A Cyber Threat Intelligence (CTI) analyst plays a critical role in defending an organization from cyber attacks. They need to gather information about the latest cyber threats, assess the relevance and potential impact they could have on their organization, and provide actionable intelligence to other defenders in the organization to protect against these threats.
This is a challenging job. You need strong cyber security knowledge across various disciplines, an understanding of the red and blue sides, and data analysis skills to prioritize which challenges to tackle across the vast threat landscape. You must also communicate these findings to security professionals at every level of your organization’s hierarchy, from junior SOC analysts who need tactical intelligence (IOCs) to C-suite executives who need strategic intelligence.
There are pitfalls around every corner that can have you spending weeks or even months prioritizing the wrong things, poorly communicating your findings, or wasting your time chasing red herrings.
I made several mistakes while working in a SOC and later as a senior CTI analyst. Here are the big ones you can hopefully avoid on your quest to learn about cyber threat intelligence or become a CTI analyst, along with practical advice on how to avoid them!
You can learn more about a typical day for a threat intelligence analyst in Day in the Life of a Senior Threat Intelligence Analyst.
Mistake #1: Thinking All Indicators Are Equal
The first things you learn about when you join a SOC, or any technical blue team role, are Indicators of Compromise (IOCs). These are artifacts that get left behind in log files and “indicate” something bad has happened. There are two main types of IOCs:
- Endpoint-based indicators: Things you will find on endpoint devices (e.g., workstations, laptops, servers), such as file hashes, registry keys/values, filenames, etc.
- Network-based indicators: Things you find in network logs (e.g., firewall logs, VPN logs, WAF logs), such as IP addresses, domain names, URLs, user agents, etc.
The trouble with IOCs is that they are not all created equal. You can change a file’s…