Taking some time to reflect

The industry I work for used to be called anti-virus, anti-malware etc. For a while now it's been part of the cyber-security world.

I started the day after I completed my time in the Norwegian army back in 1994 and I haven't looked back since. Back then, anti-malware engines were very simple by design. I remember the Virus Bulletin magazine coming out monthly with a page or two of "new viruses" and suggested scan-strings. The zoo-collection was some floppies. Those were the days...

Back then we had a monthly wild-list which was the benchmark of what AV needed to detect as a minimum. For years (or decades), the arguments have been made that this needed to improve to reflect what's really out there. These days, once seen in the wild - it probably means you'll never see it again. We're in a one-off world where an attack uses a unique set of objects that nobody else sees. Next time it will have a different physical form.

Emulators fast became a very generic tool as entry-points of viruses started to manifest themselves deeper into the code of their hosts, to break simple encryption-routines etc. My first attempt at an emulator (1995?) supported a handful of opcodes and did the job on the samples that we had (SMEG anyone?). I think I had a 286 laptop to write it on with a defective battery. The speed was "amazing" of course, as it supported 0.02% of what clean samples would do back then, but we didn't want to run those.

Years and years later this had evolved into a full emulator, filled with virtual hardware & my own win32 operating system. From boot to sample running, and even doing “restarts”. I remember one day using a debugger to match one of the features of my analyser; setting a break-point at the start of a newly started child-process to do further analysis. My world had been "virtual" for so long using my own tools. The number of steps needed to perform this simple task in real life, which was just a process-less break-point in my tools, really got to me. In real life that kind of break-point doesn't exist, but that's the beauty of emulators - you can add features to the CPU which are invisible to the "guests".

One good old memory was the ACG series of metamorphic viruses. Yes, we're talking good old MS-DOS. Metamorphic means you can look at any sample of the infection and under each layer you won't find any sequence that looks the same to make any signature - but it effectively behaves the same when it’s run. That became my first reason to write a sandbox back in 1998/1999 - to let the virus show what it was doing instead of trying to find it via the ever evolving code. When this support was done, I was astonished to see it needed nearly 19 million emulator opcodes to run to get to the point of solid detection. At that point it was unheard of. Fast forward to today, it's absolutely nothing. You can easily spend millions of emulator cycles to unpack a normal PE packer/protector. Good thing our CPUs are faster, memory is cheap and we can use cloud services.
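The ACG point above, as an added example that is not part of the original article: a hypothetical mini-VM (not the author's emulator) runs two hand-made "metamorphic" variants that share no instruction sequence but leave the same behaviour trace. A scan-string matches only one of them, a behaviour signature matches both, and a cycle budget keeps a looping sample from running forever. All programs, opcodes and event names are constructed for the illustration.

```python
"""Toy emulator: byte signatures vs. behaviour signatures on metamorphic variants.
Hypothetical mini-VM and constructed samples; no real malware or engine involved."""

def emulate(program, max_cycles=10_000):
    """Run a list of (opcode, arg1, arg2) tuples; return (behaviour trace, cycles used).
    'SYS' is the only instruction with observable effects: it records (event, register value).
    The cycle budget is the emulator's answer to samples that never terminate."""
    regs = {"r0": 0, "r1": 0, "r2": 0}
    val = lambda x: regs[x] if x in regs else x  # operand is a register name or an immediate
    trace, pc, cycles = [], 0, 0
    while pc < len(program) and cycles < max_cycles:
        op, a, b = program[pc]
        cycles += 1
        if op == "MOV":   regs[a] = val(b)
        elif op == "ADD": regs[a] += val(b)
        elif op == "XOR": regs[a] ^= val(b)
        elif op == "JMP": pc = a; continue
        elif op == "SYS": trace.append((a, regs[b]))
        # "NOP" falls through
        pc += 1
    return trace, cycles

# Variant A: the "plain" form. Variant B: same behaviour, rewritten with junk,
# register renaming, arithmetic equivalences and a jump over padding.
VARIANT_A = [("MOV", "r0", 7), ("SYS", "open", "r0"), ("MOV", "r1", 7), ("SYS", "write", "r1")]
VARIANT_B = [("JMP", 3, None), ("NOP", None, None), ("NOP", None, None),
             ("MOV", "r2", 3), ("NOP", None, None), ("ADD", "r2", 4), ("SYS", "open", "r2"),
             ("XOR", "r1", "r1"), ("ADD", "r1", "r2"), ("SYS", "write", "r1")]
LOOPER = [("JMP", 0, None)]  # never terminates without a budget

BYTE_SIG = VARIANT_A[:2]                      # scan-string taken from variant A
BEHAVIOUR_SIG = [("open", 7), ("write", 7)]   # what the sample does, in order

def byte_signature_match(program, sig):
    """Classic scan-string: does this exact instruction sequence occur anywhere?"""
    n = len(sig)
    return any(program[i:i + n] == sig for i in range(len(program) - n + 1))

def behaviour_match(trace, sig):
    """Ordered subsequence match on the trace; unrelated events in between are ignored."""
    it = iter(trace)
    return all(any(ev == want for ev in it) for want in sig)

if __name__ == "__main__":
    for name, prog in (("A", VARIANT_A), ("B", VARIANT_B)):
        trace, cycles = emulate(prog)
        print(name, "bytes:", byte_signature_match(prog, BYTE_SIG),
              "behaviour:", behaviour_match(trace, BEHAVIOUR_SIG), "cycles:", cycles)
```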

One thing is analysing malware from the wild, another thing is when you do it with a huge organisation that has been affected by something unknown and the world-wide consequences are scary. You get a copy of some hard-disks and start digging. This must have been the most exciting time in my career as it involved things I can't talk about, but in the end - when I found what I was looking for - I started looking for black cars parked in my street. If I wasn't paranoid enough to start with, this didn't help.

After doing this for ~20 years I needed a change. I was stuck in such a small world, stuck in my comfort zone. One day I got a call from a recruiter asking if I wanted to try something completely different. I liked the sound of that, so I went for it.

That got me into Websense, exactly 6 years ago today, in a totally different role to start with. Websense turned into Forcepoint and since then we have steadily been creating the Human Centric approach which in these days of Covid-19 really shows us people are the new perimeter as nearly everyone who can, works from home.

For a long time now I’ve been working in Innovation Labs under the Office of the CTO where we run all kinds of research-projects covering the entire range from a to z of our product portfolio and beyond. To start with, I must admit, my skills coming from the "old anti-malware" side of the house weren't a great match. Not much asm and C. So much to learn, but after learning and practising new skills for some time you get used to nearly always working outside your comfort zone. This becomes the new normal. There is always new stuff to learn, and I get to use compartments of knowledge from the old days - matching it with new technology, capabilities, tools and new use-cases to solve new and old problems. We still have largely the same problems as before due to the ever-growing complexity of our systems, constant connectivity and persistent attackers increasing their efforts as everything is digital and they just need a vulnerability to get a step closer; but we have such an arsenal of tools, power and skills to make a difference. Working with younger talented people with totally different skill-sets has been amazing, leading to a lot of new exciting possibilities.

“Even an old dog can learn new tricks” comes to mind when I look back on these 26 years or so of experience. Can’t wait to see what’s behind the next corner...

Note: Opinions expressed in this article are my private opinions, not necessarily those of my employer.