With the coming new year comes new strategies to implement, new budgets to work with, and new threats to prevent from harming your business. I’ve personally seen a shift in the past year where more organizations are moving beyond the basic understanding of what threat intelligence is and into a planning and implementation process to start benefiting from the value that good intel can provide.
The first step in planning to add threat intelligence into your security and risk program should focus on the following key questions:
• What is the goal of the intel we want to have?
• Who are the key stakeholders that the intel should serve?
• What are the assets and information we are most concerned about protecting?
• What decisions and outcomes should the intel impact?
• How will results be measured?
• Are we collecting any internal intel already? If not, this is where we should start.
• Should we outsource our intel operation, build in-house or go with a hybrid approach?
At the end of the day, whatever your cyber threat intelligence plan and process is, it should drive faster and smarter decisions that minimize your risk exposure. If it’s not aiding this goal, then it’s time to stop and think through what needs to change in order for the intel to make your business safer.
I’ve worked with a wide range of organizations across industry that have SOCs with analysts working around the clock. I’ve worked with smaller, less cyber-mature organizations that did not have the staff or tools and needed cyber risk guidance through more of an outsourced approach. And I’ve also worked with organizations that are using intel and have a small intelligence operation, but wanted to get a “force multiplier” with a hybrid/co-managed approach.
Regardless of whether you’re hiring a threat intelligence analyst, working with a vendor or doing a combination of both, you need to ensure the right people are in place (along with the tools) to do the job. The complexity here is that just like not all threat intelligence is the same, not all threat intelligence analysts are the same. Intel analysts can have different areas of expertise (for example, some are more technical, some are more risk focused, some may have more experience with specific tools, etc.). Before looking at vendors and/or in-house cyber threat intelligence analysts to hire, you should determine your end goal first to make sure it is a good fit.
In my previous role as a CISO and in my current role as head of the SurfWatch Labs analyst team, I’ve hired many intel analysts over the years and have a few suggestions in terms of the core traits and capabilities to look for as a baseline.
As far as the overall role, the intel analyst should be able to map out and collect intel from a wide range of sources, track threat actors, identify and track malicious assets and infrastructure, and synthesize and analyze a wide set of threat and incident data to produce finished intelligence with supporting evidence. Good interpersonal skills are also important, since requests and questions will come in from stakeholders and the analyst may need to present or explain the intel to different groups. Attention to detail matters as well, as it determines the breadth and depth of the analysis and the soundness of the conclusions.
Below are additional “required” and “desired” skills that I look for in an analyst:
• Familiarity with intelligence analysis or a high desire to learn, including analytic tradecraft, and demonstrated critical thinking skills
• Familiarity with and understanding of current hacking techniques, adversary methodology, vulnerability analysis, incident and breach analysis, and cyber defense techniques
• Excellent character and discretion in handling sensitive information
• Ability to conduct independent research on intelligence targets under minimal oversight with absolute attention to detail as well as a desire to understand the full picture of an event
• Proven ability to design, draft, and publish high-quality technical and business-level intelligence reports, studies, whitepapers, and blogs
• Previous experience with major operating system technologies and an understanding of database technologies
• A robust level of networking expertise and understanding of routing principles
• Knowledge of and experience with security monitoring methodologies such as packet capture, flow data (NetFlow), patterns, watch lists, black lists, log parsing, correlation, classification, event generation, taxonomy, and filtering
As I mentioned previously, there are many different types of intelligence analysts out there: some are more technical in nature, while others come from more of an analytical and tradecraft background. There is no textbook definition of what the “perfect” analyst should be. The bottom line is that you first need to understand what problem you are looking to solve and then hire based on that organizational need.
An observation I routinely make is that we all see the news reports about security budgets increasing, yet for some reason nothing ever seems to get better. That tells me we are not placing the proper resources against the biggest problem areas. The prime mission of your intelligence efforts should be to answer that very question: where are the biggest problem areas, and where should resources go?