
A career newcomer at "LK": by leaps and bounds, slowly growing forward

Some Habr readers believe that the employees of Kaspersky Lab are cloned in secret laboratories or raised from childhood you know where. We decided to look into the matter in more detail and caught several young colleagues for an interview. It turned out that no, they are quite lively people, and some extremely curious specimens can be found among them. Take, for example, Nikita Kurganov, a recent addition to the AMR (Anti-Malware Research) team: an enthusiast who came into the profession straight from his fourth year at Baumanka.



In less than a year he went from amateur competitions like capture the flag (CTF) to being a professional threat researcher, and he does not plan to stop there. Now this madman (in the good sense of the word) combines full-time university studies with a full-time forty-hour working week as a virus analyst. So we decided to ask how his life came to be like this, in case his experience is useful to some of our readers. By the way, the title is a quote from Nikita: that is how he answered the question "how do you see your future career."

"LK": Tell us from the very beginning, how did you even come to the idea of security?

Nikita: I originally came to the information security department at Baumanka, because information security is the most promising direction. It will always be, whatever happens. And the further information technology evolves, the more people will want to steal information, and the harder it will be to protect it. So I wanted to do exactly this direction. Plus, all sorts of horror stories about hackers prompted me. It was interesting what it was all about; I thought, maybe I can do something in this area too...

Exactly how I came to the practical side of information security is another story. We at Baumanka have our own CTF team, and I have been in it since my second year. Before competing last year (and in general the whole story of my career advancement began last year), I decided to find out what the current trends in information security were, and went to study at various "summer schools" on information security. Then I saw the news about Kaspersky Summer Lab, which was held only once. There, in seven days, I was told almost everything I wanted to hear, and I finally realized that I wanted to be either a reverser or to study computer forensics.

After that I found out about the SafeBoard internship program and decided to apply. I got through the online testing stage normally, solved the crackme tasks, then went to the hackathon. There I initially settled on forensics as my direction and became interested in joining the department that deals with incident response.

After the hackathon I was told that in principle I was through, but there were different directions, including testing and systems analysis. But I knew for sure that I wanted to do exactly infosec. After that there were general courses in which we were quickly given basic knowledge of development, testing, systems analysis, and threat research. But I was already deliberately heading for AMR; I wanted to be a reverser, a vulnerability researcher.

But when the interviews started, it somehow happened that I did not qualify for an interesting specialty. There were a lot of them, these interviews, probably 10 of them. There were four in infosec: in the heuristic analysis group, in botnets, and, well, in forensics. I reached the final stages of selection, where you sit with the head of the department and solve tasks right in front of him. And I did not get into AMR, or anywhere. In general, security did not work out.

"LK": And how did you end up in AMR?

Nikita: I already understood that I didn't want to leave Kaspersky. I was offered to go to the testing department, as an intern in the internal development department. Our team there was engaged in release publication services. I worked there for two or three months, but after the first month I realized that testing was not for me at all, and I started looking for something in AMR. And once, on the internal portal, I saw a vacancy for a junior virus analyst in the virus laboratory. And I decided to apply. Well, why not?

Accordingly, I contacted HR and they sent me the assignments. That is, in addition to studying at the university, I was simultaneously solving the qualifying tasks for Virlab, which are needed to reach at least the interview stage, and I was also doing my main job, testing. The task was difficult, but very interesting. By the way, it was a crackme from the 2017 Zero Nights conference. As it turned out later, it was written by my future mentor in Virlab. I solved it in about three nights, and I really liked it. Well, in general, the main goal was to get into Virlab; my eyes were burning. I wrote a report, sent it in, and a week later, in March, I was scheduled for an interview.

What happened next is even more interesting. I came in, and there sat my future direct mentor and the head of the department. They asked questions about roughly the same things. We talked about the crackme. And then they sat me in front of a computer, gave me a small file and said: you have 10 minutes and you have to tell us what this thing does. And there was just an assembler listing. And I had to tell them, without much hesitation, just looking at the listing and commenting as I went. For me it was, firstly, unusual, and secondly, a shock.

I sat and analyzed it all in order. As it turned out, it was some kind of adapter for downloading malware; I got confused along the way, untangled it, they nudged me toward certain thoughts. It so happened that I coped with it in 10 minutes and told them in pieces what was happening there. I told them where the material was being downloaded from, why it was being downloaded, all sorts of subtleties. Then the interview ended and the waiting began. Soon they wrote to me that I had passed for the position. And at the end of May I was ready to join the staff.

And here was probably the most difficult choice for me: would it be possible to combine this with the university? But I took this step. I realized that the position was great, exactly what I had always wanted. I understood that, yes, it would be incredibly difficult to combine. But if fate gives you such a chance, you must take it. That is the truth. So that there would be no thoughts later of "what would have happened if...". So as not to regret it all my life. You could say I went all in, without even knowing what the schedule would be.

And all summer I worked, studied, got into the swing of things. Before you take up the position in Virlab, where requests come to you and you analyze everything directly, you have to go through a three-month probationary period. That is, they bring you up to speed, tell you how AMR works, how to use the tools, what to look for when analyzing, how to do it quickly, and reveal all the nuances of Virlab. At some point I thought I could not do it, but, as it turns out now, I manage to combine them, the university and work.

"LK": Which year are you in at the university now?

Nikita: I'm in my fourth year. Another two years to study. In the sixth year I leave the university with a degree in computer security. But in fact this has nothing to do with reversing. It is mathematical methods of information security.

"LK": Do you plan to study further? A master's?

Nikita: Well, it doesn't make much sense. We have a specialist degree; it's like a bachelor's plus a master's. That is, if you go further, it is already postgraduate studies. But I do not want postgraduate studies, I want to do applied things. Science, no, I do not want that.

"LK": A virus analyst is a kind of "woodpecker". He works in shifts, he has a lot of malware and suspicious files, and he sits and hammers away at the code. Right?

Nikita: Hammers at code, yes. But not only. That is, most of the work really is that we sit and analyze code. Many requests come to us; the Chinese can send 50 files each at night, this is a normal situation. But besides this, we also write our own heuristics, that is, heuristic detections. We improve the work of the stream, that is, we have accumulated samples, we think about how to improve the analysis on the stream, we write our internal utilities. That is, in fact, we are also engaged in development to some extent, in addition to the tools written for us by other departments.

And in fact, we are like a kind of virus support. Malware flies to us, we aggregate it, process it and distribute it between departments. This malware goes to the heuristic analysis department, this one to antispam, this one to botnets. We are such a staging post here, the first line. We also do other things that serve to improve the analysis, but in fact, yes. We hammer at code.

"LK": And shifts of how many hours?

Nikita: A shift is 8 hours. There are night shifts too, but, fortunately, not for us. We have morning and evening. And when it is night in Moscow, a shift works in Vladivostok. That is, we actually have two main locations: Vladivostok and Moscow.

"LK": And how does all this fit in with the schedule at the university?

Nikita: Oddly enough, it turned out almost without loss. That is, I miss at most five percent of classes. It turned out that the schedule was perfect, and management made concessions on the schedule. That is, I have a five-day work week, but it is distributed: for three days I work the morning shift and two days the evening one. And thanks to this balance I successfully combine study and work. That is, of course, you sacrifice your weekends, you cannot go somewhere. But the goal is great! I want to be cool. And to become cool, you need to work hard. During the exam session I will take a vacation. But how else?

"LK": In general, how do you see your path further? Now you are an analyst, you are gaining experience, but AMR is a large department and does various things.

Nikita: I understand, yes. In general, starting work in information security from Virlab is ideal, because we analyze all kinds of things, from Android to Linux. Sometimes APT attacks are sent to us by the GReAT department, and we analyze all of it. Over time, you begin to understand which topics you are interested in, which development vector you want to choose. Right now I am most interested in complex APT attacks. There are different things there. Some won companions trying to hack. This is really very interesting. Heuristic detection is also interesting. And everything related to the search for vulnerabilities. You look at code and understand where there may be potential zero-day vulnerabilities. If you find a zero-day, your prestige grows.

"LK": But this is no longer the analysis of suspicious files? Where are you looking for zero-day vulnerabilities?

Nikita: No, it's not in suspicious files. It's more like a hobby.

"LK": So you still have time for a hobby?

Nikita: Well, there is time for a hobby. Unfortunately, not much. Study. Sometimes I manage to play CTF, sometimes to look for vulnerabilities. And which path I see... I want to do it like this: first gain experience, and then understand where to go specifically, in which departments. In general, the ultimate goal is to become the head of R&D. But in fact I'll decide on a specific area after I have accumulated diverse experience. In the near future, within a year, to rise to middle level.

"LK": How do you like the team?

Nikita: In Virlab? Well, at first, when you come to a new place, you hold back a little. A little shy. But over time this all subsided; as I began to build up my knowledge, I got acquainted with all the guys. We toss around professional jokes, memes, discuss work moments. That is, I joined the team normally. And there are common interests. Some also want to develop in the same direction as I do, and with them it's generally very easy to find a common language.

"LK": You now read additional materials on the specialty and follow the news. What resources do you read?

Nikita: I read quite a lot, because in information security you need to constantly stay on top of things. After all, it's not only us who catch new threats. All the time there are some vulnerabilities, some new attacks. It's professional development, of a sort. Sometimes it directly helps to respond to incidents. What exactly do I read? Well, the main source is Hacker. Then I read various articles on Habr. Sometimes from the sandbox. Sometimes I watch talks from past conferences on information security topics: DEF CON, Black Hat. I try to read more in English, because most of the literature is still in English.

"LK": You have now worked for more than six months and you are still interested in it? Doesn't the routine disappoint you?

Nikita: It's interesting! In general, if we are drawing some conclusions from my story, I want to say that you need to go clearly toward your goal. So I set a goal. A big goal, so to speak. And I'm going toward it. I understand what I need, and when to walk in small steps, and when to jump over several steps. That is how it happened with SafeBoard: four months after starting as an intern, I became a junior virus analyst. And you must understand that if fate gives you some chances, you must take them. Because if you don't take them, fate will turn away from you, and that's it, there will be no more chances, and you will reproach yourself for not using them. And you have to work on yourself for whole days (I understand that this is hard, you want to go for a walk). But it is better to work now; then it will be easier. If you constantly go toward this goal and take the chances, then everything will be fine. You have to work, work hard.

"LK": Nikita, no one will believe that you are saying all this yourself. They will say HR forced you to end with a motivational speech.

Nikita: And what if I really think so?

"LK": Well, success to you, and most importantly, don't burn out from the workload.

Now, by the way, enrollment in the next Kaspersky Lab internship program continues, or rather is already ending. So if you want, like Nikita, to devote your future profession to the fight against computer evil, it's time to apply. Five areas are available: threat research, development, testing, systems analysis and system administration. More details on the program page.

Source: https://habr.com/ru/post/425981/
