The cybersecurity skills shortage is nothing new, and as the demand for cybersecurity experts continues to grow — an expected 53% through 2018, according to the Bureau of Labor Statistics — organizations and government entities will continue to fall victim to large-scale breaches. Although the need for these experts is clear, a defined career road map for information security experts is not.
Despite a growing urgency to fill these roles, education options and formalized career tracks for cybersecurity professionals are limited. Though some are fortunate enough to find their place through traditional IT jobs, I've encountered far too many budding information security professionals with no clear direction on how to get started. The path to become a cyberthreat intelligence professional is no exception.
In fact, it's even less developed than many other cybersecurity career paths. A career in cyberthreat intelligence still requires many of the same base skills as an incident response analyst, such as understanding malware delivery techniques and the ability to read packet captures, but it also requires a firm understanding of the fundamentals of intelligence theory. This includes the intelligence life cycle, collections, developing various types of intelligence analysis, and creating timely and relevant intelligence products. These intelligence-specific skills have little overlap with other information security disciplines, making this career track a bit of an island in the information security world.
Defining the Threat Intelligence Role
As organizations grow their information security programs, threat intelligence roles are becoming increasingly common. Whether as a partial job responsibility or a full-time role, the needs for information security professionals with skills in threat intelligence are growing. To really get the best value out of a cyberthreat intelligence program, having trained threat intelligence analysts on the team is a must. These analysts should be responsible for analyzing raw external and internal intelligence data and be able to form finished analysis to drive decisions and actions or improve situational awareness for intelligence consumers based on their requirements.
Doing this right really requires training in threat intelligence analysis and specific skills in the information security arena. Specifically, this means being able to define collection requirements to drive required analysis products, develop new intelligence products based on intelligence consumer requirements, and have the ability to at least read incoming logs, packet captures, and other intelligence (both indicators and finished intelligence). All of this is in addition to performing the analysis itself and producing reports or other finished intelligence.
For those looking to pursue a career in the cyberthreat intelligence discipline, there are essentially three primary paths. Some will choose to go the route of traditional intelligence theory training, either through a university or the military, because of the well-rounded threat intelligence classes and programs offered in these institutions. Although these programs aren't specifically geared toward the cybersecurity sector, those who select this path will build a working knowledge of intelligence and its many applications, then ideally be able to leverage that background in an information security setting.
An alternative route is to pursue a degree or self-developed skills in general cybersecurity practices, building intelligence in later on. Though cybersecurity-focused majors aren't yet offered at many schools, there are a number of respected institutions, including Carnegie Mellon and Georgia Tech, with solid programs that teach the fundamentals of security, ranging from programming and scripting to network security and computer forensics. These skills provide a solid foundation for a budding cybersecurity career; however, the average cybersecurity curriculum doesn't include courses geared specifically toward information security intelligence.
[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]
Instead, those who choose this route will need to learn intelligence skills while in the field or on their own through diligent self-study and application. This path isn't as straightforward, and often the level of understanding of intelligence principles not as robust as someone coming from a traditional intelligence background. Those that choose this path must seek additional on-the-job training and other resources to round out their intelligence capabilities. Working alongside analysts who have been traditionally trained in threat intelligence is a great way to fill the needed gaps.
With so few formal options available to guide a career in threat intelligence, finding success in the field takes both creativity and tenacity. Ingesting publicly available resources and getting your hands dirty by doing can be an effective way to develop threat intelligence analysis skills. There are a handful of free online resources available to get people started in threat intelligence, such as the Carnegie Mellon University Cyber Intelligence Tradecraft Project, the Level 1 Intelligence Analyst certification on Udemy, and the seminal Psychology of Intelligence Analysis document available free from the Central Intelligence Agency website.
Use virtual machines to test and play around with collecting intelligence (feeds, logs, WHOIS, and other resources) and start doing intelligence analysis. Spend time with more experienced analysts and engineers by attending local security events such as Security BSides or information security meet-ups (Google or Meetup.com can be your friend to find these). Often these events have topics and experts that directly or indirectly relate to cyberthreat intelligence. Join mailing lists and engage in other online groups like Defcon Groups. Watch information security talks on Dark Reading and YouTube.
Although not as abundant as other information security disciplines, there are now several resources available specific to threat intelligence, so find whatever works for you and take your threat intelligence career path into your own hands.