McAfee’s Steve Povolny Leads Threat Research

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittne:

Hello, everyone. I’m Dave Bittner from the CyberWire. Thanks for joining us for episode 58 of the Recorded Future podcast.

Our guest today is Steve Povolny, head of advanced threat research at McAfee. We’ll learn how he came to lead his team of researchers, his philosophy on leadership, and how to strike that balance between maintaining a healthy competitive advantage in the marketplace, all while contributing to the larger threat research community and helping to make the world a safer place.

He shares his thoughts on threat intelligence, why he believes it’s grown in importance for most organizations, and we’ll get his advice on choosing what kinds of services a company might need. Stay with us.

Steve Povolny:

So, I actually started my career in security just kind of playing on my own when I was a teenager and fell in love with computers. I didn’t really get into security aspect of it until around the college timeframe, when I got interested in breaking into things and the offense and defense sides of security.

After college, I started to explore the world of security a little bit more professionally and started with Target Corporation. I always tell people that the Target hack was not my fault, though. That’s my standard disclaimer. But I worked with Target rotationally for a while — Target Corporate — and found a love for security but wanted to get much more technical.

So, I rotated over and made a move, geographically, down to Austin, Texas, where I joined TippingPoint, doing network security for a number of years. TippingPoint was acquired by, of course, the large AV vendor Trend Micro, and Trend Micro I was with for about a year. I found this position with McAfee in late November of last year and came over to run security research and vulnerability and malware analysis. So, I’m now with McAfee, and I have a lot of family that lives here in the Portland area, so it worked out really nicely.

Dave Bittner:

Describe to us, what is your day-to-day like? What challenges are you facing regularly?

Steve Povolny:

That’s a tough question to answer because one of the great things about this job is that every single day is different — truly different. We never really work the same day twice in a row. But fundamentally, on a day-to-day basis, we’re dealing with complex threats, from vulnerabilities, to malware and targeted campaigns, to just security concepts in general that we see in the world around us. Technology and security change on such a quick basis here. The team is divided into two parts: vulnerability researchers and malware campaign researchers. And what we track are things like nation states and individual actors and their intentions. We look at the type of malware in code and exploits that they’re writing and releasing and who they’re targeting. We work with law enforcement, vendors, and affected parties to analyze these scenarios.

And then … We’re a research organization, so of course, we’re publicly reporting our findings, and you can follow our blog post if you want to see some of the latest campaigns and targeted research that we’ve uncovered. We’re also building, actually, a giant research lab here in our Hillsborough, Portland area office in Oregon, where we’ll start to take the research that our vulnerability researchers are working on — different products, software, hardware, firmware technologies — and essentially try to break them so that we can improve them. We have a responsible disclosure program where we’ll work with the vendors directly and very early on in the process to let them know what we’re finding so that they can better secure the products, whether it’s software packages, hardware re-architecture, or any other kind of issue.

So, we’re building a large, physical lab here to actually support that. And my day-to-day job — just to come full circle — can be anything from reverse engineering, to building talent and recruiting, to painting the walls in the lab, to analyzing the latest exploits. So, we have a highly unique type of role, and that’s what keeps us on our feet.

Dave Bittner:

What are the things that draw your interest? If you look at a list of things that are going on, what are the things you like to do most?

Steve Povolny:

My personal passion is around vulnerability research, and it’s really exciting to be able to take something that most people don’t understand the security implications of and be able to show them what the bad guys are really trying to do with it. If we can beat them to the punch on that and expose it before it is publicly known, that’s pretty exciting, and even more so when we can demonstrate it to them in a very tangible way, like a demo or a systems test.

So, for example, we’ve done some research in the medical industry, which we’re getting ready to report on. We’re showing some in-hospital, physical attacks on systems that aren’t secured, and some of the implications that you might not think of when you’re dealing with systems that are poorly coded or that haven’t implemented strong security practices. So, I’m really passionate about highlighting the problems that we have, the solutions that are possible for them, and letting people visualize what’s really going on around them.

Dave Bittner:

I want to explore how you go about building your team. Can you describe for us, how do you make sure that you have the breadth of talent that you need, and what are the challenges with getting that talent?

Steve Povolny:

Yeah, that’s a great question, Dave. And I wish I had all the answers for that because finding the right talent is very challenging, especially if you’re trying to build a team locally, like we’re trying to do here. So, we can find a number of folks worldwide that have the skill set and expertise to do the type of work we’re trying to do, and we’ve hired team members in Paris; in Cork, Ireland; and in the U.S., of course, in Hillsborough, Texas. We’re spread across Europe. So, we do hire remotely, but one of the challenges we’re trying to do is, as we look toward more of a hardware focus and a device focus to build, as I said, demos and systems that we can show are exploitable, we really need more hands-on talent. So, we need people to be in front of keyboards and in front of the devices they’re tearing apart from a physical perspective, and a lot of the times, relocation is challenging to work on, or finding local talent can be challenging.

So, the types of people that we hire, fundamentally, have to fit into three areas. One is a passion for all things security, and we’ll hire a more junior type of person who has the right motivation, the right passion, and kind of has that mindset of, they want to break things, but they want to do it in a safe and responsible environment. Beyond that, we look for individuals that have software experience, specifically with development. And that’s really important because most of the vulnerabilities that we end up finding and recording are software-based vulnerabilities. And then, finally, we’re now starting to explore more hardware, radio protocols, and some different vectors for research that do require a little bit more of that kind of hands-on capability. And so, we look for people that have experienced opening up devices and removing boards from them, and components, and connecting to vehicles and extracting information. These are the types of systems that we’re auditing in our new lab in Hillsborough.

Dave Bittner:

Now, certainly, McAfee has a long history on the product side. It’s certainly one of the most well-known names when it comes to antivirus and in protecting computers. Why do you suppose that it’s important for the company to make an investment on the research side?

Steve Povolny:

I think every security company, fundamentally, needs to have some kind of a research entity, and depending on where you play in the industry, as an organization, the size and complexity and technical capabilities of that team might be different. But for McAfee, with the size it is and the reach it has for its customer base, we need a research team to explore the areas that either the product plays well in today, could play in the future, or maybe we haven’t even thought about before. So, part of the work that our team does — although we consider ourselves kind of product-agnostic in our research — is highlighting and understanding the different verticals of the attack surface so that we can educate McAfee, as well as the industry, on what we should be looking at defensively, in addition to just, “What can we break? What can we look at offensively?” Areas like automotive, aviation, and SCADA and industrial control systems — these are non-typical areas for an antivirus vendor to play in. For key industries, from a security perspective, especially in the emerging future of connected devices … Our research capabilities allow McAfee to consider whether it’s a smart, strategic play to be involved in those industries.

Dave Bittner:

I’m curious about your take on this notion that from a business point of view, it’s important for McAfee to be able to support your own products, to have things that perhaps are exclusive to your products. But it strikes me that there’s a need to balance that against the sense of community, of sharing information with other researchers to help make the community — and I guess even the world — a safer place?

Steve Povolny:

Yeah, Dave. That’s a spot-on question, and very insightful and not easy to answer, either, because I think it is a gray area in terms of information sharing versus what you keep internal and what you actually arm the security world with versus potential attackers. That’s a gray area that we navigate all the time. So, for instance, if we find a vulnerability in software, our typical public policy is that vendors have 90 days to provide a patch or a fix for that software — potentially up to 120 days if the vendor is working with us in good faith but just can’t make that timeline. At that point, most vendors have understood security implications, will take ownership for and develop patches for a problem like that, roll it out, and that’s the end of the story. At that point, the world is kind of a safer place, we’ve potentially patched that vulnerability, and it’s time to talk about it.

The more complex scenario is when a software vendor may not respond or may not be able to roll out some kind of a fix in time, and then we navigate the challenging waters of, “How public do we get with the information? How do we hold the vendor accountable without burning them and making the products that they’re shipping weaker or more susceptible to attack?” And fundamentally, I guess, the way that I look at it, personally, is the bad guys are doing the same thing that we’re doing. They’re better funded, there’s more of them, and their full-time jobs are focused on the same type of work that we’re doing, just with greater resources. So, I kind of view every potential vulnerability in the light of … They could have been, or probably have been found, and certainly will be, at some point, with enough time and resources. So, why not educate the security industry publicly, to a responsible extent, of what kind of problems are out there and how they can be fixed before the bad guys actually get a chance to exploit them?

And certainly, there will be times when you have … The disclosure does not quite line up to the actual recording of the vulnerability, but we kind of view it as, this is something that we feel responsible for, pushing the software development and hardware development community toward. We’ve really seen vendors lag significantly behind, in terms of their abilities to respond to and patch critical vulnerabilities, and we want to be a part of improving that process in that timeline. It isn’t an easy answer. It’s a complex question, but I guess our fundamental takeaway is that we want to be seen as a strategic security partner, even though it seems like some of the activities we’re doing, to the uneducated eye, might seem malicious in nature. Fundamentally, what we’re doing is, we’re actually helping secure these produce before the bugs can be found and exploited by the bad guys.

Dave Bittner:

I want to touch on threat intelligence, and specifically, the role that you think it plays in an organization’s ability to defend themselves?

Steve Povolny:

Again, another great question, and also a loaded question because everyone claims to have a threat intelligence feed nowadays. It’s kind of the buzzword, as you know, at every conference you go to. And threat intelligence is essential. It’s a large part of the byproduct of our research that goes back into our McAfee products and into our other research organizations, as well in the industry. There are a number of both public and private entities today that have phenomenal products for threat intelligence, many of which are freely available to researchers, and also to exploiters or to threat actors. So, you consider something like VirusTotal, which is kind of your quintessential feed, or repository for malicious files, documents, and activity. It is, of course, heavily used by the white hat industry, but it’d be a mistake to think that it wasn’t also leveraged by attackers when they’re trying to gather information on targets, attribution, and gain access to files that they might not have otherwise had.

So, we’ve got this kind of yin and yang perspective of how much threat intelligence we publicize, when we go public with it, and what it could be used for or has been used for in the past. But I think ultimately, the takeaway for us is, we believe in openness and transparency, so when we publish a report, for example, on a major threat actor or campaign, you’ll see that we almost always link or list the indicators of compromise and the threat intelligence that we’ve found to the full extent that we’re able to, and certainly that we’ve got covered in our products already.

Dave Bittner

Now, how do you go about balancing the role of the analyst versus automation, of dialing that in to really optimize and make the most of both of those assets?

Steve Povolny:

Our analysts automate to do their job effectively, and in the research industry, specifically security research, automation is absolutely essential. So, if you take for example, a product like IDA Pro where you may be using, again, a very standard industry product to analyze malware or vulnerabilities, you can actually build upon that framework by using something like IDA Python to automate the analysis and exploitation. Discovery of vulnerabilities like this is a very, very common practice for us. So, we rely heavily on scripting-based languages like Python, Perl, Ruby, and JavaScript to further automate the work that we’re doing from both finding and enumerating vulnerabilities, to exploiting and analyzing vulnerabilities, and even sometimes for scraping the web for threat intelligence, like we talked about earlier. There’s a lot of automation that we’ve built internally that lets us pull down resources in vast volumes that we wouldn’t be able to do with a much more manual approach. So, I think it really is an essential skillset.

Dave Bittner:

What’s your advice for someone who’s out there shopping around for threat intelligence, trying to decide what role it’s going to play in their own organization and how to approach it to get what best fits their needs?

Steve Povolny:

I think it’s a complicated answer, but if we boil it down to the simplest answer that I can think of, it would be, what are you going to do with it, and is it actionable? So, you can have the largest dataset and threat intelligence in the world, but if you don’t have an action plan or understanding of what you’re looking at or what you can do with it, you’re really just sitting on useless data. So, think about what your attack surface is, where your exposure points are, what you have the ability to take action on, and apply those concepts to the threat intelligence feed to be able to respond more quickly.

So, if you consider phishing and spear phishing attacks — some of the highest threats to your specific industry — some of the threat intelligence that might be really interesting would be email vectors of attack and the type of malicious documents that you’re seeing associated with phishing and spear phishing attacks. It might be some natural language processing, or artificial intelligence, or machine learning on actual emails to recognize malicious content from benign or standard content. So, to me, it’s really, what’s the impact that you can take away from threat intelligence feeds and directly apply it within your organization to solve security problems?

Dave Bittner:

I’m curious what your philosophy is when it comes to building your own team and what your leadership style is. How do you go about building that culture of coworkers to do the tasks that need to be done there?

Steve Povolny:

I have a little bit of a unique perspective on building research teams, because researchers, as you may know, have some specific ideas about how they want to operate within the confines of their job. Researchers are inquisitive by nature. They want to explore and break things. They want to have extensive support, whether long term or for projects. I think a big part of building a research organization is being able to protect those kinds of resources and give them the runway to explore and chase down solutions where it may seem like there’s not an easy answer right away.

So, we had an interesting anecdote of this exact type of scenario last week, actually, where one of our researchers was just at the point where he’d been working on an exploit for about a month and was getting really frustrated. We thought he was there, and he called me up and said, “Should I move on?” I said, “Absolutely not. You’ve got this. I think you’re really close to it. Yes, you could potentially move to something else and find something just as interesting, but I think you need to stick with it.” And three days later, he sent me a reverse shell exploit for the vulnerability he was looking at. So, it’s being able to guard, being able to protect those resources from distractions, while at the same time not letting something run indefinitely.

And then, I think it’s also really important to be able to provide the opportunities for them to grow and expand. This industry is so highly volatile that you need access to training resources. You need access to mentors and to serve as a mentor, so we encourage a lot of that cross-team growth and collaboration, formal or informal mentorships. We find that in the long term, that really helps build the talent that we’re looking for, versus going out and finding someone who’s been doing it for 20 years and is kind of stuck in their ways. We’re really looking for just generic problem solvers and people that can think of solving challenges differently. So, we think a little bit outside of the box when we’re building a team like this, and the type of researchers that work well in this industry, I think, are those that
think outside of the box as well.

So, I would like people to take away from this conversation one of the concepts that we’ve been trying to expand upon, which is the explosion and growth of internet-connected devices and technology that we now take for granted and carry around in our pockets, that we drive in our cars, that we fly around the world in, and that control every aspect of our lives. The downside of that explosion of technology and that growth and innovation is the negative security implications that come with it. Part of my team’s job is to shed some light on, what are the challenge areas there? What are the potential impacts and implications of this growth and explosion in technology, and how do we help secure this space? We spend a lot of time looking into each of
these areas for that sole reason.

So, I think just educating the industry and folks who might not otherwise be aware of the security challenges that are out there is one of the fundamental tenets of this team, and we hope that you follow our blog and keep up with our social media accounts, which is where we post most of this relevant information. We also contribute occasionally to a podcast called Hackable, which is a McAfee podcast, and we’d welcome as many viewers to that as well.

Dave Bittner:

Our thanks to Steve Povolny from McAfee for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.