ANY.RUN Blog is launching a new series: interviews with experts across cybersecurity. Getting to know the industry from the inside and engaging with its leaders helps in understanding the field, and we hope you will enjoy the new series.
Today we would like to share an interview with Ali Hadi, Senior Information and Cyber Security Specialist with 14+ years of industry experience in the IT field. Ali is currently working as a full-time professor and researcher at Champlain College in Vermont, USA.
We talked with Ali Hadi about his experience teaching young malware analysts and his thoughts on cybersecurity. Read more in our interview.
How did you get into cybersecurity?
Ali Hadi: My first experience goes back to my first unofficial job when I was asked by a local computer repair shop to help them offer data-recovery solutions to their customers.
They had hundreds of corrupted computers due to the Chernobyl Virus (aka CIH) that hit many computers around the world at that time. I noticed how a small piece of software could cause damage to hundreds and thousands of computers around the world. This was something that surprised me, caught my attention, and led me to my passion for cybersecurity.
Cybersecurity and Digital Forensics both became a passion and what I do on a daily basis.
What are your favorite things about malware analysis?
Ali Hadi: Learning about new threat actor techniques and the methods they use. In my opinion, the best way to learn about threat actors and how they operate is by studying the samples they create; that way you really get into their minds.
Analyzing malware allows you to understand threat actors’ techniques and how they operate, how they think, and how they use these small pieces of software to achieve their goals.
But that’s not the only thing that I like about malware analysis. What interests me most is that you get to learn new techniques. You discover how they abuse systems to run their samples and avoid detection. You get to discover all the new ways software can be made to run in memory and fake its existence through so many different injection methods. You learn how they exploit vulnerabilities and system weaknesses to achieve persistence and stay hidden as long as possible.
Why is cybersecurity attractive for students?
Ali Hadi: It might not be attractive to everyone, but for those who either switch to or start in cybersecurity, it is probably because of the high demand, high pay, and competitiveness. If you like to be challenged, then cybersecurity is definitely the field where you will be challenged on a daily basis. Another reason could be all the hacking/compromise news that they read and watch in the media.
What are the advantages of malware analysis training?
Ali Hadi: The advantage of malware analysis training would be to learn how the software works at the lowest level. They get to see system internals and learn about how they are being abused. They might have taken a Programming, Operating Systems, or Networking course, but they never got to see how all of that has been abused to achieve the threat actors’ goals.
For example, they learn about how the OS protects each process and that no other process on the system has the right to work within its memory address space. But when taking a malware course, you find out that malicious processes are actually capable of injecting code into a victim process and running under the radar.
Another example would be how malicious processes would use system APIs to hide their process, delete a file, or even themselves. These are different methods and techniques you don’t get to learn in a normal computer science course because they don’t teach you about abusing the system and exploiting its weaknesses.
Some companies are having trouble finding employees. Why do you think cybersecurity is lacking new talent?
Ali Hadi: Probably because they are looking in the wrong place. Many think they should be searching for students from universities and colleges with big names. Unfortunately, that’s not always true.
The lack of new talent is because most of them do not have a specialized Cybersecurity or Digital Forensics program but rather a computer science or computer engineering program with a focus on cybersecurity. Or they have a Cybersecurity program, but one led mainly by faculty who have only teaching experience and no true cybersecurity field expertise.
You are a professor and researcher for Champlain College. What are the benefits of courses where you teach?
Ali Hadi: There are two courses that I take part in.
The first course is an intro to operating systems. It aims to teach students the best practices and techniques for responding to security incidents and covers the Incident Response lifecycle.
Here students learn:
- basic computer organization and the main functions of operating systems.
- processes, threads, CPU scheduling, virtual memory, and disk management concepts.
- how the stack, heap, and functions work.
- the lifecycle of Incident Response and information security planning.
- IR risk assessments and frameworks.
- how to triage and preserve evidence during an incident response engagement.
The second course is about Malware Analysis. It introduces various techniques to analyze malware by working with real commodity malware as well as specially crafted advanced malware. The students gain the skills required to identify and analyze malware.
Students study how to:
- perform static and dynamic analysis on malware.
- analyze the latest attacks and articulate them to technical and non-technical audiences.
- dump and analyze memory from infected systems.
I’d like to note that Champlain College’s Computer and Digital Forensics program is recognized by the Department of Homeland Security (DHS), the National Security Agency (NSA), the National Institute of Justice, and the Department of Defense Cyber Crime Center (DC3).
What role does ANY.RUN play in these courses?
Ali Hadi: Students can use ANY.RUN to study malware behavior, extract metadata from the analysis performed, map threats to the MITRE ATT&CK framework, download samples, and learn about the process behavior by understanding what files and registry entries the sample has been interacting with.
For students, it will also play a vital role in validating their work and checking if what they found is what a clever sandbox could find, too.
Why have you chosen ANY.RUN to work with?
Ali Hadi: From our experience, ANY.RUN is one of the market leaders when it comes to running malicious files or URLs within a safely protected environment, or what is also known as a Sandbox. But it is not just that: the ability to interact with the system during the execution of the submitted/uploaded sample is one of the unique features that we don’t know of anyone else providing.
Other features that we think our students could benefit from are the ability to run archives and office documents, extract IOCs, view process hierarchy and activity, and the different reporting formats. With that being said, the wide range of available operating systems to choose from makes it easy for our students to test their sample on a specific system and learn about its behavior on that system.
What advice would you give to someone wishing to start their career in cybersecurity?
Ali Hadi: Start learning the basics, the core of computers and systems, especially Operating Systems. While doing that, learn as much as you can about programming. Sooner or later, you will notice that it’s very helpful to have a programming background too.
Cybersecurity is a very demanding field that is rapidly growing and changing. Therefore, let your passion for learning be the driver, not the wish to find a cool job. My favorite quote, which I apply daily, is a famous Sherlock Holmes quote:
“Education never ends, Watson. It is a series of lessons, with the greatest for the last.”
My final advice is not to compare yourself to others; we are all different, and the world needs this diversity. We all think and learn differently, so don’t feel you’re behind or that someone is better than you. There is a place for all of us, no matter what we know.
We are grateful for this amazing talk with Ali, and if you want to learn more about him and his work, please check out his blog and website. And don’t miss out on our expert interview series.