. Take, for example, the Gender-Career Implicit Association Test, in which you have four categories: Female, Male, Career, and Family. You are provided with words that belong to those categories and you have to put them in one of two columns. The most revealing classifications are the following two: one column for Male and Career words and the other for Female and Family words, AND one column for Male and Family words and the other for Female and Career words. It takes longer to classify the words of the four categories when the columns are Male and Family versus Female and Career than when the columns are Male and Career versus Female and Family.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

There is some terminology that is usually misused: virus versus malware. Malware is the term used to describe any type of malicious code, while a virus is a file infector — a type of malware that adds malicious code to other, usually legitimate, files so that the malicious code is executed when the host file is executed.

Myths:

One of the myths I encountered a lot is that using antivirus software makes you safe. No antivirus software has a 100% detection rate. A myth I myself believed in is “I can safely google information about the malware I’m analysing”. Malware researchers usually search the web for more information about various specific strings they find in the malware sample. There are at least two potential problems with this myth. First, the attackers can set up a website to appear in the search results for you to click on. Second, given the way advertising works, the attacker can insert into the malware sample a randomly generated string and make sure to serve malvertising to those searching for that string. Since the string is only present in the malware sample, the attacker knows the advertising will be shown to researchers looking into the malware. This is important because it both tips the attacker off about ongoing research into his/her malware and provides the attacker with a way to gather information or infect the researcher.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

Don’t let expectations define who you are. I’ve been a malware researcher my whole career. I had a single female colleague. But I didn’t let this make me consider switching from a position I love to something more traditionally considered “feminine”.

Favour curiosity over praise. At some point I started to receive constant praise from a person and, in time, I quickly observed my tendency to depend on that person’s opinion. I realised praise can be used as a powerful manipulation tool. Rather than praise, genuine curiosity is a much better endorsement.

Avoid complacency like the plague. After a successful project, I became complacent. Fortunately, I realized I don’t want one single project to define my work, so I started actively researching new ways of achieving results.

Don’t let the ups and downs make you feel like a superstar or a failure. I’ve had days in which two bad things happened and I was considering it to be a bad day — even if good things happened afterwards, I was inclined to ignore them because of confirmation bias. I’ve also had days in which one really good thing happened and I became complacent for the rest of the day — instead of working towards more good things. The better approach is to take the time to enjoy / adjust to the good / bad things but not put a label on the entire day.

Appreciate autonomy. I’ve always had autonomy in my workplace — if I come up with an idea I’m free to test it, implement a proof of concept and present it. I was taking it for granted until I heard friends / acquaintances complaining about the lack of it or simply not understanding how it is possible.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!