In the cybersecurity industry, few skills are as critical as those that cybersecurity researchers possess. They are extremely knowledgeable computer experts who spend their time looking for vulnerabilities in systems and investigating malware. They also analyse malware to understand its capabilities and possible targets, thoroughly documenting any incidents of compromise. Security researchers also try to figure out which actors are behind which campaigns, as their research has shown them time and time again that bad actors often recycle effective attack methods, and these methods have telltale signatures even as a cyber criminal’s targeting and tools evolve.
They are also the men and women charged with staying current with any advancements in the realm of computer software and network security threats. These threats encompass various categories of malicious software, such as computer viruses, ransomware, advanced persistent threats, as well as direct assaults on network infrastructure. And beyond finding established malware variants, assessing their functionalities, they often end up predicting what new and innovative strains of malware might emerge, in order to come up with suitable security countermeasures. Sometimes they also engage in reverse engineering of malware or carry out assessments on security systems.
No one has a better understanding of the best steps for mitigation of today’s threats, and as such, the cybersecurity industry could function without these specialists. This month, we spoke to several cybersecurity researchers, to get their take on the job, its challenges, and rewards.
Hunting malware in the wild
Costin Raiu, a cybersecurity researcher with more than 20 years of experience in the antivirus industry, says somehow he always knew his path would lead him to this role. “When I got my first computer, a ZX80 clone with 64KB of RAM, the most disappointing thing about it was the realisation that it couldn’t get viruses. While this may sound funny to some, in the early 90s, all interesting stuff was coming either in the form of tapes or from computer magazines.”
To prepare for the arrival of PCs and with them, viruses, Costin began learning assembler and C. “When I got my first Intel x86 PC, in 1992, the first thing I did was to check if it was infected by any viruses. Sadly, it was not. It took some time before I encountered the first virus, which I promptly disassembled and documented. Time passed and my collection grew, so did the complexity of the viruses I was finding, as well as the tricks required to detect them.”
Even now, in 2023, more than years later, Costin says he still has the same feeling of excitement when he discovers a new malware in the wild. He describes being a researcher as a unique combination of technical skills, analytical skills, visual pattern recognition, memory and a good dollop of instinct-powered hunting. However, compared to real-world hunting, the weapons or the tools are just a bit different, and cybersecurity researchers use Yara, IDA, Hiew, Ghidra or PEExplorer, instead of the more traditional bow and arrows.
“Looking back, I feel fortunate for having been able to become a cyber hunter and there is nothing I'd have done differently,” Costin ends.
Being comfortable with uncertainty
For another experienced cybersecurity researcher, Santiago Pontiroli, Security Engineer, Amazon Web Services, one outstanding characteristic of doing this job is being comfortable with uncertainty, adapting and facing new challenges, and approaching each new research with a "beginner's mind" attitude, and without being attached to any preconceived notions or opinions.
“We all deal with an immense list of cognitive biases. As I was getting more involved with the cyclical discipline of threat intelligence, I learned that sometimes there are technical challenges to overcome, and other times I needed to rely on proven processes and frameworks such as the Cyber Kill Chain, MITRE ATT&CK, and the Diamond Model to maintain objectivity and distance from the analysis.”
Pontiroli says being a cybersecurity researcher is a way of thinking, having that child-like curiosity about how things work, and annoying himself and everyone else with a never-ending stream of questions until he can finally make sense of the proverbial needle in the haystack.
Enjoying the rabbit hole
Curiosity is clearly a common thread among the profession, as Maria Markstedter, CEO and founder of Azeria Labs, says for her, what it means to be a cybersecurity researcher is being curious, enjoying the rabbit hole when an interesting challenge comes along, wanting to learn new things, and not being afraid of the unknown.
“The best researchers in this field love learning and exploring the unknown,” she says. “This applies to all subfields in cybersecurity, whether it's hunting down threat actors as a threat analyst, reverse engineering software to find vulnerabilities or dissecting malware, or developing guardrails and defences for new attacks. Some people are afraid of the unknown and would much rather follow a rulebook.”
According to Maria Markstedter, in cybersecurity, most are self-taught and have learned through exploring something they didn't understand but wanted to figure out or break; something they rabbit-holed into until we found what they were looking for.
A constant dance between curiosity and caution
“As a kid, I loved watching Jessica Fletcher solve crimes in picturesque locales in the show "Murder, She Wrote”, adds Martin Vigo, the security researcher, founder of Triskel Security. “My grandma and I would try to outsmart each other in predicting the outcomes of each episode. I remember admiring Jessica’s unwavering determination, sharp wit and deductive prowess.”
Martin says in much the same way, cybersecurity research can be a mystery, or a puzzle that needs to be solved. “It’s a constant dance between curiosity and caution, a path that demands persistence, a keen eye for detail and a deep passion for unraveling mysteries.”
Cybersecurity research began as a hobby for him. He signed up for bug bounty programs and found that there was nothing quite like the rush of uncovering a critical vulnerability. Over and above bug bounties, this has lead him to a great deal of opportunities, conferences and general exposure within the community. It has also enabled him to realise one of his dreams, speaking about a few of his research projects at famous cybersecurity events Black Hat and DEF CON.
The process can be fairly intense, with a string of highs and lows along the way. “When you're in the middle of a complex investigation or trying to hack a system, protocol or piece of hardware, it can feel daunting. In these moments, I sometimes find it helpful to collaborate with fellow researchers to share insights. The community is great and I found help many times when I felt stuck trying to solve a specific problem,” he explains.
He says there is also something exhilarating about those moments when a researcher finally solve a puzzle that has been haunting you for days. That being said, he says there can be many frustrations, such as when the company or vendor pushes back and threatens with a cease and desist letter, or they may also ask the researcher not to publish their findings even when responsible disclosure has been made.
“Being a security researcher is both a demanding and incredibly rewarding journey,” says Martin. “It’s a field that demands dedication, resilience and a deep commitment. While it's not always an easy path, the knowledge that our work contributes to a safer digital world keeps everyone in this field motivated.”
Empowering stakeholders to mitigate risk
Threat intelligence consultant Holly Andersen, says whether an individual, works within blue, red or purple teaming, they are a cybersecurity researcher. Within red teaming, penetration testing means finding vulnerabilities within systems, while those working within social engineering, need to conduct reconnaissance into their targets. In blue teaming, forensics involves researching system data and other digital evidence, while malware analysis examines malicious software. Purple teaming also needs research, for example, to create realistic crisis simulations.
“Threats are constantly evolving, which necessitates a high level of research being conducted in order to stay abreast within the industry; this applies regardless of your position,” she adds.
Cybersecurity research is at the heart of working in cyber threat intelligence, Holly says. “We are conducting the research which ultimately empowers stakeholders to mitigate risk and stay ahead of threats. At an operational level, research is needed to collect and correlate large sums of raw data from multiple sources, which can be used in real time to detect threats. At a more tactical level, research is needed to better understand the latest APT group operations, and the tactics, techniques and procedures (TTPs) they use. In turn, the results from this research can be used within models such as the Cyber Kill Chain or the Diamond Model.”
Having a real impact on a young industry
“Being a security researcher involves so many aspects that it is difficult to explain,” adds Vicente Diaz, Threat Intelligence Strategist, VirusTotal team at Google. “I think we all got into this field because of our passion to learn and, to some extent, the romantic idea of being a hacker. The old days when just a bunch of technical people would sit in a room trying to understand how something worked in order to share their knowledge are gone.”
He says security is now an industry worth over $200 billion, and is growing every day, with thousands of complex technologies and myriad companies and solutions. As individuals, security researchers can only hope to grasp enough to keep up with the pace of research in their area, which Vicente says can be frustrating and exhausting.
“But I want to end on a positive note. These are unique times when our work can have a real impact on a still young industry - when will we ever have such a unique opportunity again?”
Fighting to be heard
On a more sombre note, Kymberlee Price, founder of Zatik Security, who describes herself as a transformative product security executive, says that being a woman in security is difficult, because there is still pervasive systemic sexism in the tech industry.
“We're viewed as a special interest group versus just belonging. We still have to fight for our voices to be heard, and rely on male allies to stand up for us when we are being marginalised. We have created our own private women's community groups not just to help mentor and support one another, but also to have a safe place to share horror stories and warn each other about toxic companies or colleagues.”
She says it is not because women in the industry haven't demonstrated their capabilities time and time again, quite the opposite. “Women are excellent security professionals. After all, we have informally threat modelled every day of our adult lives without thinking about it, because we live in a world where we have to assess risk in nearly every interaction. For example, we can anticipate and quickly identify how a messaging system will be abused to harass users because we routinely get harassed.”
“This has been really hard to write because I'm angry about it. Angry that women are assumed to be less technical than men. Angry that we are talked over in meetings. Angry that we are criticised for doing exactly what our male colleagues are promoted for. And yet I love my job. I build amazing diverse security teams that are both high performing and inclusive. I'm doing all I can to change the cultural norm for as many people as possible.”
Leading teams that secure software is her job, but evolving the industry is her mission.
In ending, it’s fair to say that in today’s rapidly-evolving landscape of cybersecurity, these heroes are always working hard behind the scenes to protect our data and private. The weapons they use are skill, ethics, and a deep understanding of the adversaries we are fighting today. These are the unsung heroes who add dramatically to the safety of the digital world in which we live, and their relentless pursuit of exploits and vulnerabilities plays a critical role in safeguarding businesses in every sector from cyber attacks.