What Is a Threat Researcher and How To Become One

Cybercrime investigators, computer forensicists, threat hunters and researchers… No, these are not sci-fi characters; rather, they are actual cybersecurity experts. Keep reading to learn more about why and how you can study cyberthreats, as well as how you can get started in the profession. The article is based on a talk by Nikita Titarenko, an analytical engineer at Gazinformservis, and Andrey Zhdanukhin, a SOC L2 analyst at Gazinformservis, at the recent Positive Hack Days Fest 2.

Threat researchers

These specialists are responsible for investigating and analyzing vulnerabilities in information systems. Their tasks are to gather and process data on information security, which they subsequently share with their colleagues in other departments to boost team efficiency.

As a rule, employees at information security departments are divided into two teams: a blue team (defenders) and a red team (attackers). The task of the blue team is to protect IT infrastructure and prevent attacks, whereas the red team mimics the behavior of real-life attackers and thus detects vulnerabilities in systems.

Threat researchers do not belong to any of these teams. On the one hand, they are constantly identifying patterns in attackers’ actions and designing the models of their behaviors, while, on the other, they are hunting for and fixing bugs. Therefore, they are often referred to as the purple team, whose purpose is to enable collaboration between defenders and attackers for the sake of a mutual goal, that is the security of information systems. In addition to threat researchers, purple teams also include security engineers and pen testers.

Andrey Zhdanukhin. Credit: Positive Technologies & Positive Education

Responsibilities

Classify and analyze attacks and vulnerabilities, as well as help colleagues from other departments find solutions for associated problems.

Interact with and build cooperation between attackers and defenders. Researchers are the first to detect new attacks; they also share the latest trends in the field and show how to test systems efficiently. Together with defenders, they work to improve system security, suggest new methods for threat detection, and build mock attacks on cyber testing grounds. A cyber testing ground is a virtualized IT infrastructure that serves as a platform for creating information systems models and training in their attacks and defense.

Advance security systems. This means not only improving the existing methods but also their constant updating following trends. Threat researchers need to keep track of products’ latest editions, determine their strengths and weaknesses, and based on that adapt their security systems.

Develop new detection methods. Conventional methods may not be enough for complex attacks, and that’s why researchers need to be on the lookout for new ways to identify threats so as to keep up with hackers and avoid extra risks.

Automate attackers’ actions. Threat researchers help create models of possible attacks on systems and develop protection software.

Create mock-ups. Threat researchers build mock-ups of flawed infrastructure based on their analytics at cyber testing grounds, which then attackers and defenders can use to test new methods, as well as train themselves or train newcomers.

Analyze publications on relevant vulnerabilities. Major IT companies, such as Kaspersky or BI.ZONE, regularly publish reports on attacks carried out by hackers. The focus should be on both web bugs and cyberattacks on critical infrastructure.

Train AI algorithms. Attackers and defenders are increasingly using AI in their practice. They can train algorithms not only to detect hackers and repel attacks but also to find unorthodox security solutions. Training datasets are created by threat researchers, as well.

Nikita Titarenko. Credit: Positive Technologies & Positive Education

Where to train

For defenders:

Blue Team Labs and CyberDefenders – ready-made lab projects and virtual information infrastructures;
MITRE and BI.ZONE (in Russian) – databases with current and archived reports on system vulnerabilities to expand and update your cybersecurity knowledge.

For attackers:

HackTheBox and TryHackMe – a variety of theoretical materials and exercises in ethical hacking;
PortSwigger – a guide to web penetration testing and training in collecting system data, scanning information systems, and mimicking attacks;
Codeby Games (in Russian) – a hacker’s simulator;
Standoff 365 – a training platform for Standoff tournaments with real-world cases and testing tools.

The talk was delivered at Positive Hack Days Fest 2. The event brought together experts from Avito, MTS, and many other companies who spoke about how to get started in cybersecurity and find your niche, as well as where to look for internships and jobs. The festival was co-organized by ITMO’s Faculty of Secure Information Technologies.

What Is a Threat Researcher and How To Become One

Threat researchers

Responsibilities

Where to train

Ksenya Desyatkova

Marina Belyaeva

Related news

Hack Me If You Can: Computer Hackers and Why They Need Hats

Sberbank’s Cyber-Security Staff on Protecting Bank’s Network Perimeter

ITMO University Team Takes Third Place in RuCTF 2019