Travis Farral
The Road Less Traveled: Building a Career in Cyberthreat Intelligence

It's hard to become a threat intelligence pro, but there are three primary ways of going about it.

The cybersecurity skills shortage is nothing new, and as the demand for cybersecurity experts continues to grow — an expected 53% through 2018, according to the Bureau of Labor Statistics — organizations and government entities will continue to fall victim to large-scale breaches. Although the need for these experts is clear, a defined career road map for information security experts is not.

Despite a growing urgency to fill these roles, education options and formalized career tracks for cybersecurity professionals are limited. Though some are fortunate enough to find their place through traditional IT jobs, I've encountered far too many budding information security professionals with no clear direction on how to get started. The path to becoming a cyberthreat intelligence professional is no exception.

In fact, it's even less developed than many other cybersecurity career paths. A career in cyberthreat intelligence still requires many of the same base skills as an incident response analyst, such as understanding malware delivery techniques and the ability to read packet captures, but it also requires a firm understanding of the fundamentals of intelligence theory. This includes the intelligence life cycle, collections, developing various types of intelligence analysis, and creating timely and relevant intelligence products. These intelligence-specific skills have little overlap with other information security disciplines, making this career track a bit of an island in the information security world.

Defining the Threat Intelligence Role
As organizations grow their information security programs, threat intelligence roles are becoming increasingly common. Whether as a partial job responsibility or a full-time role, the need for information security professionals with skills in threat intelligence is growing. To really get the best value out of a cyberthreat intelligence program, having trained threat intelligence analysts on the team is a must. These analysts should be responsible for analyzing raw external and internal intelligence data and should be able to produce finished analysis that drives decisions and actions, or improves situational awareness, for intelligence consumers based on their requirements.

Doing this right really requires training in threat intelligence analysis and specific skills in the information security arena. Specifically, this means being able to define collection requirements to drive required analysis products, develop new intelligence products based on intelligence consumer requirements, and have the ability to at least read incoming logs, packet captures, and other intelligence (both indicators and finished intelligence). All of this is in addition to performing the analysis itself and producing reports or other finished intelligence.

Three Paths
For those looking to pursue a career in the cyberthreat intelligence discipline, there are essentially three primary paths. Some will choose to go the route of traditional intelligence theory training, either through a university or the military, because of the well-rounded threat intelligence classes and programs offered in these institutions. Although these programs aren't specifically geared toward the cybersecurity sector, those who select this path will build a working knowledge of intelligence and its many applications, then ideally be able to leverage that background in an information security setting.

An alternative route is to pursue a degree or self-developed skills in general cybersecurity practices, building intelligence in later on. Though cybersecurity-focused majors aren't yet offered at many schools, there are a number of respected institutions, including Carnegie Mellon and Georgia Tech, with solid programs that teach the fundamentals of security, ranging from programming and scripting to network security and computer forensics. These skills provide a solid foundation for a budding cybersecurity career; however, the average cybersecurity curriculum doesn't include courses geared specifically toward information security intelligence.


Instead, those who choose this route will need to learn intelligence skills while in the field or on their own through diligent self-study and application. This path isn't as straightforward, and often the level of understanding of intelligence principles is not as robust as that of someone coming from a traditional intelligence background. Those who choose this path must seek additional on-the-job training and other resources to round out their intelligence capabilities. Working alongside analysts who have been traditionally trained in threat intelligence is a great way to fill the needed gaps.

With so few formal options available to guide a career in threat intelligence, finding success in the field takes both creativity and tenacity. Ingesting publicly available resources and getting your hands dirty by doing can be an effective way to develop threat intelligence analysis skills. There are a handful of free online resources available to get people started in threat intelligence, such as the Carnegie Mellon University Cyber Intelligence Tradecraft Project, the Level 1 Intelligence Analyst certification on Udemy, and the seminal Psychology of Intelligence Analysis document available free from the Central Intelligence Agency website.

Use virtual machines to test and play around with collecting intelligence (feeds, logs, WHOIS, and other resources) and start doing intelligence analysis. Spend time with more experienced analysts and engineers by attending local security events such as Security BSides or information security meet-ups (Google can be your friend in finding these). Often these events have topics and experts that directly or indirectly relate to cyberthreat intelligence. Join mailing lists and engage in other online groups like Defcon Groups. Watch information security talks on Dark Reading and YouTube.

Although not as abundant as other information security disciplines, there are now several resources available specific to threat intelligence, so find whatever works for you and take your threat intelligence career path into your own hands.

Travis Farral is a seasoned IT security professional with extensive background in corporate security environments. Prior to his current role as Director of Security Strategy at Silicon Valley-based threat intelligence platform provider Anomali, Farral was with ExxonMobil, ...

Comments
Oz Kirkham, 6/3/2017 | 3:24:23 PM
Great write-up!
Thanks for your article, Travis, well written and a great help for a budding threat intel pro.