Threat Intelligence

10:30 AM
Travis Farral

The Road Less Traveled: Building a Career in Cyberthreat Intelligence

It's hard to become a threat intelligence pro, but there are three primary ways of going about it.

The cybersecurity skills shortage is nothing new, and as the demand for cybersecurity experts continues to grow — an expected 53% through 2018, according to the Bureau of Labor Statistics — organizations and government entities will continue to fall victim to large-scale breaches. Although the need for these experts is clear, a defined career road map for information security experts is not.

Despite a growing urgency to fill these roles, education options and formalized career tracks for cybersecurity professionals are limited. Though some are fortunate enough to find their place through traditional IT jobs, I've encountered far too many budding information security professionals with no clear direction on how to get started. The path to become a cyberthreat intelligence professional is no exception.

In fact, it's even less developed than many other cybersecurity career paths. A career in cyberthreat intelligence still requires many of the same base skills as an incident response analyst, such as understanding malware delivery techniques and the ability to read packet captures, but it also requires a firm understanding of the fundamentals of intelligence theory. This includes the intelligence life cycle, collections, developing various types of intelligence analysis, and creating timely and relevant intelligence products. These intelligence-specific skills have little overlap with other information security disciplines, making this career track a bit of an island in the information security world.

Defining the Threat Intelligence Role
As organizations grow their information security programs, threat intelligence roles are becoming increasingly common. Whether as a partial job responsibility or a full-time role, the need for information security professionals with skills in threat intelligence is growing. To really get the best value out of a cyberthreat intelligence program, having trained threat intelligence analysts on the team is a must. These analysts should be responsible for analyzing raw external and internal intelligence data and be able to form finished analysis to drive decisions and actions or improve situational awareness for intelligence consumers based on their requirements.

Doing this right really requires training in threat intelligence analysis and specific skills in the information security arena. Specifically, this means being able to define collection requirements to drive required analysis products, develop new intelligence products based on intelligence consumer requirements, and at least read incoming logs, packet captures, and other intelligence (both indicators and finished intelligence). All of this is in addition to performing the analysis itself and producing reports or other finished intelligence.

Three Paths
For those looking to pursue a career in the cyberthreat intelligence discipline, there are essentially three primary paths. Some will choose to go the route of traditional intelligence theory training, either through a university or the military, because of the well-rounded threat intelligence classes and programs offered in these institutions. Although these programs aren't specifically geared toward the cybersecurity sector, those who select this path will build a working knowledge of intelligence and its many applications, then ideally be able to leverage that background in an information security setting.

An alternative route is to pursue a degree or self-developed skills in general cybersecurity practices, building intelligence in later on. Though cybersecurity-focused majors aren't yet offered at many schools, there are a number of respected institutions, including Carnegie Mellon and Georgia Tech, with solid programs that teach the fundamentals of security, ranging from programming and scripting to network security and computer forensics. These skills provide a solid foundation for a budding cybersecurity career; however, the average cybersecurity curriculum doesn't include courses geared specifically toward information security intelligence.

Instead, those who choose this route will need to learn intelligence skills while in the field or on their own through diligent self-study and application. This path isn't as straightforward, and often the level of understanding of intelligence principles is not as robust as that of someone coming from a traditional intelligence background. Those who choose this path must seek additional on-the-job training and other resources to round out their intelligence capabilities. Working alongside analysts who have been traditionally trained in threat intelligence is a great way to fill the needed gaps.

With so few formal options available to guide a career in threat intelligence, finding success in the field takes both creativity and tenacity. Ingesting publicly available resources and getting your hands dirty by doing can be an effective way to develop threat intelligence analysis skills. There are a handful of free online resources available to get people started in threat intelligence, such as the Carnegie Mellon University Cyber Intelligence Tradecraft Project, the Level 1 Intelligence Analyst certification on Udemy, and the seminal Psychology of Intelligence Analysis document available free from the Central Intelligence Agency website.

Use virtual machines to test and play around with collecting intelligence (feeds, logs, WHOIS, and other resources) and start doing intelligence analysis. Spend time with more experienced analysts and engineers by attending local security events such as Security BSides or information security meet-ups (Google or can be your friend to find these). Often these events have topics and experts that directly or indirectly relate to cyberthreat intelligence. Join mailing lists and engage in other online groups like Defcon Groups. Watch information security talks on Dark Reading and YouTube.

Although not as abundant as other information security disciplines, there are now several resources available specific to threat intelligence, so find whatever works for you and take your threat intelligence career path into your own hands.

Travis Farral is a seasoned IT security professional with extensive background in corporate security environments. Prior to his current role as Director of Security Strategy at Silicon Valley-based threat intelligence platform provider Anomali, Farral was with ExxonMobil, ...
Oz Kirkham,
User Rank: Apprentice
6/3/2017 | 3:24:23 PM
Great write up!
Thanks for your article Travis, well written and a great help for a budding threat intel pro.
