[00:00] Chris Sienko: Cyber Work is celebrating its next major milestone. As of July 2020, Cyber Work has had over a quarter of a million listeners. We’re so grateful to all of you that have watched the videos on our YouTube page, commented on live release feeds, left ratings and reviews on your favorite podcast platform, redeemed bonus offers, or just listened in the comfort of your own home. Thank you to all of you.
Because our listenership is growing so quickly and because Cyber Work has big plans for the second half of 2020 and beyond, we want to make sure that we’re giving you what you want to hear. That’s right. We want to hear specifically from you, so please go to www.infosecinstitute.com/survey. That’s www and the numeral two, www.infosecinstitute.com/survey. The survey is just a few questions and it won’t take you that long, but it will really help us to know where you are in your cybersecurity career and what topics and types of information you enjoy hearing on this podcast. Again, that’s www.infosecinstitute.com/survey. Please respond today and you could be entered to win a $100 Amazon gift card. That’s www.infosecinstitute.com/survey.
Thanks once again for listening and now on with the show.
[01:19] CS: Welcome to this week’s episode of the Cyber Work with Infosec Podcast. Each week, I sit down with a different industry thought leader, and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, all offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
Pranshu Bajpai is a name that may look familiar to longtime readers of the Infosec Resources website. If you only know infosec from the Cyber Work Podcast, I’d encourage you to check out resources.infosecinstitute.com where you will see thousands of articles that our authors have written over a span of about 10 years on all aspects of cybersecurity certification, security awareness, skills training, lab walk-throughs, career development, and a ton more. We’ll have two to three new articles on the site every day. So if you’re just a podcast listener, hope you’ll stop there and diversify your journey.
As mentioned, Pranshu is a recent graduate who earned his PhD in computer science and has been an Infosec Resources contributor for many years. He recently graduated with a PhD in computer science and engineering from Michigan State University and is a security architect at Motorola Solutions, so we’re going to talk today about ransomware and career opportunities as a security architect.
Pranshu Bajpai has research interests in systems security, malware, digital forensics, and threat intelligence. He’s authored several papers for reputed magazines and journals, including IEEE, Elsevier, ACM, and ISACA. His work has been featured in various media outlets, including Scientific American, The Conversation, Salon, Business Standard, Michigan Radio, GCN, GovTech, and others. He is an active speaker at conferences and has spoken at APWG eCrime, DEFCON, GrrCon, BSides, and ToorCon among many others. He obtained his PhD in Computer Science from Michigan State University and an MS in Information Security from Indian Institute of Information Technology.
Pranshu, welcome to Cyber Work today.
[03:13] Pranshu Bajpai: Hey, Chris. Thank you for having me.
[03:16] CS: We always like to start the show by getting a little baseline of our guest’s origin story. So when did you first get interested in tech and specifically in cybersecurity?
[03:26] PB: There was no definitive point for me where I turned to tech and security in particular, but I do remember a few incidents back when I was in school, 9th or 10th grade. I was into reading books, different kinds of books. One of the books that I accidentally stumbled upon was called The Little Black Book of Computer Viruses. That’s a great title for a book. I was in ninth grade at the time. I had all the time in the world to read, and it was just the right book to read at the time because it wasn’t technically dense, but it contained enough detail for me to get really interested in these mystical arts of viruses and hacking and all of that. That definitely helped.
From that point on, there were other resources. I started paying more attention to the hacker culture. Open source technology interested me, the Linux operating system. I discovered one thing after the other. Then before I knew it, I finally realized that I want to work in security. That’s how I started.
[04:35] CS: That’s awesome. Yeah, I love those kind of books where you find out that it’s just enough to get you hooked but not enough to overwhelm you like that.
[04:43] PB: That’s right.
[04:44] CS: How did you come to write for Infosec Resources? I know you worked with my colleague, Rob Rodriguez. How did you find out about the site or how did the site find out about you?
[04:53] PB: I was getting my master’s in information security at the time, and this was many years ago. There was a lot of theoretical component to some of my classes, at least. I used to get bogged down with this theory in my head. So one of my favorite things to do was at the end of the day go back and do practical experiments, spin up a vulnerable VM and then in my own environment and then try to break into it, a Metasploit and all of those things. Then I used to blog about it on my own blog. With time, my blog caught attention, and ultimately an InfoSec Institute staff member reached out to me and asked me to contribute, and I contributed an article, and it was great. I love the freedom of just coming up with my own topics, as long as they’re relevant to security and they’re practical. Yeah, I loved contributing there over – I contributed several articles there at the site actually. So, yeah, that was fun.
[06:04] CS: Yeah, yeah. Like I say, we have a whole writers’ pool turning things out every week and every day. I was just editing some articles too that will go up in August. Also, if you’re a listener and you have writing proficiency, feel free to get in touch with us through the site as well. We’d love to hear from you and you might be able to be on the site as a contributor.
I wanted to talk to you today about – Because in Cyber Work, the big push here is helping people to get started in cybersecurity and who don’t necessarily know where to start or don’t know what the next steps are in their careers. For listeners who might think that you’re fresh out of college, I want to point out that you’ve been working in security for some time between undergraduate studies and your recent master’s degree. So I guess what I wanted to know, what were you specifically trying to achieve in getting your PhD in Computer Science from Michigan State before returning back to the business sector?
[06:59] PB: There’s a strong analytical component that is an integral part of any doctoral degree. I began my PhD with the objective of honing my critical thinking skills and exploring the true depth of certain areas in security because, as we know – We will look at the 10 domains of CISSP, and it’s everywhere from physical security to cryptography and everything in between in your own network. I was doing that for a long time, and it came to a point where I wanted to really truly understand something in depth to the point where I could get a PhD in that area. That was definitely a motivating factor for me going in.
[07:46] CS: Do you have a sense of how the addition of a PhD like this has changed your job prospects? I mean, obviously, you seem to be happy with Motorola. But like what sort of doors does a graduate-level degree like this open for a cybersecurity professional?
[08:01] PB: That’s a great question. In terms of career prospects, it definitely opens up more research opportunities, both in academia and industry. Some research opportunities in industry will explicitly ask for a PhD, so it definitely opens those doors. Talking about industry in particular, like I said, there are few doors that open up right away. I could’ve definitely been a security architect without getting a PhD, but the benefit is more intangible in that there are elements of my PhD that prepared me for my role today and allowed a smooth transition into a security architect role because I play both a tactical and a strategist role during my work as a security architect. Especially the strategic part of the PhD definitely helps in.
[09:05] CS: Okay. You mentioned that this is a pretty specifically useful thing if you’re going to go into a research capacity. Is this something that you’re looking to pursue as well? Are you looking to – Because I believe your emphasis was on ransomware. Are you doing sort of ransomware sort of research level study of things like ransomware right now?
[09:23] PB: Yeah, definitely. That’s a component of my work, and even at Motorola Solutions I’m preparing. I’m pursuing that. For example, one thing that comes to mind that a PhD would directly help you in an industry is like if you’re contributing to IPR, if you’re generating patent applications. That process is very similar to writing for a scientific journal, so that’s something that comes to mind right away where a PhD helps me in the industry.
[09:55] CS: When we spoke earlier and I just mentioned it just now, but you said that ransomware is probably the main focus of your study I believe. So could you tell me little bit about what you learned about ransomware in this academic context and how deeply have you gone into this topic and sort of what was your specialized area within ransomware? Is there a certain aspect of it that really sort of attracted you?
[10:16] PB: Speaking in the academic context, there’s a lot of new things I learned. One of them is – Actually, funny you speak of academic context. In 1996, there was an academic paper out at an IEEE conference where the authors, Young and Yung, talked about crypto viruses that will deploy cryptographic libraries on hosts to perform unauthorized encryption and demand a ransom in order to provide you with the decryption keys. So they predicted the whole thing back in ’96, and this was in a – Ransomware didn’t really start to grow until around 2005. 2006 is when it started to grow. That’s always interesting, when academics predict some of these things ahead of time.
Reading about it in the academic context, I noticed that there’s papers that have done studies on large samples of ransomware discovered, for example, that 92% of them are not effective because cryptography is hard, and cyber criminals make mistakes all the time. A lot of the times, they’re just scareware where they lock your screen and expect you to pay the money when they haven’t really done any encryption in the background. If you take away all of that fluff, then the 8% are the truly troubling ones. So there’s a lot of noise in the cybercrime underground, and we get into this mode of thinking that cyber criminals have descended from the heavens in terms of their skills, but that’s not true. They make a lot of mistakes.
[11:57] CS: Widely varied too in terms of competencies. You could have just some dork who just wants to be a tough guy versus like huge networks and people who are really well done. Then you have the sort of ransomware as a service where you’re just paying someone else to basically give you a setup, and then you just kind of run it like that.
[12:15] PB: Yup, a lot of noise, a lot of script kiddies out there.
[12:17] CS: Right. In our preshow emails, you said that you are particularly interested in talking about some of the intricacies of the latest ransomware attacks and noted that there’s “certain parts of the ransomware kill chain that are often overlooked” that you’d like to draw attention to. So could you tell me a little more about these concepts?
[12:37] PB: Right. One of the things about the ransomware kill chain is that it’s comprised of several elements. Now, a kill chain would be a path that our adversary takes in order to attain their malicious objective. At the end of the day, we have to remember, like I was saying, our adversaries are people, and they have certain constraints that they operate under, and if you recognize what those constraints are – In other words, if you recognize what elements of the kill chain exist, removing one of these elements debilitates their entire attack chain. To that end, there are, for example, components of the attack chain that people miss. Some are very well discussed while some are not.
For example, in order to have leverage over the victim, they need to maintain a route to the decryption keys that only they control. There’s an alternative path to the decryption keys. It doesn’t matter how you get there. If you’re – For example, there are key escrow systems out there that are making copies of keys as they’re being generated as a protection. If you’re able to make copies of the keys as they’re being generated by the ransomware on your machine, then you can use those keys for decrypting your files at a later point.
Now, there is – People don’t like the idea of key escrow systems being on their computer, but there are ways that can be done safely and you would – Only the victim or the owner would be in control of these decryption keys. The point is that there are parts of the kill chain that are often overlooked. Another part that is overlooked is that, for example, file enumeration is a big part of discovering files of interest on the host. They cannot encrypt what they cannot find. If you can restore your data from a backup, of course, backups are the easy answer to the problem of ransomware. But the backup server is never the answer because backups are not properly implemented. Backups are impartial. Depending simply on backups has proven to be bad over the course of the previous decade, where ransomware has been hugely successful.
[15:17] CS: I want to move from the theoretical into the practical here. Based on what you’re saying here, what are your thoughts on the first steps that one should take if in the worst-case scenario you get hit by ransomware? You see the red screen and you realize some thing that’s happened. What’s the absolute first step you should take or more importantly should not take?
[15:39] PB: I’ve been asked that before, and that’s a tricky question to answer. In terms of the computer, if you can hibernate it, that’s great. That is because if you hibernate the computer and you’re lucky enough to be hit by a ransomware that’s using the same encryption key to encrypt all files, in that case that encryption key is in memory and can theoretically be recovered from memory at a later point in time, and that would help you decrypt your files. However, the truth is that most advanced ransomware out there today will deploy multiple encryption keys in encrypting the files. That means that they have the file encryption loop. Within that loop, they are generating a fresh key to encrypt every file. Then within that loop, when the file encryption is complete, they will destroy that key and then generate a new one.
In this case, if you hibernate and you recover the key, then you’ve only recovered the key that was being used to encrypt that specific file, and so that doesn’t really do you any good. I mean, it’s also – If hibernation is not possible, shut down the computer. Definitely disconnect it from the network at the very least, so that if it’s trying to propagate laterally through the network as it – We were all taken by surprise when WannaCry came out and spread like a worm on the network by exploiting a vulnerability. Definitely disconnect the machine from the network, so you can prevent the person next to you from getting infected as well.
[17:11] CS: There’s a real speed issue here, network. As soon as it happens, you got to start. You got to jump into action immediately.
[17:17] PB: Yeah, exactly. One thing I would add to that is if you’re a part of an organization and this is your work computer, definitely call your SOC team, your security operations center, your security team, IT team, whatever it might be. They would give you the rest of the steps.
[17:34] CS: Right. Yeah, yeah. Don’t be embarrassed.
[17:37] PB: Yeah, definitely.
[17:37] CS: It’s only going to be worse if you try to hide it.
[17:40] PB: That’s right.
[17:42] CS: I guess it’s sort of connected to that. What are some of the most common and bad mistakes that ransomware victims are making that you think are preventable?
[17:50] PB: Well, like I said before, one of the things that I’ve noticed is backups are – We have to come to terms with the fact that our backups are just not as good as we think they are, and it’s because in theory backups work very well. But in practice, what I’ve seen is backups, in order for them to work, they have to be well tested. They have to be taken frequently enough. They have to be complete. They cannot be impartial backups of parts of your data, and they have to be stored in an off-site location that is secure when the event occurs that your backups – If they are infected as well and if they are encrypted as well, then that does you no good. There’s a – One thing is for sure. We have to maintain the quality of our backups, and we have to be able to test the quality of our backups.
The next thing I’ve noticed is many people make the mistake of depending solely on identification, protection, and detection and deliver critical components in the defense cycle. However, there’s also response and recovery, and those are important as well. Defense in depth demands that you have all of these components as part of a multilayered defense. Depending too much on just protections can lead you down the wrong path, and ultimately you have to assume that the adversary is already in. Now, what can you do from this point forward?
[19:31] CS: Yeah, I guess let’s talk about that a little bit it in terms of like what are these. You mentioned these in sort of a general sense. You have the defense steps and then the sort of response steps. What would be the response steps and the sort of like backup steps and so forth? What are the best practice versions of these things?
[19:54] PB: In terms of backups, like I’ve said, it’s important to ensure that there are quality backups, and by quality I mean they’re well tested. First of all, you have to maintain complete backups. They cannot be partial. This part of the data is backed up but that part is not. That cannot be. They have to be taken frequently. Now, that means that if you’re hit by a ransomware today and backup was taken a month ago or a week ago, you just lost a week’s worth of data, so they have to be taken frequently. They have to be kept at an off-site location somewhere where if the ransomware hits this location right here, the backups are safe in another part in another physical location. That is a very important component to it, and then they have to be well tested which means you can just try to recover and try to restore from backups when the event occurs. You should practice it too a few times. That’s a very important part.
In terms of – I’m sorry. I forgot what the other question was.
[21:05] CS: I guess I was just trying to get a sense of like what all the actual sort of steps along the way are. But I guess that sort of leads me to my next question which is to say, I mean, you’re – The way you’re speaking of it, it sounds like your opinion is that you’re going with the idea that you’re never actually going to like speak to or like you’re talking about ransomware in terms of like we’re not going to negotiate. We’re not going to pay. We’re not going to do any of that. We’re going forward with the idea that we’ve been hit, and all we’re doing is we’re going to just let the time run, the files get encrypted, and then you’re just going to go with the backups. Is that the case?
[21:42] PB: Right. Protections need to be in place. We all know that we cannot do without detections and protections and identification. That’s a very important part. But what I’m trying to get at is that more people are focused on the protections part, and less people are focused on the response and recovery parts. We have to think about all of these together. So, yeah, protections need to be there as well. Yeah.
[22:09] CS: What I’m saying, like there was a certain point I feel like and certainly it was some of the healthcare systems where people did pay the ransom and stuff like that. But the way I’m hearing it from you, like that’s just not a viable option, right?
[22:22] PB: Well, paying the ransom, I mean, unfortunately, the way it stands, if you’re hit by the ransomware and all your files are encrypted and they haven’t made a critical error in their implementation, in that case, your only path to recovery and you don’t have backups and your only path to recovery unfortunately is to pay the ransom. That’s why I understand when victims have to pay. However, we do not advise it because it invigorates the ransomware as a service industry underground. I mean, it gives them more funds to go and research more and come up with better attacks next time. That’s definitely true. Second, there’s no guarantee of file decryption even after the ransom payment in some cases.
[23:04] CS: Now, you also mentioned that there’s a whole sort of range of potential ransomware attacks from like an actual one in which your files are locked versus some real bush league stuff where it’s just some script kid who froze your screen, and it looks like a ransomware attack but it’s not really. Do you have sort of different – Do you have like sort of a checklist of sort of like figuring out like what you got hit by?
[23:30] PB: Yeah. As part of reverse engineering and when somebody gets hit, it’s part of incident analysis, I guess. I mean, you look at the files. You look at the sample. If you’re able to isolate the sample, you look at the sample. You go into the guts of the sample, and I’m talking about reverse engineering over here. You look at the assembly. You can figure out. You can pretty much locate encryption components quickly. They are standard crypto calls. For example, many ransomware out there will try to contact your Windows-resident crypto API, and they’ll make the CryptAcquireContext, CryptEncrypt, CryptGenKey, all those familiar calls. They’re not generating cryptographic material. They’re using it to encrypt the files. You look at the file itself after the encryption, after the ransomware has hit. I mean, you can look at the random data. So, yes, things are truly encrypted at this point.
A study of the sample indicates that this was actually a well-written ransomware. There are efforts out there I want to bring attention to. For example, The No More Ransom Project.
[24:39] CS: Yes. I was going to bring that up.
[24:41] PB: Yeah, so where several entities come together and take a look at the ransomware sample. Then if there are any implementation flaws in the sample, then they will provide you the decryption tool. They will provide the victims with the decryption tools. Those are great efforts. However, in the underground, we have to remember, as an industry, they are growing. You were talking about ransomware as a service. That’s a very big problem because today if I’m not good at writing code myself and I’m definitely not good at writing crypto code myself, if that happens to be the case, I can still go and pay somebody to write that code for me and I can just act as the ransomware operator in that case. I don’t have to be the ransomware developer.
This is a highly synergistic environment where everybody focuses on their skills. Somebody is very good at writing the code. Somebody is very good at finding exploits to propagate the threat. Ultimately, the impact is that they’re growing as an industry. They’re learning from their past mistakes. You find a flaw in the previous variants. They come up with new variants, and this time they remove the flaw. Ultimately, in the absence of flaws, even experts cannot help you decrypt because they are standard algorithms.
[25:55] CS: Now, what in your opinion and you’ve mentioned some aspects of this, but give me a full big picture solution for making ransomware as small of a problem as possible. Obviously, it’s on the rise. But is there some combination in your mind of tools, awareness, change of business, change of security practices or backup practices? What is your sort of like optimal combination of all of these things that would make ransomware a much lower sort of order of danger?
[26:24] PB: Right. You’re talking about what would be my order of actions.
[26:30] CS: Mostly, I just sort of – What are the things you would like to see change sort of industry-wide that would make ransomware a much lower threat? What are all the sort of like ideal implementations?
[26:42] PB: Right. In those terms, first of all, know what your assets are. What are you trying to protect, so the data in this case? That’s what the ransomware will go after. You cannot leave data unprotected because you’re not protecting what you don’t know exists in your environment or is exposed in your environment. Know where all of your assets are. What are you trying to protect? That’s the identification part of it. Then have detections in place, and these are your standard malware detection capabilities and protection capabilities. Protections would – All the network policies and all of that, stopping the threat before it gets in, all the protections in place, and these are standard.
Moving on to the detection part, there are constant improvements out there. They’re incremental. They’re not revolutionary, but there are definitely incremental improvements in ransomware detection technology out there, so make sure you’re constantly taking advantage of that and you haven’t fallen behind on that. That means you’re protected. After that, as discussed before, response and recovery procedures. Okay, well, you try all of that. It did not work. Unfortunately, they still got in. That’s one of the major problems is there’s a lot of targeted attacks out there today, and that is another big problem because with targeted attacks, these are advanced adversaries. They’re carefully selecting targets for a variety of reasons. But then that also affords them manual reconnaissance. If they’re doing – As opposed to a spray and pray kind of attack that WannaCry did, if they’re doing manual reconnaissance, then they’re more likely to find a way in.
[28:29] CS: They’re going to find somebody in.
[28:30] PB: Right. It just takes one exposed endpoint somewhere. Once they’re in and they are doing manual reconnaissance, they will naturally propagate silently and then you’ll notice ransom, and that would appear in all machines at the same time. It’s very important to have the correct protections and everything. However, unfortunately, if they still get in, there needs to exist a response and recovery strategy that is well tested.
[29:01] CS: A combination of all these things, yes. Very important. In accordance with us being Cyber Work, I want to talk a little bit about your work life here. What do you do as a security architect for Motorola? Can you sort of walk me through your average day of tasks and assignments? For people who are like, “I’ve never heard of what a security architect is,” what exactly do you do as a security architect?
[29:23] PB: Right. As a security architect, I play several roles within the same day for my organization. If I have to give you a high-level hierarchy, I would say my roles range from tactical to strategic. As tactical, for example, an example of a security setup that I’m working on right now is we’re bringing up a new instance of a next-generation firewall in the cloud environment. This would reside on a virtual machine scale set, let’s say. Then we are now in the process of updating, so we are also in a process of onboarding new applications on this firewall. We have to set up all the routing and logging and routing procedures within the cloud environment. You can see how the network knowledge comes into the picture of the cloud. The latest cloud technology comes into the picture. You can know the firewall as well.
Then once you’ve been through – You got the logs coming into the next-gen firewall, you also have to route the logs to go into your SIEM instance where they will be ingested and processed and indexed. So then we also have, for example, the Elastic sort of stack coming into the picture where you’re ingesting the logs produced by the firewall ultimately. In the firewall, if you want advanced features, you’re doing SSL decryption. So a lot of technologies come into play, and so my tactical work would include sitting down and not just designing this architecture. Putting it down on paper. Okay, well, this is what the flow is going to look like. This is where we’ll collect logs. This is where the log is going to go. But also, we believe in walking. We call it walk the walk as well. You can’t just design the blueprint and then give it to somebody else to implement. You have to dense it down and try to implement it. When you try to implement it, you come across these little issues that you never thought about when you were designing at a higher level. So then you don’t just leave it to the DevOps engineers. You actually realize the struggle they go through when they’re implementing something that you designed at a higher level. That’s –
[31:49] CS: You’re seeing the flaws before they do.
[31:52] PB: That’s right, yeah. We work side-by-side with DevOps engineers at this point. We have designed the blueprint but we also will take the tools and then we’ll start hammering away on this build. That kind of work can get really tactical. On the other hand, I also play a strategic role where – This is more of the design component, so this is more architecture. Within the constraints of our environments and the technology that is available today, what is the best series of solutions to a problem we’re facing? When you implement this and when you’re thinking about this, what is the long-term impacts of the solution you are proposing because you can’t just think about what’s going to happen today, but you also have to think strategically about what’s going to happen in a year or two years from now, right?
For example, you’re trying to direct the huge volume of firewall logs. Then an Event Hubs instance will buckle under pressure at some point, right? Not right now maybe, but somewhere down the line as you’re onboarding more applications. So you have to think about the long-term impacts of your solution as well. It’s important not to get pigeonholed when considering the solution to a problem, and so think not just of your team and the problem at hand, but how would the solution affect other teams and the organization as a whole. That’s more for a strategic role.
Some of the other examples would be like I also get involved in purchase decisions, considering the purchase of future technologies. There’s business teams that will get involved in these discussions as well. But while they might be considering pricing and other things, you still have to keep focus on the technology. Is there really quality technology there? Then you have to identify those elements as well so that everything goes smoothly somewhere down the line. Those are some of the tasks that I do as part of security architecture.
[34:06] CS: You mentioned that you don’t necessarily need a graduate degree to be a security architect or a malware engineer and things like that, so could you just give us – For people who have heard what you said and thought security architect sounds really very interesting, malware sounds pretty interesting, what sorts of types of learning or skills do you think people need? What personalities that are best suited to this kind of thing? Where do you get started in learning this kind of thing? What are sort of the steps along the way that you would recommend to get you towards a career as a security architect?
[34:40] PB: I think that number one I would say is intelligence. That’s one of the first things we would look at in a security architect and that’s one of the first things that will help you. I just described an example scenario where there are multiple technologies at play, and most of the time you wouldn’t have previous experience with this technology, so it’s literally: you are working on this project. These issues come up. The best way to solve this is with this latest technology. You will not have previous experience with this technology. How quickly can you learn and implement it and use it and determine if that’s the solution you want to go with? So intelligence definitely helps.
The other thing I would say is passion because otherwise you’re going to get overwhelmed pretty quickly. A lot of things are being thrown at you. It’s like drinking through a fire hose. If you’re not passionate about it, then you might fall behind.
[35:46] CS: Yeah. You’re not going to enjoy being hit by a fire hose if you’re not interested in being hit by a fire hose.
[35:51] PB: Right, exactly. Those are the two things I would say that are important being a security architect. It is nice to have an educational background in computing but I’m going to go ahead and be bold enough to say that it’s not something that is absolutely essential. It’s not like you need to have a degree, yeah.
[36:12] CS: You mentioned that it requires sort of a baseline knowledge of everything from sort of networking to cloud to firewalls. I mean, can you speak to that? What are some of the sort of like concrete sort of background that you should have to get you to this point because you’re obviously – It’s sort of like a series of steps, like you need to know this, or you need to know this, or you need to know this and so forth.
[36:31] PB: Right. To put it in context of something we already kind of know, think of the CISSP degree, for example. Now, it doesn’t go into the absolute details. You want to know every single thing about every single thing, but it still kind of gives you an idea about the different domains that exist.
[36:48] CS: Give us a sense of the scope of it, yeah.
[36:50] PB: Right. You know about cryptography today if you’re working with the firewall on this, so following the same example. Now, the application logs are coming in. To enable the advanced security features in the firewall, you have to perform SSL decryption, so you can really see what’s going on. Now, to perform SSL decryption, there’s problems with TLS because TLS 1.3, the browser wants this, but you don’t know what TLS is. That blocks you right away. Then you have to go figure out what TLS is. That’s why – Then your networking knowledge comes into the picture, right? You already knew about TLS and concepts of that nature. You also know a little bit about crypto, so you whip out OpenSSL right away and you start doing things.
That’s where some of your crypto knowledge helps you too, right? As you’re building routes in these firewalls and all of that, your networking knowledge helps you. Think about that in terms of the CISSP domains where all of those components help. So you don’t have to go in absolute depth, but you need to have knowledge from all of those areas.
[38:03] CS: As we wrap up today, where do you see the study of and defense against malware going in the next couple years? Obviously, you’re kind of on the front line in terms of researching and so forth. What do you see as kind of the next steps that are happening that are going to sort of take fight to them?
[38:18] PB: I think that’s in terms of defenses and protections. We’re going to see more machine learning-based approaches going forward. One of the primary problems with machine learning in the past in detecting malware has been a large amount of false positives. You can – There’s this thing called alert fatigue, where you can send a user an alert every five minutes. They’re just going to begin ignoring the alerts. That’s been really challenging. However, it’s going to – I’ve definitely seen improvements in the technology, and so that’s – signature-based detection can only go so far in protecting against novel threats that have been previously unseen but still share some base characteristics with previously known threats. Machine learning can really help with that.
Also, end-users have more compute power these days than they did 10 years ago, so that also helps. I definitely see that growing. I think we’re going to see a lot more research being done to improve the state of response and recovery. I think more and more organizations and people are realizing the importance of response and recovery strategies. Assuming that the adversary is in, what can we do? Definitely see that improving as well.
[39:49] CS: One last very important question today. If our listeners want to hear, learn more about Pranshu Bajpai, where can they go online? Do you have a LinkedIn? Do you have – Is your blog still going? Where can they find more?
[40:01] PB: Yeah. I have this website called amirootyet.com which is also my hacker handle.
[40:07] CS: Amirootyet.com?
[40:08] PB: Amirootyet, yes. There’s more information available over there and my posts and all of the blogs. So, yeah, that’s where.
[40:17] CS: Great. Okay. Pranshu, thank you again for joining us today. It was good to catch up.
[40:22] PB: Thanks for having me, Chris. I enjoyed the talk.
[40:25] CS: And thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to YouTube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. You’d rather have us in your ears during your workday? All of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher. For those of you who’ve been leaving ratings and reviews, I really appreciate it. I hope you will consider doing that, and if you can, tell a friend.
As mentioned at the top of the show, we want to hear from you, what you think about the show, and what you want to hear more of on it. So if you could go to www2, that’s www and the numeral two, .infosecinstitute.com/survey, you’ll find a short set of questions about your listening habits and interests in the show. If you take the survey, you can be eligible to win a $100 Amazon gift card. That’s www.infosecinstitute.com/survey. Thank you once again to Pranshu Bajpai and thank you all again for watching and listening. We will speak to you next week.