Cyber security researchers work hard to keep the digital world safe, but every once in a while their own physical security is at risk. Anyone who has been in this field long enough has stumbled upon stories of infosec professionals receiving threats or has experienced incidents themselves.
A security expert who wanted to remain anonymous to protect his family said that "several people focusing on cyber crime have received death threats" in the past few years, and some of them even decided to fly under the radar or move to do other things. They don't want to put their loved ones at risk "because dad is a security researcher and attracts bad guys," he said.
On infosec Twitter and at conferences, researchers share incidents and talk about ways of protecting themselves in these situations. They say calling the police or the FBI hardly helps.
"I want to tell you to go contact federal law enforcement, I want to tell you to go contact a local police department, but from what I've seen, it does nothing," said security expert Matt Smith of Citadel Lock Tools. "It can take months to get an arrest in for a single incident, let alone that person being at large for a rather long time."
While a few researchers wear these threats as a badge of honour, most of them do everything in their power to stay safe.
They minimise their digital footprint, run background checks on every unknown person who approaches them through social media, use post office boxes instead of addresses, and refrain from posting anything online that might link them to their families.
With the recent rise in ransomware and the escalation of geopolitical tensions between Russia, China, North Korea and NATO, the job of at least some infosec professionals tends to become dangerous. "I don't know if it's gotten worse, but I can say it has not gotten better at all," said Ronnie Tokazowski, principal threat advisor at Cofense.
Increasing threat to researchers from ransomware groups
Cyber criminal groups are having a terrific year so far. The number of ransomware attacks is at an all-time high, and the average payment has exceeded $900,000.
Moreover, the timid cooperation between the U.S. and Russia to curb the phenomenon appears to have stopped after Russia invaded Ukraine and the West responded with sanctions. A few weeks ago, the case against alleged members of the REvil hacker group "reached a dead end," according to Russian newspaper Kommersant.
"A lot of these ransomware groups live with a sense of impunity," said Allan Liska, intelligence analyst at Recorded Future. "As long as they don't leave Russia, there are literally no consequences for all the bad stuff they do. So, they can be bolder and brasher and have the cover of the Kremlin to protect them."
As Liska put it, this kind of protection has allowed gangs to do "some pretty vicious things" to security experts over the years. While he personally hasn't received any direct threats, he's heard about such incidents, particularly when infosec professionals engaged on a personal level with criminals.
"I know that in at least one case, the ransomware group threatened a researcher's child," he said.
There were situations in which cybercriminals learned where security experts lived and gathered information about every family member. Then, they posted that information on underground forums, inviting other people within their community to target them.
Liska notes that gangs tend to work together and share information more than they did a few years ago. "They have extortion sites; they have the ability not only to post information about victims but also spout off whatever's on their mind," he added.
In recent months, cyber criminals have also become more aggressive, with potential effects on the safety of the researchers. One example is the Conti group, which targeted dozens of organisations in Costa Rica and prompted president Rodrigo Chaves to declare a national state of emergency. The hackers announced they aimed to overthrow the government, an unusual goal for a ransomware gang.
This unprecedented attack "marks a new escalation in ransomware activities," said Lauren Zabierek, executive director of the cyber project at Harvard Kennedy School's Belfer Center. "If they see they can hold an entire country hostage and extort a ransom with impunity, that's going to make the environment more permissible."
To Liska, incidents like these prove that the lines between ransomware groups and nation-state actors are becoming more blurry. Still, nation-state actors are a lot more resourceful, including when targeting security researchers, and their threats can be more subtle.
For example, there have been instances where experts who traveled to conferences had their rooms checked or received small presents suggesting they stop their investigations.
Individuals working for nation-state actors also target infosec professionals on LinkedIn, Twitter, Telegram, Keybase, Discord, email, or other channels, sometimes claiming they want to offer consulting jobs or collaborate with them on vulnerability research.
In January 2021, Google's Threat Analysis Group found that North Korean hackers pretended to be cyber security bloggers and sent a Visual Studio Project to security experts.
"Within the Visual Studio Project would be… an additional DLL that would be executed through Visual Studio Build Events," Adam Weidemann wrote on Google's blog. "The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains."
Weidemann and his colleagues also discovered that a few researchers had been compromised after visiting a link sent by these North Korean hackers.
"If you are concerned that you are being targeted, we recommend that you compartmentalise your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research," Weidemann wrote.
The story did not end there. In November 2021, Google announced that North Korean hackers also claimed to be recruiters at Samsung, sending PDFs detailing job opportunities with the actual purpose of installing a backdoor Trojan on researchers' computers.
Hunting bugs and receiving legal threats
Threats are not limited to infosec professionals investigating state-sponsored groups or ransomware gangs. Bug hunters and experts in physical security can also be targeted, sometimes by the same organisations they try to help. It happened to lockpicker Matt Smith on a couple of occasions.
"The first time I was working on a lock independently, and the company learned about it," he said. "They went to great lengths to try and find me and sue me, including threatening a subpoena to an online forum to give up my IP address."
The second time, though, it was much worse. Smith received a physical threat.
"I was working on Abloy Protec II, and one of their American dealers got very angry that his most secure lock could possibly be vulnerable," he recalled. "So, he started sending me abusive emails demanding that I tell him what I was doing. When I didn't reply with the answers he wanted, he threatened to 'have me sorted out' and 'didn't care how much money it cost.'"
Some of the emails Smith received were particularly brutal. "He was sending me screen grabs of my face from online talks and photos from Google Earth of the street where he thought I lived. It wasn't right, but it was close enough to be a worry," he said. Smith never replied to that person and changed his email address.
Bug hunters also must learn to navigate threats.
"Although the reactions you get are usually unpleasant, the longer you work in this industry, the more you get used to those," said Tom Van de Wiele, principal technology and threat researcher at WithSecure.
Working in this field has made him "more cautious," and it has also taught him "to be better prepared to hunt down and discover even bigger issues, what language to use considering the target group," and how to align his expectations depending on the company he deals with.
Often, bug hunters are intimidated by organisations that threaten to sue them. One way to bypass that is to build detailed reports. When writing about the impact of the vulnerability, researchers should start with the technical risk, then translate that to business risk, and add who might be impacted. Van de Wiele said that researchers should also show that no laws have been broken in the process.
"Above all: make sure you can offer different mitigation paths and recommendations to rectify what it is you discovered," Van de Wiele added.
"It is easy to end a whitepaper or report with 'fix it' and to resort to outrage-as-a-service on social media. It is better to think along with the company that is affected on how they can soften the blow right now short-term while thinking about more long-term solutions on how to bring down the risk to a non-issue."
Protecting the security research team
Working in cybersecurity often means taking some risks. "It's the nature of the beast or the nature of labor," as Cofense's Tokazowski puts it.
Some security experts have to walk a fine line between protecting their families and publishing research under their name. It is why companies doing sensitive work, such as tracking terrorist organisations, may decide not to include the researchers' names in the reports they publish.
Security researchers try to learn from each other and constantly upgrade their defence. Realistically, though, there's not much they can do. "It's tough because, for individuals, it doesn't seem like there is much recourse, other than going to the police or FBI to report the crime," said Harvard Kennedy School's Zabierek.
"There are groups like the Cybercrime Support Network geared toward helping individual victims of cybercrime, and it would be great if they could receive institutional support to scale their activities to help people across the U.S."
Companies that want to do that to protect their employees should constantly make sure that their internal security practices are up to date. They should also plan for worst-case scenarios, having procedures in place for situations in which one of their employees is targeted.
These should be based on multiple threat models, taking into account the work each internal team does. Teams can receive checklists for these kinds of situations, which list things to do and not to do, and people to call. Of course, these procedures must be revised from time to time and tested whenever possible.
Securing homes and offices
Infosec professionals are well versed when it comes to digital security and their equipment. Some walk the extra mile and avoid sharing any personal information online. Others, like Smith, only post fake information on their social media profiles.
"You need to make sure that you're taking whatever the proper precautions are to protect your house, your family," Liska said.
In addition to online security, infosec professionals also must pay attention to physical security. Smith suggests having several rings of security: fences, walls, strong doors, and even internally lockable doors. "I use locks I can't force/pick, doors I can't bypass, and keys that are hard to copy," he said. "Even if someone can access my keys, the blanks are restricted, so they are harder to copy."
Among the locks he recommends are ASSA Twin, EVVA MCS, and Abloy Protec II, which he considers to be the most secure. Still, even these can be beaten. "But if your adversary is capable of opening these without the key, then you are in a lot of trouble," he said.
The door itself needs to be solid, too. It has to have a sturdy frame without gaps at the bottom or round edges to prevent things from getting inside the home.
"The hinges on a door are a weak point, so it is best to have them on the inside," Smith added. The researcher also recommends using an external letterbox instead of a slot for mail embedded in the door because it could give an attacker access to the rear of the door.
In addition to a solid multipoint locking door, homes and offices should also use CCTV. "Make sure it is wired, not wireless, because jamming or just throwing deauth packets at devices can stop them working," Smith said. "The same with alarm systems. Wired, always. Alarm sensors need to be properly installed because many alarm companies leave blind spots."
According to the researcher, the wiring for CCTV and alarms needs to be inaccessible from the outside, and the CCTV recording box should backup everything to the cloud. "If possible, give CCTV access to more than one person, so that there is redundancy in case of an incident," Smith said. The best systems check communications periodically and issue an alarm if comms go down.
A few other things to consider: Pay attention to security lighting, which should be sensor-driven. Use a post-office box so that your address is harder to trace, vary when you leave the house to make your movements less predictable, and be nice to your neighbours so that they will alert you if someone is entering your house.
How far a researcher should go to protect their home depends on their work and the risk levels they are comfortable with. "Everybody has to measure their own risk and take the appropriate precautions," Liska said.
Still, more should be done to support infosec professionals and allow them to carry on with their work. They "need to have confidence that the government can help protect them or help them recover from these threats," Zabierek said.