Threat Intelligence

10:30 AM
Travis Farral

The Road Less Traveled: Building a Career in Cyberthreat Intelligence

It's hard to become a threat intelligence pro, but there are three primary ways of going about it.

The cybersecurity skills shortage is nothing new, and as the demand for cybersecurity experts continues to grow — an expected 53% through 2018, according to the Bureau of Labor Statistics — organizations and government entities will continue to fall victim to large-scale breaches. Although the need for these experts is clear, a defined career road map for information security experts is not.

Despite a growing urgency to fill these roles, education options and formalized career tracks for cybersecurity professionals are limited. Though some are fortunate enough to find their place through traditional IT jobs, I've encountered far too many budding information security professionals with no clear direction on how to get started. The path to becoming a cyberthreat intelligence professional is no exception.

In fact, it's even less developed than many other cybersecurity career paths. A career in cyberthreat intelligence still requires many of the same base skills as an incident response analyst, such as understanding malware delivery techniques and the ability to read packet captures, but it also requires a firm understanding of the fundamentals of intelligence theory. This includes the intelligence life cycle, collections, developing various types of intelligence analysis, and creating timely and relevant intelligence products. These intelligence-specific skills have little overlap with other information security disciplines, making this career track a bit of an island in the information security world.

Defining the Threat Intelligence Role

As organizations grow their information security programs, threat intelligence roles are becoming increasingly common. Whether as a partial job responsibility or a full-time role, the need for information security professionals with skills in threat intelligence is growing. To really get the best value out of a cyberthreat intelligence program, having trained threat intelligence analysts on the team is a must. These analysts should be responsible for analyzing raw external and internal intelligence data and be able to form finished analysis to drive decisions and actions or improve situational awareness for intelligence consumers based on their requirements.

Doing this right really requires training in threat intelligence analysis and specific skills in the information security arena. Specifically, this means being able to define collection requirements to drive required analysis products, develop new intelligence products based on intelligence consumer requirements, and at least read incoming logs, packet captures, and other intelligence (both indicators and finished intelligence). All of this is in addition to performing the analysis itself and producing reports or other finished intelligence.

Three Paths

For those looking to pursue a career in the cyberthreat intelligence discipline, there are essentially three primary paths. Some will choose to go the route of traditional intelligence theory training, either through a university or the military, because of the well-rounded threat intelligence classes and programs offered in these institutions. Although these programs aren't specifically geared toward the cybersecurity sector, those who select this path will build a working knowledge of intelligence and its many applications, then ideally be able to leverage that background in an information security setting.

An alternative route is to pursue a degree or self-developed skills in general cybersecurity practices, building intelligence in later on. Though cybersecurity-focused majors aren't yet offered at many schools, there are a number of respected institutions, including Carnegie Mellon and Georgia Tech, with solid programs that teach the fundamentals of security, ranging from programming and scripting to network security and computer forensics. These skills provide a solid foundation for a budding cybersecurity career; however, the average cybersecurity curriculum doesn't include courses geared specifically toward information security intelligence.

Instead, those who choose this route will need to learn intelligence skills while in the field or on their own through diligent self-study and application. This path isn't as straightforward, and often the level of understanding of intelligence principles is not as robust as that of someone coming from a traditional intelligence background. Those who choose this path must seek additional on-the-job training and other resources to round out their intelligence capabilities. Working alongside analysts who have been traditionally trained in threat intelligence is a great way to fill the needed gaps.

With so few formal options available to guide a career in threat intelligence, finding success in the field takes both creativity and tenacity. Ingesting publicly available resources and getting your hands dirty by doing can be an effective way to develop threat intelligence analysis skills. There are a handful of free online resources available to get people started in threat intelligence, such as the Carnegie Mellon University Cyber Intelligence Tradecraft Project, the Level 1 Intelligence Analyst certification on Udemy, and the seminal Psychology of Intelligence Analysis document available free from the Central Intelligence Agency website.

Use virtual machines to test and play around with collecting intelligence (feeds, logs, WHOIS, and other resources) and start doing intelligence analysis. Spend time with more experienced analysts and engineers by attending local security events such as Security BSides or information security meet-ups (Google or Meetup.com can be your friend to find these). Often these events have topics and experts that directly or indirectly relate to cyberthreat intelligence. Join mailing lists and engage in other online groups like Defcon Groups. Watch information security talks on Dark Reading and YouTube.

Although not as abundant as other information security disciplines, there are now several resources available specific to threat intelligence, so find whatever works for you and take your threat intelligence career path into your own hands.

Travis Farral is a seasoned IT security professional with extensive background in corporate security environments. Prior to his current role as Director of Security Strategy at Silicon Valley-based threat intelligence platform provider Anomali, Farral was with ExxonMobil, ...

Oz Kirkham
6/3/2017 | 3:24:23 PM
Great write up!
Thanks for your article Travis, well written and a great help for a budding threat intel pro.
