Researcher Spotlight: How Azim Khodjibaev went from hunting real-world threats to threats on the dark web
Most of the time, Khodjibaev is combing through various dark web forums, ransomware group chats, Russian-speaking websites and other sources trying to learn of attackers’ next moves.
Monday, October 31, 2022 14:10
A case study in why cybersecurity experience is not a prerequisite to work in security
Azim Khodjibaev knows all sides of the “security” industry.
That doesn’t just cover cybersecurity, either — he spent the first part of his career ensuring the physical safety of civilians and military personnel, which is about as high-stakes as it gets.
Today, he’s using his knack for tracking physical threats to hunt down other types of threats on the deepest corners of the internet so Talos can stay one step ahead of threat actors.
Khodjibaev is a senior intelligence analyst with Talos’ Threat Intelligence and Interdiction team. The idea of collecting intelligence of all types has been in his life for years — he’s no stranger to geopolitical conflict growing up in the late days of the Soviet Union.
When his family immigrated to the U.S. in the mid-1990s, he knew he wanted to follow a career in political science, which led him to get his bachelor’s degree in international relations. Since then, the word “threats” has meant all sorts of things to Khodjibaev.
He spent several years in different contracting positions with the U.S. government, working in counterintelligence research. Using his native Russian, he infiltrated various online networks and tapped other sources to learn as much as possible about adversaries’ plans so he could warn potential targets of military action. Khodjibaev was also part of the intelligence-gathering operations in the wake of the Boston Marathon bombing in 2013 and spent time tracking the location of improvised explosive devices (IEDs) on real battlefields.
“After doing that for a while, out of the blue, I got a message on LinkedIn that actually looked like a phish because it was too good to be true,” he jokes now.
The message was a Cisco recruiter reaching out to him about a potential job opportunity at Talos in the cybersecurity space, something Khodjibaev had never directly worked in before. But after a successful interview and a promise of further education in the field, he jumped on board with Talos in 2016. One of his first challenges was to translate the infamous BlackEnergy attacks against Ukraine and pass along his findings to the Talos detection team who needed to react quickly to the cyber attack.
“For about three-and-a-half years, I was blind, I had no idea what was going on. I knew nothing about the network structure, and only knew the very basic levels of cybersecurity,” he said.
But by working on a team with cybersecurity-focused researchers, he grew his knowledge of virtual threats and how to apply his intelligence-gathering skills to focus on cyber attacks rather than kinetic ones.
“Over time, I realized I could contribute to the entire cybersecurity enterprise by building on those human intelligence skills and cyber intelligence skills,” he said.
When Khodjibaev finds a new potential threat or piece of malware, he tries to get it to Talos’ team of reverse engineers and rule writers to write detection as quickly as possible. He also partners with the Outreach team’s researchers to put together public-facing intelligence on the threat, such as one of Talos’ blog posts or intelligence partner alerts.
“As soon as I see something that’s beyond my ability to do something, we have a very specific mechanism that Talos has developed and refined to be speedy, yet accurate, with our detection,” he said.
Most recently, Khodjibaev’s been researching the LockBit ransomware group and regularly updates his Twitter followers about the group’s ongoing developments, even leading to a mini-series of Talos Takes episodes jokingly dubbed “Days of our Ransomware” as he sees drama between these groups play out on message boards, private chats and more.
These can often be very high-risk situations, though. Khodjibaev continually puts himself at risk by infiltrating virtual spaces populated by well-funded and highly skilled threat actors, where one slip-up could make him the personal target of an attack. But that doesn’t deter him from checking as many spaces as possible for the latest developments.
“There have been times when I’ve been legitimately scared because I pushed the envelope too far,” he said. “I am paranoid and careful in a good way where I’m always documenting things. But I’ve pushed the envelope into how far I’ve gone. The bad guys need to understand and learn that if they create a space that has more than one person in it, it’s only a matter of time before someone like me gets in there and takes advantage of that.”
These high-stress situations are admittedly less literally life-and-death than the ones Khodjibaev used to work in, when he would be forced to watch videos or read plans of “violence, abuse, crimes against innocent, defenseless people.”
So, he enjoys the quieter moments of his life where he can either work in his yard at his home or get out and kayak. He’s also a rowing coach for a local high school program.
“Given that unstable childhood I went through [in the Soviet Union], I am really into just living a really boring suburban life,” Khodjibaev said.
Now several years into his cybersecurity journey, Khodjibaev said he’s learned that cybersecurity isn’t a problem that can be solved only by looking at raw intelligence like datasets. He subscribes instead to the theory of Matt Olney, the director of Threat Intelligence and Interdiction at Talos, that “cybersecurity is a human problem.”
“I’ve always been a curious person and have always had a low tolerance of malicious activity against people who can’t help themselves,” Khodjibaev said. “Most cybercrime is just that — it’s not these state-sponsored actors, it’s cyber criminals ruining people’s days and targeting hospitals, and schools, and I always wanted to do something about it.”