Ask HN: How can I get into cyber security research?
Quick background: I am a tech lead in a SRE team. I am not sure this is what I want for the rest of my life.
I love the sec field. In the last few years I've played lots of CTFs, pwned several boxes on Hack the Box, studied and reproduced CVEs, etc. I have the technical knowledge.
I don't think that I want to do pentests or bug bounty. I'm more into research. I like to be the one ahead discovering new stuff. But, how do I get there? Who hires someone like that? What do you need to get the role? How is this job for real? So many questions.
46 comments
[ 2.5 ms ] story [ 105 ms ] threadIt seems pretty obvious that you’d need to go into a PhD program in cybersecurity to work on groundbreaking research. Perhaps you mean industry or implementation specific research?
Anecdotally, I vividly remember industry people showing up in academic conferences, bragging how they knew everything about bit-flips already. They didn't. They just happened to know to be aware of the phenomenon, and smart enough to understand that it should have security implications of some kind. But that's not research.
As for the bitflips example, are you talking about Rowhammer? That and the CPU side channel issues are the kind of area academia really tends to do great work on.
Where I find academia incredibly disappointing is in areas like covert channels - there's a fucking paper mill in Israel that keeps shitting out implausible "covert channel" research.
Also stuff like memory corruption techniques - academia seems to spend a lot of its time reinventing shit that has been done to death in industry or even has papers in Phrack.
The majority of academia is further behind in cybersecurity than they think they are. Some bright spots are far ahead than they get credit for. A huge amount of impactful research is being done in the private sector or by hobbyists. Whatever the source or the organizational affiliation of the researcher, the best ones have a solid connection to what's really going on out there in the field, rather than living in a safe little researcher bubble disconnected from the real world.
* Security AI : ugrad-level math ability (linear algebra, prob, stats, info theory, ...) is required, as well as experience with deep learning and operational AI problems. PhD more strongly suggests you can communicate & plan, such as for giving talks, pitching crazy projects, and writing DARPA grants... but not necessarily, nor required.
* Security engineer: We care more that someone has worked with big operational security systems, getting things like large & gnarly Splunk deploys and how tools like Spark, AI, Python, notebooks, and viz can seriously augment them. You don't learn that at school.
If so, they're always looking to expand and hire more great minds. Many people who are technically skilled but relatively new to RE/VR get hired because it's such a niche field and they teach on the job.
If you don't want to work for a government contractor, gl;hf because most of the money lies in alphabet agency contracts and the vulnerabilities WILL be weaponized and left open. This will often cause things like the ransomware attack on the NHS.
If you're cool with keeping systems vulnerable for cyber weapons and you're a US citizen, throw a rock in the Northern VA region and you'll hit a building that will hire you.
What companies / titles can I apply for to give it a shot? Open to getting a clearance.
Also open to government agencies if they’re in Austin.
If you are career focused and doing this type of work then relocating near the capital is a no-brainer. It's the difference between being in finance and working on Wallstreet or working in Denver.
Typically the game in the industry is work for a contractor, quit with a few of your best buds, open an LLC and sub back to the same customer/contractor with your billing rate doubled. Since you lack the overhead of a larger company, you can be a little entrepreneur with your specialization and get very rich very fast.
New vulnerabilities?
New attack vectors against new technology?
New defensive ideas?
I’d be happy to chat with you and answer any questions. I have interviewed and hired candidates for these positions many times, and have also been the one in the interview chair. My Twitter handle is in my profile.
In case you’re wondering, Adversary Simulation is a mix of research, implementation, and application of techniques to test security gaps in an organization. Typically, we use social engineering to gain access and must avoid detection by a variety of security measures. The goal is usually to gain access to something specified by the organization without being detected, as the testing is not announced to the security team in advance.
Feel free to DM me if you want... I work in cybersecurity at a major university. My role is primarily operational, but I also manage and conduct research. Before that, I was a more independent sort of security geek.
In terms of working in our domain: we frequently find it difficult to hire for pre-existing compilers or program analysis skills (it's a small community!), so we generally long for strong engineers with security/low-level fundamentals who don't mind making a pivot.
As for how the job is: I personally find it very fulfilling, but it definitely contains a degree of uncertainty (particularly when doing government-funded research) that ordinary SWEs/SREs may not be used to. I've noticed that it takes new hires a decent amount of time to acclimate and become comfortable with the idea of research engineering, meaning engineering where we expect less than 100% of all exploratory avenues to have productive outcomes. This can be a large culture shock compared to typical engineering, where tasking is defined primarily by business requirements that don't contain a large degree of uncertainty or ambiguity in terms of implementation approach.
[1]: https://www.trailofbits.com/
Assuming you have the technical skills there are companies that hire for such positions ranging at varying degrees in the "ethical" scale. See Google Project Zero and Zerodium for instance.
You don't need a PhD, CISSP, a cybersecurity bootcamp, a relevant degree or pretty much anything. You need to understand how the computer actually works. Most of the stuff needed are left out of a typical computer science curriculum. And (most) of the people hiring actually know that.
In order to do it you must simply spend so many hours to learn that stuff and then not be disheartened by the work that needs to be done. Example: No one has compiled a binary with ASAN. Do it (by spending an exorbitant amount of time to fix all the linking errors during compilation). Run the binary with literally any input. Boom, you got a bug.
Getting the role is pretty much like any other, you pass the interviews. Solving ctf like challenges is common. Finding all the bugs in a toy C program. Elaborating on the exploit ability of a latest CVE, etc.
My favorite interview question:
1. Write a hello world in C. 2. Run it 3. Explain how it works
You'd be surprised how many people actually have even a vague ideas what happens.
What helped me is that every layer of the OSI model was something that I dug in to until I understood it well. Nowadays most bounties are happening on the web (layer 7) but you can still find some fun in the other layers too.
2. Think about what challenges are generally faced in the field in whatever capacity you're interested in (network security, hardware security, etc.) and what organizations (public/private/solo hacker groups) are actively working towards addressing these challenges.
3. Do some work, reach out to people, ask some questions, assert your solutions.
I wouldn't be surprised as other posters have opined (and likely accurately) that industry/hacker groups have progressed past academia.
[1]: https://recon.cx
Tbh there is a much larger market for application of existing technology (e.g., pentests) than development of new technology (e.g., DARPA programs and the 1% of tech firms that need something new). There are a handful of others, but the market doesn't support dozens of other firms like Trail of Bits. There is some innovation that happens in Series A and B security startups but IMHO that quickly gives way to pressures of building an enterprise sales team.
I recommend exploring OpenSecurity's courses to gain a comprehensive understanding of topics such as assembly, debuggers, and x86 architecture. It is essential to have a solid grasp of these concepts before diving into malware analysis.
Then, I suggest watching OALab's YouTube channel and streams for excellent malware analysis content, and practicing by following along with his videos, reversing malware with Ghidra (if you do not have access to an IDAPro license). Additionally, if you have the money for it, also participate in virtual machine-based malware analysis exercises, such as those offered by the SANS Institute, to gain hands-on experience.
Once you are confident with the material from these resources, you can choose to specialize in a specific area that interests you. Would you like to delve into Linux Kernel security, Windows internals? Perhaps mobile security or ARM? By having a strong foundation, the research papers, CVEs, and exploits will be easier to comprehend and analyze.
Don't get discouraged by setbacks, it's a difficult field, just always strive to expand your knowledge and skills.
For context, I transitioned from publishing top academic papers in security to building & growing a visual graph AI startup where, for one of our bigger customer bases, we work with top enterprise & military security teams. We're actively hiring here so some quick responses based on what I look for and have seen:
* Red team makes sexy headlines, but it's the blue team who gets the seat on the board. Think prioritizing areas like detection, hardening, new protocols, thorough fuzzing, SDLC, vs finding bugs with a security flavor. Red team does have its niche, as pen testing + compliance audits form an important services industry, but the research opportunities are more limited.
* Education: Cybersecurity fundamentals are super approachable and CS ugrads who did systems courses already have the harder basics: networking, OS, and compilers. Cyber-specific coursework mostly just revisits the harder fundamentals with a "gotcha" perspective. For more modern AI-ish roles, a classical math/cs background is typical.
* Industrial education: Interestingly, SOC/IR/Hunt are NOT taught in school. Likewise, industrial experience in AI/data engineering/software can often be way more valuable than university-flavor, so career pivots are doable.
It can be hard to do R&D within a regular operational security team. However, early-stage vendors like us inherently have to do it, and we work with top enterprise/tech/mil teams who in turn do research internally & through us. US, esp DC-area with clearance (ex: drugs can be problematic), opens a lot of doors. If anyone is like that for cyber AI or sec eng, either US or Australia, we're def looking for senior, and aim to have mid/junior later in the year :)
What’s the pay?
Is it competitive with FAANG? (See levels.fyi)
In more mature environments I would say up to 20-30% of a pentester's job can be finding bespoke vulnerabilities, 30+% is writing reports, so you get some good exposure to those; these are the exact skills you need in vulnerability research. If possible, request a ridealong with your company's pentesters in your environment, usually they love that: SREs know where the bodies are buried.
Research itself is a bit harder leap to get into straight from SRE; definitely far fewer junior roles. A lot of companies hire up researchers internally from their red and blue teams. Bug bounties are a way in without operational experience; without doing one or the other it's a bit of a tough sell. I would recommend a year or so on a red team and try to spend as much time as possible doing vuln-researchy things. Find some interesting things, communicate them effectively, and you will be well-poised to get into research.
https://github.com/W4RH4WK/ETnM/blob/master/docs/paper.pdf