Ilya Sachkov, Founder and CEO at Group IB, in this interview tells us about DDoS and malware threat as well as Russian cybercrime specifics.
Ilya Sachkov, CISM, the founder and head of Group-IB, the leading Russian company, specializing in the investigation of computer crime, information security breaches, and computer forensics. The author of a technology of investigation of circumstances of DDoS attacks. The member of the International Information Systems Forensics Association (IISFA), the Association of Certified Fraud Examiners (ACFE), the Honeynet Project, the Russian Information Systems Security Professional Association (RISSPA) and the Committee against Cyber-Crime at the Russian Association of Electronic Communication (RAEC).
Yuri: Ilya, what is your current job?
Ilya: Now I’m holding the position of General Manager in Group-IB. I’m responsible for the long-term development planning, bringing new products and services to the market, collaboration with strategic partners from business and law-enforcement agencies. I’m keeping our development within the values that lays in the foundation of our business and guarantee that all the employees and the company in general are as professional as possible. Apart of the management I’m trying (but it happens rarely) to take part in the most resonance investigations. In addition I’m co-chairman of the commission for cybercrime in Russian Association for Electronic Communications and the Expert for Cybercrime in Russian Duma.
My first investigation was at 11th year of school
Yuri: How did you become involved in computer security field?
Ilya: I studied in the physics and math school-laboratory #444 in Moscow. The training in the Information Security started when I was in 9th form. When I was in 11th form, I clearly understood who I would be and took part in my first investigation for the Ministry of education and science. That time unknown persons used schools’ logins and passwords to get a free Internet access. They used malicious software for gathering information. As for me, it was very interesting and I got my first reward for that investigation.
Being a senior, I was reading lections to our lecturers
Yuri: Do you have any related education? What did you major in at university?
Ilya: I have graduated Bauman MSTU in Moscow for a degree with honors. I have been studying at the Information Security Department at the Faculty of Information and Management Systems. There I’ve accepted a systematic approach for the information processing. But all of the special skills were gained by the self-education or during the work. It happened that I read lections for some of our teachers at the upper years.
Yuri: Please describe your working day. When you get to, what do you do first? What do you do most of the time?
Ilya: Fortunately, I don’t have a typical working day. The day is overwhelmed with meetings and conferences and often with speeches at different events. Usually it starts at 9-10 AM in the morning and ends late at night. Thanks to the possibility of remote work many things I do at home. It happened that I worked all the vacation because there was an internet access in the hotel. But the life shown that it’s not the best way of relaxing. That’s why I started to go offline.
Our business is not just about earning money
Yuri: What do you like about your job most? Less?
Ilya: I like most that our business is not just a way of getting money. There’s a huge meaning for the entire society. The job we are doing helps to denounce violators, decrease the number of incidents, and give the money back, and so on. It’s linked with the travels, dangers and even some kind of romantics. We always have to learn and discover something new; take the floor, contact with people. I like less that we have a winter and bad weather in autumn, but I think it’s not about the job itself.
The first investment in our company was returned in a week
Yuri: This is something you would not complain if you try to spend these seasons in St-Petersburg, rather than in Moscow (smiling). How did you join your company? How it started and what is its’ main differentiation to others?
Ilya: I started to work in 11th form. It was my luck and I managed to work at responsible positions in the field of the information security in large and international companies when I was very young. At some moment I felt bored. So, I understood that information security is not the thing I actually want. All the time long I was remembering investigations of the incidents in school, and tried to work with incidents and investigations as much as possible. Once upon a time I’ve got an American book about computer crime investigations – «Incident Response: Investigating Computer Crime» by Kevin Mandia and Chris Prosis. I was wondering who is doing the same things in Russia and discovered that such organization doesn’t exist. When I asked the K-department (special police department for stopping computer crime) representative “Can I come to work with you?” he just said “No”. (Now we perform 30-40% of work by the requests from police). So I had to establish my own business. We started with a small lab in MSTU but very soon we could rent our own office. The first investment of $5 000 was repaid in a week when we got our first investigation. After just a half of year we were overwhelmed with a work from police and commercial organizations. It happened despite the fact that in 2003 very small amount of people understood what the business in the field of computer crime and investigations is.
Yuri: What is special about your company?
Ilya: First of all we are the only company of our kind in the CIS. We managed to attract professional specialists in our field one by one. For now we are always invited in every resonance or difficult case linked with cybercrime or malfeasance in informational technologies. So, we are at the sharpest edge of the fight with cybercrime and can see its’ most current and deep aspects.
Our customers call us magicians
Yuri: What is the most unusual thing a customer has ever said about your company or your solutions?
Ilya: Usually our clients don’t believe that it’s possible to find or bring an offender to book. When it happens they say “How did you do it”? They even call us magicians, but, of course, we work without any magic.
Yuri: What is the most challenging investigation you have ever been involved to?
Ilya: For example, in 2012 the hugest gangs in the history of Russian cybercrime were identified and arrested during our investigations. In addition we participated in the first Russian case when the client, organizer and executor of the large DDoS-attack were discovered. There also are some investigations we can’t talk about, even if we want. Speaking about large-scale international investigations, I should admit the case with a spammer Leo Kuvaev.
Our company is the best expert in Russian cybercrime
Yuri: What is about your company or tool which you are proud of?
Ilya: I’m proud of the statistics for the completed investigations – it’s about 90%. The rest 10% we use to produce new utilities, methods and recommendations that will help the customer to prepare for the incident better and be sure of the possibility of the investigation. Our company became the best expert in Russian cybercrime. That’s why Russian media contact us for all the questions linked with the information security. We are very proud of it and will not leave our position of #1 in this field.
Yuri: Your company has recently opened an office in USA. Is it tough for Russian organization to get trust from American customers? Russia and China are considered the faithless countries due to the amount of cyber crime, so it is hard to imagine how cautious Americans trust you.
Ilya: There was no risk in opening an American office. Among our clients there are international and generally American companies, which need our support and help within Russian market. US companies tried to involve American criminalists and investigators, but didn’t achieve any adorable result. There are a lot of specific Russian nuances, which have to be taken into account. Legal peculiarities, technical questions – I’m not speaking about a simple language barrier. That’s why a half of our clients are international companies, which want to get high quality services in Russia. For example, we are the vendor for the CIS investigations for the Microsoft.
While opening US office, we had a minimum plan:
1. Support existing clients from the USA being physically available (office in New York) in the same time zone.
2. Provide 24 hour operation for our incident reaction center CERT-GIB, and eliminate night workers in Moscow.
3. Work with local police for the problems of Russian cybercrime counteraction.
The Internet has no borders and the business is out of the politics
After several first months we repaid all the expenses for the representative office opening. When the minimum plan was completed we started with common commercial activities. Of course it’s difficult to compete with American giants in the corporate sector. But the first year shows that our service as Russian cybercrime specialists is in high demand. Many potential competitors in USA became our partners.
Russian man can be watchful to Americans and vice a versa. But I personally think that all of this is just a prejudice and a lack of education. The businessmen have already understood that the Internet has no borders and the business is out of the politics. We are also beyond these borders.
Yuri: By the way, to the previous question: can you confirm that there are really that much Russians in cybercrime?
Ilya: We divide Russian cybercriminals to Russian citizens and Russian-speaking citizens of former SU countries. But in any case I can say that there are quite a lot of Russian hackers. It can be explained by a good technical education and hard years or 90th, when many people lost their honesty and generosity. But Russia does not stand out against all other countries. There are a lot of hackers in the US, China, countries of South Africa. Yes, there are persons of natural gifts in Russia, they can invent new schemes and are good in code writing – it’s the fact. But as for the number of hackers and incidents, the RF is not a leader definitely.
Russian hackers are famous for new schemes
Yuri: What is Russian specifics in cybercrime?
Ilya: Russians are famous for new schemes. Usually Russians invent new approaches which are used by all the other hackers: botnets, DDoS-attacks, affiliate programs and so on. All of these were invented by Russians. Speaking about now I can say that we have a unique situation. I call it “three-headed dragon”: the feel of impunity, technical ability to theft and economical possibility to legalize stolen money. That’s why organized gangs appear in Russia, and it’s difficult to fight them within the legal field.
In Russian criminal code there is no such concept as “digital evidence”
Yuri: What is Russian specifics for doing computer forensics?
Ilya: The specifics of the legal system force Russian criminalists to know a lot not only in information technologies, but also in legal nuances. It’s quite difficult to work with digital proof, if there’s no such concept in the criminal code.
Yuri: Your MSc thesis dealt with creating mathematical model of a botnet. Can you give more details? Do you use this model in your current work?
Ilya: I’ve composed a methodology of discovering so-called botnet mould by logs of attack, a type of malware, and some other parameters, which you can get from Honeynet. This model was being developed from 2007 to 2009. It allows comparing the moulds of attacks and identifying attacker’s botnet. Let’s assume that there’s a test buy of an attack, which will be aimed to our protected resource. And we get a mould. The next time when the attack will target any usual web-site, our methodology allows us to check is that the same botnet in 90% of cases. When p2p-botnets and decentralized C&C appeared we had to modify the methodology significantly, but in 2009 it helped solving many crimes linked with DDoS-attacks. I know that my methodology is being used in the USA and Germany to investigate similar crimes.
The best protection from DDoS is legal pressure
Yuri: Your company fights against DDos attacks. What methods do you use?
Ilya: We use our traffic routing and analysis system with points of presence in India, China, the USA, Germany, Russian and Argentina For example, we’ve defended from the attack of 24 Gb/s to one of the largest Russian media. But think that the best protection from DDoS is legal pressure. In other case it becomes to the armament race.
Yuri: What are your immediate plans with regards to your company? Your solutions?
Ilya: We plan to work more actively in European, Arabic and Asia markets. Also we’ll launch channel sales of our software for the financial operations protection.
I know computer crime agents, who cannot prepare a list with right questions to an expert
Yuri: What do you think every police/private investigator should know about computer forensics?
Ilya: I think that, first of all, every police representative should know that there’s such area like computer forensics and understand what it can do for the investigation. If everybody knows about it – they will have no more questions. I know criminal investigators for murders, who solved the most difficult cases with the computer forensic. But I also know agents for computer crime, who cannot prepare a list with right questions for an expert. Everybody working with any crime, linked with information technologies, must know about and use the computer forensics. Information technologies pierce through all parts of our life. They contain a lot of marks. We should use them for right things and quickly draw necessary information.
We have no goal to threaten anyone with Russian hackers
Yuri: In your interviews you say Russian cybercrime market is about 2B while worldwide it is 7B, what makes Russian market one of a biggest shares in the world. How did you calculate the figure?
Ilya: We have been doing this job for a whole year. Performing computer investigations, we gather information about cybercriminals’ accounts in different payment systems. Considering the largest players, statistics and mathematical modeling, we get the approximate evaluation of the whole market. It’s important that information is based on the real accounts – just after that we use the math. We get similar info from our partners all over the world. All of it underlay the research and in March of the current year we publish the report for the last year. We should admit that analysts re-check the information and use new sources every year. We understand the responsibility in numbers publication, that they can be used for political fight. But we have no goal to threaten anyone with Russian hackers. First of all we want to explain that there are world scale problems, but not just competition “who is the first and who is the second.”
Development of computer forensics in Russia has just been started
Yuri: In your opinion, what is the current state of computer forensic science in Russia? Of legal computer forensic practices?
Ilya: The average evaluation is 5 points from 10 in all the country. There are special situations with our and some governmental labs, which can compete with the most advanced Western facilities. But they are just an exclusion from the rules. In the country-wide scale the development of computer forensics has just been started. The legislation needs many serious improvements. For example, we need to add a concept of “digital proof”, define the sequence of gathering for digital proofs, etc. There’s also a need to toughen the criminal code in terms of computer crime. Now malefactors don’t feel any serious responsibility.
Yuri: How can you explain the fact that it is so big?
Ilya: I cannot say that computer forensics is developed well in our country. In many regions it’s just in the first stage. But I can admit positive moments. The government clearly understands the meaning of this area and started investing to the labs and experts’ education.
Yuri: I actually was speaking about the cybercrime market size… Anyway. What are Russian law system and practice specifics?
Ilya: It’s difficult to speak about any specifics because our system doesn’t differ much from the worldwide one. There was no special school formed in Russia in the area of computer forensic. Our experts always carefully learn world’s trends, trying to adopt the best practices and improve them. In some cases we definitely lag behind our Western colleagues, but we manage to decrease this lag little by little.
Yuri: I’ve heard that in one case a police investigator went online on a suspect’s computer two weeks after arresting that suspect and still, evidence found on this computer was acknowledged by a court. In US this situation will lead to total invalidation of all evidence from such computer.
Ilya: Frankly speaking I hear of this for the first time. It seems to be the sole precedent and the demonstration of the weak understanding of the computer crime specifics. In other cases this kind of actions would lead to rejection of proofs.
Customers often don’t believe that computer criminal can be caught
Yuri: Are there any obstacles to selling services like yours?
Ilya: The main obstacle is that people often don’t believe that computer malefactors could be caught. Quite often they even don’t go to police, where they can get free help. What can we say about commercial service? Nevertheless, the situation is changing little by little. The media started to pay attention to the computer crime. The materials about the basics of the cyber security started to appear with the stories about identifying and arresting of the next malefactor group by the police. It allows changing social opinion and destroying the myth about unstoppable hackers. When people will finally understand that the offender can be successfully identified and brought to responsibility, the computer forensic in Russia will advance with strides.
The problem with clouds is the absence of synchronization for the international legislation
Yuri: Cloud computing is becoming very popular now. The more data is in a cloud, the less data is on a suspect’s computer, right? Do you think that digital investigation itself is going to be much more difficult due to the cloud idea implementation? How does this reflect on your company?
Ilya: Behind any cloud there are severs and computers. That’s why computer forensics must be ready only for growing amount of data. The only thing that prevents is the absence of synchronization for the international legislation. Law-enforcement agencies cannot get “legal access” to any cloud. As for our company, we have not experienced any difficulties with clouds. Honestly, the job became even easier.
More crimes are being solved with the help of social networks
Yuri: The same question about social networks, which displace usual evidence such as mailboxes, chats, etc.: does this make investigations more difficult?
Ilya: It’s not a secret that the amount of solved crimes has grown because of social networks. It’s the same for us. Social networks bring huge possibilities for the analysis and search. As for computer forensic, I’ve noticed no problems with Russian networks.
Yuri: What do you like most about computer forensics? Less?
Ilya: Computer malefactors always leave marks. I love computer forensic for the possibility of finding cause and effect within different incident stages. I don’t like that computer is bad for my eyes.
Yuri: What forensic resources do you regularly read? What would you recommend to others?
Ilya: I benefit from my position in the company, so getting interesting articles, printed by analysts after prior selection. If there was no such service, I’d use http://www.forensicfocus.com and http://computer-forensics.sans.org.
Russian government clearly understands the meaning of this area and started investing to the labs and experts’ education
Yuri: What do you see as major trends in cybercrime? Globally and in particular, in Russia?
Ilya: Superprofit. Interest of traditional criminals for the computer crime. Misunderstanding the sharpness of the problem by the major part of the society. This is truth for Russia and the entire world.
Yuri: Please give us some projections of what we will see in computer forensics in 5 year perspective.
Ilya: Considering the rate of the Internet speed growth and amounts of processed information I want forensic complexes to raise their speed and to be ready for huge data arrays in so-called clouds.
Yuri: How many kids do you have?
Ilya: There are no kids yet, but I want to have a son in the nearest time.
Yuri: How do you spend your free time?
Ilya: Sport, reading, tea, coffee and cinema.
Yuri: How many hours of sleep do you usually have?
Ilya: Usually 6-7 hours.
Yuri: What is your favorite vacation spot?
Ilya: I’m not sure yet. I try to explore new places every year.
I hold first-class in swimming
Yuri: Do you do any sports? Which one? What is your preference in watching professional sports?
Ilya: I hold first-class in swimming. Also I go in for fitness and some martial arts.
Yuri: When did you have your last vacation? A real vacation, without any Internet and calls from your colleagues or customers?
Ilya: The Samui Island – Thailand Kingdom.
Yuri: Great, this is also one of my favorites. Do you have a dream?
Ilya: Yes, but Russian proverb says, that I should not speak about my dream or it will not come true. That’s why I won’t tell about my big dream. Apart of it I want to play the guitar and go for horse walk to the places of Civil War battles.
Yuri: Guitar is something I can help with! (smiling) Thank you for your interview, Ilya!