A day in the life of a security researcher.
By Marcelle Lee, Senior Security Researcher and Emerging Threats Lead, Secureworks
Jan 19, 2021

An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.

A day in the life of a security researcher.

2021 is an important anniversary in my cybersecurity career. It was ten years ago that I embarked on a career change into the field. Previously I had worked in management and operations roles across both public and private sectors and I was bored. What I really wanted was to be the person that “did” the things, not just the person that managed the doing of things. But there was no context for me for what that would look like. I only knew a handful of women who worked in technical fields and I wasn’t drawn to their careers. And then I started hearing about cybersecurity in the news and media and the rest is history. 

Fast forward to today and I am a security researcher and I love my career! I describe security research as the perpetual hunt to identify malicious cyber activity and threat actors. Sometimes I refer to it as collecting all the shiny cyber things. Either way, security research is a fabulous role because you can focus on areas that interest you. My focus is on cybercrime and emerging threats but the possible topics are broad and virtually endless. 

There are knowledge, skills, and abilities (KSAs) associated with working as a security researcher. Having intellectual curiosity is one thing, along with the ability to conduct research and analysis using a variety of sources and tools. Sharing your work is essential, and generally takes the form of written intelligence reporting and sharing findings with the community via conferences, blogs, podcasts, and so on. You also need a strong and broad understanding of cybersecurity concepts ranging from networking to risk management to attacker methodologies. While it is useful to have a specific area of expertise, security research lends itself to “jill-of-all-trades” as well.

Like other work roles in cybersecurity, continuing education is essential for a security researcher. The threat landscape changes daily and we have to keep up. That can be done in many ways, from traditional training to studying for certification exams to attending conferences to competing in cyber competitions. Personally, I do all those things, and give myself stretch goals each year to increase my skills as well as share my current knowledge with others. Right now I am learning Golang, which is increasingly used in malware, hence my interest. I’ve just completed the EC-Council Computer Hacking Forensic Investigator (C|HFI) certification. I’m scheduled to do a number of talks and plan to submit for more. 

I cannot overstress how useful and rewarding it is to be actively engaged in the cybersecurity community. I also think it is incumbent upon women working in the field to give back in the form of mentorship and role modeling. There are many diversity-centric organizations with which you can get involved. Women’s Society of Cyberjutsu is one of these. 

So, what is actually involved in security research? The work I do is largely based on threat intelligence, and follows these steps:

  • Obtain and digest threat intelligence (TI) from a variety of sources. 
  • Apply frameworks.
  • Analyze data and look for trends and patterns. 
  • Identify tactics, techniques & procedures (TTPs), 
  • Extract indicators and knowledge to enrich threat intel platforms.
  • Create countermeasures.
  • Report findings.

Sources of TI that I use are open source intelligence (OSINT) - my Google-fu is strong! Also, human intelligence (HUMINT), including threat actor activity on underground forums and markets. With my role at Secureworks, I have access to client telemetry as well as incident response investigations, both of which give a first hand look at threat actor TTPs. Partner and government data is also very helpful, particularly from CISA, various ISACs, FBI, and others. 

With regard to frameworks, my go-to is the MITRE ATT&CK framework, which breaks down and categorizes threat actor tactics and techniques. I primarily use it as a mapping tool to characterize the threat actor activity that I am researching. There are also the long-standing diamond model and intrusion kill chain which are always in the back of my mind when conducting research. 

Every researcher has a “toolkit” of software and websites. My toolkit includes Wireshark, a protocol analyzer, Volatility for memory capture analysis, CyberChef and Virustotal for all sorts of magic, and my VirtualBox-based virtual lab environment. Of course there are many other websites I regularly use - I share a listing of those, along with other resources, on my GitHub site

I am currently working on a few different projects. I am writing a report on mobile malware to document some of the techniques, trends, and families in that space, such as Alien and Rogue RAT. I have been working on “name and shame” ransomware for the past year and plan to continue in that vein, with Cl0p ransomware up next. I will also be researching nation-state activity outside of the big four that everyone knows of - China, Russia, North Korea, and Iran. There are most definitely other international players. 

Security research is a rewarding career and I encourage others to try it! 

Marcelle presented a talk on this topic at Hacker Halted 2020.