Of mice and malware

Some of the most important training I got for a career in computer security research was not from a computer-related class, but in a biology class. While these two disciplines may seem entirely unrelated, the skills that are needed in both cases can have some interesting overlap.

I’m often asked what kinds of “unexpected” skills are helpful to succeed in a job in computer security. My answer usually includes qualities like “empathy,” “curiosity,” or “communication,” but there’s a whole other skillset – or perhaps it’s a mindset – that is often equally important but difficult to describe in a single word. And that skillset can often be found in a seemingly unrelated discipline: biology.

Blind men and an elephant

There’s a popular parable in which a group of blind men come across an elephant for the first time. Each man tries to conceptualize and describe this animal, while feeling only one specific part of the elephant's body. Based on this limited experience, each explanation of what the elephant is like is completely different from the others. There are many interpretations of the meaning or moral of this parable, but I found it to be relevant in a slightly different area of my life.

Malware research can resemble this parable, in that the sample we receive from an affected customer is often only a very small part of a much larger phenomenon. Two researchers – even within the same company – might look at two different pieces of the same malware attack and arrive at completely different explanations of what the malware is like. And those two researchers may never have a chance to compare notes, especially if neither discovers that they’re dealing with two parts of the same, larger threat.

The more information each researcher can get about the context of that piece, and the more effectively they can share information with others, the more accurate each of their explanations can be. And thus, asking good questions and learning to glean a whole lot of clues from very scant information can be a vital research skill.

Biological beginnings

The class I took in college that would have the most impact on my future career was not a computer class, but a plant taxonomy class where I learned about how plants are categorized and identified based on a variety of different features. Those features include things like a plant’s reproductive structures, the arrangement or qualities of leaves, and even the environment or geographical area in which they’re found.

After completing the class, I had learned a new level of careful observation, as the difference between two species within a genus of plants can come down to something as subtle as the presence or absence of a line of tiny hairs on a stem. But this skill isn’t limited to things you can find while staring at a specimen with a magnifying glass; it also required me to look more broadly at the other types of plants and the bodies of water in the surrounding environment. You must never lose sight of the forest even when you’re focusing deeply on a tree.

What exactly does this have to do with computers?

When I started my training as a malware researcher, one of my tasks was to process files as they came into the research mailbox. I didn’t initially know whether they were malicious files or clean files, until after experienced researchers had assessed them.

I got to know what qualities these “suspicious” files possessed. At first, my inspection was at a middle-distance. I learned what icons the files used, what filenames were used, and what file types were more likely to be considered sketchy by people who sent us files. I also learned what environmental clues were valuable to researchers, as I was tasked with relaying their additional questions to people who’d sent us files.

When I learned to use malware research tools, I was able to look much more closely at files and to observe their effects on an environment, which gave me a whole new set of clues to work with. In time, I had a robust collection of methods for gathering relevant information that would help me identify and classify samples.

I’ve done both formal and informal training for malware research, and in both cases the sole focus was on gaining the technical skills for identifying files. There was no discussion about what to do when you get a file that is too small a portion of the complete picture, or simply too ambiguous to make a conclusive determination. What questions should researchers be asking to get a clearer and more complete picture?

For me, the answer to this question came from my taxonomy class: because I knew what sorts of qualities would help me narrow down an identification, I could quickly jump to the most important questions to figure out how to narrow down the search.

If someone asks me to identify an unknown plant from a picture, the first question I ask is where the plant was found. Was it in California or in New York? Was it in a garden or a forest? The answers to these questions are the quickest way to rule out a whole lot of possibilities. From there, clues I glean from the picture may be enough, or I may have to ask another question or two to narrow the genus and species.

If I needed to know more about a suspicious file, my first question was likewise where the sender had found it. Was it sent to them? Did they download it from somewhere? Was it residing in a folder on their machine? If I could get more information about how it was sent, where it was downloaded from, or which specific folder it was in, that was usually enough to make a conclusive classification.

Learning about taxonomical categorization of plants allowed me to make more informed decisions about files more quickly, because I learned what the most important details were in making a quick but thorough identification. And taxonomy isn’t the only discipline that gives unexpected benefits like these.

While more and more companies consider a computer science degree to be an absolute must-have for new tech employees, it can be beneficial to seek out people who have a different kind of educational background. Skills learned in other disciplines can provide a wealth of value to your organization, if you’re willing to look for those hidden gems.

This article is published as part of the IDG Contributor Network.