Vishal Hariprasad has seen two sides of IT security. Formerly a Cyberspace Operations Officer for the US Air Force and National Security Agency, ‘V8’ is now a Threat Intelligence Architect at Unit 42, Palo Alto Networks’ threat intelligence research team, and a participant in the Cyber Threat Alliance. He tells CNME about his experience of advanced malware.
Tell me about the Cyber Threat Alliance. Who are you and what do you do?
We’re a one-year-old organisation that was founded by Palo Alto Networks, Intel Security, Fortinet and Symantec. We have a strong interest in threat intelligence trends, groups and actors, and our aim is to publish research into cutting-edge malware, and develop the enhancement of the Open Source community.
The Cyber Threat Alliance consists of eight members and is rapidly growing. Every member must share 1,000 samples of malware per day to justify its membership, so in general we have over 10,000 samples arriving daily. This allows us to continually analyse what is out there.
We don’t yet have members in the Middle East but we are always looking for affiliates from all regions. We want global perspectives on research that aren’t geo-specific.
Your background was in the US military. How did you make the jump to Silicon Valley?
As a mathematics undergraduate I got a job in the cyberwarfare office at the NSA, and I saw a unique side of advanced malware. In terms of advanced persistent threats I was always thinking about how they could be stopped. That’s what I was trained for. I gained funding from Silicon Valley, and, after a lot of work, was very fortunate not to be amongst the 99 percent of startups who fail.
I was initially skeptical about Silicon Valley, and didn’t necessarily want to be a part of it. But now that I’m there, I’m almost indoctrinated by the place. The culture there is one of the aggressive pursuit of ideas; they have no time for naysayers. On the East Coast of the US, if you fail, you’re finished. But in Silicon Valley, failure is almost a rite of passage, and you’re held in higher regard if you take risks.
What has working at the NSA taught you about malware and security?
When I was working out in the field in the Iraq War, I really got a chance to see who the attackers we were combating were. Ultimately, at the other end of a connection is a human being. They’re doing what they do because they’re trying to earn a living. They aren’t just there to mess with us – most are just after money. When it comes to their ability to design iterative malware, it gives them an advantage. Credit card details may be worth $1 to them, while social security numbers are worth $10 and health records $50. Even political hacktivists are still human beings, but their malware is probably commodity-based, so is less intensely motivated.
One of your specialist subjects is point of sale malware. Can you expand on that?
It’s become much more serious over the last year-and-a-half. A lot of companies hadn’t realised how similar their POS systems are to the Windows XP systems they have at home – when the Target breach occurred, around 70 percent of all ATMs worldwide were running Windows XP Service Pack 0. The three or four pieces of commodity malware used in the Target breach were easily available on the underground market. Target’s SOC flagged it up as generic malware, not specifying it was POS-based. That’s scary. The detection may be there, but even a generic alert can’t be ignored. I advocate using as many sources of threat intelligence as possible.
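The two points in that answer, that a “generic” verdict on a point-of-sale host is not a generic event and that several intelligence sources together say more than any one of them, can be shown as a small alert-triage routine. The block below is an added example, not code from the interview, from Unit 42 or from the Cyber Threat Alliance; the asset inventory, the sample hashes, the three intel feeds and the severity ladder are all constructed for illustration.

```python
"""Alert-triage sketch added to illustrate the interview's point: a 'generic'
malware verdict on a point-of-sale host should be escalated, and several
threat-intelligence sources consulted together say more than any one of them.
Not code from the interview or from Unit 42; every host, hash and feed record
below is constructed for the example."""
from dataclasses import dataclass, field

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed asset inventory (assumption): hostname -> business role.
ASSET_ROLES = {
    "pos-lane-04": "pos",
    "hr-laptop-12": "workstation",
}

# Constructed sample hashes (not real malware hashes).
HASH_SEEN_WIDELY = "3f" * 32   # known to two feeds, one of which tags it as POS malware
HASH_SEEN_ONCE = "5a" * 32     # known to one feed, only as a generic trojan
HASH_UNKNOWN = "9c" * 32       # known to no feed

# Constructed threat-intel feeds (assumption): feed name -> {sha256: record}.
# In practice each would be a separate vendor, ISAC or alliance feed.
INTEL_FEEDS = {
    "feed_a": {
        HASH_SEEN_WIDELY: {"family": "generic.trojan", "tags": []},
        HASH_SEEN_ONCE: {"family": "generic.trojan", "tags": []},
    },
    "feed_b": {
        HASH_SEEN_WIDELY: {"family": "BlackPOS", "tags": ["pos", "ram-scraper"]},
    },
    "feed_c": {},
}


@dataclass
class Alert:
    host: str
    sha256: str
    vendor_verdict: str  # e.g. "generic.malware" as emitted by the endpoint product


@dataclass
class Triage:
    severity: str = "low"
    asset_role: str = "unknown"
    sources_matched: int = 0
    families: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

    def raise_to(self, level: str, reason: str) -> None:
        """Raise severity to `level` if higher than the current one; always record the reason."""
        if SEVERITY_ORDER.index(level) > SEVERITY_ORDER.index(self.severity):
            self.severity = level
        self.reasons.append(reason)


def triage(alert: Alert, assets=ASSET_ROLES, feeds=INTEL_FEEDS) -> Triage:
    """Enrich a generic alert with asset context and every available intel feed."""
    result = Triage()
    result.asset_role = assets.get(alert.host, "unknown")

    # Asset context: a generic verdict on a POS host is not a generic event.
    if result.asset_role == "pos":
        result.raise_to("high", f"generic verdict on POS asset {alert.host}")

    # Intel context: consult every feed, not just the first one that answers.
    for name, feed in feeds.items():
        record = feed.get(alert.sha256)
        if record is None:
            continue
        result.sources_matched += 1
        result.families.add(record["family"])
        if "pos" in record["tags"]:
            result.raise_to("critical", f"{name} tags the sample as POS malware ({record['family']})")

    if result.sources_matched:
        result.raise_to("medium", f"hash known to {result.sources_matched} of {len(feeds)} intel sources")
    return result


if __name__ == "__main__":
    for a in (Alert("pos-lane-04", HASH_SEEN_WIDELY, "generic.malware"),
              Alert("pos-lane-04", HASH_UNKNOWN, "generic.malware"),
              Alert("hr-laptop-12", HASH_SEEN_ONCE, "generic.malware")):
        t = triage(a)
        print(a.host, t.severity, sorted(t.families), t.reasons)
```

Running `triage` on the same sample with only `feed_a` available yields “high” (POS asset, generic trojan), while adding `feed_b` turns the same alert “critical” because that second source names the family and tags it as POS malware; that difference is the argument for consuming as many intelligence sources as possible rather than the first verdict to arrive.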