Interview with Tamás Lengyel

Tell us a bit about yourself

Hey everyone! I work at Intel as a Senior Security Researcher in the Software and Advanced Technologies Group. My team has a very wide scope in terms of software security at Intel: we have a company-wide pen-test team, we run the secure architecture review board, as well as a lot of open-source security initiatives. I personally spend most of my time performing hands-on security evaluation of various Intel software products, doing threat modeling and review, while also working on new tools to push the boundary of what can be tested effectively. Currently that is primarily around operating system fuzzing using hypervisors, which I talked about recently at DEFCON and OffensiveCon.

You have been working in the security research area for more than 8 years. What is it you most enjoy about the field?

The nice thing about the security field is its tempo. There is always something happening and there is always something new. One week we are pen-testing a hypervisor tool-stack written in Rust, the next we are looking at the firmware of a next-gen system. As a person who enjoys puzzles, it’s a fun field to be in day-after-day. But perhaps the real answer is the community and being able to collaborate with like-minded people across the globe. I’m an avid open-source developer, and there is just something greatly energizing about seeing other people pick up your projects and run with it to do awesome things you never even considered.

What are the biggest challenges you face in security research?

The learning curve on some of the security topics is really steep, so jumping from one topic to another is a serious mental workout. Finding the right rhythm that’s sustainable long-term is the biggest challenge. I always have to remind myself that it’s a marathon, not a sprint.

What do you think are the best tools for helping to ensure application security?

On a personal level I see running up-to-date software, adblocking and a good password manager as the baseline you can’t go wrong with. Although I use Linux for most of my day-to-day work, I actually switched to running them in VMs on top of Windows 11 whenever possible. I personally have observed the security foundations of Windows improving past that of Linux over the last decade. Using VPN when on an untrusted network is also a good idea, I’m a fan of Cloudflare’s WARP for example.

As for application security from the developer point-of-view, I think the most important thing that should be in the toolbox of every developer is continuous integration (CI). Having even a simple CI can go a long way to help ensure your code doesn’t suffer from regressions. With tools like Github Actions, it’s there for free! If you also throw in something like CodeQL, which will warn you of unsafe coding practices, you can improve your baseline tremendously with minimum effort. Going from there, adding additional static analysis tools, having an up-to-date threat model, and fuzzing are the most effective methods in my book.

In the DRAKVUF project you were dealing with malware analysis. How have malware threats evolved over time, and what are the best ways to prepare against them nowadays?

When I started the DRAKVUF project the threat landscape was significantly different than it is today. In 2012 when the first PoC was put together, a third of all machines in the world were still running Windows XP. If you put a bare-bones XP VM on the Internet without a firewall, it would get infected by Conficker within minutes without any user interaction! You would download your software for random websites over http and the application required no signatures to install a kernel-mode rootkit on your machine. The DRAKVUF project naturally fit into this niche of capturing and analyzing malware samples by adding an additional hypervisor-layer protection under the OS, so that even if rootkits were involved we would not lose control and visibility into what the malware is doing.

In contrast that with the threat landscape today, hypervisor-based protection is baked into the foundations of Windows 10 and 11. Loading kernel mode code requires valid signatures. You most likely get most of your software from a pre-vetted appstore. This pushed malware to try to exploit harder and harder interfaces to achieve persistence by attacking the firmware. But sophisticated malware also became harder to capture and analyze as more anti-sandbox techniques became commonplace. These days, the most common infection vector is not from random websites or over the Internet directly but from phishing and watering hole attacks.

The best way to help protect against those is again: up-to-date software (especially your OS and browser), adblocking, and using password managers. On an enterprise level, I would also add honeypots to the list, like the Thinkst Canary, so that even if malware breaks through the perimeter defenses there are early-warning signals on the network to alert you of the compromise before it escalates further.

What do you think is the best way to raise security awareness in development teams?

In my experience, having the development team sit down and draw up a threat model for their application is when they become most security aware. It is normal for the architecture and blueprint of an application to evolve as requirements change and there is a crunch to get it done by a deadline. Some of the initial security assumptions may no longer apply, but they only get discovered when the final threat model is drawn up. That’s why at Intel we require all software teams to present their threat model to our review board before they are approved for release. It’s always easier to push a deadline back than having to issue a security advisory after release. We try to make that review as painless as possible by providing a ton of sample material and 1-on-1s to the teams to prepare them for the review. It’s a lot of work, but usually the teams come out with a better documentation and security awareness which they are thankful for.

You work in an organizational structure that includes many squads/teams and thousands of individual projects. How do you ensure all these teams have good security awareness?

The future is zero-trust, and I can’t wait. We are a long way from that being the reality for most enterprise networks but it’s coming, and it will totally change how company-wide security programs look. There are a lot of different interpretations on what “zero-trust” means, but the way I like to think about is that it boils down to:

1) A machine has to say what it does.
2) It has to do what is says.
3) Prove it.

What this means in practice is that you only gain access to resources on your enterprise network if your machine can cryptographically prove to the remote cloud that it’s in an uncompromised state, running only verifiably good applications in the proper configuration. That way your machine may get compromised, but your data is still secure. It eliminates outdated models like having a “trusted network behind the firewall” or relying on password-based security alone.

And finally, do you have any advice for fellow security professionals on how to improve their craft?

Participating in open-source projects is a really great way to improve your skills. It’s also a good way to stay positive and to network with other security professionals. These days having a public Github profile with a track-record of quality work speaks volumes more than a cover page or simply listing references!