The Recorded Future Blog
7 Habits of Smart Threat Intelligence Analysts
by Amanda McKeon on January 26, 2016
A day in the life of a threat intelligence analyst is often hectic and ever-changing. Threats and related data abound, and an analyst must look at all angles and scenarios before making recommendations.
As information security, in general, garners more interest throughout the enterprise, an analyst’s time is more in demand and he or she might be required to provide frequent updates or participate in meetings to which they’ve never previously been invited. Collaboration with IT, incident response, SOC (security operation center), and architecture teams is increasingly important, too. And then there’s the constant need to keep abreast of new tools, technologies, and procedures (TTPs) of adversaries and geopolitical events that could impact the threat landscape.
How can a threat analyst keep up?
With so much to do each and every day, smart threat intelligence analysts practice habits that make them more effective and efficient. Below we’ve outlined the seven habits of smart threat analysts so you can start 2016 off with a resolution to provide your organization even more value in the year ahead.
Turn Off to Tune In
One of the hardest things for most people is temporarily ignoring emails, instant messages, social media, and other digital communications while we work on projects and assignments throughout the day. It isn’t that we all have attention deficit disorder; we’re trying to be responsive and communicative, which are prized attributes of any co-worker, partner, vendor, or boss.
This “always-on” communication style, however, can be detrimental to the quality of our work. If there’s one thing smart intelligence analysts don’t want to do, it’s lose sight of the potential threats to our strategic assets because of trivial distractions.
Allotting dedicated research time allows threat analysts to focus on the task at hand without becoming distracted by external chatter. Sure, some chatter might be relevant to a project scope, but for the most part, emails can wait and social media posts will still be there at the end of the day. If an emergency arises, that antiquated technology called “the telephone” can be an alternate form of communication.
Smart threat intelligence analysts are in the habit of setting boundaries and letting co-workers know there will be certain times throughout the day that they will focus on threat research without distraction: Open, read, and respond to email, internal chat (instant messages, Skype, water cooler talk), and social media no more than twice a day. I promise they will still be there awaiting your reply at lunch and at 5 o’clock.
Keep Yourself in Check
Have you ever had a day when you finally look up at the clock and think, “Wow! It’s 3:00 PM already,” yet you can’t account for that time?
Of course; we all have.
Another habit of savvy threat analysts is keeping track of his or her time and accomplishments throughout the day.
Per the suggested habit above, it’s incredibly easy to spend the bulk of one’s time lost in email chains or social media discussions, which brings us to the second habit of highly productive analysts: Keep a detailed time management journal to understand where the bulk of your time and effort is spent. Most threat analysts are surprised at the results after only a few weeks of logging their time. Just as it is recommended for people trying to lose weight to keep a food journal, a time-management journal will keep a threat analyst on track and identify the places where “cheating” occurs.
Sometimes a threat analyst will find that he or she isn’t wasting time at all. And the opposite may be true; the analyst is taking on too many responsibilities and cannot focus as precisely as the job requires. A time management journal will not only help keep your actions in check, but it will help the department understand how much effort is already spent identifying threats and indicators of compromise.
Broaden Your Horizons
For many threat analysts, their number one problem is finding the time during the day to accomplish everything (see points one and two above). Even with laser-focused task management, the sheer amount of data that needs to be identified, correlated, and analyzed is overwhelming, so the idea of dedicating time to something other than threat research is laughable … on the surface only.
Successful analysts understand that threat analysis doesn’t exist in a vacuum. An analyst needs to have an idea of how threat actors think (behavioral analysis), grasp new technologies and techniques actors might be using (technical skills), and have a sense of what’s going on in the world (situational awareness) that might impact threats to the organization.
The third habit of smart intelligence analysts is that they dedicate 30 minutes each day to education outside their core competency. Spend a bit of time every morning before embarking on regular projects to learn a new coding or spoken language or watch a webinar on how to use a new tool.
Taking time to do these things will increase your skill set and make you a better, more well-rounded threat analyst. There is a fallacy in information security that technical skills are the only ones that matter. Not true; the best security, risk, and threat professionals are those that understand context and see beyond the bits and bytes to proactively put protective measures in place. Make ongoing learning a habit and you will see dividends pay off in spades.
Slow Down, You Move Too Fast
Remember this Simon and Garfunkel song? It turns out that, while written in 1966, right at the start of the hippie movement, the songwriters were onto something. They probably could not have foreseen the go-go-go culture security professionals live in today, but the fact is that there is so much data everywhere and we’re all so connected all of the time that we often don’t slow down and pay enough attention to some of the things that really matter.
Effective threat analysts are intentional about slowing down and focusing on critical reading. Take the time to think about what you’re reading: what does this mean? Is it relevant to your organization? If it’s a general risk, could it become a targeted threat? How?
Smart threat analysts know that not all direct threats come wrapped in a package with a note that reads: “I’m here!” Honing in on the context of critical reading will allow you to find the subtleties that others might miss while they’re “multitasking.”
Getting to Know You
Technology is a fantastic tool and enabler, and cyber threats leverage technology for malicious purposes. The problem, however, is human behavior, not code.
The adversaries behind the tools and techniques are the ones writing the malware that infects corporate systems and steals the data. Someone has to program the bots, and it’s only through the understanding of human behavior and what motivates specific types of people that a threat analyst will be effective. Sharp threat analysts take time to understand the person or people perpetrating cyber crimes. Make it a habit to continually ask:
- Who is an adversary?
- What are some common traits?
- What motivates them?
- What are their TTPs?
- Who is a temporary threat actor, and are the TTPs they use dramatically different?
The psychology behind threat actor motivations is not an easy task, and threat analysts can’t be expected to also be psychologists. However, learning to identify certain types of characteristics and habits of threat actors will help threat analysts follow a more logical path. Learn about adversary motivations and TTPs — and always keep learning — and you’ll be one step closer to identifying the threats launched against your company.
Prioritize Based on Available Information
Because there are so many potential threats and so much data that could support any given threat, analysts are challenged by information overload and knowing when to put a stake in the ground. And while strategic threat intelligence is becoming more commonplace, it is still the norm to chase threats.
What this means is that, while we still have a plethora of data at hand, and projects could live on indefinitely, another habit of smart threat analysts is to prioritize information and reporting based on available information and use that to estimate the time it will take to deliver finished intelligence.
Reporting is a key component of successful threat intelligence, and executives and the board will expect updates. By examining information at hand and using that to calculate how long any given project will take, threat analysts can focus on meeting timelines.
Incidentally, a timeline doesn’t mean that an intelligence project is complete; it only means that there are logical points throughout the process when others in the organization can expect to receive intelligence updates and plan workflows around them.
For example, the architecture team might need to tune controls based on the current threat status. While the status might change, it’s important to reflect the level of controls needed for the situation at the moment. While timelines are helpful — they set a goal — the timeline should be adjusted once the threat analyst knows what information s/he is working with and has, at least, a high-level understanding of what can reasonably be delivered.
Know Your Audience
Smart intelligence analysts make it a habit to focus on the people most likely to impact the business.
In other words, key business leaders with the ability to influence organizational operations are the primary people for which threat analysts should tailor their work. If the director of IT, for instance, is the one holding the purse strings when it comes to implementing new technologies or dedicating resources to a project, focus on delivering timely and actionable information to the director of IT. If the CEO calls the shots on all strategic projects, make sure she receives and understands the work you deliver.
The goal of threat analysis is to provide the intelligence that allows the organization to ward off threats before they impact the business and allow the business to run seamlessly and efficiently so profits and market share increase. To accomplish this, know your business decision makers and influencers and produce a product that helps them do their job more effectively. In doing so, you will increase the value of threat intelligence and become an even more valued team player.
By practicing these seven habits you will learn to work smarter and improve the quality of your threat intelligence product.
Old habits are hard to change. As the late, great David Bowie sang, “Turn and face the strange.” While these habits might not seem comfortable at first, with these guidelines and a little effort, incremental changes will exponentially increase your accuracy with and efficiency of your threat predictions and recommendations.