SecurityWeek

Incident Response

Hiring the Right Cyber Threat Intelligence Analyst for Your Organization

With the coming new year comes new strategies to implement, new budgets to work with, and new threats to prevent from harming your business. I’ve personally seen a shift in the past year where more organizations are moving beyond the basic understanding of what threat intelligence is and moving into a planning and implementation process to start benefiting from the value that good intel can provide.

The first step in planning to add threat intelligence into your security and risk program should really focus around the following key questions:

• What is the goal of the intel we want to have?

• Who are the key stakeholders that the intel should serve?

• What are the assets and information we are most concerned about protecting?

• What decisions and outcomes should the intel impact? 

• How will results be measured?

• Are we collecting any internal intel already? If not, this is where we should start.


• Should we outsource our intel operation, build in-house or go with a hybrid approach?

At the end of the day, whatever your cyber threat intelligence plan and process is, it should drive faster and smarter decisions that minimize your risk exposure. If it’s not aiding this goal, then it’s time to stop and think through what needs to change in order for the intel to make your business safer.

I’ve worked with a wide range of organizations across industries that have SOCs with analysts working around the clock. I’ve worked with smaller, less cyber-mature organizations that did not have the staff or tools and needed cyber risk guidance through more of an outsourced approach. And I’ve also worked with organizations that are using intel and have a small intelligence operation, but wanted a “force multiplier” through a hybrid/co-managed approach.

Regardless of whether you’re hiring a threat intelligence analyst, working with a vendor or doing a combination of both, you need to ensure the right people are in place (along with the tools) to do the job. The complexity here is that, just as not all threat intelligence is the same, not all threat intelligence analysts are the same. Intel analysts can have different areas of expertise (for example, some are more technical, some are more risk focused, some may have more experience with specific tools, etc.). Before looking at vendors and/or in-house cyber threat intelligence analysts to hire, determine your end goal first to make sure the candidate or vendor is a good fit for it.

In my previous role as a CISO and in my current role as head of the SurfWatch Labs analyst team, I’ve hired many intel analysts over the years and have a few suggestions in terms of the core traits and capabilities to look for as a baseline.

As far as the overall role, the intel analyst should have the capability to map out and collect intel from a wide range of sources, track threat actors, identify and track malicious assets and infrastructure, and synthesize and analyze a wide set of threat and incident data to produce finished intelligence with supporting evidence. Good interpersonal skills are also an important trait, since requests and questions will come in from stakeholders and the analyst may need to present or explain the intel to different groups. Attention to detail is also important as it relates to the breadth and depth of the analysis and conclusions.

Below are additional “required” and “desired” skills that I look for in an analyst:

Requirements

• Familiarity with intelligence analysis or a high desire to learn, including analytic tradecraft, and demonstrated critical thinking skills

• Familiarity with and understanding of current hacking techniques, adversary methodology, vulnerability analysis, incident and breach analysis, and cyber defense techniques

• Excellent character and discretion in handling sensitive information

• Ability to conduct independent research on intelligence targets under minimal oversight with absolute attention to detail as well as a desire to understand the full picture of an event

• Proven ability to design, draft, and publish high-quality technical and business-level intelligence reports, studies, whitepapers, and blogs 

Desired Skills

• Previous experience with major operating system technologies and an understanding of database technologies

• A robust level of networking expertise and understanding of routing principles

• Knowledge of and experience with security monitoring methodologies such as packet capture, flow data (NetFlow), patterns, watch lists, black lists, log parsing, correlation, classification, event generation, taxonomy, and filtering

As I mentioned previously, there are many different types of intelligence analysts out there: some are more technical in nature, while others come from more of an analytical and tradecraft background. There is no textbook definition of what the “perfect” analyst should be. The bottom line here is that you first need to understand what problem you are looking to solve and then hire based on that organizational need.

An observation that I routinely make is that we all see the news reports about how security budgets are increasing, yet for some reason nothing ever seems to get better. That tells me we are not placing the proper resources against the biggest problem areas. The prime mission of your intelligence efforts should be answering that very question: where are the biggest problem areas, and where should resources go?
