Advice for aspiring threat hunters, investigators, and researchers from the old town folk

There’s a big cohort of security geeks who joined the industry around the turn of the millennium by either landing “infosec” jobs or, quite frequently, just by making infosec their job despite having some other formal job title. I count myself in this group, and we are becoming the old town folk.


Many of my closest friends and colleagues have moved from fingers-on-the-keyboard investigators or researchers into executive leaders, investors, and board members. In these new roles, we are struggling to find the top tier of the ever-expanding next generation of threat experts. In other words, we are incredibly incentivized to share the most valuable secret insights we have for launching a new career in the security field, and more specifically, showing aspiring security professionals how to strongly differentiate themselves from the droves of less inspired resumes competing with theirs.

In career advice calls and meetings with young adults over the past couple of years, I’ve noticed an unexpected and common pattern emerge with Ivy League fresh grads with cybersecurity degrees, people considering a career transfer with little formal infosec training, and everyone in between. When I share what I believe are the fundamental characteristics of the most successful people I have known in the industry, the people I’m speaking with consistently find my insights to be a complete surprise.

Aspiring threat hunters, investigators and researchers clearly need a better idea of what their prospective employers are looking for in an ideal candidate. So, here are some of the insights I have derived from 22 years of threat research and investigation, interviewing and hiring, and cross-company collaboration. There are undoubtedly industry luminaries whose list of “pointers you need to follow to launch a top-tier career in the cybersecurity industry” is radically different from mine. But here are three truths that have served me (and those I have mentored) incredibly well over the years:

  • You can establish yourself as a proven threat researcher/investigator without having a formal job doing it.
  • Be “a dumbass,” just like some of the world’s most influential and recognized investigators.
  • Don’t work with data. Play with data.

These are the pointers that come as a surprise for people, so I’ll start by demystifying the first.

You can establish yourself as a proven threat researcher/investigator without having a formal job doing it. Most malicious hackers were performing malicious activities before they made a living as a hacker. In many (but not all) cases it is the type of thing you can practice from your couch before getting hired into an organization with fancy resources.

Likewise, threat investigators and researchers can achieve the same “career progression” moving from hobby to professional work, assuming they can demonstrate creativity and determination. And believe me, hiring managers are desperate for candidates with more determination and creativity than certifications and degrees. Why? Because truly malicious hackers are driven by creativity and determination (as opposed to certifications).

It may be shocking to hear, but it is not true when they say that cybersecurity candidates are in short supply (sorry, the counselor who told you this is incorrect). There is no shortage of people seeking cybersecurity jobs, and that fact becomes plainly obvious as my colleagues and I at Awake Security search to fill open positions. However, defenders who can demonstrably match wits against top-tier attackers on the asymmetric gameboard of enterprise security are in desperately short supply. The keyword here is demonstrably, but how can you demonstrate aptitude if you do not have a job doing it?

“Experience” isn’t hard to get

Demonstrating an aptitude in cybersecurity is extraordinarily simple. Examine malicious files, websites, or activities, then write blogs (on Medium, LinkedIn, etc.) teaching analysts how to identify the activity you have analyzed. In other words, dissect the activity to the nth degree, then write about it from a practical, in-the-trenches perspective.

This is important for both altruistic and self-serving reasons.

Insightful and publicly referenceable work frequently carries far more weight with hiring managers than a resume skills list. As I can painfully attest, the fact is that hiring managers spend a huge portion of their time interviewing underqualified candidates because resumes are so frequently full of rubbish. Resumes demonstrate little, and certifications are a commodity.

On the other hand, blog posts allow you to objectively demonstrate your abilities to discover, analyze, and possibly even remediate sophisticated threats, which is something that will dramatically differentiate you from most other candidates.

Yes, many certifications require the same work to be done, but do you think a hiring executive would be more impressed by someone forced to do the work to get their money’s worth from a certification track, or someone who does the work because of their own intrinsic motivation? Make no mistake – there are people who do this work as a hobby, and we are looking for them!

The benefits of this approach don’t stop there. This visibility can also help make connections with other researchers who may want to collaborate on the work you have done. This very frequently opens doors to job opportunities that would have been impossible to find otherwise. At Awake Security, we have built entire teams this way.

As many ways as there are to hack computers, there are perhaps just as many ways to analyze malicious code and activity. When you begin asking questions where the internet cannot provide answers, it is likely the internet (and security teams globally) needs your help documenting the approach you took to answering questions about that threat or activity.

Of course, the elephant in the room at this point is “How do I get my hands on unknown (or not already documented) threats if I don’t have a job in cybersecurity?!?”

There is exponentially more data on the internet than people on the planet. While most people intuitively know this, the implications are still surprising at times. For instance, if you go searching for the more obscure edges of the internet, the probability of finding data and activity that has not already been closely examined by other people in your bubble increases exponentially too.

Worded simply, do this:

  • Find very recent threats, that
  • Are not already analyzed by other people, and
  • Write an analysis of them.

Most people might think this list is ordered from most-to-least difficult. But actually, the opposite is true. I’ll explain how in my next Help Net Security article.
