Hello, loyal readers! After republishing my first Women in Information Security series from last fall, I’m now ready to republish my second series from this spring. These interviews have proven to be really popular, and I’m honoured to bring them to Hacker Noon.
I will do a third series for Fall 2017. If you’re a woman or non-male who works in cybersecurity, or you know someone who is, feel free to tweet me about it!
This was originally published on Tripwire’s State of Security blog in May.
As a woman who works in cybersecurity, I know that there are many amazing women in my field.
Last time, I had the pleasure of speaking with Cheryl Biswas, who works as a corporate cybersecurity consultant. This time, I spoke to Thaís. She’s been educated on two different continents in both physics and computer science! Now she’s doing some pretty interesting malware research.
Kimberly Crawley: So Thaís, explain what you’re currently doing in cybersecurity.
Thaís: I just graduated in computer science, and I now work with malware analysis and vulnerability hunting.
KC: What did you specialize in when you studied computer science?
T: My thesis was about malware detection and analysis using constraint programming.
KC: Wow, that sounds cool! Did you go to school in Germany?
T: Yes, I did. I studied physics in Brazil before coming to Germany, where I decided to go to school again. It’s a bit different here in Germany. It depends on the university, of course. But you are allowed to start in the first semester with the things that you like.
KC: You started in physics? Which schools did you go to?
T: Oh, yes. I love physics. In fact, I studied Astrophysics. And there I needed to program a lot. I went to the Universidade Federal do Paraná in Brazil, University of Hamburg (Germany), and University of Düsseldorf (Germany).
KC: And you were probably mastering various programming languages at the same time?
T: Yes. I was a bit disappointed with the way people work in physics. I notice that I have a lot of fun programming the tools. Sometimes more fun than really using the data that I got after running the program. Then I decided to focus on automation. My “mother language” is Haskell, but I work a lot in PROLOG and Python.
KC: Speaking of languages, you’re fluent in Portuguese, German, and English, right? That’s also really impressive.
T: Yes, I am. Portuguese, German, and English, and I’m currently learning French.
KC: Now when you were a little girl, were you encouraged to pursue science?
T: Yes. My father is also an engineer and computer scientist. In the beginning, he didn’t believe that I wanted to go through with physics, but after three years, he was really proud of me. The whole time, my mom didn’t understand what I do, but she supported me all the same.
KC: Tell me more about your malware analysis thesis.
T: I focus on the design of a malware detection tool using the SMT solver Z3. More specifically, I have looked into different techniques to explore multiple execution paths for binaries, which were gained through symbolic execution. And I am using the Z3 SMT solver to deobfuscate malware code. Now I am starting to program a tool that I designed.
KC: I notice that a lot more malware attacks on datacenters are fileless these days. Does your thesis and tool help make fileless malware detection better?
T: Not sure yet. I just tried with files.
KC: I recently wrote a report on how a lot of SIEM vendors implement machine learningmalware analysis, but one vendor ditched machine learning in favour of something they call “behavioral network detection.” Does your work shed any light on any of those sorts of technologies?
T: Yes. It’s the same idea: training a system with “safe” behaviours and using the complement of these behaviors as “not okay.” I was implementing it in a cloud server so that all customers can use the same database.
KC: Did your thesis work and tool development experience lead you to your current employment?
T: I am working independently right now on my tool. But yes, it led me to focus on malware analysis positions while looking for employment.
KC: Onto endpoint security. What do you think of those people in tech journalism who are now advising people that AV software isn’t necessary on Windows clients?
T: I think that having an AV is better than nothing. It’s still not safe, but the only way to secure a system fully is not to connect it with anything else.
KC: Hey, I wrote an article for Tripwire recently on an external attack method for airgapped machines. It seems like where there’s a will, there’s a way.
T: Ha ha, you are right. There is always a way. That is what keeps me motivated. There must be a way to make a better AV. For most of the users out there, it may be okay. It is the job of security researchers to make better AVs.
KC: My opinion is that all machines that can acquire external data from any means (network, removable media) should have some sort of AV software, however imperfect it is. I was impressed that Malwarebytes seemed to take a leading role in employing heuristics in a freeware client, starting a few years ago. Kaspersky does good heuristic stuff too, as does ESET, but having to pay for software is one level of friction for many consumers, I’m afraid. Especially when vendors like Symantec pay to put “free trials” on Windows OEMs.
T: The “neural network” approach is really promising. Security should be accessible for everyone. And yeah, if you collect enough data summarising which kind of behaviour should be accepted, it should be reasonable to infer that the complement of those behaviours are dangerous. The only problem with this kind of assumption is that you have a lot of false positives. And that is not what customers want.
KC: False positives are a huge problem. On another note, you’re really fortunate that your dad encouraged you to pursue science and technology. Mine did too. But do you feel a lot of girls are still discouraged from considering science and technology careers?
T: Yes, of course. I am really lucky that my family supported me all the way, but anytime I visit a conference or give a talk or just go to classes, it is the same. I am sitting there surrounded by guys. And they often look at me like I’m an alien.
KC: I’ve experienced that. Guys assuming that you’re just the girlfriend or wife, assuming that you’re not the techie. I personally hate that. I feel like I’ve had to work extra hard to prove myself.
T: And if you are a girl and try during a “university day” to visit a computer science class, it’s horrible. If I get scared now, I can imagine the impact it has if you also don’t have family support.
KC: I assume that your computer science classmates eventually took you seriously. Your knowledge is obvious to me.
T: Once I had a professor who called me and asked if I could get a man on the phone because he had some computer questions.
KC: Ugh. That’s horrible.
T: I also work extra hard to prove myself every single day. Sometimes it is exhausting.
KC: How would you advise schools and tech companies on how to attract more women?
T: At the University of Düsseldorf, they have something pretty amazing called “girls day,” where just girls that are interested in taking undergraduate courses come to the university and they get a mentor for each subject. I was really happy to be a mentor once for girls that wanted to study physics. It is really important to have a role model so you can follow the steps.
KC: Have you done any research in cybersecurity areas outside of malware?
T: I am working a lot with vulnerability hunting. I’m also using constraint programming and logical programming for that.
KC: Vulnerabilities for what sort of attacks? Man-in-the-middle? Stuff like that?
T: I’m using vulnerable VMs for that right now. Not just network vulnerabilities. It’s kinda of software analysis also. But not just malicious code. Good code, as well.
KC: If a teenager asked you for advice on how to get into cybersecurity, what would you tell them?
T: Go for it! Create a lab at home, keep curious and try everything you can imagine at home in your private network. Find your path in cybersecurity. There is a place for everyone.
KC: Are there areas of cybersecurity that might be easier to get into, employment wise than others?
T: I don’t think so. If you work with passion, you can get into cybersecurity easy. It doesn’t matter which area you choose. But cybersecurity is more than a job; it is a way of life. If you understand it and choose to live it, you’ll get employed.
KC: Before we go, is there anything else you’d like to say?
T: Thank you for your amazing work. It is really good to know that someone out there wants to read and hear what women in cybersecurity have to say!