Introduction

Cyber Threat Intelligence (CTI) analysts come from diverse backgrounds, and their roles can vary a lot depending on the type of organisation they work for. The path to becoming a CTI analyst can follow one of several routes, such as moving from Security Operations Center (SOC) and other information security roles, joining from university, or from law enforcement or military backgrounds. I’ve also met many who have radically changed trades and reskilled from jobs such as secondary school teachers to bar and hotel staff with great success.

CTI teams can also vary significantly in their structure and focus. Some analysts work for vendors, providing intelligence to multiple clients across industries like, for example, Recorded Future’s Insikt Group. Others serve as defenders within a single company, working to protect that organization’s assets like, for example Equinix’s ETAC team. There are analysts who operate within government agencies as well, such as intelligence, security, or law enforcement bodies, often focusing on national security or large-scale cyber threats.

I should also highlight that all these resource have either been created by myself or with the help of colleagues from Curated Intel, or are collections created by me that I personally vouch for as I saved them to be used for my job over the last five years.

Starting Out

When starting out in CTI, it’s essential to become familiar with key frameworks and resources that shape the field. At the core is the Intelligence Lifecycle, a process that involves planning, data collection, processing, analysis, dissemination, and feedback. Another core concept are the three levels of intelligence: strategic, operational, and tactical. Understanding analysis frameworks like the Diamond Model, MITRE ATT&CK, the Cyber Kill Chain, and the Pyramid of Pain, as well as landmark case studies like the APT1 report are critical for grasping how adversaries operate and how CTI can counter their tactics.

Resources:

Adversaries

Understanding the broad array of adversaries may seem like a daunting challenge for new CTI analysts. This due to the plethora of threat groups and campaigns, from state-sponsored adversaries belonging to “The Big 4” (Russia, China, North Korea, Iran), to thousands of hacktivist groups, to hundreds of ransomware gangs, and the broader cybercrime underground. Getting a handled on all of these types of cyber threats is a huge undertaking. Hopefully some of the resources below will help new analysts get started on this mammoth task, but will hopefully help highlight why CTI analysts are always constantly learning.

Resources:

Requests For Information (RFIs)

Responding to Requests for Information (RFIs) is a crucial aspect of a CTI team’s function. RFIs typically come from internal stakeholders, such as security, executive teams, or external partners, who need in-depth analysis on specific threats or incidents. CTI analysts should answer RFIs by conducting their own research and produce clear, actionable reports that detail their findings, and their assessment of the potential impact on the organisation.

Resources:

Threat Actor Profiles

Creating detailed threat actor profiles is a key part of a CTI analyst’s job. These profiles help organisations understand an adversary’s tactics, techniques, and procedures (TTPs) as well as who their victims are, their motivations, and their potential origin. By compiling data on malicious cyber adversaries, such as their preferred tools, infrastructure, and methods, CTI analysts can provide valuable insights that enable proactive defenses against future threats. Threat actor profiles can also serve as a valuable resource for internal teams and leadership to prioritise risk management.

Resources:

Threat Landscape

Another type of intelligence product, CTI analysts are likely to create are threat landscape reports, which offer a high-level view of the current threat environment. These reports are often produced on a periodic basis (monthly or quarterly) and provide insights on emerging threats, trends in adversary behavior, or significant incidents affecting the industry.

Resources:

Threat Hunting & Malware Analysis

 Supporting threat hunting operations and malware analysis services are also standard responsibilities for CTI teams in the industry. The main prerequisite for this includes having security operations teams, such as SOCs and CERTs, as stakeholders. CTI teams can then provide detection rules, using behavioural signatures, based on intelligence gathered from proactive research or in response to an incident. These detection rules then enhance security measures, enabling teams to detect and mitigate attacks more effectively.

Resources:

Brand Monitoring

CTI analysts will often play a role in brand monitoring, keeping a close eye on mentions of the organisation in the news and cybercrime underground. This involves tracking chatter on news sites, social media, underground forums, dark web marketplaces, or Telegram channels to detect any references to the company, its assets, or its personnel to identify potential incidents. Early detection of these mentions can help respond to potential attacks, data breaches, or fraud attempts. This can also include monitoring for breaches impacting your organisation’s supply chain, partners, or large customer organisations.

Resources:

Indicators of Compromise (IOCs)

CTI analysts will often be handling indicators of compromise (IOCs) during daily operations. Triaging IOCs received from various sources is a big part of the role. Understanding what makes an indicator useful is vital to be able to provide context about attacks. Collecting IOCs in threat intelligence platforms (TIPs) and vetting them to support their implementation into security controls is another duty that is often split between a CTI team and a security engineering program. However, it is important for CTI analysts to know how research, pivot on, vet, and disseminate IOCs. Due to CTI teams often having access to commercial TIPs or being able to conduct open source intelligence (OSINT) research on IOCs, this duty often fall to them.

Resources:

Vulnerabilities

 CTI teams often play a key role in threat and vulnerability management (TVM). Many organisations have standalone TVM teams that interface with CTI teams who provide the latest news about vulnerabilities exploited in the wild from monitoring their sources. Another discipline that may come under a CTI team’s remit is attack surface scanning and looking for exposures. This is because as CTI teams tracks the latest exploitation campaigns of adversaries and will know which products and devices are being currently targeted. Therefore, it pays for organisations to have another team that performs an attack surface check based on threat intelligence.

Resources:

Community

Lastly, once you start working in CTI you quickly realise that the CTI industry is very close knit. Due to the nature of working with the other organisations to share information, long-term bonds between analysts and teams are inherently forged. As an individual CTI analyst, CTI manager, or CTI team it is vital build up a network of contacts and form official intelligence sharing partnerships.

This all starts however from being a member of the community. This includes going to conferences, talking to other analysts over social media (Twitter or LinkedIn), or participating in online communities, such as those on Discord. While participating in these communities and talking to other CTI practitioners it is always important to keep operational security (OPSEC) in mind and maintain trust, as well as obeying the Traffic Light Protocol (TLP).

Resources:

Further Reading

If you have gone through all the resources in this blog (well done!) but you’re still looking for more things to read, then luckily enough for you, there’s still plenty more out there. I recommend taking a look at other guides created by renowned CTI experts, such as Katie Nickels’ CTI Self Study Guide Part 1 and Part 2 as well as Andy Piazza’s CTI Study Plan here.