Becoming a ‘Well Rounded’ Cyber Threat Intelligence Analyst
Trident Exec Summary
This blog is aimed at both experienced CTI Analysts and anyone looking to get into the field. With the ongoing geopolitical crises and the increase in cyber-crime around the world, the demand for well-rounded Analysts within the Cyber Intelligence space is ever increasing.
So, we have partnered with Tim Haines to bring you a guide to becoming a “well-rounded” CTI Analyst. Tim is a seasoned Cyber Threat Intelligence Manager who is highly experienced in recruiting and building teams of Analysts within the private and public sector.
Cyber Threat Intelligence (CTI) is a growing field, with plenty of exciting opportunities in it. If you’re looking to get into the field, or if you’re already in a CTI role but are looking to progress, it’s worth considering the question: “What do employers look for in a ‘well-rounded’ CTI analyst?”
In my view, there are four broad categories of knowledge and experience which are likely to be the key to success, and the ‘well-rounded’ analyst sits at the heart of these interlocking circles, as shown in the diagram below:
Let’s have a look at each of these in turn:
Threat Actor Knowledge: A good CTI analyst will have a good understanding of the capability and intent of a broad spectrum of cyber threat actors, as well as an understanding of their Tactics, Techniques and Procedures (TTPs). The MITRE ATT&CK framework is excellent in this regard, as are the free malware reports and threat actor profiles put out by commercial CTI providers.
Analytical Tradecraft: A good knowledge of the analytical process and common pitfalls is essential. A conceptual understanding of the Intelligence Cycle is useful, but an understanding founded on its practical implementation is even better. Knowledge of specific analytical techniques (e.g. Analysis of Competing Hypotheses) and frequently encountered cognitive biases is useful here, as is knowledge of relevant threat models (e.g. the Diamond Model).
Industry Sector / Organisation Specific Knowledge: The ultimate aim of CTI is to allow people to make better-informed decisions to protect their organisation. Without some knowledge of the organisation that you are helping to defend, this is almost impossible. Therefore, it’s imperative to know not only what assets you are seeking to protect, but also what technologies have been deployed, how different processes operate, and how different sub-elements interact. Time spent understanding key business processes is well spent. This is perhaps the hardest to ‘learn’ as an outsider, and most employers will not expect you to have significant pre-existing knowledge in this sphere.
Technical Competence: Increasingly, the collection and analysis of data relies on technology, and as such a good analyst is increasingly expected to have a strong set of technical skills. Not all analysts have to have ninja-like malware reverse engineering skills, but being able to engage effectively with – for example – Python, SQL and Elasticsearch to automate data processing is increasingly fundamental.
The Soft Skills Wrap: The outer circle on the diagram above represents soft skills which are not specific to a CTI analyst, but which are nevertheless absolutely vital. As an example of this, imagine a brilliant analyst who cannot present their findings in clear and concise language (spoken or written) – without these skills, their capabilities are unlikely to ever be fully recognised.
Clearly, the vast majority of people are going to have spheres where they are comparatively weak. That’s not a problem, and it’s something that most employers will expect. But knowing what employers are potentially looking for is useful, and can potentially guide your personal development agenda to maximise your chances of finding the perfect CTI analysis role for you!
All the above from Tim is great advice. We would advise that you reflect on your personal armoury: where do you believe you are strong, and where are you weak? Match that against the criteria for a particular opportunity or the general type of CTI job you are looking for, then conduct your personal development.
We are seeing a rise in the demand for “technical” analysts. If you are a geopolitical specialist, do not worry: you won’t suddenly be required to reverse engineer malware. 99% of this “technical” demand is what Tim referred to: data processing (SQL etc.) and a general understanding of network infrastructure setups. If you can understand how a vulnerability becomes critical/relevant for an organisation due to their infrastructure setup or patching schedule, you are in high demand.