June 21, 2018 • Winnona DeSombre
I like to tell people that I “won the lottery” when it came to finding a job in cyber threat intelligence. Coming into college as an international relations major, I picked up computer science along the way and decided that the most obvious path to combining my two interests was cybersecurity. I assumed that I was narrowing down my career path, but I was totally wrong. The field I had entered into contained a range of technical and non-technical flavors, each with its own specific language. I had never heard of penetration testing1 or security operations centers,2 let alone what GDPR3 was or why it was important.
Because of this, I spent a good chunk of my college career figuring out paths in security that I didn’t want to take. I had some technical internships, competed in CTFs,4 and did compliance research5 for pro-bono projects. At one point, it felt like I was randomly choosing career paths, only to be disappointed by the path I chose. Landing in Recorded Future as a threat intelligence researcher right out of college was my lucky break — had it not been for some great mentors and a Recorded Future advertisement in my favorite security podcast, I might not have known that threat intelligence even existed.
My underlying problem was that even though I knew I wanted to pursue cybersecurity, I had no idea if there was a cybersecurity field that fit my interests. Thus, this blog post will describe threat intelligence, what I’ve already learned from my job, why I enjoy it, and what skills make an individual valuable in this field. To anyone looking to pursue cybersecurity who doesn’t know where to start, I hope that you read this and realize one of two things: either that threat intelligence is the perfect field for you, or that this is a field you know you won’t enjoy and you can now focus on finding something else that better fits your interests. (To be extra helpful to industry newbies, I’ve put definitions for industry-specific jargon in the footnotes).
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” These emerging hazards can be anything from an insider threat (disgruntled employee selling sensitive company data online), to state-sponsored espionage (what the Chinese do all the time). Organizations range from small businesses to governments, and decision makers range from security architects to CEOs.
Effectively, a threat intelligence researcher finds a threat relevant to the organization and turns the information about a threat into a narrative. What do we know about this threat? What makes this threat a danger? What can be done about it? This threat can come from vulnerability disclosures,6 dark web forums,7 malware analysis,8 news stories, or even social media posts. Then, this threat intelligence researcher makes sure the people in charge know three important details:
Threat intelligence researchers find needles in haystacks and then somehow spin those needles into gold.
Malware analysis, data collection, open source research, developing tools and platforms, and mapping out C29 infrastructure are all tasks that I’ve conducted in the last three months. Because threat intelligence focuses on investigating leads and threats, investigations need to be as holistic as possible. Understanding how an actor sets up their C2 infrastructure or writes their malware will help you attribute other campaigns10 to them in the future, while knowing current events within their home country can help you figure out their motives. Of course, investigations also need to be accurate and timely — threat intelligence encourages specialization in the above fields as well as space to explore.
Anyone, regardless of age or specialization, can start a job in threat intelligence if they can do the following:
So far, being a threat intelligence researcher suits me well. I enjoy learning new things and picking apart a problem from both technical and non-technical angles. I have a desire to investigate problems and am fascinated by cyber threat actors — who they are, how they conduct operations, and why they conduct them. In addition, I am good at communicating these threats to others. I also picked up important skills along the way, such as when to follow my gut, how to analyze trends and connections between actors, and how to communicate in a way that engages others.
If you identify with many of these character traits, and if the skills that I have learned also interest you, I highly recommend that you consider a job in threat intelligence. If not, I hope that you eventually find the job you want. Finding a job that fits into this field is just as validating as winning the lottery, and this is one less path you need to try before that happens.
1Finding vulnerabilities in a company system by conducting cyberattacks against it.
2A facility that helps security teams find, analyze, and respond to cyber incidents within a company.
3A data privacy regulation that applies to any company and processes the data of EU residents.
4Capture-the-flag competition: A competition in which you hack into a system to retrieve flags.
5Ensuring a system is compliant with appropriate laws covering data privacy and system security.
6Published analysis on a vulnerability, usually from MITRE, security blogs, or the affected company.
7Forums from sites on the internet that are only accessible via special software, like Tor browsers.
8Picking apart malware or running it to see what it does, where it sends data, etc.
9Command and control: An actor’s server, where they can collect data or send commands to malware.
10A cyberattack or series of attacks an actor conducts against one or more targets.
11Tactics, techniques, and procedures: Patterns of activities or methods associated with a specific actor.