These days, it seems like you can’t turn on the TV or open a news site without reading some terrifying headline related to cybersecurity. And the numbers keep escalating. Yahoo’s breaches impacted 1 billion user accounts. Chipotle’s security incident affected more than 2,500 stores in 48 states. We know what cybercriminals are doing; they’re stealing credentials and laughing all the way to the bitcoin bank. So what are we, the good guys, doing to get ahead of criminals?
That’s where today’s interviewee, Eric Klonowski, comes into play. Eric is a senior advanced threat research analyst, meaning he reverse-engineers malware, at Webroot. He has to think like a hacker to figure out how the bad guys manipulate benign software by literally taking apart, or “unpacking” malware.
Webroot: Let’s start with the basics, Eric. Tell me a bit about yourself?
Eric Klonowski: Growing up, I was a nerd. I liked to take things apart and figure out how they work. At six or seven, I would take apart landline phones just to see what was inside.
This was my start as a reverse engineer. Even now, I like to disassemble random software to see what makes it tick.
On any given day, 90 percent of what I think about is related to security, malware, computer science, and engineering. It’s my passion. Perhaps I need to get outside more, but generally, security is what I think about.
I’m not surprised by your “focus” on the industry. I think your field requires that level of passion and commitment. Besides, nerds are cool nowadays, thanks to the Mark Zuckerbergs of the world. How did you make the leap from deconstructing phones to reverse engineering?
Probably not a shocker to anyone who has read this far, but I was a mischievous child. I remember going on a family trip when as a kid, and I spent the entire time on my laptop following Russian tutorials on how to crack software. I loved that complex software protections could be reduced to a simple byte.
I kept teaching myself from there, and that naturally evolved to looking at more in-depth, sophisticated software. Malware is particularly interesting to me because it is level 10 difficult as far as puzzles go. A malware author’s entire goal is to fool reverse engineers like me.
The problems I face are not traditional computer science problems that are covered in textbooks. They tend to be non-traditional, and without getting too far into the weeds, they are unique problems you won’t find at other organizations.
So how did you hear about Webroot?
I was perusing an online job search site and got an ad. Being a malware-oriented techie, I was aware of Webroot.
At the time, I was working as a government contractor, and I was interested in getting into the commercial world—something that doesn’t require clearance.
I don’t know, that sounds pretty cool!
It was an awesome opportunity. I started as an intern, which is key for getting your foot in the door anywhere, and it soon turned into a full-time job. But I wanted to be able to discuss my work and be more involved in the threat community.
That makes sense. What does a day in the life look like for you?
The majority of the time, I’m really excited to come into work. I know there are interesting problems waiting for me to dissect. The problems I face are not traditional computer science problems that are covered in textbooks. They tend to be non-traditional, and without getting too far into the weeds, they are unique problems you won’t find at other organizations. They aren’t algorithm or mathematically driven, but related to questions like, “how can I manipulate the nature of the software already running on the system?”
I also interface with almost every engineering team and multiple departments. It gets me out of my shell.
What lessons have you learned from working for a few years?
Absolutely everyone has something to offer. In school, we tend to segregate into specific engineering groups and form bias. Even working with people like you (public relations career shout out!), there tends to be a distancing at first because you don’t understand each other’s roles.
But we all have something to offer, and we are all good at what we do. I have something to learn from everyone at this organization.
That’s a great life lesson, Eric. Switching the focus to students, any advice for hopefuls in your field?
This is the kind of job where you need to be passionate about figuring out how things work. You may want to do something good for the world, and this is one way to do that. But if you’re the kind of person who walks by the puzzle store at the mall and thinks, “those look cool, I wonder how they work,” this is the kind of job you would find interesting.
Full disclosure: this is not just a 9-to-5 job. I find myself thinking about these problems all the time.
What about professionals looking to get into reverse engineering? There have been a lot of conversations around re-training traditional IT staff to fill the many cyber roles available.
I think people who have a solid network or security background could make the transition, if they are passionate enough about the field to teach themselves. This isn’t something you will pick up by shadowing a co-worker for a few days or reading a single book. You need to roll up your sleeves and dig into online forums, webinars, courses, and you need the drive to keep learning.
That’s the truth! It reminds me of my favorite quote from Mahatma Gandhi, “Live as if you were to die tomorrow. Learn as if you were to live forever.” Thanks for taking the time to chat, Eric.
If you’re interested in a job at Webroot, check out our careers page, www.webroot.com/careers.