What Type of Cyber Threat Intelligence Analyst Do You Need?

I am a very practical guy. While I do appreciate industry thought leadership and can appreciate a new framework in a sea of frameworks once in a while, I tend to always drift towards what is practical, achievable, productive and sellable to my internal organization. In my former role as a CISO, these characteristics were critical.

In the cyber threat intelligence market, many vendors talk about the large volumes of indicators of compromise (IOCs) they have in their database, how many malware signatures, how many sensors, and so on. It’s the traditional “more and faster is better” approach. What’s missing from this approach is the practicality of what is actually useful, and what does all of this data mean? When it comes to threat intelligence, including both the vendors who provide it and the organizations that consume it, what is the goal around all of this data collection? What should be collected? How should it be collected? How should it be evaluated? What finished, refined intelligence product should ultimately be produced? How should it be delivered, who within the organization should it be delivered to and how should it be consumed?

I was recently reviewing a presentation about how to implement threat intelligence in an organization and noticed the author included an organizational chart that basically had a role for each of the basic phases of the intelligence life cycle – Planning, Collection, Analysis, & Presentation – all falling under the CISO. The first thing that popped into my mind was the cost associated with that construct, as well as its practicality. The second thing that popped into my mind was the complete lack of definition of what I call the ‘human factors.’ When I talk about human factors, I am talking about the who, how, when and where of how work is performed. It is a topic area that is rarely discussed, but it needs to be raised and debated.

When looking at the human factors around cyber threat intelligence, some questions arise. What is a threat intelligence analyst? What background/expertise should they have? What is their function? What tools and processes will they need to effectively do their job? Who is accountable for them, and who are they accountable to? What outcome do they change for the organization? What is their mission?

As I discussed in a previous threat intelligence-focused article, at a high level you can categorize intel into three main areas:

Tactical intelligence – This is where “on-the-network” actions take place, typically supported by your “Defenders”, who use tactical threat intelligence to corroborate events coming into the SOC. These are the individuals who consume low-level CTI to support a detection and response mission.

Operational intelligence – One level up from tactical, this type of intel focuses on the immediate operating environment and is more adversary-focused. Operational intel should be supported by what I would call your traditional threat intelligence analyst. These analysts look at internally and externally collected information to analyze and distribute intelligence products that focus on the organization’s operating environments and how they relate to actor campaigns, capabilities, opportunities and intent.

Strategic intelligence – This type of intelligence is of value to senior management, who can use it to measure cyber risk and to guide proper investment and risk management decisions. Support at the strategic level also falls to the traditional threat intelligence analyst, who in this case should have the sole focus of aligning collected intel to the organization’s lines of business. This is where cyber threats, cyber risk and business risk are all correlated and analyzed to achieve a more informed decision.

Each area of threat intelligence has a different scope of mission, which by default would require a different set of tools and analyst background. Based on the area of focus, the Cyber Threat Intelligence Analyst should execute the intelligence life cycle, which includes:

• Requirements gathering

• Collection

• Analysis

• Distribution

• Feedback

The goal of the threat intelligence analyst is to produce relevant, timely, accurate intel on cyber threats – especially those associated with espionage, hacktivism, cybercrime, malicious software, social engineering, and other emerging threats. Essentially, the analyst needs to focus on providing the “who, what, when, where, why, how, and importance” of cyber threats to the business, and help the business reduce overall risk.

I have had conversations with CISOs in the past regarding the following question: “Is it better to hire a cyber security pro and teach them intel practices, or is it better to hire an intel pro and teach them cyber security practices?” The answer is obvious – it depends, and it depends on which areas of focus you are looking to build a capability around. Obviously a tactical focus area would demand a technical individual; the operational level would demand an individual who has some technical background but also has a vision for cyber risk across the organization; and an individual with a strategic focus needs to have a background in enterprise risk and business. All of these scenarios require cyber threat intelligence analysts.

As organizations flesh out plans for implementing a Cyber Threat Intelligence program, following this sort of model should assist you in understanding what type of analyst you may need to hire, train and equip. Not all analysts are created equal and not all consumers of finished intelligence products have the same intelligence requirements.
