The ever-increasing number of high-profile criminal hacks is creating opportunities for ethical (i.e., “white hat”) hackers. This recent spike in the hacking and selling of corporate secrets is due to a combination of factors—but it’s also unsurprising to anyone who works in tech. Even in 2017, with large-scale breaches on the front page seemingly every week, less than one-third
of corporate networks are free of exploitable vulnerabilities. Couple that with the widespread availability of hacking tools for sale on the dark web
, and it’s clearly easier than ever to find ripe targets for exploitation. (The dark web, which are sites not indexed by Google, are usually accessible via a Tor
browser, which shields users and transactions.) Although the FBI has pursued criminal hackers for decades, many of the latter work outside the U.S., putting them beyond the bureau's jurisdiction. Nonetheless, the agency has brought some high-profile players to justice, includinh Silk Road’s Ross Ulbricht
. In an attempt to plug the security gap, startups and security firms have begun patrolling the dark web, looking for malicious patterns and making connections between players. Sometimes these companies partner with law enforcement to uncover clients’ stolen information. The key tech pros in such efforts: cybercrime intelligence analysts, junior intelligence analysts, and data scientists. What kind of background do security professionals need for these roles? It’s surprisingly varied, and often involves more than just technical skills. “Because the deep and dark web is vast, multifaceted, and facilitates the operations and threatening campaigns emanating from countless malicious actors and exclusive underground communities, most of our analysts have unique skill sets that support different aspects of this process,” said Talie Schwager, Head of Talent Acquisition at Flashpoint, which handles business risk. Flashpoint, founded in 2013, is one of a handful of fast-growing companies in this relatively new space. It searches the dark web for clients’ data—whether names, email addresses, or other vital information. Another company, Recorded Future, collects and analyzes intelligence from technical, open, and dark web sources. It boasts of using a proprietary artificial-intelligence (A.I.) platform in that effort, although it also leverages the creative minds of its analysts. Software can scan structured and unstructured text; but it often takes a human to make sense of it all.
These companies take a holistic approach to evaluating job candidates. Many don’t insist on “firm” education or certification requirements. Indeed, many employees come from nontraditional backgrounds; one analyst might prize his liberal-arts education, while another might fall back on her background in law enforcement. Many of these tech pros have government experience of some sort, although that’s not a prerequisite. All that being said, those who want to hack ethically find the following certifications useful when hunting for a new job:
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- Certified Information Security Manager (CISM)
- Any related certifications
When it comes to security and the dark web, it’s not just about technical skills; soft skills such as teamwork are also essential. The lone wolf staring at the Matrix cannot exist in this environment; with that in mind, when applying for a job with a security firm, expect a long interview process to test if you are a fit for the company culture
. These companies look for candidates with an insatiable curiosity, who are always asking “why?” and trying to connect (and re-connect) the dots. Such curiosity often makes these tech pros very proactive. “The default DNA,” Schwager said, “is passion, commitment, intellectual curiosity, humility, flexibility, and empathy; so candidates should be prepared to demonstrate how they emulate these characteristics.” Many threat analysts have a military or government background (which also means that an agency has probably vetted a candidate at some point), which confers an additional benefit: if the company must interact with an agency or department such as the FBI, they have an understanding of the procedures, process, and often the people involved. While Google Translate and other, similar services have improved engineers’ ability to understand the conversations of foreign hackers, they are not a substitute for speaking a foreign language. Translation services often overlook context and syntax, and this kind of detailed work requires an ability to spot a coder’s dialect and local idioms. A sampling of sought-after languages: Russian, Romanian, Spanish, Mandarin, Japanese and Korean. Make no mistake: to work these positions, you’ll need a strong technical background—from understanding the IP stack to mobile and even satellite technology. But don’t forget the omnipresent need for soft skills and analytical thinking.