Hijacking HijackThis

Long before endpoint event logging became the norm, it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc. Antivirus companies, and later sandbox companies, had tons of such metadata, but an average Joe could only dream about it.

This is where HijackThis came into play. At a certain point in history, lots of people were using it and were posting its logs on forums – for hobbyist malware analysts to review. And since a HijackThis log has a very specific ‘look and feel’, it was pretty easy to parse it. And to find it.

In order to collect as many logs as possible, I wrote a simple crawler that would google around for very specific keywords, collect the results, then visit the pages, download them to a file, and parse the result. Each session would end up with a file like this:

[Processes - Full Path names]
[Processes - Names]
[Directories]
[All URLs]
[Registry - Full Path names]
[Registry - Names]
[Registry - Values]
[BAD URLs]
[CLSIDs]

There are plenty of uses for the collected data. One of the handy ones back then was a comprehensive list of CLSIDs: knowing these, you could incorporate them into a simple binary/string signature and search for them inside analyzed samples. If a given, specific CLSID was found, it was quite easy to ID the sample’s association or at least some of its features. Another interesting list of artifacts is rundll32.exe invocations. There are many legitimate ones and it’s nice to be able to query them all and put them together on a ‘clean’ list. Of course, URLs are always a good source for downloads, and directories and paths, as well as registry entries and process/service lists, are handy for generating statistics on which paths are normal and which are not. Such a list of ‘known clean’ artifacts could be a foundation for a more advanced version of Least Frequency Occurrence (LFO) analysis. And even browsing file paths is an interesting exercise in itself – for example, it allowed me to collect information about many possible file names of interest (f.ex. those that could be used in anti-* tricks).

I had a lot of ideas around that time on incorporating these research ideas into my forensic analysis workflow. For instance, if we know certain paths are very prevalent, it makes sense to exclude them from analysis. The same goes for other artifacts. And a twin idea from around that time was filelighting – it’s common for software directories to include a list of files that are referenced in at least one of the other files. That is, if I find a file foo.bar inside a program directory, there is a high probability that at least one of the other files – be it executables, or configuration files – will reference that foo.bar file! It actually works quite well. The main deliverable of this idea was that if we can find orphaned files, they are suspicious. And, from a different angle, if we know what clusters belong to what software package, we could use that tree of self-referencing file names to eliminate them from analysis.
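The filelighting idea described above, written out as an added Python sketch that is not the author’s tooling: a constructed in-memory ‘program directory’ is scanned for files that no sibling file mentions (names are matched as ASCII or UTF-16LE strings, since PE binaries store them either way), and those orphans are returned as review candidates. The file names and contents are constructed for the example.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample "program directory": file name -> file contents.
# A real run would read the files from disk; everything here is in memory.
SAMPLE_DIR: Dict[str, bytes] = {
    # setup.exe mentions helper.dll as a UTF-16LE string and app.ini as ASCII
    "setup.exe": b"MZ\x90\x00" + "helper.dll".encode("utf-16-le") + b"\x00reads app.ini\x00",
    "helper.dll": b"MZ\x90\x00",
    "app.ini": b"[main]\nexe=setup.exe\nplugin=plugin.dll\nlog=app.log\n",
    "plugin.dll": b"MZ\x90\x00",
    "app.log": b"started\n",
    "svchost.exe": b"MZ\x90\x00",   # nothing in the directory refers to this file
}


def references(contents: bytes, names: Iterable[str]) -> Set[str]:
    """Return the subset of `names` that appear in `contents`, case-insensitively,
    as either plain ASCII or UTF-16LE byte strings."""
    haystack = contents.lower()          # bytes.lower() only touches ASCII letters
    hits = set()
    for name in names:
        needle = name.lower()
        if needle.encode() in haystack or needle.encode("utf-16-le") in haystack:
            hits.add(name)
    return hits


def filelight(files: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Build the referrer map: file name -> set of *other* files that mention it."""
    referrers: Dict[str, Set[str]] = {name: set() for name in files}
    for src, data in files.items():
        for target in references(data, files):
            if target != src:            # a file naming itself is not evidence
                referrers[target].add(src)
    return referrers


def orphans(files: Dict[str, bytes]) -> List[str]:
    """Files that no sibling references: the 'orphaned, hence suspicious' set."""
    return sorted(name for name, refs in filelight(files).items() if not refs)


if __name__ == "__main__":
    for name, refs in filelight(SAMPLE_DIR).items():
        print(f"{name:12s} referenced by: {sorted(refs) or '-'}")
    print("orphans:", orphans(SAMPLE_DIR))   # expected: ['svchost.exe']
```

An entry-point executable is often referenced only from outside its directory (a shortcut, a Run key), so orphans are review candidates rather than verdicts.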

Times have changed, of course, and while these ideas may still have some value, reality is that we live in a completely different world today.

In the end, I cannot say the database helped me a lot, but it was an interesting exercise, and since the data is quite obsolete by now I decided to drop its content online. It’s not a very clean data set, mind you. You will find parsing errors, some HJT logs were truncated, some contained non-English characters, etc. Still, maybe you will find some use for it. Good luck!

Download it here.

Infosec Salaries – the myth and the reality

Update 3

If you want to know more about salaries at FAANG and all over the world look at the following resources:

Update 2

tl;dr

If you work for FAANG and live in the richest part of the US, or are uniquely positioned elsewhere, you can make 450K/year, and some make more than that. But this is an exception on a global scale. If you want to make this money, make every effort possible to join these companies and relocate. Outside of these privileged areas, optimize your salary negotiations for base salary, because it’s the only solid income you can rely on, and the higher you start, the easier it becomes to negotiate higher salaries in the future.

Update

The term total compensation is used here quite loosely. From experience, even recruiters are often not clear (or honest) about what that means exactly, and they often bundle different numbers and perks together in order to close the deal, without thinking of it in terms of ‘what you take home, annually’, as they should. As edx pointed out on Twitter, the RSU grants may need to be much higher to make that 450K total comp annually work. I am leaving the numbers below as they are, but bear in mind the calculations may need to be adjusted, and the new values may shift your decision-making process quite a bit. In any case, it really is a must to understand the numbers you are presented with before you sign the deal. Note that as far as I know no company would ever promise grant refreshers annually. It’s all at their discretion (which is fair, as they can’t predict the company’s performance and make promises that may cost them). So you may get a nice first grant, but no refreshers. Approach all promises with skepticism: unless it’s written and presented to you as a formal offer, it doesn’t exist.

Old post

Every once in a while someone drops a salary bomb discussion on social media and the speculation follows. The salary bomb value du jour is the mythical 450K USD that some claim is pretty much ‘a standard’ pay in infosec. The other line I keep hearing repeated is ‘200K is the new 100K’.

Of course, these claims are both… only selectively true.

As the real estate agents like to repeat – the most important thing in real estate is…

Yes!

Location. Location. Location…

It works in cyber security too. If you work in the Bay Area, New York, tax-free, low-tax, or high-personal-risk countries, you may score that high, and higher, but most of the people in this industry simply do not earn that much.

For instance, London is a really expensive place, and the 2022 Barclay Simpson Salary brochure offers us the following salary guidance for Cyber Security leadership in the UK:

These are salaries of Directors, VPs, SVPs, Partners. And these are already very high salaries in the UK, yet far from that mythical 450K USD (345K GBP). I doubt any of the EU countries come any closer, to be honest. And if they do, this is probably because their taxation system is even harsher than in the UK, so they have to give more, so… they can take more away. And Asia, South America, Africa, Australia are really FAR behind. Yes, Singapore and Hong Kong pay well, you can get a break in Riyadh, Abu Dhabi, Dubai, or warzones, but hey… we are talking ‘global normal’ here.

The devil is in the details. Of course.

The mythical 450K is not a base salary, but total comp, aka total compensation. It’s extremely difficult to evaluate what that even means without a breakdown of its components. And these may vary. For instance:

  • The base salary could be 150K USD
  • The Restricted Stock Units (RSU) granted to the employee could form another 300K. (Note: these are usually vested over a period of 4 years; you get that whole 300K only at the end of the 4th year of working there; of course, grant refreshers are a thing too, so keep on reading.) (As per the Update at the top of this post: make sure that when you are presented with a total comp figure it covers RSUs per year, not per 4 years, that you understand its vesting scheme, and ask about annual refreshers.)

That is a simple scenario though. Many companies include various perks f.ex.:

  • (performance) Bonus – say.. 1-40% of the salary, annually; subject to grade, negotiations
  • Car Allowance – varies, subject to grade, negotiations
  • Sign-on bonus – subject to grade, negotiations
  • Early RSU vesting – subject to grade, negotiations
  • Annual RSU grant refreshers – depending on the company
  • Relocation support – aka relo package (if you move countries it tends to be very expensive, so having f.ex. a visa service, 1 month of accommodation, and help with searching for a property you want to rent can really be a savior; higher grades get support with more exotic demands, f.ex. I heard of employees moving their horses between countries and companies paid for it!!!)
  • Stock Options – usually available for everyone joining
  • OTE (On-Target/On-Track Earnings) bonus – typically in a sales-ish, consulting-ish function – depends on the company
  • Various Upsell bonuses – as above
  • Pension contribution matching schemes – typically for all employees
  • Medical / Dental – typically for all employees (especially important in US, but it’s a great perk)
  • Access to gym and similar facilities – typically for all employees
  • Many Discounts / Corporate Deals / Corporate shops – typically for all employees
  • and many others

Unless you have that broken down on a paper you can’t even properly compare two different 450K offers! Details really do matter.

Now… imagine you are on a $170,000 base salary job today. Say you are just past the end of your first year of employment, with the first 1/4 of your grant already vested: say $100,000 in RSUs, vested over 4 years (your total comp could be seen as $270,000). Over a year you got $170,000+$25,000=$195,000. What if someone came over now and said to you: I will hire you for $450,000 total comp (update as per the intro: make sure the total comp calculation includes the ‘annual’ RSU intake, not per 4 years). What would you say?

Yes, you would ask for details first!

The number is high, so it’s most likely that a big part of this number will be RSUs. What about… $100,000 base salary and $350,000 in RSUs grant (with a standard setup that you need to work for a year before vesting starts, so you get 1/4 after a year, and then grant’s 1/16 will be released every quarter)?

A knee jerk reaction is to accept it. You can’t go wrong with this, right? It’s nearly 2x more than what your total comp is today!

The devil is in details again…

You are currently taking $170,000 in paychecks home, plus you just got your first 4 batches of 1/16 of the RSU grant vested at the end of the first year, plus you are promised a quarterly bump from the RSUs that continue to vest, plus there are grant refreshers.

In a new job, you will only take home $100,000 and have to wait for a year before you can get your first 1/4 of the grant vested. That first year will be a hell of a financial and emotional roller-coaster. Let’s name it: lower monthly salary, stress of being made redundant (trust me, many people experienced it, and this means you won’t see any of the RSUs monetized!), plus a lost income of $70,000 coming from a reduced base salary, and finally a loss of the grant(s) from your old employer that would surely have vested every quarter as they did so far!

That’s a very high risk right there! Are you ready to take it?

There are other variables in this puzzle.

Many companies offer RSU refreshers. They usually happen every year and while they tend to be lower than the original ‘hiring’ grant, they still offer a certain comfort of stability. As long as you continue working for the same employer, the annual refresher acts as a nice carrot and is a great preventative control against people abandoning the ship. It is, in fact, a very successful preventative control against employee attrition. I literally know people who talked to me over 10 years ago about leaving the company we both worked for, and today they still work there. Too scared to make a move. Actually, not scared, but too comfy! RSU refreshers alone, if you are lucky, can make you a millionaire.

So… be very careful. Unless you can go to a new employer and negotiate a good deal where they take over your current vesting scheme, give you a solid sign-on bonus, and perhaps add a clause to your contract that under any circumstances you won’t be the loser in the ‘unlikely’ event of things going south within the next year…

How many people can do it though? Even if the market is good for employees, only a few can go and dictate the terms of their employment contracts. There is a very high chance we are not them. So… we may want to choose options that are a bit more predictable and controllable.

In my view, it’s always better to optimize for a better base salary. It keeps you safe, makes you less paranoid about your company’s stock price (believe me, it is VERY destructive to your soul when you end up checking the stock price every single day, multiple times), and in any case… and this is really crucial… gives you a MUCH better negotiating position when you change jobs again in the future.

Why?

Not all your future employers will be living in an RSU-driven ‘total compensation’ sphere! You may move up, or laterally, and if RSUs are not there, then what is your leverage? Yup. The base salary! It is your goal to improve it every time you change jobs. It’s a rule of thumb I follow like a religion: I do not accept job offers where my base salary drops. I tried once, suffered, and I know it costs you dearly…

Make it a habit to look for new opportunities. Talk to recruiters, peers, discuss on social media. The biggest secret of cybersecurity employment is … there is none. We are VERY privileged to live and work in conditions that support our growth unconditionally. Recognize it, make yourself visible and useful, thrive in it, until market correction comes… and it will.