Threat intelligence is evidence-based information, including context, mechanisms, indicators of compromise, implications and actionable advice, about existing or emerging hazards to assets. Threat intelligence allows IT professionals to make decisions and take action accordingly.
Historically, intelligence tactics, techniques, and procedures, as well as various types of intelligence operations, existed long before cyberspace was conceived. Intelligence is often seen as “offensive” in nature when viewed through the lens of spying, but the ultimate purpose of intelligence is actually to enable entities to defend against attack. Information is power. This is true for cyber threat intelligence as well.
Why Is Cyber Threat Intelligence Necessary?
Threat intelligence is often thought of as just a collection of “indicators of compromise”, or limited to information about specific security threats. However, there is much more to the story than just this. If an organization does not first understand its assets, infrastructure, personnel and business operations, then it cannot understand if it’s presenting opportunities to malicious actors. Cyber threat intelligence can help us identify and address potential vulnerabilities in our operations and prepare accordingly.
In the corporate world, organizations hire cyber threat intelligence analysts or engage with threat intelligence service providers to perform the task of identifying potential risks and threats in an organization. Cyber threat analysts conduct all-source analysis, digital forensics, and adversary targeting to identify, monitor, assess, and counter the threat posed by foreign cyber actors against US information systems, critical infrastructure and cyber-related interests.
Cyber threat analysts are professional intelligence officers who apply their scientific and technical knowledge to solving complex intelligence problems, produce short-term and long-term written assessments and brief the organization. This work demands initiative, creativity, analytical skills, and technical expertise.
However, the most important attribute of an intelligence analyst is analytical skill. At times, this skill is more of an art form than a hard science, but it can be developed in a few ways. First, it requires that an analyst become a technical expert.
Unfortunately, many analysts who are just starting out feel that intelligence tradecraft is a “fuzzy” field in which people without technical skills can still be experts. As they work in the field, however, they’ll find that the opposite is actually the case: cyber threat intelligence analysis, when performed correctly, is also very demanding from a technical perspective. A good analyst should be able to pick out what is obviously true or obviously false almost instantly, which requires extreme technical skills and experience in cyber security. When looking for a job as a cyber threat intelligence analyst, you should be well-qualified and solid in your skills. Earning a certification such as Certified Ethical Hacker (CEH) or Offensive Security Certified Professional (OSCP) will definitely help prepare you for this job, but in general, the minimum qualifications are:
- Bachelor's or Master's degree in computer science, computer engineering, digital forensics, cyber security, telecommunications, information assurance or security studies.
- A minimum GPA of 3.0 on a 4-point scale.
- Hands-on experience.
- Strong verbal presentation and writing skills, including the demonstrated ability to write clear and concise text.
- Excellent analytical abilities and a strong ability to think creatively when approaching issues.
Although many individuals think that they are qualified enough to start a career as a cyber threat intelligence analyst, unfortunately the job is quite difficult. Because this position requires a combination of strong computer skills and language skills, plus excellent analytical abilities, it can sometimes be hard to find people with the right combination.
If you want to pursue a career as a cyber threat intelligence analyst, you should be able to answer certain questions. No organization wants their threat intelligence guy to be unaware of the market criteria and practices that they are following, so be sure that you have a physical presence in specific local and regional attacker communities to stay updated about the latest developments.
To address threats and meet market standards, a threat intelligence analyst may decide to be part of a threat intelligence service provider team. The primary task of these service providers is to deliver intelligence solutions to their customers. However, there are a number of questions that should be answered before you make a decision about a service provider. Here are some questions that are worth asking anyone who is trying to sell you intelligence:
- What types of professional backgrounds do your analysts have?
- What is the underlying philosophy that drives your intelligence capability? If I am going to pay for intelligence, then I want to be sure I understand what makes a vendor tick.
- What kind of data do you collect? It shouldn’t just be one or two different types of data from one or two different sources. Real intelligence comes from a wide variety of data types and sources.
- How does a piece of information make its way from the field into your database?
- What does the overall collection architecture look like? While you shouldn’t expect vendors to reveal their secrets, they ought to be able to articulate why the data they collect is accurate, reliable, and high-fidelity.
- What volume of data are you collecting on a daily basis?
- In how many locations do you store and analyze the data you collect? What you want to hear is that they have high availability and redundancy. You should feel secure that a power outage, for example, wouldn’t wipe out their entire operation.
- How do you analyze the data? I don’t expect you to reveal your tradecraft secrets to me, but I want to be confident that you have a sound methodology. I want to be sure your intelligence is not based on educated guesses, or worse, just rolling the dice.
- How can you help me assess and prioritize risk? I know that doing so can help me optimize security spending and show good return on investment, but I need help.
- How can you integrate easily into my workflow? Whether I am looking to leverage intelligence to help with alerting, adding additional context to investigations, or otherwise, I want to make sure that this partnership is not going to create additional work for my already overworked team.
These are the general questions that should be asked by organizations who are evaluating threat intelligence service providers. Knowing what organizations are looking for in cyber threat intelligence services is important for anyone aspiring to a career in the field, whether they end up working as an employee for an organization in that capacity, or working for a service provider.