Since she was a child, Cindy Eisner, a senior technical staff member at IBM Research – Haifa, has loved watching whodunit detective shows on TV and reading suspense thrillers. Today, as an expert in malware evasion techniques, she tries to figure out how the bad guys are avoiding detection as they try to hack our computers to steal money, take over systems, defraud people, or do other damage.
With malware spreading across the globe and going mobile, according to IBM X-Force’s 2016 report, I spoke to Cindy about her work and how her unique approach to security is helping put a stop to these breaches and threats.
How does a malware writer try to evade detection?
Cybercrooks use things the wrong way on purpose. This makes it difficult to understand what they are doing. My job is to constantly think about how someone could misuse a system.
For example, one of the ways malware writers try to make detection difficult is by flouting and abusing coding conventions. They purposely make it hard to figure out what they’re doing so it’s difficult to debug. If malware authors want to find out if I’m surfing my bank site so they can take my password, they can achieve that in about 25 lines of code. But they write it in 25 million lines of code so it becomes almost impossible to find the lines that do the damage. The extra code might do nothing except waste time, but it also might perform necessary calculations in a convoluted manner. For instance, they use a very long multi-threaded function whose sole purpose is to return the value 0.
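As an added illustration (not from the interview or from IBM's own tools), here is a small constant-folding pass in the compiler style Cindy refers to: it reduces a deliberately convoluted expression over unknown inputs x and y to the constant 0, which is one way an analyst strips away padding code that only exists to hide the few lines that matter. The expression IR, the identities and the sample expression are all constructed for this example.

```python
import operator
from dataclasses import dataclass
from typing import Union

# Tiny expression IR: known constants, unknown inputs, and binary operations.
@dataclass(frozen=True)
class Const:
    value: int

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class BinOp:
    op: str
    left: "Expr"
    right: "Expr"

Expr = Union[Const, Var, BinOp]
FOLD = {"+": operator.add, "-": operator.sub, "*": operator.mul,
        "^": operator.xor, "&": operator.and_}
ZERO, ONE = Const(0), Const(1)

def simplify(e: Expr) -> Expr:
    """Bottom-up constant folding plus algebraic identities."""
    if not isinstance(e, BinOp):
        return e
    l, r = simplify(e.left), simplify(e.right)
    if isinstance(l, Const) and isinstance(r, Const):
        return Const(FOLD[e.op](l.value, r.value))  # both operands known
    # Identities that hold whatever value the unknown operand takes.
    if e.op in ("*", "&") and ZERO in (l, r):
        return ZERO                         # x * 0 == 0, x & 0 == 0
    if e.op in ("-", "^") and l == r:
        return ZERO                         # x - x == 0, x ^ x == 0
    if e.op == "+" and ZERO in (l, r):
        return r if l == ZERO else l        # x + 0 == x
    if e.op == "*" and ONE in (l, r):
        return r if l == ONE else l         # x * 1 == x
    return BinOp(e.op, l, r)                # genuinely depends on inputs

def size(e: Expr) -> int:
    """Node count, to measure how much padding the pass removed."""
    return 1 if not isinstance(e, BinOp) else 1 + size(e.left) + size(e.right)

def always_zero(e: Expr) -> bool:
    return simplify(e) == ZERO

# Constructed sample: looks like real arithmetic on unknown inputs x and y,
# but every sub-expression collapses to zero, like the "return 0" padding above.
X, Y = Var("x"), Var("y")
PADDING = BinOp("^",
    BinOp("+", BinOp("*", X, ZERO), BinOp("-", Y, Y)),
    BinOp("*", BinOp("&", X, ZERO), BinOp("+", Y, Const(7))))
```

Running `simplify(PADDING)` turns the 15-node tree into `Const(0)`, while an expression that really depends on its input, such as `x + 3`, is left alone.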
What is your area of expertise in this field?
As opposed to a lot of the security software out on the market, we’re not looking into the attack, but rather investigating the malware itself. Once hackers get inside the system and run their code, they want to keep it hidden. My job is to understand what the hackers are trying to do so we can stop them. They have sophisticated ways of knowing if they are being tracked. And if noticed, the code will automatically divert from malicious behavior to benign. So the challenge is to evade the evasion code. It’s a game of cat and mouse.
It can sometimes take weeks or months for a new piece of malware to be identified. Our goal is to detect it immediately so that the malicious behavior is blocked. My team builds tools that are used by other security experts to make sure malware is detected faster and more accurately.
How did you get started in this area?
Everything I did in the past feeds into this. I started out working on compilers back in the 1980s. At that time, compiling the compiler would take eight hours, so we could only compile once a day. It was the last thing we did before going home at night. We spent a lot of time debugging by going into the binary code and editing it manually to verify our code fixes. As a result, I became comfortable working directly with machine code, and intimately familiar with the structure of code generated by standard compilers.
I joined IBM in 1994 and started working in the area of formal verification. In verification, you know what is supposed to happen and you’re looking for cases where it doesn’t happen because of a bug. Any assumptions can really trip you up. If you assume something is one way, then you can miss the bug, which by definition means that things aren’t working as they should. In essence, malware disregards all the coding conventions that compilers depend upon. This is what bridges the worlds of compiler technology and verification, which led me to malware detection.
How does your detective nature influence your daily life?
I do spend a lot of time thinking of how to design things or put them together in a way that ensures they can’t be broken into. A few years back when banks started offering account access by mobile phone, my first thoughts were about how someone could break into the system. A colleague thought it was very strange that I was already thinking about how to steal money!
What advice would you give to people starting out in the hunt for malware?
The bad guys use powerful tools, built by people who have a deep understanding of programming theory and compilation. To be good at fighting malware, you have to unscramble it (consider unscrambling an egg!). You have to know about operating systems and compilation. Understanding the theory of compilation and operating systems is very important in figuring out how to undo something.
Anything else you’d like to tell us?
If you’re passionate about hunting down criminal hackers and would like to join a team of experts to solve security challenges with leading-edge technology, IBM Research is a great place to work. Our team explores new verification, learning, and statistical algorithms to solve emerging security and quality challenges in highly virtualized environments. We’re talking cloud, devops, analytics, and mobile. We also work closely with IBM product and service units, and with the European academic research community. You can find more information at IBM Global Careers.