A day in the life of a threat researcher

Thoughts of security fill almost every minute of senior threat researcher Ryan Benson's day.

After leaving security intelligence platform provider Exabeam at the end of the workday, Ryan Benson’s mind doesn’t shut off when it comes to thinking about designing new defenses against black hats. He heads to the gym to work out, still with his mind on security. He sits down to dinner with his wife Kelly ... to keep the family life happy. We’ll say he takes a break from security at this time.

Once family time is done, he is back at it. Many nights, he does a lot of research/blogging on browser forensics and maintains an open source tool (Hindsight).


But much of the 31-year-old senior threat researcher's day is spent working out how to stop bad guys from taking down Exabeam’s network or taking over the internet. With such dedication, we thought we’d trace a day in Benson’s life to illustrate the strains he faces daily.

He has been at Exabeam for a year now after starting his career as an intern at the FBI’s Silicon Valley Regional Computer Forensics Lab (SVRCFL) from June 2008 to August 2008 while he was still in school getting his Bachelor of Science in Computer Engineering. He has also held positions at Kaiser (as a senior information security engineer), Mandiant (as an incident analyst and operations lead) and Stroz Friedberg as a manager of digital forensics. (He held an incident response role there as well.)

We’ll skip the minute-by-minute mundane activities of waking up, eating breakfast, brushing his teeth etc. as he leaves his San Mateo, Calif., home for Exabeam.

He has no typical day. It changes depending on the project, but for the past six months he has been mostly working on Exabeam’s incident responder product, developing playbooks (ways of responding to types of incidents) and actions (Python scripts that do discrete tasks).

“I have a unique background at Exabeam in that I’ve been in the positions of the analysts that would be using this product, so I get to drive a lot of how it is designed and functions to make it a tool I would want to use,” Benson said.

Previously, Benson has worked on other research projects, including finding early warning signs that an employee is planning to leave a company, researching changes in the new Apple File System (APFS), and dissecting a wide range of ransomware families for commonalities that can aid Exabeam’s products in detecting them. All the while he is also involved in any internal security issues that may arise.

Right now he is working on a presentation for the SANS DFIR Summit called “Deciphering Browser Hieroglyphics”.

Why did he get into this field?

Benson was at the University of the Pacific studying computer engineering when he got the bug for the computer security field. A requirement of the engineering school was that all students complete internships, and to facilitate that, the school invited a variety of companies to campus to interview potential interns.

“One of the companies was a small, local computer forensic consulting firm. I went into the interview not knowing a whole bunch about computer forensics, but came out of it very interested and ended up doing an internship with them in 2007. Up to that point, I didn’t really know what I wanted to do with my computer engineering degree, but the more I was exposed to digital forensics, the more I was certain I’d found my niche,” he said. “I liked the combination of needing technical knowledge, solving puzzles and trying to understand (and prove) what another person did. Many other engineering problems are about solving some abstract problem or making something more efficient. I like that at the core, I’m trying to figure out what a person did.”

Some of the most notable incidents he responded to came when he was working at Mandiant on their MCIRT team, right after they released the APT1 report. He and his team provided services for a number of high-profile companies that were battling APT intrusions. “It was very exciting to be combating a threat that was in the national spotlight and be privy to all sorts of details months before the public,” he said.

Another project he was proud to be a part of came when he was at Stroz Friedberg, where there were several intellectual property theft disputes. One case was Cisco v. Arista, which was a dispute between the two companies regarding patent infringement. Benson performed forensics and data recovery on networking gear to investigate some of the allegations, and testified about it before the International Trade Commission in Washington, D.C.

When asked what advice he would give to those aspiring to come into the field, he suggested reading the many good books, blogs and conference videos online that cover pretty much every facet of DFIR. “Dive into that topic. Replicate what the author did, see if you can verify his or her findings, and maybe pursue a slightly different approach to it. Even if you come back with the same conclusion as the author, you will pick up valuable skills in the process by getting your hands dirty,” he said.

He also recommended starting a blog or writing a white paper. “A huge part of DFIR is communicating to your client (whether that’s a lawyer, a corporate client or your manager) what you did and what you found. When you are just starting out it is important to show that you can articulate your process and findings, even if the level of your analysis is fairly basic,” Benson said. Demonstrating that you have good communication skills can get you a foot in the door, even if your technical skills are still under development, he said.

…And then his head hits the pillow, and we can only guess he dreams of ways to outmaneuver black hats.
