What Is Cybersecurity Research Today?
Cybersecurity has two main thrusts — offense and defense.
Cybersecurity research has, it seems, two main thrusts. Both of them seem similar at first glance, but one is more lucrative (though not as impactful) while the other has much more impact (but doesn't seem to pull in the cash). Let's give an overview of various cybersecurity careers first, and then segue into what cyber R&D is today.
From a career perspective, you can first split jobs into either offensive or defensive specialties. Granted, this is a somewhat artificial delineation. After all, if you work in any corporate cybersecurity department, you've got someone either on staff or on call who can analyze suspected malware or do some post-incident forensics. But generally, offensive folks do things like pen testing and vulnerability analysis, while defensive folks implement and monitor cybersecurity controls and policies in organizations. We can include forensics work and malware analysis as defensive fields. They're not a perfect fit, but as they're not focused specifically on attacking systems, let's lump them in with the defensive fields.
Then, of course, there are criminal organizations, which consist of folks who develop malware, design and implement C&C systems, run and rent botnets or exploit kits, and that kind of thing.
So, that's an overview of what you can do to get paid in cyber. With that out of the way, let's look at R&D.
Today, most R&D is related to finding and either reporting or selling 0-days. If you just report your findings, well, I hope you can eat well on the feeling of moral superiority that gives you. The rest of us need to sell our stuff. And if you're doing this kind of thing, you end up selling to companies like Zerodium or Trend Micro (via the Zero Day Initiative) or similar. Or you can contact various underground brokers and they'll sell your stuff for you. Usually, if you sell to an above-board company, your stuff is more likely to be used by western nation-states. Via brokers, you never really know. Any individual exploit of this kind is a rare find, yet tens of thousands of them are created every year, of which tens are significant and have widespread impact. This is, I think, the most common avenue of cyber R&D you'll find.
The other avenue is more impactful but doesn't really generate much direct cash. In the previous case, the researchers were finding 0-days in existing applications and systems and selling the findings. This has multiple significant findings per year. This other area has findings, maybe, every five years.
I'm talking about discovering entirely new classes of exploits.
In the past five years, we've had two — Rowhammer attacks, in which attackers cause specific bits in memory to flip by taking advantage of electrical leakage in DRAM, and speculative execution attacks, characterized by Spectre and Meltdown. These kinds of flaws are usually reported in academia and result in multiple exploitable 0-days later as they're refined. They may not result in immediate cash via 0-day sales, but they sure can give you job security.
I frequently have conversations with folks looking to get into cyber R&D, and these seem to be the two R&D career paths open today. We need both of them, and you can move from one to the other. Both are equally frustrating as well, punctuated by brief periods of excitement when you actually get your exploits to work.