Behind the scenes: A day in the life of a cybersecurity “threat hunter”
Here’s how one security operations analyst, an expert at incident reporting, began her career, collaborates with her colleagues and prioritizes incoming threats.
Twenty-six-year-old Cherlynn Cha, born and raised in Singapore, thought cybersecurity was “so cool” as a teenager. “The good guys get the bad guys,” she said, “or help each other using cool, cutting-edge technology.”
Cha attended the National University of Singapore and studied computer science with a focus in cybersecurity, where she learned “the theory behind all of the things we take for granted.” She first got a security job in a consulting firm, where she worked in identity and access management, then she worked at a bank, as a security operations center analyst before landing her current job, as a “threat hunter” at ExpressVPN.
Essentially, her role is to “look for threats to the environment, and we try to contain them. So it’s going to be things like trying to detect and stop phishing attacks or investigating suspicious activity, or hunting for potential attacks,” she said.
Cha took the job both for learning opportunities and because she “wanted to make a difference,” she said. “I wanted to contribute to something that, I guess somebody could stand for, something that I believed in.”
Working at ExpressVPN is helping her expand her skillset. The nature of the company matters too: it “really cares about the privacy and security of the customers,” she said. “If I’m contributing to the security of that, something I look for as a consumer as well, and as an employee, I’m contributing to something that I believe in.”
Her role at ExpressVPN involves triaging and investigating potential security events.
On a typical day–she has been working from home in Singapore since the onset of COVID–Cha could start anywhere from 9 to 11 am. “Normally I start by checking my emails in case there are any urgent requests coming in, and then I check if we had any overnight requests that came in from other teams because we also help other teams to complete their request,” she said. When another team requests it, she’ll take a look.
On a high level, Cha works on improving security controls, “looking at what controls, what security detections that we have currently, and thinking of how we get better,” she said, which can include reviewing existing rules, building new rules, or implementing new security features. Her day-to-day responsibilities include investigating suspicious activities such as phishing attacks or malware downloads.
In addition, there are long-term projects–things like implementing new detection features, for instance. “We want to add a new kind of information as telemetry to help in detecting potentially suspicious activities,” she said.
Anything can come up, of course, and whenever an urgent situation arises, such as a potential attack, “we’ll have to quickly search to prioritize the new event depending on the severity of it,” Cha said. The team is highly collaborative, she said, which is a highlight of the job–even in the current remote-working environment–and there’s a lot of “skill sharing, knowledge sharing sessions across the company.”
Cha participates in this, herself, by giving internal presentations to make sure that employees continue to keep a “security mindset.”
Cybersecurity is a very broad field, with many areas to specialize in. If the team needs information in a particular area, “we just ask someone else in a team who’s an expert,” Cha said. Her expertise is incident reporting: “reacting to, responding to, potentially suspicious activities. And determining if they’re suspicious, determining the impact and also limiting impact events.”
In terms of longer-term systems, Cha said that’s one of the most exciting parts–embarking on new systems, new architecture. She loves working with teammates and sharing ideas. Another continual focus is automation–how to automate anything that they can.
As far as her own entry into cybersecurity, and what it may hold for the future, there is no “one generic route” to a cybersecurity career, Cha said. Instead, “there are many, many paths–even within security.”
“I think there’s a misconception that it’s just this one career path,” she added, “which is not accurate.”