What Does It Take To Be a Cybersecurity Researcher?
Behind the strategies and solutions needed to counter today’s cyber threats are dedicated cybersecurity researchers. They spend their days dissecting code and analyzing incident reports to work out how to stop the bad guys.
But what drives these specialists? To understand why these cybersecurity pros do what they do, we talked with cybersecurity analysts from around the world.
To get viewpoints from across Europe, Asia, and the Americas, we recently spoke with a team of researchers from Acronis’ global network of Cyber Protection Operations Centers (CPOCs): Candid Wüest, VP of Cyber Protection Research, who is based in Switzerland; Alexander Ivanyuk, Senior Director, Product and Technology Positioning, who is based in Singapore; and two Cybersecurity Analysts, Topher Tebow and Blake Collins, who are both based in the U.S.
The conversation yielded some interesting insights into their views of the world, how they approach cyber threat analysis, and what risks stand out as the greatest challenges facing the cybersecurity field today.
As a security analyst, what drives you to do this kind of work?
While individual motivations varied from person to person (as they would in any industry), two traits were front and center: a love of problem-solving and a desire to be the good guys.
Wüest explained, “I am a curious person who likes puzzles and challenges. Hence, tracking cyberattacks and finding ways to disrupt their process efficiently is fascinating to me.”
Collins echoed that sentiment, saying, “Malware is fascinating to me as it can be a bit of a puzzle. How did it get there, what is it doing, and who is responsible? Digging into obfuscated code, understanding, and reversing it is so satisfying. Plus, when you remove a threat, there’s a sense of making the world better.”
That drive to make the digital world a safer place was also shared by others. Tebow explained, “In some ways, writing detection rules, or reporting a new C2 server, feels like vigilante justice. I may not always be Batman, but it still feels incredible to be Alfred — supporting the effort to take down criminals.”
Wüest recognizes that making the internet a safer place for everyone has an actual impact. “It is disturbing to see that some cyberattacks have destroyed lives in the real world. Therefore I would like to make my contribution to improve the situation.”
Their efforts to solve problems and prevent attacks are clearly needed. While 75% of companies report having all of the recommended security measures in place, more than half saw unexpected downtime due to data loss last year.
What’s the biggest surprise that you’ve come across during your career as a security analyst?
Even after a combined 55 years in cybersecurity, these researchers still find surprises in their daily work.
From a technical perspective, Collins says, “the sheer volume of malware that exists surprises me. If you follow cybersecurity news, you have a general idea that malware is everywhere, causing problems. But behind the scenes, you begin to appreciate how astonishingly high the number of malware variants is.”
Just as daunting, added Wüest, is how long it takes to change bad habits. “As an industry, we still fight a lot with old problem concepts like SQL injections, weak default passwords, or unencrypted sensitive data. There are solutions for these issues, but they’re not applied as widely as they should be. Even when there’s a huge privacy scandal, there’s an initial outcry, but people quickly fall back into their old habits.”
Those habits, unfortunately, can lead to something worse — apathy. “The biggest surprise is complacency among cybersecurity professionals,” said Tebow. “It’s astounding to me how often I’ve encountered a ‘this is just how it is’ attitude. I would love to see a larger number of professionals get excited for the challenge of taking down cybercriminals, even celebrating the little wins along the way.”
What trends or techniques have you found to be most effective in identifying or countering new cyberthreats?
Given the flood of new threats, which keeps growing now that attackers use automation and AI/ML optimizations, Wüest is a proponent of threat-agnostic protection.
“Instead of trying to identify the 4 million new malware samples that appear every week, focus on protecting your data from any unwanted tampering or encryption, regardless of what the malware looks like. Smart behavior monitoring that goes beyond the processes’ context can be an effective weapon against modern cyberthreats.”
As the head of cyber protection research, he adds that user and entity behavior analytics (UEBA) combined with Zero Trust, Secure Access Service Edge (SASE), and multi-factor authentication (MFA) is promising, especially given today’s work-from-anywhere-with-anything reality — but he cautioned that there’s no silver bullet.
“An integrated approach across silos with efficient automation and visibility is key, but so is the importance of the basics — such as strong authentication and patch management — which too many organizations still overlook.”
Ivanyuk agreed, saying “the use of behavioral heuristics and proper AI/ML models is critical to identifying incursions, but simple things like MFA and role-based management, backed by constant vulnerability assessments and patch management, are surprisingly effective at preventing attacks.”
To make that kind of automation possible, Collins says the ability to distill commonly malicious behavior or code down to a simple rule or signature has served him well.
“These types of detections allow you to cast a wide net that can bring in new, undetected malware for analysis.”
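As an added illustration of the two ideas above (Wüest’s threat-agnostic behavior monitoring and Collins’ habit of reducing malicious behavior to a simple rule), here is a small behavioral rule written for this article, not code from Acronis or from the analysts quoted. It flags any process that rewrites many distinct files with high-entropy (ciphertext-like) content inside a short window, without knowing anything about the binary. The event format, the thresholds, and the sample events are all constructed assumptions.

```python
"""Threat-agnostic behavior rule: flag a process that rewrites many files
with high-entropy content in a short time window, whatever the binary is.
Added example; FileEvent, the thresholds and the sample data are assumptions."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since trace start (constructed)
    pid: int
    process: str
    op: str            # "write" | "rename" | "delete"
    path: str
    data: bytes = b""  # bytes written; only meaningful for op == "write"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Assumed thresholds: plaintext and office documents sit well below 7 bits/byte;
# encrypted (and compressed) output sits near 8.
WINDOW_SECONDS = 10.0
MIN_FILES = 5
MIN_ENTROPY = 7.0


def detect_mass_encryption(events, window=WINDOW_SECONDS,
                           min_files=MIN_FILES, min_entropy=MIN_ENTROPY):
    """Return {pid: reason} for every process whose write pattern matches.

    Only 'write' events count; renames and deletes are ignored by this rule.
    A sliding window over each process's writes looks for min_files distinct
    paths rewritten with entropy >= min_entropy within `window` seconds.
    """
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "write":
            by_pid[ev.pid].append(ev)

    alerts = {}
    for pid, writes in by_pid.items():
        start = 0
        for end in range(len(writes)):
            while writes[end].ts - writes[start].ts > window:
                start += 1
            high = {w.path for w in writes[start:end + 1]
                    if shannon_entropy(w.data) >= min_entropy}
            if len(high) >= min_files:
                alerts[pid] = (f"{writes[end].process} rewrote {len(high)} files "
                               f"with entropy >= {min_entropy} within {window:g}s")
                break
    return alerts


# Constructed stand-in for ciphertext: every byte value appears exactly 4 times,
# so the entropy is exactly 8.0 bits/byte (131 is odd, hence a permutation mod 256).
CIPHERTEXT_LIKE = bytes((i * 131 + 7) % 256 for i in range(1024))
PLAINTEXT = b"Quarterly report, draft 3. Revenue was flat; costs were down slightly. " * 8


def build_sample_events():
    """Constructed trace: one ransomware-like process, two benign ones."""
    events = []
    # pid 4242: drops a copy of itself, then rewrites six documents with ciphertext
    events.append(FileEvent(0.0, 4242, "updater.exe", "write", r"C:\Temp\updater.exe", b"MZ..."))
    for i in range(6):
        events.append(FileEvent(1.0 + i * 0.5, 4242, "updater.exe", "write",
                                rf"C:\Users\alice\Docs\file{i}.docx", CIPHERTEXT_LIKE))
        events.append(FileEvent(1.1 + i * 0.5, 4242, "updater.exe", "rename",
                                rf"C:\Users\alice\Docs\file{i}.docx.locked"))
    # pid 1001: Word saving two plaintext documents
    events.append(FileEvent(2.0, 1001, "winword.exe", "write", r"C:\Users\alice\Docs\notes.docx", PLAINTEXT))
    events.append(FileEvent(6.0, 1001, "winword.exe", "write", r"C:\Users\alice\Docs\plan.docx", PLAINTEXT))
    # pid 1003: an archiver writing ONE high-entropy file; stays under MIN_FILES,
    # which is exactly the trade-off the thresholds encode (backup or compression
    # jobs that touch many files would need an allow-list or a broader signal)
    events.append(FileEvent(3.0, 1003, "7z.exe", "write", r"C:\Users\alice\archive.7z", CIPHERTEXT_LIKE))
    return events


if __name__ == "__main__":
    for pid, reason in detect_mass_encryption(build_sample_events()).items():
        print(f"ALERT pid={pid}: {reason}")
```

The rule never looks at the attacker’s code, so a new variant that is repacked or rewritten still trips it as long as it behaves like ransomware; that is the “threat-agnostic” point. The archiver line shows the cost of that approach: legitimate software that writes compressed or encrypted output looks similar, so real deployments pair a rule like this with process reputation, an allow-list, or a rollback-capable backup rather than acting on it alone.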
Tebow noted that trend analysis is an effective technique as well. When researching cryptojacking malware, he decided to examine general cryptocurrency trends. “I found that spikes and dips in cryptojacking followed the rise and fall in cryptocurrency value. This gave us a 24-48 hour headstart on defending against the next wave of attacks, and knowing which cryptocurrency to look for.”
Have there been any incidents where the sophistication of the attack has surprised you — or even impressed you?
While Ivanyuk points to classics like the Stuxnet attack and the recent SolarWinds hack as good examples, Collins notes it’s not always the sophistication of an attack that’s impressive.
“I’m always impressed with the exploits that malicious actors can find,” he said. “A few years ago there was a bug in PHP7 that allowed RCE that was surprisingly easy to use by passing a parameter with a payload in a web address. Sometimes, the simpler the exploit, the more impressive it is.”
Wüest, who was part of the team that conducted one of the first deep Stuxnet analyses, said some ransomware attackers took an interesting approach by abusing an unprotected cloud backup console.
“They stole sensitive data by creating a new backup to a cloud location under their control. Then they used the backup software to restore the malware to critical workloads inside the organization. It was an impressive use of living-off-the-land techniques, turning the victim’s own trusted infrastructure against them.”
Can you rank the security threats you’re most concerned about and explain why?
All four of these cybersecurity researchers agreed that ransomware remains the greatest security threat today — particularly given the pivot from simple data encryption to data exfiltration.
“Targeted ransomware is top of my list because the double extortion schema, where data is stolen and workloads are encrypted, can be very profitable for the attackers,” said Wüest. “With ransom demands reaching 50 million dollars, there is no reason for cybercriminals to stop. The applied techniques have long been merged with APT methods such as living off the land or exploitation of exposed services like the Exchange ProxyLogon vulnerability, making it more difficult to reliably detect.”
During the past 15 months, the Acronis CPOC analysts found evidence that more than 1,600 companies around the world had their data leaked following a ransomware attack, which is why they’ve dubbed 2021 “The Year of Extortion.”
“It is to a point that I hesitate to even call them ransomware gangs anymore,” added Tebow. “I’ve started referring to them as extortion gangs. Data exfiltration and the threat to release anything sensitive has become a primary method of extortion, to which they add increasing ransom demands after an initial time frame and threaten additional attacks, like a DDoS, if the ransom is not paid.”
“Ransomware lets them get money in untraceable cryptocurrencies, whereas stealing money via online banking increases the chances they’ll be caught later,” explained Ivanyuk. “The problem is that ransomware continues to work well, especially since individuals and companies continue to be uninformed about ransomware.”
In fact, a recent Acronis survey of IT users and IT pros around the world revealed 25% of users didn’t know what ransomware is.
Beyond ransomware, the four researchers all expect to see an increase in supply-chain attacks like the SolarWinds breach. “There are many variations of these attacks, from compromising a software vendor to injecting code in an open-source code repository,” said Wüest.
“Due to the nature of the trust chain, it can be nearly impossible to identify such a manipulation until it’s too late, as it’s downloaded on demand from a trusted source and verified by the official digital certificate. Such attacks are not trivial to create but will continue to increase in the future, as they are successful even with well-protected targets.”
Tebow added that there is one more risk that anyone in cybersecurity should keep in focus, whether they are researchers or on the front lines.
“I see the desire of analysts and organizations to ‘do it on their own’ as a tremendous threat,” he warned. “If we maintain the old-school siloed method of fighting cybercrime, we have no hope of defeating cybercriminals. It’s only by working together that we stand a chance of winning any large battles against cybercriminals.”
About the Acronis Cyber Protection Operations Centers: Acronis maintains a global network of Cyber Protection Operations Centers, with locations in Singapore, Arizona, and Switzerland that enable the CPOC analysts to use a follow-the-sun approach for 24-hour operations. Analysts detect, analyze, and prepare responses to new risks to data, from the latest cyberattacks to natural catastrophes. The insights gathered are used to issue threat alerts to protect customer environments and aid the company’s development of its cyber protection solutions.