Threat Intelligence

Travis Farral

The Road Less Traveled: Building a Career in Cyberthreat Intelligence

It's hard to become a threat intelligence pro, but there are three primary ways of going about it.

The cybersecurity skills shortage is nothing new, and as the demand for cybersecurity experts continues to grow — an expected 53% through 2018, according to the Bureau of Labor Statistics — organizations and government entities will continue to fall victim to large-scale breaches. Although the need for these experts is clear, a defined career road map for information security experts is not.

Despite a growing urgency to fill these roles, education options and formalized career tracks for cybersecurity professionals are limited. Though some are fortunate enough to find their place through traditional IT jobs, I've encountered far too many budding information security professionals with no clear direction on how to get started. The path to become a cyberthreat intelligence professional is no exception.

In fact, it's even less developed than many other cybersecurity career paths. A career in cyberthreat intelligence still requires many of the same base skills as an incident response analyst, such as understanding malware delivery techniques and the ability to read packet captures, but it also requires a firm understanding of the fundamentals of intelligence theory. This includes the intelligence life cycle, collections, developing various types of intelligence analysis, and creating timely and relevant intelligence products. These intelligence-specific skills have little overlap with other information security disciplines, making this career track a bit of an island in the information security world.

Defining the Threat Intelligence Role
As organizations grow their information security programs, threat intelligence roles are becoming increasingly common. Whether as a partial job responsibility or a full-time role, the need for information security professionals with threat intelligence skills is growing. To get the best value out of a cyberthreat intelligence program, having trained threat intelligence analysts on the team is a must. These analysts should be responsible for analyzing raw external and internal intelligence data and for producing finished analysis that drives decisions and actions, or improves situational awareness, for intelligence consumers based on their requirements.

Doing this well requires training in threat intelligence analysis as well as specific skills in the information security arena. Concretely, this means being able to define collection requirements that drive the required analysis products, develop new intelligence products based on intelligence consumer requirements, and at least read incoming logs, packet captures, and other intelligence (both indicators and finished intelligence). All of this is in addition to performing the analysis itself and producing reports or other finished intelligence.

Three Paths
For those looking to pursue a career in the cyberthreat intelligence discipline, there are essentially three primary paths. Some will choose the route of traditional intelligence theory training, either through a university or the military, because of the well-rounded intelligence classes and programs offered by these institutions. Although these programs aren't specifically geared toward the cybersecurity sector, those who select this path will build a working knowledge of intelligence and its many applications, then ideally be able to leverage that background in an information security setting.

An alternative route is to pursue a degree or self-developed skills in general cybersecurity practices, building intelligence in later on. Though cybersecurity-focused majors aren't yet offered at many schools, there are a number of respected institutions, including Carnegie Mellon and Georgia Tech, with solid programs that teach the fundamentals of security, ranging from programming and scripting to network security and computer forensics. These skills provide a solid foundation for a budding cybersecurity career; however, the average cybersecurity curriculum doesn't include courses geared specifically toward information security intelligence.


Instead, those who choose this route will need to learn intelligence skills in the field or on their own through diligent self-study and application. This path isn't as straightforward, and the resulting understanding of intelligence principles is often not as robust as that of someone coming from a traditional intelligence background. Those who choose this path must seek additional on-the-job training and other resources to round out their intelligence capabilities. Working alongside analysts who have been traditionally trained in threat intelligence is a great way to fill the gaps.

With so few formal options available to guide a career in threat intelligence, finding success in the field takes both creativity and tenacity. Ingesting publicly available resources and getting your hands dirty by doing can be an effective way to develop threat intelligence analysis skills. There are a handful of free online resources available to get people started in threat intelligence, such as the Carnegie Mellon University Cyber Intelligence Tradecraft Project, the Level 1 Intelligence Analyst certification on Udemy, and the seminal Psychology of Intelligence Analysis document available free from the Central Intelligence Agency website.

Use virtual machines to test and play around with collecting intelligence (feeds, logs, WHOIS, and other resources) and start doing intelligence analysis. Spend time with more experienced analysts and engineers by attending local security events such as Security BSides or information security meet-ups (Google can be your friend in finding these). These events often feature topics and experts that relate directly or indirectly to cyberthreat intelligence. Join mailing lists and engage in other online groups like Defcon Groups. Watch information security talks on Dark Reading and YouTube.
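As an added example of the kind of hands-on exercise described above (this is not code from the article or from Anomali), here is a small Python script that ingests an indicator feed and sweeps it across proxy log lines, applying a confidence threshold so that a low-confidence blocklist entry does not drown out a high-confidence vendor indicator. The feed and the log lines are constructed for the exercise, the CSV columns (type, value, confidence, source) are an assumed feed layout, and the addresses and domains are documentation ranges and example names, not real infrastructure.

```python
"""Indicator-matching exercise: parse a CSV indicator feed and sweep it across
proxy log lines, keeping only hits at or above a confidence threshold.

Added example for a lab VM; not code from the article or from Anomali.
The feed and log lines below are constructed for the exercise.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed feed. Assumed column layout: type, value, confidence (0-100), source.
FEED_CSV = """type,value,confidence,source
domain,malicious-update.example,80,vendor-feed-a
ipv4,203.0.113.45,70,vendor-feed-a
ipv4-cidr,198.51.100.0/24,40,osint-blocklist
url,http://malicious-update.example/stage2.bin,90,vendor-feed-a
domain,cdn.legit.example,10,osint-blocklist
"""

# Constructed proxy log lines: "<timestamp> <client-ip> <result-code> <url>".
LOG_LINES = [
    "1502800001.123 10.0.0.7 TCP_MISS/200 http://malicious-update.example/stage2.bin",
    "1502800002.456 10.0.0.9 TCP_MISS/200 http://cdn.legit.example/jquery.js",
    "1502800003.789 10.0.0.7 TCP_MISS/200 http://198.51.100.77/beacon",
    "1502800004.000 10.0.0.11 TCP_MISS/304 http://intranet.example/",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+(?P<url>\S+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def load_feed(text):
    """Parse the CSV feed into {type: {indicator: {confidence, source}}}.

    CIDR indicators are stored as ip_network objects so containment
    checks work; everything else is stored lower-cased for exact matching.
    """
    indicators = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        key = row["value"].strip().lower()
        if row["type"] == "ipv4-cidr":
            key = ipaddress.ip_network(key, strict=False)
        indicators[row["type"]][key] = {
            "confidence": int(row["confidence"]),
            "source": row["source"].strip(),
        }
    return indicators


def match_line(line, indicators):
    """Return a list of (type, indicator, confidence) hits for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than guess
    url = m.group("url").lower()
    host_match = HOST_RE.match(url)
    host = host_match.group(1) if host_match else ""
    hits = []
    if url in indicators["url"]:
        hits.append(("url", url, indicators["url"][url]["confidence"]))
    if host in indicators["domain"]:
        hits.append(("domain", host, indicators["domain"][host]["confidence"]))
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not a literal address
    if ip is not None:
        if str(ip) in indicators["ipv4"]:
            hits.append(("ipv4", str(ip), indicators["ipv4"][str(ip)]["confidence"]))
        for net, meta in indicators["ipv4-cidr"].items():
            if ip in net:
                hits.append(("ipv4-cidr", str(net), meta["confidence"]))
    return hits


def sweep(lines, indicators, min_confidence=50):
    """Sweep log lines; return {client_ip: [hits]} at or above min_confidence."""
    results = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for hit in match_line(line, indicators):
            if hit[2] >= min_confidence:
                results[m.group("client")].append(hit)
    return dict(results)


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    for threshold in (50, 0):
        print(f"--- min_confidence={threshold} ---")
        for client, hits in sweep(LOG_LINES, feed, threshold).items():
            for kind, value, conf in hits:
                print(f"{client}\t{kind}\t{value}\tconfidence={conf}")
```

Run it twice, with the default threshold of 50 and then with 0, and compare: at 50 only the vendor-feed hits on 10.0.0.7 survive, while at 0 the low-confidence OSINT entries (the /24 block and cdn.legit.example) also fire and would send an analyst chasing a likely-benign CDN. Deciding where that threshold sits, and which sources earn a higher one, is exactly the kind of collection and analysis judgment the article says a threat intelligence analyst must develop.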

Although not as abundant as other information security disciplines, there are now several resources available specific to threat intelligence, so find whatever works for you and take your threat intelligence career path into your own hands.

Travis Farral is a seasoned IT security professional with extensive background in corporate security environments. Prior to his current role as Director of Security Strategy at Silicon Valley-based threat intelligence platform provider Anomali, Farral was with ExxonMobil, ...
Oz Kirkham, User Rank: Apprentice
6/3/2017 | 3:24:23 PM
Great write up!
Thanks for your article Travis, well written and a great help for a budding threat intel pro.
