Challenge Accepted is a podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organizations face on their security journey.
Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.
In this episode, our two hosts talk to Anthony Aykut, co-founder of vxIntel. vxIntel’s Malware Intelligence Platform currently analyzes over 500,000 files each day and over 10 terabytes of data each month from over 100 global data sources. The massive scale of their platform helped them to create one of the largest malware databases in the world and become an essential threat intelligence source for dozens of enterprise organizations, government agencies, and leading cybersecurity companies around the world.
In their discussion, Anthony shares how he became a key figure in the malware collection ecosystem and swap perspectives on when it makes sense to incorporate threat intelligence into your security operations.
Ian McShane 0:00
Hey welcome again to the latest episode of Challenge Accepted podcast here at Arctic Wolf. My name is Ian McShane. I’m the VP of strategy here. And as always, I’m delighted to be joined by Adam Marrè. Adam, how’s it going, man?
Adam Marrè 0:25
It’s going well, how’s it going?
Ian McShane 0:29
Yeah, pretty good. Pretty good. I mean, I find myself in a really privileged position. Again this week, right? I’ve had jobs and projects and tasks where, you know, you just grind things out because the you got to get it done. But for like, the fourth time in a row with this podcast is a topic that’s really really caught my interest, because we’re going to be talking about malware, malware analysis, and CTI, right cyber threat intel.
Now, a couple of months ago, the nerd part of my brain back at the start September was kind of itching for something nerdy to do. So I actually started to go through a self led malware analysis course now.
I guess I’m not completely new to it. But let’s say it’s been a while. So it was, it was a lot of fun to get back into building a lab and observing malware behaviors, and really thinking about how you would build detections, or how you could hunt for that kind of activity, because I kind of feel that a lot of that work is abstracted away really well. So that, you know, people don’t really realize the effort, the skill and the expertise that goes into detections and prevention, right?
Adam Marrè 1:26
Yeah, so yeah, I remember my intro to this obviously, was was when I was in the FBI as a special agent doing investigations. And we would have to figure out what was going on, and whatever machine or drive we were looking at. And I learned just enough probably to be dangerous, you know, looking through memory and other things to try to reverse engineer some malware, figure out what’s going on.
There’s actually a position in the FBI that maybe not too many people know about, with the title of computer scientist. And there’s two or three or four of these computer scientists, on each cyber squad. And one of their main jobs, among other things, is to help reverse engineer malware. And they’re also doing a thing in the FBI now, where they have specific field offices that are an expert in a certain type, or strain of malware. And so a lot of it’s trying to figure out what it is what it’s related to. And then we can get the experts in that particular piece of malware and have them reverse engineer it.
But yeah, I remember my fumbling, bumbling attempts to try to figure out what kind of what kind of malware this was searching through memory and all that kind of stuff. So I’m really excited about this too.
Ian McShane 2:31
But today, I’m delighted to be joined by Anthony Aykut who’s joined us, he’s one of our senior threat researchers. And he actually came in through an acquisition, we did have a company called vxIntel. And this is really interesting, just because of not only the company that we acquired, but also I’m stoked to talk about Anthony’s background. So Anthony, welcome to the podcast.
Anthony Aykut 2:49
Nice to be on board. Thank you Ian.
Ian McShane 2:52
How about you give us a real quick kind of background about you? And maybe how you got into cybersecurity?
Anthony Aykut 2:58
Yeah, sure. So growing up in, in Turkey in the in the ’80s, sort of late ’80s, the brain virus came out, and which immediately sparked my attention into how can things be used, subvertantly, so to speak, to do things that, you know, systems are not supposed to do. And literally, when the news of the brain virus came out, I had to have it, look at it.
I mean, I didn’t understand too much of it at the points. But you know, playing around with it. And then, of course, the ’90s came with all the big break in viruses, polymorphic viruses. I was like, ‘Yeah, that’s it’, I was told I had to sort of collect them, analyze them, put them in like, a little zoo and admired them basically, that and sort of growing up with that, with my Commodore 64, home computers, I just sort of fell into it.
So I’m in my first job was like a computer programmer job at a pump manufacturer in the south of England. I was an evening shift. So by day, I was like a programmer, systems analyst. And in the evening, I search checks or bulletin boards, see what’s new viruses were coming out so I can add it to my collection. And it just grew and grew from there. Really, there’s no stopping.
Ian McShane 4:25
That’s really interesting,so you talk about collecting, how big is your collection today?
Anthony Aykut 4:30
Well, I think it’s approaching almost a billion samples, with all the old stuff from the late ’80s, all the different stuff. All the polymorphic stuff, I would guess, I mean, conservatively, eight 850 million unique samples.
Adam Marrè 4:47
Wow. Yeah, that kind of begs the question, how do you store all of this like where is it all kept?
Anthony Aykut 4:54
Well, until, I mean until vxIntel started, it was still just kept on hard disks. At some point, we had, I think, close to five hundred.
I mean, I’m talking physical hard drives, you know, like four terabytes hard drives. And so when we started vxIntel 2017 2018, we spent, I think, almost three years, moving all the data to the cloud. And some of it’s still there, like a backlog, and we’re sort of slowly sort of ingesting everything into the main database. So it’s a lot of stuff.
Adam Marrè 5:31
Wow. So kind of a follow up question what you’re talking about earlier, you started looking at these these programs, these viruses? You know, did you ever go get some formal education on top of your programming skills to specifically for like malware, reverse engineering or anything like that?
Anthony Aykut 5:50
No, not at all. I’m actually pretty much self taught. And I mean, as far as malware, reversing, I’m very, very bad at it. But I sort of am more interested in like, where do they come from? Who writes it? And especially if they exchange codes? Yeah. How does go from person A to B are the related? It’s just this ecosystem more, who runs it? Who operates it? That sort of thing that fascinates me.
Ian McShane 6:24
That’s really impressive. I mean, I guess I want to take it back to the start. It’s like, what did you start doing with the collection you were building? Like you said, you had no idea what the brain virus was doing? Did you? Is that how you started to learn? Did you start to reverse all that stuff? Did you you know, what to get from one virus to having this, you know, pipeline of a billion samples?
Anthony Aykut 6:43
What, you know, it’s late ’80s, early ’90s, it’s sort of like, became more and more prevalent as well, we used to get maybe a disc from a magazine. And all of a sudden, there was something like major streaming, melt or whatever. And it was like, hang on, let’s get on here. So it was becoming I mean, at that time, mostly joke viruses. So it was just doing things on your screen or wherever. But it was like how does it go from one disk to the next? Or how does it come onto my system?
Of course, then you start doing things like, Dr. Solomon’s EV toolkit and stuff like that. All the fun stuff lasts from the past. Right. I mean, it was such a great time, like new discoveries almost every day, people discovering, hidden commands on your operating systems, on what you could do on Dos, undocumented commands. And it was such fun time. So, at that time, it’s literally keeping stuff on desk cataloging and going, you know, oh, you have these like baseball cards. Well, I have these viruses and people are like, so, so lost, and I thought I was great, but that’s our story.
Adam Marrè 7:54
Yeah. So you’re sitting on this collection that’s growing and growing what was it that made you decide, like, hey, we want to turn this into something or start a business? How did you how did that transition happen?
Anthony Aykut 8:09
Yeah, actually, I always joke because I always like to say to people there was like this Hitchcockian story behind it.
I was on the Eurostar one day traveling from Brussels to London, and literally, very serendipitous I met this guy, like last train out to London. And he was drawing things. And so we got to talking, and sort of lo and behold, it turned out to be some sort of hardware software engineer this company actually in based in the Netherlands. They built this hardware filtering device for malware, and they were looking for malware to test their system against and they said, Bobby, tried to approach various AV company they said, No, we don’t give up this sort of stuff, even like for testing, like a bonafide anti malware system.
They could not get any malware to test their systems. I was like, hang on, I have set up at that time, don’t laugh 100,000. They give me unique samples. And maybe I can do something with it. And they become our first customer and so every month I was sort of able to find 20,000 new viruses and sort of sell it on like a subscription base. At the time it was like a weekly updates. And every month researchers send out discs or not CDs to our subscribers, the new updates on it, and that’s how it started. Man. It’s roughly 100,000 is like we’ve collected on an hourly already right now. So it’s grown significantly since.
Ian McShane 9:58
How much can you share about the collection process? Like, is there a community where you’re sharing samples? Obviously, I know that there’s VirusTotal is one that springs to mind is a big repository of malware that’s delivered by the community. But how does how does it work with you, if you can share some of that?
Anthony Aykut 10:15
Behind the scenes, it’s a somewhat similar to VirusTotal. We are part of this, like big malware sharing ecosystem with all the AV vendors. And basically, I would say, 99% of AV vendors has a particular malware share every day. They make available X amount of samples that they’ve seen, and they’ve collected to this collective share. And this is literally something you build by, like, bumping into the right people at conferences, saying, Hey, you have a malware share, we can save or share something back.
And it’s done on who you know, basis, like, if somebody off the street came and said, ‘You know, I want to share samples with you.’ They’re like, now I got introduced to it, I was taken to a conference, I think was the virus booth and conference and somebody said, this is like a reliable person who has data to share, you can share samples with them. And that’s how it started. And it’s been growing since then.
And since I still after that, it’s building relationships, you know, after the AV companies come to anti malware companies, then some researcher might say, hey, I’d like to upload some samples, are you interested? Sure, we’ll take anything you’ve got and it’s like taking almost 20 years to build this community. And it’s definitely a big part of my day to day is to sort of nourish this community as well, if something breaks or things don’t work, if you need sample a, that somebody’s looking for, you can ask and it’s, it’s a nice thing.
Ian McShane 11:57
Seems to be a lot the human element involved there. So is there any other any fun stories about beefs that you can discuss where maybe one vendors, like, ‘I’ll share it with you, as long as you don’t give it to vendor x, y, or z’ or any of that kind of stuff?
Anthony Aykut 12:09
Oh, no it’s actually aware, quite friendly, obviously. I mean, no one shares the samples they can’t share. And if you’re in the circle of sharing, there is no audio, you can share with but you can share with being if it’s out there, it’s it’s available to this group, it’s a very small group. I think your worst case, what happens is they might give you a sample, they might say, ‘Well, you can’t share the sample at all with with any of your customers,’ you can like extract data, but the metadata, whatever it can share that, but the actual sample, you can’t, for whatever reason.
Ian McShane 12:44
Yeah, that makes sense. Let’s say, obviously, you’ve been in it for a long time, and you’ve seen a lot of samples, what’s the biggest shift you’ve seen? And I think in terms of, from portable executables, to low bins in terms of adversary activity, but have you seen a big shift or a big evolution over your time as well?
Anthony Aykut 13:02
I mean, if I look at the last 25 years, I have to say, personally, what used to be encode a fun thing, like you’re all new and exciting, turned into a real bizarre, ransomware plus, also, ransomware plus data exfill, as well, it’s turned into this business, but really malicious business, they ransomware you they try to exfill data, if they can’t exfill, they basically destroy your system just to get you back or whatever. And it’s turned into this really nasty thing, which, that’s a part of it, I don’t enjoy at all anymore. It’s more a case of like, Can I grab a copy of their samples, so we can analyze it in house and build attention that’s become the number one priority now?
Adam Marrè 13:56
Yeah, so I was gonna just ask a question on that. We really have seen the shift from, there was kind of your hobbyists making, like, you talked about earlier, almost prank level viruses. And it seemed like it was that that level of individuals making this even criminals, you had nation states involved. Sure. But then there was this turn a number of years ago, where there was the commoditization of malware, where you had you different different groups really specializing in different types of things and then selling those to each other and there’s even conferences for Carter’s and things like that where there were sharing this and I I was curious as you watched how did that change your business and did it become sort of less fun like you’re mentioning.
Anthony Aykut 14:49
It becomes governed by money. And where I come from from Turkey, that was also a big thing Carters skimmers so they found out they can use their talents and build this big money making machine around that. And unfortunately, it has come to just that, because these guys that do ransomware. It’s nothing political anymore not trying to prove a point. And they even admit to it, it’s become a money making machine purely. And that’s it. So for me the fun side of it, and collecting all the viruses, trojans has turned into this crusade. I know, it’s a cat and mouse game, most of the time, but you know, if you didn’t develop something new, I’m gonna try to find it and basically hand it out to our to our guys to build addictions, you’re pure and simple.
Ian McShane 15:43
That’s a good lead into my next question is like, we talked about the sample set and collection, what’s the actual operationalization of all of that stuff that you collect? What is your team? What is your research team build from that massive corpus?
Anthony Aykut 15:57
Oh basically, now they have the whole data, so available to them? At any given point, if there is a new file, they can go out and see if they’ve seen something similar before, right? If there’s any similar similarities, count similarities, in some cases, they can see something they’ve developed now as something in it from maybe eight or 10 years before because, like, how in this business, the old becomes the new.
Ian McShane 16:26
What goes around comes around.
Anthony Aykut 16:29
Yeah, all of a sudden, the newest systems stop protecting systems from their things were 10 years ago. So hey, they grabbed that and built into this new malware. And it does circumvent stuff. So I’m like, you know, it’s good to have this, like, know, 15-20 years of backlog you can basically look into ‘Hey, you know, where’s this coming from originally?’ So yeah, I think it’s, it’s a useful resource for our guys.
Ian McShane 16:55
Yeah. I think, Adam, for you, if you think about running it, as you step into your role as CISO for a moment, how would you go about consuming some of the threat indicators or the threat intel from a feed like, Anthony was just discussing?
Adam Marrè 17:12
Well, yeah, actually, that’s one thing I’d like to ask Anthony himself. But I have noticed, putting my CISO hat on that companies really have to get to a place where they can use the threat intel feeds that they get. I do talk to many leaders, and know others where they have threat intel feeds, and they don’t have anything set up to deal with it. Or they don’t do it because like, ‘I don’t have time for that I’m trying to just cover the vulnerabilities I know about and I’m trying to set up a program or set up a SOC’. And there’s so much to do. As a security leader, it’s really hard to then also make time for this, but I was gonna ask you, Anthony, what have you seen? So you talked about operationalizing this on your side? What about on the other side, your customers? What are some of the best practices are really impressive things? You’ve seen a big company, small companies of how they use what you have to offer?
Anthony Aykut 18:07
Yeah, so we actually be built the vxIntel, primarily for startups. There are people that’s maybe one or two three man team, who traditionally don’t have the cash to go to a big service like VirusTotal. I mean, obviously, everybody starts these days to use things like MalwareBazaar, or vx-underground. These are great, you know, open source communities.
But if you have a business running, and you have to study, you have to have a steady inflow of malware, fresh malware, like every day, every hour, open source systems go down, sometimes they’re not available or stuff is not shared. So our goal was to make something available 24/7 to the startups. And you know, quite a few of our customer are also VT customers or other big surf like repositories, but they come to us, because a lot of researchers are uploading stuff to us companies or people that share but don’t want to necessarily share with VirusTotal right, because they’re so commercialized.
They share with us so if you’re a VT customer, but also be vxIntel customer, you get this overage of data. Sure some of it is seen by the by VirusTotal. But we have also stopped they they don’t see. So they have this like humongous access to this corpus every day. So we sort of try to be this value add service, if anything to all the the small fry, so to speak.
Adam Marrè 19:46
Yeah, that’s great. And that really is one thing that I’ve seen to answer your question is, you’ve got to start somewhere and there’s little things you can do and big things you can find, great services like vxIntel. Or you can even just set up like an RSS feed and a Slack channel, there’s lots of things you can do, to try to pull in extra information that can inform your security program, and point you in the right direction.
It’s really important for you to understand how you operate the environment you’re operating in, and sort of the threat landscape that represents, you know, it’s very different for, like a critical infrastructure, business utility or something, as opposed to like a SaaS company, as opposed to, you know, maybe a title company or real estate, all of these different verticals, or have very different needs.
And so you can set up something specific to you. And I think the biggest thing is to not be intimidated by it and realize that you can bring this on. Conversely, the other thing I see is people turn on all the switches, turn on Intel feeds from maybe their firewall providers something but they don’t have anything to operationalize so it’s just coming in, and they’re not doing anything with it. So I really do think it requires some thought. And if you do it carefully, it can really be a value add, like Anthony said to what you’re doing in your security program.
Ian McShane 21:08
Yeah. Why would be the first place to start? I mean, I think it’s fascinating that you mentioned just setting up an RSS feed that pumps to a Slack channel. I mean, when someone mentions threat intel, people are going to be like, Oh, it’s nerdy stuff like threat indicators, like Yarra rules. But that’s clearly not the case. So where would you start out today?
Adam Marrè 21:27
I just what I said, I think I think it would start out with when you’re operationalizing, your team, so you’re looking at your security operations. So think incident response, think, SIEM, whatever fields that you have coming in, that are telling you, they’re giving you your visibility. So because basic security programs start with visibility.
So now I can see the various things in my environment that I have whatever that is, well, then you’ve got to overlay that with some sort of Intel, right? Like you can have detections that are built, you can build your own detections, but then you need to be able to detect is this something bad or not? Right? And so figuring out how to do that, so is it a feed of IOCs that go right into my SIEM, or right into my firewall? That that will tell me what it is?
Or is it something like a virus total vxIntel, where I can upload hashes or other artifacts to say, ‘tell me what this is, is it bad, and having something that’s up to date is really important.’ Because you could be one of the first companies seeing something that no one else has seen, I responded to a lot of incidents like that, where we go into a small Mom and Pop Shop, random motel in the middle of nowhere, and they are one of the first ones that have ever seen this, something on a phishing email or something like that.
But as you’re thinking about this, as a company, I think it’s really just walking through your operations and saying, ‘Okay, so we detected something, how do we determine what this attack is?’ What are our ways of doing that we can analyze it and also your response to that, but we can analyze it ourselves. And looking for great solutions, like VX, Intel can be a way to do that, especially when you max out your free lookups at virus table or something.
Ian McShane 23:13
Yeah, I like the idea of this kind of, threatened form defense approach that you’re describing there. Like the other the other side of it, I’m thinking of aside from consuming IOCs and feeds into systems or devices, something like CISA’s KEV, known exploited vulnerabilities and RSS feed that just tells you when something’s been added to that, and then you’ve got a fairly high priority task for one of your IT or your security teams to do to figure out are we at risk of something like that?
Adam Marrè 23:40
Yeah, I love what Anthony’s talking about, about this community, this close knit community of sharing information, we need to do that better. Just worldwide, everybody, I’m just gonna say a blanket statement, we need to do that better.
We need to share information with one another better and we’re getting better at it. CISA is doing great. They’re known exploited vulnerabilities less than their publishing is awesome. There’s other groups like the cyber threat Alliance and things like that, where people are trying to set up groups of private organization, public organizations that are getting together and sharing more information with each other.
So not just in the malware community, like Anthony described, but also just in the community, it could be with similar companies could be with totally different businesses and organizations, but sharing the information of what we’re seeing today. I’ve tried to set up some of these sort of ad hoc in my communities, but it’s something that we can do better. And that will help drive our threat informed security programs and help us get on top of these things faster and have better reaction times to new things that are coming out.
Ian McShane 24:46
Absolutely, sharing is caring. I can’t think of a better way to wrap up today’s episode. Anthony, thanks so much for spending some time with us today. It’s been a pleasure to meet you and really interesting to hear about your what I’m going to age in our 30 year 40 year journey in malware.
Anthony Aykut 25:00
Makes me feel old oh my god.
Ian McShane 25:04
You’re welcome. I’m happy to help. And Adam, as always man, thanks for being here and joining in the conversation with me today. And thanks everyone for listening. Until next time, we’ll be back with episode five in a short amount of time. So see you then.
Transcribed by https://otter.ai