What Type of Cyber Threat Intelligence Analyst Do You Need?

I am a very practical guy. While I do appreciate industry thought leadership and can appreciate a new framework in a sea of frameworks once in a while, I tend to always drift towards what is practical, achievable, productive and sellable to my internal organization. In my former role as a CISO, these characteristics were critical.

In the cyber threat intelligence market, many vendors talk about the large volumes of indicators of compromise (IOCs) they have in their database, how many malware signatures, how many sensors, and so on. It’s the traditional “more and faster is better” approach. What’s missing from this approach is any assessment of what is actually useful, and of what all of this data means. When it comes to threat intelligence, including both the vendors who provide it and the organizations that consume it, what is the goal around all of this data collection? What should be collected? How should it be collected? How should it be evaluated? What finished, refined intelligence product should ultimately be produced? How should it be delivered, who within the organization should it be delivered to, and how should it be consumed?

I was recently reviewing a presentation about how to implement threat intelligence in an organization and noticed the author included an organizational chart that basically had a role for each of the basic phases of the intelligence life cycle – Planning, Collection, Analysis, & Presentation – all falling under the CISO. The first thing that popped into my mind was the cost associated with that construct as well as its practicality. The second thing that popped into my mind was the complete lack of definition of what I call the ‘human factors.’ When I talk about human factors I am talking about the who, how, when and where of how work is performed. It is a topic area that is rarely discussed, but needs to be raised and debated.

When looking at the human factors around cyber threat intelligence, some questions arise. What is a threat intelligence analyst? What background/expertise should they have? What is their function? What tools and processes will they need to effectively do their job? Who is accountable for them and who are they accountable to? What outcome do they change for the organization? What is their mission?

As I discussed in a previous threat intelligence-focused article, at a high level you can categorize intel into three main areas:

Tactical intelligence - This is where “on-the-network” actions take place, typically supported by your “Defenders”, who use tactical threat intelligence to corroborate events coming into the SOC. These are the individuals who consume low-level CTI to support a detection and response mission.

Operational intelligence - One level up from tactical, this type of intel focuses on the immediate operating environment and is more adversary-focused. Operational intel should be supported by what I would call your traditional threat intelligence analyst. These analysts look at internally and externally collected information to analyze and distribute intelligence products that focus on the organization's operating environments, and how they relate to actor campaigns, capabilities, opportunities and intent.

Strategic intelligence - This type of intelligence is of value to senior management, who can use it to measure cyber risk and to guide proper investment and risk management decisions. Support at the strategic level also falls to the traditional threat intelligence analyst, who in this case should have the sole focus of aligning collected intel to the organization's lines of business. This is where cyber threats, cyber risk and business risk are all correlated and analyzed to achieve a more informed decision.
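To make the tactical/operational distinction concrete, here is an added Python example (not from the article, and not SurfWatch Labs' code). The tactical step corroborates incoming SOC events against an indicator set; the operational step rolls the corroborated events up by attributed actor, the kind of summary an operational analyst would carry forward into an adversary-focused product. The indicator values, actor and campaign names, confidence scores, and the key=value log format are all constructed for illustration.

```python
"""Tactical CTI corroboration of SOC events, with an operational roll-up.

Added example, not from the original article. Every indicator, actor name,
campaign name and log line below is constructed (TEST-NET addresses and
.example domains only).
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "domain" or "sha256"
    value: str
    actor: str       # attribution supplied by operational-level analysis (constructed)
    campaign: str
    confidence: int  # 0-100, analyst-assigned (constructed)


# Constructed tactical indicator set.
INDICATORS = [
    Indicator("ip", "203.0.113.7", "ACTOR-A", "campaign-alpha", 90),
    Indicator("domain", "update-check.example", "ACTOR-A", "campaign-alpha", 75),
    Indicator("domain", "cdn-mirror.example", "ACTOR-B", "campaign-beta", 60),
    Indicator("sha256", "aa" * 32, "ACTOR-B", "campaign-beta", 85),
]

# Constructed SOC events in a simple key=value format.
SAMPLE_EVENTS = [
    "ts=2024-01-01T10:00:01Z src=10.0.0.5 dst=203.0.113.7 host=update-check.example action=allow",
    "ts=2024-01-01T10:00:02Z src=10.0.0.6 dst=198.51.100.9 host=intranet.corp.example action=allow",
    "ts=2024-01-01T10:01:10Z src=10.0.0.7 dst=192.0.2.44 host=sub.cdn-mirror.example action=allow",
    "ts=2024-01-01T10:02:30Z src=10.0.0.5 sha256=" + "aa" * 32 + " action=quarantine",
]


def parse_event(line):
    """Parse one 'key=value key=value' log line into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def domain_matches(host, indicator_domain):
    """True if host equals the indicator domain or is a subdomain of it.

    The dot-prefixed suffix check keeps 'cdn-mirror.example.other' from
    matching 'cdn-mirror.example'.
    """
    host = host.lower().rstrip(".")
    return host == indicator_domain or host.endswith("." + indicator_domain)


def match_field(key, value, indicators):
    """Return the indicators that corroborate a single event field."""
    matched = []
    for ind in indicators:
        if ind.kind == "ip" and key in ("src", "dst"):
            try:
                if ipaddress.ip_address(value) == ipaddress.ip_address(ind.value):
                    matched.append(ind)
            except ValueError:
                continue  # malformed address in the log is not an indicator hit
        elif ind.kind == "domain" and key == "host":
            if domain_matches(value, ind.value):
                matched.append(ind)
        elif ind.kind == "sha256" and key == "sha256":
            if value.lower() == ind.value.lower():
                matched.append(ind)
    return matched


def corroborate(events, indicators=INDICATORS):
    """Tactical step: return every event that at least one indicator corroborates."""
    hits = []
    for line in events:
        matches = []
        for key, value in parse_event(line).items():
            for ind in match_field(key, value, indicators):
                matches.append((key, ind))
        if matches:
            hits.append({
                "event": line,
                "matches": matches,
                "max_confidence": max(ind.confidence for _, ind in matches),
            })
    return hits


def rollup_by_actor(hits):
    """Operational step: count corroborated events per attributed actor."""
    counts = Counter()
    for hit in hits:
        for actor in {ind.actor for _, ind in hit["matches"]}:
            counts[actor] += 1
    return counts


if __name__ == "__main__":
    hits = corroborate(SAMPLE_EVENTS)
    for hit in sorted(hits, key=lambda h: -h["max_confidence"]):
        names = ", ".join(f"{k}->{ind.actor}/{ind.campaign}" for k, ind in hit["matches"])
        print(f"[{hit['max_confidence']}] {hit['event']}\n    {names}")
    print("events per actor:", dict(rollup_by_actor(hits)))
```

The tactical output is what a defender triages event by event; the per-actor roll-up is the first thing an operational analyst would want, because it says which campaigns are actually touching this environment rather than which indicators exist in a database.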

Each area of threat intelligence has a different scope of mission, which by default would require a different set of tools and analyst background. Based on the area of focus, the Cyber Threat Intelligence Analyst should execute the intelligence life cycle, which includes:

• Requirements gathering

• Collection

• Analysis

• Distribution

• Feedback

The goal of the threat intelligence analyst is to produce relevant, timely, accurate intel on cyber threats - especially those associated with espionage, hacktivism, cybercrime, malicious software, social engineering, and other emerging threats. Essentially, the analyst needs to focus on providing the “who, what, when, where, why, how, and importance” of cyber threats to the business, and help the business reduce overall risk.

I have had conversations with CISOs in the past regarding the following question: “Is it better to hire a cyber security pro and teach them intel practices, or is it better to hire an intel pro and teach them cyber security practices?” The answer is obvious - it depends, and it depends on which areas of focus you are looking to build a capability for. A tactical focus area demands a technical individual. The operational level demands an individual who has some technical background but also has a vision for cyber risk across the organization. An individual with a strategic focus needs a background in enterprise risk and business. All of these scenarios require cyber threat intelligence analysts.

As organizations flesh out plans for implementing a Cyber Threat Intelligence program, following this sort of model should assist you in understanding what type of analyst you may need to hire, train and equip. Not all analysts are created equal and not all consumers of finished intelligence products have the same intelligence requirements.

Adam Meyer is Chief Security Strategist at SurfWatch Labs. He has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, he was CISO for the Washington Metropolitan Area Transit Authority. He formerly served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier engineering and acquisition commands. Mr. Meyer holds undergraduate and graduate degrees from American Military University and Capitol College.