
Host: Hello Dimitri, thank you so much for taking the time to chat with me.

Dimitri: Yes, it's my pleasure to be here. Thank you for your invitation, Preeti.

Host: Yeah, no worries. So I hear that you've been part of BSides NYC for a long time. Can you briefly talk about your background and how you got involved with BSides NYC?

Dimitri: Yeah. When I started in the industry, it was many years ago, when people didn't even know what cyber security was, because everybody wanted to be a software developer or, if not, a network administrator. Eventually the industry evolved, and now everything is about security. I still remember the time when BSides New York announced, like, okay, the very first meetup we're going to have here, and there was a call for papers. I sent my abstract, which was about mobile implants targeting Apple and Android devices, and even BlackBerry devices. Fortunately I was accepted, and when I came here I found it a super nice experience, because all the audience, the individuals, the researchers who attended this event, were high class. It's one of the best events I have ever attended worldwide.

Host: Nice, very nice. So really top-notch quality of content here, and I'm guessing that's what brings you back, or what are the other things that bring you back?

Dimitri: Yeah, it's good memories, of course, and the way the conference is organized. Everything is super practical. Essentially you have a very nice location, everything is working easily, the talks and the program are really meaningful, so you can learn, you can teach, you can give, and also the people, the contacts you can develop. It's what you need.

Host: Yep, absolutely. That sense of community and just establishing that network is super critical for a lot of people, so thanks for sharing that. What are you most excited about coming to BSides NYC? What are you looking forward to learning today?

Dimitri: Well, I saw a couple of talks from the program that are specifically interesting for me, like using open source intelligence, tracking threat actors. But definitely it's also the workshops.

Host: Okay.

Dimitri: That is great, because sharing knowledge, and for free, is something I really like, because this is how it works: if you can teach someone, do that, because that person can also teach others later. This is how we help the entire community and society to prepare professionals, to reduce or to lessen the risks by means of working in cyber security, and threat intelligence specifically, and making this world a little bit better.

Host: Great, great. You mentioned risk, right? So in your view, how does all of this research that we do, especially in the threat intelligence space, fit into reducing risk? Because in the end the business bottom line is risk reduction and risk management.

Dimitri: Yeah. So the whole purpose of a good threat intelligence program must include several things. Of course it's operational, it's tactical, but also strategic. But the idea is always to look and to correlate, to find overlaps between events in real life, like what is going on speaking geopolitically, economically, and connecting those dots to the threats we see. That is how we understand why this or that attack happens, who is behind it, what the motivation is. And by means of that, knowing who your threat actor is, what weapons that threat actor uses, how they use them, we can calculate, let's say, a potential impact.

Host: Right.

Dimitri: And with the impact we can also see, okay, should we take it, should we prevent it, can we prevent it or not, can we detect it if it happens, okay, what's next, what should I do. So when we have a full context about threat actors, their weapons, how they use them, what the impacts are, we can at least understand the risks. And of course the idea is not only to understand them but to lessen them by measures. We take decisions, technological decisions, other decisions, and all of that is focused on reducing or lessening the risks, because we know in advance, we may anticipate attacks by means of context, so we can lessen the risks.

Host: Got it. So I think you touched upon various facets of the risk management life cycle, right? Like you can either mitigate it, have some sort of a control, or sometimes you just choose to accept it depending on a lower impact, and most of the time you're trying to thwart it, right? You don't want to have that risk. So great, thank you for that.

Dimitri: Thank you.

Host: One of the other things that I noticed when you were talking about your background is you're working in threat intelligence, you gave a great talk, and it looks like you have a lot of exposure doing cyber security in different landscapes, geographical landscapes. So can you give us your perspective on how different cultures and how different security teams operate globally?

Dimitri: Yes, indeed, it's a very good question. For example, I spent many years in Latin America. My wife, she's from Latin America, so I speak Spanish at home.

Host: Wow, cool. Yeah, you must be speaking a lot of languages.

Dimitri: Well, no, not really, but it's one of the languages I really cherish. And, for example, thinking about Latin America, it's a completely different world, with different threat actors and different weapons to use, with different goals. What I mean specifically: LatAm, for example, is all about financially motivated threat actors. It's like 99% of all attacks, while the factories, I mean the main sources of the attacks, are usually Brazil. Colombia is very well known for [inaudible] tools, and this is what we see. Mexico is the land of mobile spying, all sorts of mobile espionage. But that's the nature, let's say, of these attacks.

Host: So it looks like the culture is very core to understanding the intent, the motivation and the objectives of these attacks.

Dimitri: Absolutely, and that is a great point to think about, because if someone, let's say, tries to approach cyber security in a generic way, let's say malware is malware, phishing is phishing, it's wrong. By removing context from the attacks we can't really anticipate those attacks which are tailored to target us, or at least the industry where you work.

Host: Makes sense. Great, thanks for that. I think that's very helpful for everybody listening to it, because there are not a lot of people who have that global expertise that you have. One of the other things that I really liked about BSides NYC, and I heard a lot of other people talk about it, is how they're looking to open doors for people trying to come into security. What are some of the things that you do? Like how do you ensure that people are coming into security, getting more interested in it? What are some good training or mentoring resources? Like what are some of the things that you do?

Dimitri: Well, sharing knowledge is a key, right? For example, you can post what you find on Twitter, on Mastodon, on LinkedIn, and essentially you just put something there, just simple, you know, a couple of screenshots, explanations about how this or that works, indicators of compromise, and sometimes that is enough for those highly motivated individuals to finally say, hey, I found that, that's interesting, I'm from that country, I'm from that company, how did you find it, how does it work. And one thing I like doing is to provide your research with a detailed explanation, for example: we found this, this led us to that, so the person who reads that may essentially repeat your steps. It's like learning from home, trying to get to those pieces of code where you are looking at this moment, and it helps. On the other hand, conferences, of course, like this one, are also great. Programs with the universities are also something I did a lot, especially with the universities in Latin America, in different countries: just go in there and have a presentation with a workshop for the students. It's always something very good, and especially it makes you feel good when time passes and you see those students, they were students, now they are professionals, I mean they work at very cool companies. So like, wow.

Host: Yeah, that's nice. So it's always nice to see somebody that you mentored or somebody for whom you just helped lower that barrier to entry just a little bit, right? Because it's always helpful to know that somebody else is also working on a difficult problem, and if two people are working on it, it feels less difficult. So I think this is a great example. And why do you enjoy doing this?

Dimitri: Well, life is all about this. Life is about giving. Giving makes you happy. When you give, you feel happy. It's not only about getting, of course; you also feel happiness when you receive something, but when you also share with others, it makes you happy and others happy as well. And in the end, especially by that time when we started learning cyber security, I remember that no universities were even available to learn from. Books, yeah, if you're lucky you may find some books. The internet was also so basic. So when you know and go straight to the point with practical things, you help others to develop the same and better skills in a shorter amount of time when compared to what it took me, let's say.

Host: Absolutely. Yeah, it's also about that higher velocity, right?

Dimitri: Right.

Host: Nice. Great, thank you so much for that, Dimitri. I don't think anybody else could have put it any better, so thank you so much for that. So now we're moving on to one of my favorite segments, and I'll let you get away with this. This segment is for you to ask ChatGPT a question and give us your thoughts on what it said. I had asked Dimitri to give us some prompts before, and one of the prompts that he chose was a very specific technical prompt: write a YARA rule based on the timestamp anomalies from PE files with an entropy higher than 6.7 in an uncommon file section. It was a very, very specific, narrow prompt, and ChatGPT did give out a bunch of YARA rules, sorry, one YARA rule, and it has some interesting things. At least I was able to notice some of the things that I thought it didn't do so well and some of the things that I thought it was okay at. The fact that it generated a YARA rule, I think that's pretty good, and I'll let Dimitri take it from here. So what's your analysis on this?

Dimitri: Yeah, that was like an imitation of what you or I would write, and basically it's a string-based rule with a lot of wildcards, and if you run such a rule on your system it will kill it. So eventually you can't run it in production, because it would kill it, and of course, unfortunately, a lot of false positives also.

Host: Right, because the first one was far too generic. It gave a very generic expression to match on.

Dimitri: Exactly, exactly. Even checking the condition, right, it's so bad. It's not even for the files we were looking for. So for me, unfortunately, ChatGPT, at least for this specific task for a threat intelligence analyst, is not that good yet. It needs to be trained, and probably we need to train it to help us with those things.

Host: Yeah, and I think this would be one example of, you know, make sure that you verify everything that you get out of ChatGPT.

Dimitri: So yeah, very good advice indeed.

Host: Thank you so much, thanks a lot for your time. It was a real pleasure chatting with you.

Dimitri: Thank you, Preeti, and same for me.

Host: Yeah, great, thank you.

Dimitri: Thank you.