My name is Kostas, and I have been a Cyber Threat Intelligence analyst for over a year. I want to share my thoughts and experiences with anyone that is thinking of entering this field. There is plenty of useful information below for anyone looking to get a start in this field.
You will find in straightforward terms, what is cyber threat intelligence, why we need it, and what are the requirements to enter it.
All the opinions and views discussed here are mine and do not necessarily represent the views of my employer. I am not an expert; I am just sharing my views on topics that interest me the most, and I’m open to other perspectives.
Why do we need Cyber Threat Intelligence?
Information Security was always playing the non-ending cat and mouse game with adversaries. No matter how many resources are provided by an organization, adversaries would be one step ahead of the game. This is mainly because most organizations and their security vendors take a reactive approach to battle this problem. They are adding rules on security appliances to create detections for the threats that come and go without looking at the bigger picture.
After a certain point, the industry realized that there must be a better way to deal with this issue, and this is where cyber threat intelligence comes into action.
Regardless of the recent hype, threat intelligence is not a new field or one of those buzzwords like “AI” that we hear over recent years. Government agencies and, later on, finance organizations were the first to implement it in day-to-day operations. Cybersecurity took some of these well-known and established threat intelligence concepts and applied them to combat adversaries. Businesses realized that threat intelligence can help take a proactive approach by providing context into everyday threats.
- For example, information security teams can leverage threat intelligence to consume information related to threats associated with a narrowed-down scope that only matches the organization’s needs and field of practice (e.g., finance). In that way, security managers can overcome the feeling of loss and despair against the unknown.
There are many other applications for threat intelligence, but ultimately, threat intelligence exists to provide actionable information (intelligence) to leadership teams to support critical decisions.
What are the responsibilities of a cyber threat intelligence analyst?
Daily operations and responsibilities depend on the goal of each organization. Threat intelligence can help in many areas of the information security program; therefore, the role’s duties could be slightly different. Nevertheless, I can speak according to my experience and what I perceive to be the most common approach to solving a problem by implementing threat intelligence.
Threat intelligence could split into three primary topics.
Tactical focuses on day-to-day technical operations. An excellent example of this would be guiding security analysts on threats that they come across daily. To achieve that, a threat intelligence analyst should provide context and relevant indicators. This would enable the security analysts to concentrate on threats that matter and resolve the issue faster and efficiently. As discussed above, intelligence is nothing more than:
- E.g. About a threat.
- E.g. Organization’s environment and its risk to the threat.
Strategic threat intelligence focuses on bringing the intelligence to the eyes of senior-level officials who are tasked with making decisions. For this reason, the ability to communicate risk becomes essential.
- For example, as a threat intelligence analyst, you are required to translate any technical information to your organization’s leaders in the form of a finished intelligence product. Examples of this could include visual presentations, written reports or one-to-one meetings. The delivery and the product should be professional and concise. Topics may include threat analyses, trends or ongoing risk to the business.
It is important to highlight that strategic threat intelligence work is the most crucial piece. That being the case, all members of the threat intelligence team should contribute, cross-check and analyze the final product before any communication takes place.
Operational threat intelligence focuses on understanding the adversary by looking into the Tactics, Techniques and Procedures (TTPs). The primary source of information that provides us with the information we need comes from internal incidents. The main focus here is to understand the adversary’s intent, capability, and motive behind attacks and prioritize threats that could impact the organization you are trying to protect.
- For example, a threat intelligence analyst would analyze internal intrusion attempts to understand the threats that the organization is phasing. The objective here is to provide related information to multiple teams, including incident response, threat hunting and vulnerability management.
Operational threat intelligence must be able to have an understanding of technical language and day-to-day tactical level operations and also be able to communicate risks to decision-makers. It can be seen as a function of a threat intelligence program that bridges the gap between tactical operations and, higher-level, strategic duties.
How do I become an intelligence analyst?
There is a huge misconception that cyber threat intelligence is a very technical field and the minimum requirement of entry is to know how to reverse engineer malware.
A big part of the job is concentrating on analyzing information and documenting your findings through technical writing. Of course, you have to have high-level knowledge of threats and how they work, but this is easy to grasp thanks to multiple free resources on the internet.
You don’t have to be perfect on any of the above to consider a threat intelligence career. You can be technical, or you can come from a non-technical background and improve upon the job’s technical aspects. Although, a certain balance is required if you want to become good on the job.
Many career paths could lead you to threat intelligence. Some technical ones could be:
- systems/network administrator
- security analyst
- penetration tester
All the above roles would provide you with the foundational knowledge and give you a head start on the job’s technical aspects. However, as discussed above, technical knowledge is only a small piece of the puzzle. Here are some of the non-technical backgrounds that one may have before entering this field:
- Technical writer
These are only examples, and they can only provide an idea of the necessary skills and different perspectives that different roles can bring to the threat intelligence role. No matter your background, you need to enjoy some essential parts of the job before considering a career in this field. Keeping up with the recent threats and being a lifelong learner are essential to the role.
I hope you found this article useful and I hope you feel inspired to consider a career as a cyber threat intelligence analyst.
Before I finish this article, I want to provide you with a couple of sources to get you started. There is plenty of free material out there, but sometimes this is a problem on its own. Please see below my recommendations that will give you a high-level understanding of this field.
- Katie Nickels, an expert in this field, has written another helpful blog on starting a career in threat intelligence. She goes deeper into the path one could take to find herself being a cyber threat intelligence analyst. She also provides some great resources to get you started. You can read her post here:
FAQs on Getting Started in Cyber Threat Intelligence
One of the most frequent messages I get is from people who are looking for advice on getting started in cyber threat…
- Very nice summary of what threat intelligence is and its purpose by RecordedFuture:
Threat Intelligence: Everything You Need to Know | Recorded Future
Digital technologies lie at the heart of nearly every industry today. The automation and greater connectedness they…
- Into to cyber threat intelligence:
Cyber Threat Intelligence Training Online
In its core, this course will explain what approaches and frameworks are available to implement a Cyber Threat…
- Excellent webinars and presentations of experts in the field powered by SANS:
SANS Digital Forensics and Incident Response
Over 80% of all breach victims learn of a compromise from third-party notifications, not from internal security teams…
As the leading organization in computer security training, the SANS Institute is known for providing intensive…
Books and papers:
- Very nice intro to threat intelligence and compliments incident response. It is written by two great individuals in this field; Scott J. Roberts and Rebekah Brown.
Intelligence-Driven Incident Response: Outwitting the Adversary
Intelligence-Driven Incident Response: Outwitting the Adversary: Roberts, Scott J., Brown, Rebekah: 9781491934944…
- An excellent paper for describing almost all elements of cyber threat intelligence. Definitive Guide to Cyber Threat Intelligence:
You can reach out to me here: