What Type of Cyber Threat Intelligence Analyst Do You Need?

I am a very practical guy. While I do appreciate industry thought leadership and can appreciate a new framework in a sea of frameworks once in a while, I tend to always drift towards what is practical, achievable, productive and sellable to my internal organization. In my former role as a CISO, these characteristics were critical.

In the cyber threat intelligence market, many vendors talk about the large volumes of indicators of compromise (IOCs) they have in their database, how many malware signatures, how many sensors, and so on. It’s the traditional “more and faster is better” approach. What’s missing from this approach is the practicality of what is actually useful, and what does all of this data mean? When it comes to threat intelligence, including both the vendors who provide it and the organizations that consume it, what is the goal around all of this data collection? What should be collected? How should it be collected? How should it be evaluated? What finished, refined intelligence product should ultimately be produced? How should it be delivered, who within the organization should it be delivered to and how should it be consumed?

I was recently reviewing a presentation about how to implement threat intelligence in an organization and noticed the author included an organizational chart that basically had a role for each of the basic phases of the intelligence life cycle – Planning, Collection, Analysis, & Presentation – all falling under the CISO. The first thing that popped into my mind was the cost associated with that construct as well as its practicality. The second thing that popped into my mind was the complete lack of definition of what I call the ‘human factors.’ When I talk about human factors I am talking about the who, how, when and where of how work is performed. It is a topic area that is rarely discussed, but needs to be raised and debated.

When looking at the human factors around cyber threat intelligence, some questions arise. What is a threat intelligence analyst? What background/expertise should they have? What is their function? What tools and processes will they need to effectively do their job? Who is accountable for them and who are they accountable to? What outcome do they change for the organization? What is their mission?

As I discussed in a previous threat intelligence-focused article, at a high level you can categorize intel into three main areas:

Tactical intelligence – This is where “on-the-network” actions take place, typically supported by your “Defenders”, who use tactical threat intelligence to corroborate events coming into the SOC. These are the individuals who consume low-level CTI to support a detection and response mission.

Operational intelligence – One level up from tactical, this type of intel focuses on the immediate operating environment and is more adversary-focused. Operational intel should be supported by what I would call your traditional threat intelligence analyst. These analysts are looking at internally and externally collected information to analyze and distribute intelligence products that focus on the organization’s operating environments, and how they relate to Actor campaigns, capabilities, opportunities and intent.

Strategic intelligence – This type of intelligence is of value to senior management, who can use it to measure cyber risk and to guide proper investment and risk management decisions. Support at the strategic level also falls to the traditional threat intelligence analyst, who in this case should have the sole focus of aligning collected intel to the organization’s lines of business. This is where cyber threats, cyber risk and business risk are all correlated and analyzed to achieve a more informed decision.

Each area of threat intelligence has a different scope of mission, which by default would require a different set of tools and analyst background. Based on the area of focus, the Cyber Threat Intelligence Analyst should execute the intelligence life cycle, which includes:

• Requirements gathering
• Collection
• Analysis
• Distribution
• Feedback

The goal of the threat intelligence analyst is to produce relevant, timely, accurate intel on cyber threats – especially those associated with espionage, hacktivism, cybercrime, malicious software, social engineering, and other emerging threats. Essentially, the analyst needs to focus on providing the “who, what, when, where, why, how, and importance” of cyber threats to the business, and help the business reduce overall risk.

I have had conversations with CISOs in the past regarding the following question: “Is it better to hire a cyber security pro and teach them intel practices, or is it better to hire an intel pro and teach them cyber security practices?” The answer is obvious – it depends, and it depends on which areas of focus you are looking to build out a capability for. Obviously a tactical focus area would demand a technical individual; the operational level would demand an individual who has some technical background, but also has a vision for cyber risk across the organization; and an individual who has a strategic focus needs to have a background in enterprise risk and business. All of these scenarios require cyber threat intelligence analysts.

As organizations flesh out plans for implementing a Cyber Threat Intelligence program, following this sort of model should assist you in understanding what type of analyst you may need to hire, train and equip. Not all analysts are created equal and not all consumers of finished intelligence products have the same intelligence requirements.