With the COVID-19 pandemic impacting us worldwide and showing no signs of letting up, many cybersecurity professionals are working remotely, and taking extra measures to secure their devices and networks. We turn the spotlight on to the role of cybersecurity specialists, who are on the front lines ensuring that applications and underlying IT infrastructure stay secure for enterprises worldwide. To learn what their roles entail, we had a chat with our senior ThreatModeler research engineer, Deep Shah. You’ll discover what his day-to-day looks like and what it takes to make sure cybersecurity is not an afterthought for organizations and the multitudes of work-from-home employees.

A Day in the Life of A Senior Engineer

Cartoon by Lisa Rothstein

What Does a Threat Research Engineer Do?

The position of a cybersecurity engineer does not just entail constructing secure IT systems; it also entails uncovering potential threats and protecting the organization’s technology environment from them.

A threat research engineer:

• Builds security systems
• Searches for vulnerabilities
• Scales threats and finds requirements to mitigate them
• Monitors for attacks

Now that we have a clearer image of what the role of a threat research engineer involves, here are some insights from a real one. Deep Shah graduated from NYU with a master’s degree in computer engineering. He is one of our brightest threat research engineers. He took some time from his busy schedule to give us the scoop on what it means to work remotely and stay on top of the ever-growing list of threats that can compromise our privacy, productivity, security and safety.

Interview With a ThreatModeler Research Engineer

What does a Threat Research Engineer’s day look like?

My day usually starts at 9 am when I wake up. Since we have been working from home, I turn on my computer, and take a quick look at emails to check if there is something pressing or new. If nothing has come up in my inbox, I go to my daily tasks that I get assigned via Jira, which integrates with ThreatModeler.

I am usually working on the threat library, building content, and cleaning it up. Most of my time during the day is spent sorting out the library – also known as the Threat Intelligence Framework – and doing extensive research. My job requires research because it is about mapping the threats and coming up with requirements to mitigate those threats, so that is pretty much how my day goes. I get done around 5 pm – 6 pm depending on the load of work.

We have some CAPEC libraries, which are managed by MITRE. They keep updated with threats and mitigation steps. Then, we link this content to our component data by creating context. There might be some recent events where a large company was breached. When we learn how a vulnerability can be exploited in such a way, we bring that context into the platform.

Can you explain a real-life scenario where you conducted threat research?

I like playing video games. Electronic Arts (EA) makes FIFA games that I really enjoy. Recently the EA servers were attacked with distributed denial of service (DDoS). For approximately 24 hours, their servers were down. That’s a disruption of services for a day.

When I went to play and wasn’t receiving the service, I asked, why isn’t online gaming coming up? What’s happening? Once resolved, EA issued a tweet announcing what happened and that FIFA was not the only game affected.

I started researching more about DDoS attacks, to learn about the possible entry points. I figured out that DoS attacks are everywhere and can happen anywhere; there’s no specific entry point. It’s very tough to mitigate such an attack. In DoS, the servers are bombarded with multiple requests, the DoS requests and actual requests from users. The server just collapses. It just goes down. What we’re seeing is with the remote workforce, there are more gamers, expanding the attack surface, making organizations more susceptible.

Now that we have AI, we can recognize DoS attack patterns. Organizations use network firewalls or monitoring tools. If they have AI and ML capabilities, they can identify the traffic patterns, block malicious attacks and avoid DDoS. Combine both tactics to prevent, mitigate or at least delay DDoS.

In my research, I began to realize the need for a playbook, which would be more of a protocol for if you’re attacked. I just started creating a DDoS playbook that contains:

  • Rules set up in your firewall.
  • Mitigation steps, which are protocols that you activate when you realize you’re having an attack.

A mitigation step example is something called rate limiting. In a second if there are tons of requests from the same source, you don’t process the requests. You limit them. This would automatically reduce your attack surface and the likelihood that the DDoS would succeed.
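The per-source rate limiting described in this answer, as an added example that is not part of the interview or ThreatModeler's own code: a sliding-window limiter replayed over constructed traffic. The class and function names, the limit of 10 requests per second and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque


class PerSourceRateLimiter:
    """Sliding window: at most `limit` accepted requests per `window_ms` per source."""

    def __init__(self, limit, window_ms=1000):
        self.limit = limit
        self.window_ms = window_ms
        self._accepted = defaultdict(deque)  # source -> timestamps (ms) of accepted requests

    def allow(self, source, now_ms):
        q = self._accepted[source]
        # Forget accepted requests that have aged out of the window.
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: drop without processing
        q.append(now_ms)
        return True


def replay(requests, limit, window_ms=1000):
    """Feed (timestamp_ms, source) pairs through the limiter.

    Returns {source: [allowed, dropped]}.
    """
    limiter = PerSourceRateLimiter(limit, window_ms)
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(requests):
        stats[src][0 if limiter.allow(src, ts) else 1] += 1
    return dict(stats)


def constructed_traffic():
    """Constructed sample (documentation addresses): 3 seconds of traffic."""
    reqs = [(i * 5, "203.0.113.7") for i in range(600)]          # 200 req/s from one source
    reqs += [(i * 500, "198.51.100.20") for i in range(6)]       # ordinary client, 2 req/s
    reqs += [(100 + i * 1000, "198.51.100.21") for i in range(3)]  # ordinary client, 1 req/s
    return reqs


if __name__ == "__main__":
    for src, (ok, dropped) in replay(constructed_traffic(), limit=10).items():
        print(f"{src}: allowed={ok} dropped={dropped}")
```

The limiter keys on the source address, so it only bites when the excess comes from a small number of sources; traffic spread thinly across many sources stays under each source's budget and needs the other playbook items (firewall rules, traffic-pattern detection) as well.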

What are some of the challenges you face as a threat researcher?

Since the cybersecurity industry is constantly changing, there are new threats each day and new techniques attackers use to exploit these threats, so one of the challenges I usually face in this job is to keep up to date with all the new changes in the industry.

In addition, there are other standards, such as compliance standards, which come with all of the updated requirements to mitigate or help fight all those threats, so it is really tough to keep up-to-date with such an ever-changing industry.

What are the perks of your job?

I think the challenge, which I mentioned before, is probably the biggest perk of my job. With a growing and changing industry like cybersecurity, I get to learn a lot, and if you are into reading then that is definitely one of the perks. There is a lot of innovation, even for the attackers; they discover different pioneering ways to infiltrate and attack your systems, so it’s quite interesting to understand how they think and then find mitigation steps to confront these attacks. There is a lot of innovation, a lot of research and a lot of learning.

What are the benefits of using ThreatModeler over other tools?

First of all, ThreatModeler is more like a diagramming tool, but merged with a threat engine. So usually, the traditional way to threat model is to whiteboard everything based on your architecture; other platforms have people get together to figure out where the attack points are and what threats may be applicable. ThreatModeler’s threat engine does that automatically for users.

They come into the platform, build the architecture diagram (which they can choose from pre-built diagrams) and the threat engine tells them where the attack vector (entry point) is, plus what threats and requirements they need to have in place for mitigation. The ThreatModeler platform is extremely easy to use. It’s a user-friendly tool, so I think that is something that makes it better than any other threat modeling tool.

How long does it take to build a threat model using ThreatModeler?

An average of 60-90 minutes.

What makes you succeed at your job?

It is basically my willingness to learn. I have said this many times, but with cybersecurity, many things are constantly changing and that includes threats. There are a lot of new threats each day, so I am constantly learning new things and that is something that I believe makes me succeed at my job.

ThreatModeler: a Leading Automated and Scalable Threat Modeling Tool

A self-service threat modeling solution that accelerates Agile sprint development is critical for organizations to secure their SDLC practices accurately, consistently and at scale. ThreatModeler follows the Visual, Agile, Simple Threat modeling methodology, which is built upon the three pillars of automation, integration, and collaboration. The VAST methodology not only manages risk, it also creates significant payoffs.

For a decade, ThreatModeler has driven automated threat modeling that takes the guesswork out of what was typically a manual, time-consuming activity. And now, with ThreatModeler’s Joint Offering with AWS, CDLC teams can automate and accelerate the design of secure AWS cloud environments. If you would like to see scalable threat modeling in action, contact our team and schedule a live ThreatModeler presentation.