[HN Gopher] Ask HN: How can I get into cyber security research?
___________________________________________________________________
Ask HN: How can I get into cyber security research?
Quick background: I am a tech lead in a SRE team. I am not sure
this is what I want for the rest of my life. I love the sec field.
In the last few years I've played lots of CTFs, pwned several boxes
on Hack the Box, studied and reproduced CVEs, etc. I have the
technical knowledge. I don't think that I want to do pentests or
bug bounty. I'm more into research. I like to be the one ahead
discovering new stuff. But, how do I get there? Who hires someone
like that? What do you need to get the role? How is this job for
real? So many questions.
Author : wdym
Score : 27 points
Date : 2023-01-29 21:24 UTC (1 hours ago)
| nibbleshifter wrote:
| Start doing research, find some 0day, publish work.
| sorry_outta_gas wrote:
| find some bugs
| octagons wrote:
| I work for the Adversary Simulation arm at IBM X-Force Red. Prior
| to that, I worked at Mandiant and left as a technical manager for
| the proactive (offensive security) consulting branch.
|
| I'd be happy to chat with you and answer any questions. I have
| interviewed and hired candidates for these positions many times,
| and have also been the one in the interview chair. My Twitter
| handle is in my profile.
|
| In case you're wondering, Adversary Simulation is a mix of
| research, implementation, and application of techniques to test
| security gaps in an organization. Typically, we use social
| engineering to gain access and must avoid detection by a variety
| of security measures. The goal is usually to gain access to
| something specified by the organization without being detected,
| as the testing is not announced to the security team in advance.
| HedgeMage wrote:
| As others have noted, that's a pretty broad question. Are you
| interested in the theoretical or the practical? Do you prefer a
| scrappy, creative investigation or one within the walls of a big,
| well-resourced, legitimizing, and bureaucratic organization? How
| will you serve the needs of others (aka the only way to make
| money in this world)? What's your current background,
| professionally and educationally?
|
| Feel free to DM me if you want... I work in cybersecurity at a
| major university. My role is primarily operational, but I also
| manage and conduct research. Before that, I was a more
| independent sort of security geek.
| woodruffw wrote:
| "Cybersecurity research" is a very large domain, so it's hard to
| offer a wholly encompassing answer here! The company I work
| for[1] does a great deal of program analysis research, primarily
| in and around the LLVM ecosystem. Other companies/groups in our
| domain(s) include Galois, Inria, and GrammaTech.
|
| In terms of working in our domain: we frequently find it
| difficult to hire for pre-existing compilers or program analysis
| skills (it's a small community!), so we generally long for strong
| engineers with security/low-level fundamentals who don't mind
| making a pivot.
|
| As for how the job is: I personally find it very fulfilling, but
| it definitely contains a degree of uncertainty (particularly when
| doing government-funded research) that ordinary SWEs/SREs may not
| be used to. I've noticed that it takes new hires a decent amount
| of time to acclimate and become comfortable with the idea of
| _research engineering_, meaning engineering where we expect less
| than 100% of all exploratory avenues to have productive outcomes.
| This can be a large culture shock compared to typical
| engineering, where tasking is defined primarily by business
| requirements that don't contain a large degree of uncertainty or
| ambiguity in terms of implementation approach.
|
| [1]: https://www.trailofbits.com/
| robcohen wrote:
| Could you give us a few examples of security research jobs?
|
| It seems pretty obvious that you'd need to go into a PhD program
| in cybersecurity to work on groundbreaking research. Perhaps you
| mean industry or implementation specific research?
| nibbleshifter wrote:
| Most of the actually groundbreaking and useful research in
| security happens out of necessity in the industry as opposed to
| in academia, where they seem to rediscover things that are
| widely known in the hacker community a few years later.
| HedgeMage wrote:
| It's really not pretty obvious...says the non-degreed
| cybersecurity researcher at a major university in the US.
|
| The majority of academia is further behind in cybersecurity
| than they think they are. Some bright spots are further ahead than
| they get credit for. A huge amount of impactful research is
| being done in the private sector or by hobbyists. Whatever the
| source or the organizational affiliation of the researcher, the
| best ones have a solid connection to what's really going on out
| there in the field, rather than living in a safe little
| researcher bubble disconnected from the real world.
| kokonoko wrote:
| Assuming vulnerability research, you need to be able to recognize
| bug patterns (buffer overflows, use-after-frees and such), be
| familiar with fuzzing, code audits, debugging. Of course
| understanding the code usually in C/C++ and assembly.
|
| Assuming you have the technical skills there are companies that
| hire for such positions ranging at varying degrees in the
| "ethical" scale. See Google Project Zero and Zerodium for
| instance.
|
| You don't need a PhD, CISSP, a cybersecurity bootcamp, a relevant
| degree or pretty much anything. You need to understand how the
| computer actually works. Most of the stuff needed is left out of
| a typical computer science curriculum. And (most) of the people
| hiring actually know that.
|
| In order to do it you must simply spend so many hours to learn
| that stuff and then not be disheartened by the work that needs to
| be done. Example: No one has compiled a binary with ASAN. Do it
| (by spending an exorbitant amount of time to fix all the linking
| errors during compilation). Run the binary with literally any
| input. Boom, you got a bug.
|
| Getting the role is pretty much like any other, you pass the
| interviews. Solving CTF-like challenges is common. Finding all
| the bugs in a toy C program. Elaborating on the exploitability
| of a latest CVE, etc.
|
| My favorite interview question:
|
| 1. Write a hello world in C.
| 2. Run it.
| 3. Explain how it works.
|
| You'd be surprised how many people actually have even a vague
| idea of what happens.
| MSFT_Edging wrote:
| Do you want to work for a government contractor?
|
| If so, they're always looking to expand and hire more great
| minds. Many people who are technically skilled but relatively new
| to RE/VR get hired because it's such a niche field and they teach
| on the job.
|
| If you don't want to work for a government contractor, gl;hf
| because most of the money lies in alphabet agency contracts and
| the vulnerabilities WILL be weaponized and left open. This will
| often cause things like the ransomware attack on the NHS.
|
| If you're cool with keeping systems vulnerable for cyber weapons
| and you're a US citizen, throw a rock in the Northern VA region
| and you'll hit a building that will hire you.
| leoqa wrote:
| I'm down to do security contracting. I'm at a similar level of
| experience as the poster (HTB, CTFs) and work in Security
| engineering. I'd like to try more typical cybersecurity work,
| like malware analysis or offsec.
|
| What companies / titles can I apply for to give it a shot? Open
| to getting a clearance.
|
| Also open to government agencies if they're in Austin.
| wepple wrote:
| What do you mean "discovering new stuff"?
|
| New vulnerabilities?
|
| New attack vectors against new technology?
|
| New defensive ideas?
___________________________________________________________________
(page generated 2023-01-29 23:00 UTC)