Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

What Do You Ask Your Cyber Threat Intelligence Analyst?

As a former CISO and as head of an analyst team at a threat intelligence vendor, I’ve written a lot about cyber threat intelligence – what it is/should be, the different types of threat intel (strategic, operational, tactical), raw intelligence versus finished intel, how it can be used, how threat intel fits into your overall cybersecurity program, and so on.

As a former CISO and as head of an analyst team at a threat intelligence vendor, I’ve written a lot about cyber threat intelligence – what it is/should be, the different types of threat intel (strategic, operational, tactical), raw intelligence versus finished intel, how it can be used, how threat intel fits into your overall cybersecurity program, and so on.

When it comes to intel, there is no “one-size-fits-all” approach that is effective. While cyber threat intelligence has been defined by many practitioners and analysts, there are so many variables involved that threat intelligence really means something different to each organization in terms of their setup, their goals and their expertise.

To try to put this into more real life context, I thought it would be helpful to simplify all of this down to one question: “what would you ask your threat intelligence analyst?” This can obviously go in a lot of different directions, but that’s the point. This is a question you should think about whether you have an existing threat intel team/operation or are exploring how to establish one.

I’m of the belief that effective threat intelligence requires several key components, including access to threat data, automated processing to quickly filter the data to what is specific and useful to an organization, and human intel experts who can analyze and make meaningful recommendations to an organization on how to mitigate identified risks, and how to best prepare for impending cyber threats.

Questions to ask Threat Analyst

When it comes to threat intel, many vendors and organizations focus on how much data they have. Now d on’t get me wrong, without data, you can’t create intel, but data alone is just that – and it does not lead you to smart decisions by itself. Whether you have an in-house team of analysts or outsource this function, your threat intel operation should be capable of a wide range of research, analysis and risk mitigation actions. 

I’m a big believer of things that are practical. If your threat intelligence isn’t practical, it’s not really useful. How does threat intelligence solve a problem? Threat intelligence needs to do more than just inform… here are a few examples of practical questions you can ask your threat analyst team:

• Do we have sensitive information on the dark web? If so, what is the information and can you confirm that it is a real risk, i.e. the info stolen/leaked is what it is advertised to be? (Confirmation can really only be done by acquiring at least a sample of that data). And what courses of action should we implement to limit our risk here?

• We’re seeing a spam or phishing campaign that is hitting our company… can you help us to enforce a takedown effort with the appropriate hosting provider?

• We are concerned about a particular IP and a potentially malicious web instance that we’ve seen several times… can you tell us more about these and give us a threat assessment that includes TTPs along with the potential impact to our company, and also provide us with specific guidance on how to address that threat before it becomes a serious problem for the organization? Do we have the right capabilities in place against current threat scenarios? If not, where/how should we pivot?

• We need to explain to our executive team how we are positioned from a cyber risk perspective… Can you help me determine if we are well positioned for current cyber risks and provide findings in an executive-level format that is easy to understand?

• We’d like to understand the threat landscape targeting our industry… what does that look like, how has it evolved and what actions should we be taking? Who in our industry is feeling the pain? What have been the outcomes? 

The above examples and many others all tie into what I wrote about in my last few articles – threat intelligence playbooks, which can provide you with essentially a script to run based on a cybersecurity event. They include up-to-date research and analysis and tie into an organization’s ecosystem and processes to ensure the fast deployment of effective countermeasures.

Your threat analyst team should also be updating these playbooks as necessary because as we all know, cyber threats and cybersecurity are dynamic. So whether you have an existing threat intelligence operation or are looking to establish one, keep in mind the importance of having not only breadth and depth of threat data, but how quickly that data can be turned into intel and the threat intel analyst skillset that you have at your disposal.

As I have stated in the past, at the end of the day, whatever your cyber threat intelligence plan and process is, it should drive faster and smarter decisions that minimize your risk exposure. If it’s not aiding this goal, then it’s time to stop and think through what needs to change in order for the intel to make your business safer. A good first step is to simply start asking the right questions.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.


The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.