Cyber Threat Intelligence (CTI) analysts come from diverse
backgrounds, and their roles can vary a lot depending on the type of
organisation they work for. The path to becoming a CTI analyst can follow one
of several routes, such as moving from Security Operations Center (SOC) and
other information security roles, joining from university, or from law
enforcement or military backgrounds. I’ve also met many who have radically changed
trades and reskilled from jobs such as secondary school teachers to bar and hotel
staff with great success.
CTI teams can also vary significantly in their structure and
focus. Some analysts work for vendors, providing intelligence to multiple
clients across industries like, for example, Recorded Future’s Insikt Group.
Others serve as defenders within a single company, working to protect that
organization’s assets like, for example Equinix’s ETAC team. There are analysts
who operate within government agencies as well, such as intelligence, security,
or law enforcement bodies, often focusing on national security or large-scale
cyber threats.
I should also highlight that all these resource have either
been created by myself or with the help of colleagues from Curated Intel, or
are collections created by me that I personally vouch for as I saved them to be used for my
job over the last five years.
When starting out in CTI, it’s essential to become familiar
with key frameworks and resources that shape the field. At the core is the
Intelligence Lifecycle, a process that involves planning, data collection,
processing, analysis, dissemination, and feedback. Another core concept are the
three levels of intelligence: strategic, operational, and tactical.
Understanding analysis frameworks like the Diamond Model, MITRE ATT&CK, the
Cyber Kill Chain, and the Pyramid of Pain, as well as landmark case studies like
the APT1 report are critical for grasping how adversaries operate and how CTI
can counter their tactics.
Resources:
Description |
Link |
To help CTI
analysts learn more about the theory and frameworks related to the field of
CTI, here is a project containing various important resources called CTI
Fundamentals |
|
Here’s a
project contains a collection of acronyms used often by CTI
analysts |
Understanding the broad array of adversaries may seem like a
daunting challenge for new CTI analysts. This due to the plethora of threat
groups and campaigns, from state-sponsored adversaries belonging to “The Big 4”
(Russia, China, North Korea, Iran), to thousands of hacktivist groups, to
hundreds of ransomware gangs, and the broader cybercrime underground. Getting a
handled on all of these types of cyber threats is a huge undertaking. Hopefully
some of the resources below will help new analysts get started on this mammoth
task, but will hopefully help highlight why CTI analysts are always constantly
learning.
Resources:
Description |
Link |
Here’s a
project which contains a large list of threat group names
and their AKAs |
|
Here’s a project that contains information about ransomware groups and their tools |
|
Here’s a similar project that contains all the vulnerabilities exploited by ransomware gangs |
|
Here’s a project that contains a collection of reports by companies who have been breached |
|
Here’s a blog about various types of APT groups |
|
Here’s a blog about hacktivist groups and how they often lie and overhype their claims |
Responding to Requests for Information (RFIs) is a crucial
aspect of a CTI team’s function. RFIs typically come from internal
stakeholders, such as security, executive teams, or external partners, who need
in-depth analysis on specific threats or incidents. CTI analysts should answer
RFIs by conducting their own research and produce clear, actionable reports
that detail their findings, and their assessment of the potential impact on the
organisation.
Resources:
Creating detailed threat actor profiles is a key part of a CTI analyst’s job. These profiles help organisations understand an adversary’s tactics, techniques, and procedures (TTPs) as well as who their victims are, their motivations, and their potential origin. By compiling data on malicious cyber adversaries, such as their preferred tools, infrastructure, and methods, CTI analysts can provide valuable insights that enable proactive defenses against future threats. Threat actor profiles can also serve as a valuable resource for internal teams and leadership to prioritise risk management.
Resources:
Another type of intelligence product, CTI analysts are
likely to create are threat landscape reports, which offer a high-level view of
the current threat environment. These reports are often produced on a periodic
basis (monthly or quarterly) and provide insights on emerging threats, trends
in adversary behavior, or significant incidents affecting the industry.
Resources:
Supporting threat
hunting operations and malware analysis services are also standard
responsibilities for CTI teams in the industry. The main prerequisite for this
includes having security operations teams, such as SOCs and CERTs, as
stakeholders. CTI teams can then provide detection rules, using behavioural
signatures, based on intelligence gathered from proactive research or in
response to an incident. These detection rules then enhance security measures,
enabling teams to detect and mitigate attacks more effectively.
Resources:
CTI analysts will often play a role in brand monitoring,
keeping a close eye on mentions of the organisation in the news and cybercrime
underground. This involves tracking chatter on news sites, social media,
underground forums, dark web marketplaces, or Telegram channels to detect any
references to the company, its assets, or its personnel to identify potential
incidents. Early detection of these mentions can help respond to potential
attacks, data breaches, or fraud attempts. This can also include monitoring for
breaches impacting your organisation’s supply chain, partners, or large
customer organisations.
Resources:
CTI analysts will often be handling indicators of compromise (IOCs) during daily operations. Triaging IOCs received from various sources is a big part of the role. Understanding what makes an indicator useful is vital to be able to provide context about attacks. Collecting IOCs in threat intelligence platforms (TIPs) and vetting them to support their implementation into security controls is another duty that is often split between a CTI team and a security engineering program. However, it is important for CTI analysts to know how research, pivot on, vet, and disseminate IOCs. Due to CTI teams often having access to commercial TIPs or being able to conduct open source intelligence (OSINT) research on IOCs, this duty often fall to them.
Resources:
CTI teams often play
a key role in threat and vulnerability management (TVM). Many organisations
have standalone TVM teams that interface with CTI teams who provide the latest
news about vulnerabilities exploited in the wild from monitoring their sources.
Another discipline that may come under a CTI team’s remit is attack surface
scanning and looking for exposures. This is because as CTI teams tracks the
latest exploitation campaigns of adversaries and will know which products and
devices are being currently targeted. Therefore, it pays for organisations to
have another team that performs an attack surface check based on threat
intelligence.
Resources:
Lastly, once you start working in CTI you quickly realise
that the CTI industry is very close knit. Due to the nature of working with the
other organisations to share information, long-term bonds between analysts and
teams are inherently forged. As an individual CTI analyst, CTI manager, or CTI
team it is vital build up a network of contacts and form official intelligence
sharing partnerships.
This all starts however from being a member of the
community. This includes going to conferences, talking to other analysts over
social media (Twitter or LinkedIn), or participating in online communities,
such as those on Discord. While participating in these communities and talking
to other CTI practitioners it is always important to keep operational security
(OPSEC) in mind and maintain trust, as well as obeying the Traffic Light
Protocol (TLP).
Resources:
If you have gone through all the resources in this blog (well done!) but you’re still looking for more things to read, then luckily enough for you, there’s still plenty more out there. I recommend taking a look at other guides created by renowned CTI experts, such as Katie Nickels’ CTI Self Study Guide Part 1 and Part 2 as well as Andy Piazza’s CTI Study Plan here.