Let me paint you a picture. You’re at a networking event, and someone inevitably asks, “So, what do you do?” You reply, “I’m a Cyber Threat Intelligence Analyst.”
The response is almost always the same: “Oh, so you hack things?”
It’s a common misconception, and one that irritates me a lot more than I care to admit. Hacking, or better put, penetration testing, is a great skill set to have; it just isn’t the heart of what I do.
My Journey: From “Hacking” to Hunting
Like many, my path to cybersecurity was motivated by the excitement of not knowing what had happened. I can still remember the exhilaration, back in college, of finding a working exploit against a vulnerable web server. It felt as if some magic, invisible door had opened inside cyberspace. Of course, this initial curiosity laid the path for me, and brought along one of the more common misconceptions: “He’s a hacker.”
Fast-forward a few years, and I found myself on a small incident response team, fighting day in and day out against determined adversaries to figure out how they had breached our systems and what their objectives were. This experience gave me incredible insight into the tactics, techniques, and procedures that real-world threat actors put to use.
One particularly memorable incident involved a sophisticated phishing campaign targeting our CEO. The attackers had meticulously crafted a convincing email, complete with social engineering tactics and a realistic-looking attachment. Analyzing the email, the attachments, and the subsequent activity within our network helped me understand the adversary’s motivations and the potential impact of such attacks.
It completely flipped my focus on its head. I knew that “why” was as important as “how,” so I moved to a Cyber Threat Intelligence position, where I could bring all of my technical background to bear on analyzing global threat landscapes and emerging threats, producing actionable intelligence for our security teams.
What CTI Really Is (and Isn’t)
Myth 1: CTI Analysts are “Cybersecurity Oracles”
The general impression in most people’s minds is that CTI analysts have some mystic ability to foresee any form of cyber threat. How wrong this is.
I recall a meeting where our CEO, with urgency, asked me, “Have you heard anything about this new vulnerability that’s being exploited in the wild?”
The vulnerability in question had been publicly disclosed that morning. While I keep up with the latest vulnerabilities through various channels, it was unrealistic to expect me to be the first to know about every single one.
CTI is about analyzing available data, whether threat feeds, open-source intelligence, or internal security logs, and identifying the patterns and trends that pose a significant risk to our organization. It is about connecting the dots, not predicting the future.
Myth 2: CTI is Just “Repackaging” News
Some perceive CTI as an exercise in summarizing recent cybersecurity news articles and circulating them to other parts of the organization. True CTI is a great deal more than keeping one’s ears open to what is happening in the industry.
Envision an e-mail titled “New Ransomware Strain Found” or “Phishing Attacks on the Increase” arriving every morning. By its nature, that is not intelligence at all.
True CTI provides context. Instead of reporting on a new family of ransomware, for example, we would reverse-engineer its TTPs to identify who it was targeting and what type of impact it could have on our organization. From there, we could make some very specific recommendations to our security teams about things like updating EDR signatures or placing greater controls on email.
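To make the “context, not headlines” distinction concrete, here is an added example that is not from the original post: a constructed threat report for a hypothetical ransomware family is checked against a constructed organization profile and a few constructed internal log lines, so that the output is relevance, actual sightings, and specific control recommendations rather than a news summary. The family name, log lines, field names and detection heuristics are all assumptions made for illustration; the technique IDs are standard ATT&CK technique numbers.

```python
# Constructed threat report: hypothetical family, sectors it targets, observed TTPs.
THREAT_REPORT = {
    "family": "EXAMPLE-RANSOM",            # placeholder name, not a real family
    "sectors": {"finance", "healthcare"},
    "ttps": {"T1566.001": "spearphishing attachment",
             "T1059.001": "PowerShell execution",
             "T1486": "data encrypted for impact"},
}
ORG_PROFILE = {"sector": "finance"}        # constructed profile of our own organization

# Constructed internal telemetry (mail gateway + EDR), key=value after timestamp and source.
LOGS = [
    "2024-05-01T08:12:03 mailgw from=payroll@lookalike.test attach=invoice.docm verdict=delivered",
    "2024-05-01T08:15:41 edr host=WS-0231 parent=WINWORD.EXE proc=powershell.exe args=-enc",
    "2024-05-01T09:02:10 edr host=WS-0231 event=mass_file_rename ext=.locked",
    "2024-05-01T09:30:00 mailgw from=partner@partner.test attach=report.pdf verdict=delivered",
]

# Simple per-technique detection heuristics over a parsed record (constructed for the example).
RULES = {
    "T1566.001": lambda r: r["src"] == "mailgw" and r.get("attach", "").endswith((".docm", ".xlsm")),
    "T1059.001": lambda r: r["src"] == "edr" and r.get("proc") == "powershell.exe"
                           and r.get("parent", "").startswith("WINWORD"),
    "T1486": lambda r: r["src"] == "edr" and r.get("event") == "mass_file_rename",
}
# The "so what": the concrete action each sighted technique should trigger.
RECOMMENDATIONS = {
    "T1566.001": "tighten email controls: block macro-enabled attachments, sandbox the rest",
    "T1059.001": "update EDR rules for Office-spawned PowerShell with encoded commands",
    "T1486": "verify offline backups and EDR ransomware behavioural blocking",
}

def parse(line):
    """Split 'timestamp source k=v k=v ...' into a dict."""
    ts, src, rest = line.split(" ", 2)
    rec = {"ts": ts, "src": src}
    rec.update(kv.split("=", 1) for kv in rest.split())
    return rec

def assess(report, org, logs):
    """Return (priority, sightings, recommendations): context instead of a headline."""
    records = [parse(line) for line in logs]
    sightings = {t: [r["ts"] for r in records if RULES[t](r)] for t in report["ttps"]}
    seen = sorted(t for t, hits in sightings.items() if hits)
    targeted = org["sector"] in report["sectors"]
    priority = "critical" if targeted and seen else "high" if targeted or seen else "monitor"
    return priority, {t: sightings[t] for t in seen}, [RECOMMENDATIONS[t] for t in seen]

if __name__ == "__main__":
    priority, seen, recs = assess(THREAT_REPORT, ORG_PROFILE, LOGS)
    print(f"{THREAT_REPORT['family']}: priority for us = {priority}")
    for tech, rec in zip(seen, recs):
        print(f"  {tech} sighted at {seen[tech]} -> {rec}")
```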
The Value of CTI: A Real-World Scenario
For illustration, let’s say that our organization is developing a new cloud-based application that will handle sensitive customer data; this is a good use case for CTI to feed into.
- Identification of the Potential Threat: By researching threat actor activity against similar cloud environments, we can identify common attack vectors, including misconfigurations, vulnerabilities in third-party libraries, and social engineering of the developer population.
- Security Controls Prioritization: We could go further in recommending specific security controls, such as robust access controls, regular penetration testing, and a security awareness training program for developers.
- Informing Risk Management Decisions: Our insights can help inform risk management decisions, such as whether to proceed with the project as planned, implement additional security measures, or even reconsider certain design choices.
The Challenges and Rewards
One of the biggest challenges in CTI is articulating the value of our work. Its impact is not always easy to reduce to dollars and cents. However, when our insights help prevent a major breach, or our analysis leads to the disruption of a malicious campaign, the reward is huge.
A Final Thought
The reality of CTI is far from the “cybersecurity hacker” stereotype. It’s about understanding the adversary and trying to stay one step ahead of them, with the mission of equipping our organization to defend itself effectively. Demanding but rewarding, this career field requires a mix of technical and analytical skill and deep knowledge of the threat landscape.
I am proud to be part of this community, and I look forward to the continuing developments that CTI will doubtless make against a tide of ever-rising cyber threats.