Ask HN: How can I get into cyber security research?
117 points by wdym 56 days ago | hide | past | favorite | 45 comments
Quick background: I am a tech lead in a SRE team. I am not sure this is what I want for the rest of my life.

I love the sec field. In the last few years I've played lots of CTFs, pwned several boxes on Hack the Box, studied and reproduced CVEs, etc. I have the technical knowledge.

I don't think that I want to do pentests or bug bounty. I'm more into research. I like to be the one ahead discovering new stuff. But, how do I get there? Who hires someone like that? What do you need to get the role? How is this job for real? So many questions.

Assuming vulnerability research, you need to be able to recognize bug patterns (buffer overflows, use-after-frees and such), be familiar with fuzzing, code audits, debugging. Of course, understanding the code, usually in C/C++ and assembly.

Assuming you have the technical skills there are companies that hire for such positions ranging at varying degrees in the "ethical" scale. See Google Project Zero and Zerodium for instance.

You don't need a PhD, CISSP, a cybersecurity bootcamp, a relevant degree or pretty much anything. You need to understand how the computer actually works. Most of the stuff needed is left out of a typical computer science curriculum. And (most) of the people hiring actually know that.

In order to do it you must simply spend so many hours to learn that stuff and then not be disheartened by the work that needs to be done. Example: No one has compiled a binary with ASAN. Do it (by spending an exorbitant amount of time to fix all the linking errors during compilation). Run the binary with literally any input. Boom, you got a bug.

Getting the role is pretty much like any other, you pass the interviews. Solving CTF-like challenges is common. Finding all the bugs in a toy C program. Elaborating on the exploitability of the latest CVE, etc.

My favorite interview question:

1. Write a hello world in C.
2. Run it.
3. Explain how it works.

You'd be surprised how many people actually have even a vague idea what happens.

I agree with this comment. I have no degree and no official university courses under my belt but have found bounties worth 10k+.

What helped me is that every layer of the OSI model was something that I dug into until I understood it well. Nowadays most bounties are happening on the web (layer 7) but you can still find some fun in the other layers too.

There is no formal way to acquire this knowledge? I know lots of stuff, but don't know if it's enough or if it's what is needed. There are certs like OSCP, but I feel that these companies only care about it when it's about pentest.

I would like to challenge the conventional approach and suggest starting with reverse engineering, particularly malware reverse engineering, as a foundation before engaging in research. Engaging in activities such as participating in CTFs, hacking boxes, and reproducing CVEs is valuable, but without the fundamental knowledge, it is akin to attempting to run before learning to walk.

I recommend exploring OpenSecurity's courses to gain a comprehensive understanding of topics such as assembly, debuggers, and x86 architecture. It is essential to have a solid grasp of these concepts before diving into malware analysis.

Then, I suggest watching OALab's YouTube channel and streams for excellent malware analysis content, and practicing by following along with his videos, reversing malware with Ghidra (if you do not have access to an IDAPro license). Additionally, if you have the money for it, also participate in virtual machine-based malware analysis exercises, such as those offered by the SANS Institute, to gain hands-on experience.

Once you are confident with the material from these resources, you can choose to specialize in a specific area that interests you. Would you like to delve into Linux Kernel security, Windows internals? Perhaps mobile security or ARM? By having a strong foundation, the research papers, CVEs, and exploits will be easier to comprehend and analyze.

Don't get discouraged by setbacks, it's a difficult field, just always strive to expand your knowledge and skills.

"Cybersecurity research" is a very large domain, so it's hard to offer a wholly encompassing answer here! The company I work for[1] does a great deal of program analysis research, primarily in and around the LLVM ecosystem. Other companies/groups in our domain(s) include Galois, Inria, and GrammaTech.

In terms of working in our domain: we frequently find it difficult to hire for pre-existing compilers or program analysis skills (it's a small community!), so we generally long for strong engineers with security/low-level fundamentals who don't mind making a pivot.

As for how the job is: I personally find it very fulfilling, but it definitely contains a degree of uncertainty (particularly when doing government-funded research) that ordinary SWEs/SREs may not be used to. I've noticed that it takes new hires a decent amount of time to acclimate and become comfortable with the idea of research engineering, meaning engineering where we expect less than 100% of all exploratory avenues to have productive outcomes. This can be a large culture shock compared to typical engineering, where tasking is defined primarily by business requirements that don't contain a large degree of uncertainty or ambiguity in terms of implementation approach.

[1]: https://www.trailofbits.com/

Just a note, you'll also find research like this, even if not as "visible", at most heavily-tech firms: FAANG, Arm, Intel... Though it's quite a niche area still, I get a bit claustrophobic when I think about just how few jobs are relevant to the kind of research engineering that I want to do. :)

Absolutely! This work is by no means limited to the firm that I work for or others in our sphere; it's just the small group I'm familiar with. I happen to know for a fact that Meta, Google, etc. all have excellent security and program analysis research teams (although I'd also say that the smaller firms in this space punch above their general weight class :-)).

Great clarification about the research engineering concept and security. I think the kind of security services a company such as Trail of Bits does involves a lot of craft and craft is difficult to teach, it requires a lot of patience and attitude for trial and error beyond more advanced scientific methods.

Do you want to work for a government contractor?

If so, they're always looking to expand and hire more great minds. Many people who are technically skilled but relatively new to RE/VR get hired because it's such a niche field and they teach on the job.

If you don't want to work for a government contractor, gl;hf because most of the money lies in alphabet agency contracts and the vulnerabilities WILL be weaponized and left open. This will often cause things like the ransomware attack on the NHS.

If you're cool with keeping systems vulnerable for cyber weapons and you're a US citizen, throw a rock in the Northern VA region and you'll hit a building that will hire you.

I’m down to do security contracting. I’m in a similar level of experience as the poster (HTB, CTFs) and work in Security engineering. I’d like to try more typical cybersecurity work, like malware analysis or offsec.

What companies / titles can I apply for to give it a shot? Open to getting a clearance.

Also open to government agencies if they’re in Austin.

> Also open to government agencies if they’re in Austin.

If you are career focused and doing this type of work then relocating near the capital is a no-brainer. It's the difference between being in finance and working on Wall Street or working in Denver.

Have you considered San Antonio? The headquarters of Air Forces Cyber (aka AFCYBER aka 16th Air Force) and the Texas Cryptologic Center (aka NSA-Texas) are here. Plenty of government civilian/contracting cyber security jobs.

I work in this niche (finding/exploiting C/C++ bugs in operating systems and browsers). Here are the companies I know about: Raytheon, Mitre, L3Harris, Grayshift, Vigilant. Also NSA and CIA will train you if you don't already have the skills, but there are downsides: clearance required, no remote work, DC area only, low pay.

If you find the right contractor or aim for a smaller subcontractor, the pay can be fairly lucrative if you haven't been poisoned by FAANG salaries.

Typically the game in the industry is work for a contractor, quit with a few of your best buds, open an LLC and sub back to the same customer/contractor with your billing rate doubled. Since you lack the overhead of a larger company, you can be a little entrepreneur with your specialization and get very rich very fast.

Agreed! I just meant that working directly for NSA/CIA is low pay. Like ~100k, which certainly isn't poverty wages. Working for a contractor, I think about 250k is normal (but I have very few data points). And I don't know anyone who has started their own LLC, but I'm sure the sky's the limit with that route.

This is a much harder field to break into if you're not a US citizen / eligible for clearance. It's frustrating comparing the jobs available in/around VA/MD/DC to the ones available in other countries.

Great question!

For context, I transitioned from publishing top academic papers in security to building & growing a visual graph AI startup where, for one of our bigger customer bases, we work with top enterprise & military security teams. We're actively hiring here so some quick responses based on what I look for and have seen:

* Red team makes sexy headlines, but it's the blue team who gets the seat on the board. Think prioritizing areas like detection, hardening, new protocols, thorough fuzzing, SDLC, vs finding bugs with a security flavor. Red team does have its niche, as pen testing + compliance audits form an important services industry, but the research opportunities are more limited.

* Education: Cybersecurity fundamentals are super approachable and CS ugrads who did systems courses already have the harder basics: networking, OS, and compilers. Cyber-specific coursework mostly just revisits the harder fundamentals with a "gotcha" perspective. For more modern AI-ish roles, a classical math/cs background is typical.

* Industrial education: Interestingly, SOC/IR/Hunt are NOT taught in school. Likewise, industrial experience in AI/data engineering/software can often be way more valuable than university-flavor, so career pivots are doable.

It can be hard to do R&D within a regular operational security team. However, early-stage vendors like us inherently have to do it, and we work with top enterprise/tech/mil teams who in turn do research internally & through us. US, esp DC-area with clearance (ex: drugs can be problematic), opens a lot of doors. If anyone is like that for cyber AI or sec eng, either US or Australia, we're def looking for senior, and aim to have mid/junior later in the year :)

Trail of Bits does this kind of work (https://www.trailofbits.com)!

Tbh there is a much larger market for application of existing technology (e.g., pentests) than development of new technology (e.g., DARPA programs and the 1% of tech firms that need something new). There are a handful of others, but the market doesn't support dozens of other firms like Trail of Bits. There is some innovation that happens in Series A and B security startups but IMHO that quickly gives way to pressures of building an enterprise sales team.

Lots of folks can make the hop from SRE to pentesting; much of the knowledge space - especially post-exploitation - is very similar! You have the advantage that you know how to operate on a production box without accidentally destroying or interrupting it. There are tools to learn, but I think you would find it to be an easy transition.

In more mature environments I would say up to 20-30% of a pentester's job can be finding bespoke vulnerabilities, 30+% is writing reports, so you get some good exposure to those; these are the exact skills you need in vulnerability research. If possible, request a ridealong with your company's pentesters in your environment, usually they love that: SREs know where the bodies are buried.

Research itself is a harder leap to get into straight from SRE; definitely far fewer junior roles. A lot of companies hire up researchers internally from their red and blue teams. Bug bounties are a way in without operational experience; without doing one or the other it's a bit of a tough sell. I would recommend a year or so on a red team and try to spend as much time as possible doing vuln-researchy things. Find some interesting things, communicate them effectively, and you will be well-poised to get into research.

I work for the Adversary Simulation arm at IBM X-Force Red. Prior to that, I worked at Mandiant and left as a technical manager for the proactive (offensive security) consulting branch.

I’d be happy to chat with you and answer any questions. I have interviewed and hired candidates for these positions many times, and have also been the one in the interview chair. My Twitter handle is in my profile.

In case you’re wondering, Adversary Simulation is a mix of research, implementation, and application of techniques to test security gaps in an organization. Typically, we use social engineering to gain access and must avoid detection by a variety of security measures. The goal is usually to gain access to something specified by the organization without being detected, as the testing is not announced to the security team in advance.

What would you recommend engineers learn or develop a practice for on the design and implementation side of software?

I've followed you there, but I think I can't send a DM if you don't follow me.

1. Browse through major findings in USENIX security conferences and make note of major authors and their affiliations.

2. Think about what challenges are generally faced in the field in whatever capacity you're interested in (network security, hardware security, etc.) and what organizations (public/private/solo hacker groups) are actively working towards addressing these challenges.

3. Do some work, reach out to people, ask some questions, assert your solutions.

USENIX? Lmao. Nothing of note happens there. Hilariously enough, nothing significant happens at BH or DEFCON either. There are other, much smaller conferences for the actual interesting, and novel things.

Any exemplars that come to mind?

I wouldn't be surprised as other posters have opined (and likely accurately) that industry/hacker groups have progressed past academia.

REcon [1] would probably get OP in closer proximity of who they're looking for.

[1]: https://recon.cx

As others have noted, that's a pretty broad question. Are you interested in the theoretical or the practical? Do you prefer a scrappy, creative investigation or one within the walls of a big, well-resourced, legitimizing, and bureaucratic organization? How will you serve the needs of others (aka the only way to make money in this world)? What's your current background, professionally and educationally?

Feel free to DM me if you want... I work in cybersecurity at a major university. My role is primarily operational, but I also manage and conduct research. Before that, I was a more independent sort of security geek.

What do you mean “discovering new stuff”?

New vulnerabilities?

New attack vectors against new technology?

New defensive ideas?

Quite some time ago a colleague and I put together a seminar paper on binary exploitation techniques and their mitigations. Maybe it's helpful to you:


I know you explicitly said you don't want to, but: participate in all the bug bounty programs you can, responsibly disclose through them, wait until patched (or give a hard deadline), then post a technical writeup of the bug to a Substack or the like. That will become your "resume" to get your foot in doors.

Could you give us a few examples of security research jobs?

It seems pretty obvious that you’d need to go into a PhD program in cybersecurity to work on groundbreaking research. Perhaps you mean industry or implementation specific research?

It's really not pretty obvious...says the non-degreed cybersecurity researcher at a major university in the US.

The majority of academia is further behind in cybersecurity than they think they are. Some bright spots are further ahead than they get credit for. A huge amount of impactful research is being done in the private sector or by hobbyists. Whatever the source or the organizational affiliation of the researcher, the best ones have a solid connection to what's really going on out there in the field, rather than living in a safe little researcher bubble disconnected from the real world.

Most of the actually groundbreaking and useful research in security happens out of necessity in the industry as opposed to in academia, where they seem to rediscover things that are widely known in the hacker community a few years later.

I would argue that the industry may stumble upon a security-related issue first. But stumbling, and being aware of something is not research.

Anecdotally, I vividly remember industry people showing up in academic conferences, bragging how they knew everything about bit-flips already. They didn't. They just happened to be aware of the phenomenon, and smart enough to understand that it should have security implications of some kind. But that's not research.

A good amount of the industry has dedicated research departments these days. At least, the better consultancies have.

As for the bitflips example, are you talking about Rowhammer? That and the CPU side channel issues are the kind of area academia really tends to do great work on.

Where I find academia incredibly disappointing is in areas like covert channels - there's a fucking paper mill in Israel that keeps shitting out implausible "covert channel" research.

Also stuff like memory corruption techniques - academia seems to spend a lot of its time reinventing shit that has been done to death in industry or even has papers in Phrack.

We have 2 senior openings right now, and both feel representative in not requiring a PhD. We're pretty cutting edge here (end-to-end GPU acceleration, graph neural networks, win R&D competitions, ...), and our team is split pretty evenly on PhD vs not, so I likewise feel pretty comfortable writing this:

* Security AI : ugrad-level math ability (linear algebra, prob, stats, info theory, ...) is required, as well as experience with deep learning and operational AI problems. PhD more strongly suggests you can communicate & plan, such as for giving talks, pitching crazy projects, and writing DARPA grants... but not necessarily, nor required.

* Security engineer: We care more that someone has worked with big operational security systems, getting things like large & gnarly Splunk deploys and how tools like Spark, AI, Python, notebooks, and viz can seriously augment them. You don't learn that at school.

Landing a cyber job isn't too hard but getting a "research" based position is going to be extremely difficult even if you already have a decade+ of cyber experience. "Research" may be a better home/fun activity. If you want a security-based job, first figure out what niches you enjoy the most: mobile, vulnerability writing, reversing, web apps, forensics, etc.

Please add contact info to your profile or reply here. I work for a team you would be interested in, and we're looking for people exactly like you.

Hey, I am currently an application pentester and also interested in looking for something more focused on security research.

I would also be interested in hearing from you, thanks. (see my profile)

A side question, for Canadians, which gigs offer "teach on the job" as MSFT_Edging mentioned in his comment? Maybe government too?

Find out ways to completely obviate classes of bugs.

Start doing research, find some 0day, publish work.

Something not covered by the many knowledgeable commenters here:

What’s the pay?

Is it competitive with FAANG? (See levels.fyi)

Find some bugs.
