Live From the Black Box: What is Like to Work in INTERPOL Digital Crime Centre

You tell them: Hey guys, you have snakes in your backyard. And they tell you: No, no, that’s impossible. They stick to their belief until the moment when a stick under their own leg turns into a venomous monster.

Vitaly Kamluk was born 31 years ago in Belarus. About a third of his life, more than 10 years, he has been employed as a security researcher at Kaspersky Lab. And for the last 7 months, he’s been working in Singapore, home to the recently opened INTERPOL Global Complex for Innovation. In this huge futuristic building on Napier Road, Kamluk is helping policemen from all over the world investigate and prevent cybercrime on a daily basis.

Although his current geographical location is far from Kaspersky Lab’s Moscow HQ, Vitaly is still an employee and simultaneously working in INTERPOL.

This is a special status for employees like him – experts from the private sector or academia/research organizations, who agreed to work inside INTERPOL team.

“Two other groups of employees include local staff working on a contract basis and worked together with police officers from all over the world. Such separation of employees’ types is crucial to the main idea behind IGCI: bring different parties together and let them interact every day, cracking hard cases together with the fastest face-to-face communication”, – Kamluk explains to Kaspersky Business.

For this, security experts from IT should work hand-in-hand with law enforcement representatives, so both parties can exchange information and expertise without passing through many formal obstacles.

One day in the Black Box

Singapore is not a driver’s city. One would have to have serious reasons for buying or renting a car, because these two options are extremely expensive in tiny Singapore. This is how state authorities fight traffic problems in the city.  In exchange, Singapore citizens have a system of comfortable and fast public transportation.

Although fighting cybercrime is a very important, and some times urgent task, Vitaly prefers to be on his feet.

“I don’t really need a car here. I spend 30 minutes to getting to the office by a comfortable air-conditioned bus. What I love in those buses is that anyone can credit the driver by sending his name in an SMS to a special number. This motivates the drivers to be polite and nice to their passengers. It really works here!” Vitaly says.

Every day at 9.30am, he passes the security check at the doors of IGCI, including metal detectors – a necessary procedure for all the employees arriving from the private sector – and proceeds to his workstation. Unlike most other jobs, Vitaly’s work in INTERPOL requires not one, but three separate stations.

“One desk is like any other office desk with a PC connected to the Internet, email, etc. This is mostly for official correspondence and access to intranet, and the usual every day tasks. Another – in the Digital Forensic Lab – is for the malware analysis and digital forensics related to ongoing investigations. There is also a third place where I work sometimes – The Darknet Research Lab. This is a purely R&D area where we – in cooperation with INTERPOL researchers and researchers from other companies – are working on different… let ‘s say, experimental projects that should help in preventing and investigating cybercrime in the future. This may be related to Darkweb, crypto-currencies, P2P-networks, etc. So, in other words, it is not like I’m dying of boredom here,” he says.

A workday for a typical office employee starts with email checking, while Vitaly starts his day with education. On a daily basis he holds trainings for other INTERPOL employees involved in cybercrime investigation either in IGCI or back home in the local police departments they came from.

Vitaly explains,”These are purely technical trainings on malware analysis, networks analysis, OS architecture, etc. What is disassembler? How debugger works? How to analyze network data? How protocols, encryption works – on these trainings I try to cover this kind of topic. These are voluntary trainings, but I have several attendees every day, which means that police have clear need of such knowledge.”

After the trainings, reverse engineering time starts. Being an attached employee means – among other things – that he should do his usual job: malware analysis and cybercrime investigation, which he does in Singapore for both Kaspersky Lab’s and INTERPOL’s needs.

“IGCI is only starting its operation and a lot of things are still need to be set up in order to make it work on a full scale. Perhaps that’s why I currently don’t have many tasks coming from the INTERPOL side. Mostly, I do analysis for Kaspersky Lab however, the results are often used by INTERPOL. Like it was with SIMDA botnet takedown recently,” he says.

While the beginning of Vitaly’s workday is all about conversations with other people, malware analysis time is when he becomes “a grim sociophob”. Just like those movie-hackers sitting in front of PCs in dark rooms in total isolation. There is actually a simple reason for such behavior.

“When I look at the code I try to not check email, and if it is possible, I try to create conditions in which one would have to get through obstacles in order to distract me. That’s because the reverse engineering process is like building a giant house of cards. This house exists only in your mind. When you are distracted, the entire castle falls down, and you have to start from the beginning. That is why some of our kind are so angry when they’re suddenly distracted by someone,” Vitaly explains.

Once the malware analysis is over the office work starts. It’s about 4pm and the Moscow office wakes up to load up Vitaly with company operations tasks.

“After 4pm is also conversation time. Europe starts to wake up, then the U.S. A lot of conference calls are happening during this period of the day. In fact, my work here is a lot about negotiations and coordination. When we were preparing for the SIMDA botnet take down, we held many conference calls with stakeholders from all over the world,” Vitaly recalls.

In parallel, Vitaly is working as a system administrator. Being the only attached employee means that you do the entire job in the frame of partnership between Kaspersky Lab and INTERPOL. Among other things, Kaspersky Lab agreed to set up several workstations dedicated to malware analysis and facilitate remote setup of servers and network equipment that would help Kaspersky Lab to share threat intelligence with IGCI as fast as possible.

“It is really important to set up everything properly and efficiently,” Vitaly says, “Although, it’s not my main responsibility, I’m not complaining. I do my best to help whenever I have a spare moment from other critical activities and I am really curious how things here in IGCI will change once we launch it on a full scale.”

However, the main new experience he got working in IGCI is the experience of “the one from the other side”.

“Previously, during multiple investigations conducted by GReAT team, I personally had an experience of working with law enforcement agencies. We collect some information and pass it to law enforcement,” he explains. “After that – there is silence. For weeks or months, or forever. It is like working with a black box: you put information in it and all you can do – is wait for some output. You have no idea on what is happening with this information in there. You can’t help if some gears stopped spinning. Now, I am inside of the black box. I can understand why things get stuck and even help the gears start moving again. This is a unique experience and a great opportunity.”

Living In the City of Future

Singapore is often called a city/country of the future. And that’s not an exaggeration. Built out of nothing, in just a few decades, it is now one of the richest, comfortable, and high-tech places in the world. Futuristic venues of cities built out of concrete, steel, glass, plastic and miles of wires and LED light stripes which we’ve seen multiple times in sci-fi and cyberpunk movies, comic books, and video games, are actually a reality in Singapore when the sun hits the horizon in the evening.

However, Singapore does not fit in the cyberpunk ideology completely. High-tech/low-life concept – a traditional indicator of a standard “cyberpunkish” piece of pop-culture does not work in Singapore because here high-tech is one of the main reasons for its high quality of life. This is due to a combination of wise political and economic decisions, plus active usage of the most recent technological achievements.

Vitaly arrived in this futuristic venue having an experience of living in another futuristic Asian country. Several years ago, for a whole year, he worked as a security expert in Kaspersky Lab’s Japan office. And he sees differences.

“Although I love Japan, I was feeling like some kind of Lost in Translation guy. Alone in a foreign country with a very complicated foreign language and a very distant culture. I don’t feel the same in Singapore. Even though technically it is an Asian country, it is way more western than many others. Their official language is English and there are a lot of foreigners who live and work here,” he explains.

Like most of other citizens of Singapore he and his wife, an artist, rent an apartment in a condominium not far from the city’s center. They spend their weekends walking around beautiful city venues, attending multiple touring performances or sometimes just playing volleyball at the beach, which is just 15 minutes away.

“It is really comfortable place for work and living: warm climate, a lot of interesting people and activities. It is very safe place. When I first was offered to go here, I wasn’t excited at all. I thought, here we go again: alone in an unfamiliar place somewhere in Asia. But now I see that there were no grounds for those concerns. Well, almost…” Vitaly relates.

One day in early April, Vitaly was speaking with a representative of the Garden by the Bay – one of the most famous tourist destinations in Singapore. The representative was trying to convince Vitaly that “it’s absolutely impossible, we have never seen them here. It’s not the place where you can find them.”

You see, moments before Vitaly was strolling with his wife on one of park’s walking roads, when he stepped on what he thought was a wooden stick… but then it moved and slithered into the bushes. It was a Boiga snake. Vitaly checked his legs, and attending to his inner senses, detected his heart rate had increased due to a sudden rush of adrenaline.

“I am a cybersecurity expert and not an Asian snake expert, so that moment wasn’t very funny for us. There was no chance to take a photo of the snake and we felt a bit hopeless. However, the most interesting part started after I checked and confirmed no signs of puncture. I can tell you, your mind is playing games with you all the time and that was a moment when it was so sharply visible. While common sense told me there was nothing to worry about, my mind artificially created light symptoms that were appropriate for a venomous snake bite. I had a strange feeling in my leg and the moment I thought about other symptoms such as vertigo, I started feeling dizzy and wanted to find a bench to sit down,” Vitaly remembers.

“After all, I have learnt my lesson: feelings of safety make you relaxed, but if you want to survive in this world, you must always stay focused.”

“You tell them: Hey guys, you have snakes in your backyard. And they tell you: No, no, that’s impossible. They stick to their belief until the moment when a stick under their own leg turns into a venomous monster. For a security researcher it isn’t hard to draw the parallels with the IT industry here,” Vitaly concludes.