Guide to Careers in Cyber Intelligence and Threat Analysis
Identifying and collecting information about potential cyber threats in order to deploy countermeasures, reduce or eliminate network vulnerabilities, and prevent successful cyberattacks is an integral part of effective cybersecurity operations. Accomplishing these goals requires analysts with data collection, interpretation, and reporting skills, professionals who are familiar with typical vectors of attack and the actors commonly involved in cybercriminal activities, and targeting specialists who are able to mount counteroffensive cyber operations in order to track and impede the actions of adversaries.
These functions are all part of cyber intelligence and threat analysis, an area of defensive and offensive cybersecurity operations that an increasing number of large companies, non-governmental agencies, political entities, and international organizations now rely on to prevent incursions and breaches, and safeguard sensitive information.
Employment Opportunities in Cyber Intelligence and Threat Analysis
Cyber intelligence operations have several important components and thus there are a number of distinct work roles that are associated with employment in this field. The process of creating actionable cyber intelligence begins with collections, specifically the collection of raw data and other potentially useful information from any and all relevant sources. Often referred to as all-source intelligence, the data amassed in cyber intelligence operations is commonly the product of internet, social media, and deep web searches, internal computer network scans, database queries, and/or formal and informal interviews and queries.
Intelligence collected for these purposes commonly includes text, audio, and video evidence, emails, metadata, and evidence of suspicious internal network activity. It can come from an array of digital sources, news reports, classified briefings, data mining, and, in some cases, offensive cyber operations. Once collected, the data is then subject to analysis, verification, and contextualization so that it can be reported and acted upon.
At the same time, cyber intelligence operations specialists are commonly involved in identifying vulnerabilities in internal computer systems, mobile networks, databases, and other parts of an enterprise’s cyber infrastructures in order to defend against attacks. When possible, these vulnerabilities may be reduced or eliminated, or they can become the source of additional intelligence gathering operations in which incursions are monitored and analyzed in order to identify the nature and source of cyberthreats. When these threats are identified, cyber intelligence specialists are typically responsible for logging relevant incidents, characterizing suspected bad actors, and reporting their findings to others within an organization, clients and other interested parties, and law enforcement agents and judicial authorities.
Defensive cyber intelligence specialists who collect and analyze data and mitigate system vulnerabilities, and thus protect an organization’s cyber infrastructures, are sometimes referred to as blue team members. The analogue of a blue team, often referred to as a red team, consists of cyber intelligence specialists tasked with deploying offensive cybersecurity measures. Red team operators use ethical hacking tools and other means of penetrating an adversary’s defenses to obtain relevant data, monitor suspicious activities, and preempt cyber incursions. Blue and red team members, researchers, analysts, and collections specialists commonly work together to mount integrated cyber intelligence and cybersecurity operations.
Thus, cyber intelligence and threat analysis involves a number of specialized functions and work roles, each of which requires distinct technical proficiencies and subject-matter expertise. While small and mid-size companies and organizations may employ one or two IT or cybersecurity professionals who have general cyber defense and intelligence capabilities, cyber intelligence work is most commonly carried out by teams of specialists employed by military and governmental agencies, defense contractors, large companies in fields like banking, finance, manufacturing, and technology, and cybersecurity consultancy groups.
Common titles for professionals working in cyber intelligence and threat analysis include:
- All-Source Analyst
- Cyber Defense Analyst
- Cyber Exploitation Analyst
- Cyber Intelligence Analyst
- Cyber Threat/Warning Analyst
- Language Analyst
- Target Network Analyst
- Technical Surveillance Countermeasures Specialist
- Vulnerability Analyst
Knowledge, Skills, and Abilities (KSAs) for Cyber Intelligence and Threat Analysis Professionals
Cyber intelligence is an area within cybersecurity that draws a particularly diverse array of knowledge, skills, and abilities (KSAs), some of which are highly technical, while others are in areas that fall outside of narrow training in computer science and information security. As a result, intelligence operations in cybersecurity are generally carried out by teams of individuals who possess complementary skill sets and proficiencies. While most aspects of cyber intelligence require a general knowledge of computer networks, operating systems, databases, mobile communications, and other functional elements of cyber infrastructures, many of the proficiencies cultivated by intelligence operations professionals as they advance in the field are related to specific tasks and work roles.
For example, all-source analysis requires broad knowledge of potential information sources, the skill to handle large amounts of differentiated data, and the ability to use various tools and methodologies to store, sort, and analyze that data. In contrast, exploitation analysis requires knowledge of potential weaknesses in cyber systems, the skills necessary to locate those weaknesses, and the ability to use sophisticated network monitoring and data collection tools to exploit those weaknesses. Language analysts, who are integral to cyber intelligence operations that involve actors outside of the US, bring an entirely different skill set to the table, including a knowledge of one or more foreign languages, familiarity with key social, cultural, political, and economic aspects of foreign countries and governments, and the ability to translate the results of intelligence gathering operations involving foreign entities into English.
The National Initiative for Cybersecurity Education (NICE) lists dozens of KSAs for cyber intelligence operations work roles in its NICE Workforce Framework for Cybersecurity. The lists below draw on the NICE Framework and offer an overview of some of the key KSAs that are valued in the field of cyber intelligence.
General Technical Knowledge
- Common cyber threats and cyber vulnerabilities
- Computer networking concepts and network security protocols
- Computer network traffic analysis methods
- Computer programming languages
- Data communications systems
- Database systems and SQL
- Human-computer interface concepts
- Physical components of computers and computer systems
- Technical specifications of computer and telephone networks
Cyber Intelligence Knowledge and Skills
- Ability to think like a threat actor
- Classification and control markings standards, policies, and procedures
- Common cyber obfuscation techniques, such as TOR, VPN, VPS, and encryption
- Common cyber risks, including viruses and other malware, trojan horses, DDoS attacks, and social engineering
- Common networking and routing protocols and how they facilitate internal and external communications
- Cyber operations concepts, terminology, and protocols
- Data mining methods
- Deep web research tools and methods
- Encryption algorithms
- File signature analysis
- Firewalls, authentication protocols, and perimeter protection measures
- Geospatial analysis techniques
- Multi-source intelligence integration methods
- Metadata collection tools and analysis methods
- Network security encryption protocols
- Network visualization software
- Real-time forensic analysis tools, such as Helix and LiveView
- Stages of cyberattack, covering reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, and covering tracks
- Laws, regulations, policies, and ethics of cybersecurity and digital privacy
- Risk management processes
- Technical and interpersonal verbal communication skills
- Technical and non-technical writing skills
Training and Credentials in Cyber Intelligence and Threat Analysis
There are three basic ways to cultivate cyber intelligence and threat analysis proficiencies: military intelligence training; on-the-job training; and academic or vocational training. Traditionally, intelligence operations, including cyber intelligence operations, have been the domain of the military and defense industry, which is where many cyber intelligence and threat analysis specialists typically learned their trade.
Cyber intelligence collection and analysis outside of the military, government agencies, and the defense industry were generally conducted by computer programmers, IT management professionals, and others as part of general data and information security and protection operations. However, the prioritization of cyber intelligence and threat analysis expertise in the private sector and beyond has led to the emergence of academic and technical training programs in which topics like malware, cyberattack vectors, penetration testing, cryptography, metadata analysis, and red and blue team operational methodologies are addressed.
Bachelor’s, Master’s, and Graduate Certificate Programs in Cyber Intelligence and Threat Analysis
Currently, many accredited colleges and universities offer students the option of majoring in cybersecurity while earning a bachelor’s degree. While some of the more advanced tools, techniques, and methodologies associated with cyber intelligence are not typically taught at the undergraduate level, many of the foundational computer science, information security, IT management, communication, and critical thinking skills needed to begin work in cyber intelligence and threat analysis can be cultivated by students in a bachelor’s program with a cybersecurity major. Some bachelor’s programs may also offer one or more electives and/or upper-division courses in cyber intelligence topics.
At the graduate level, there is a broader array of options for training in cybersecurity, including master’s in cybersecurity programs that have a designated concentration in cyber intelligence, as well as master’s in cyber intelligence degree programs. Even master’s in cybersecurity programs without a concentration in cyber intelligence provide training and instruction in many subject areas that have applications in cyber intelligence, including but not limited to database systems, computer coding, cryptography, cyber infrastructures, digital forensics, malware and other cyber threats, and network security protocols.
For students and mid-career professionals who have already earned a bachelor’s degree and who are not interested in a full master’s degree program, there are graduate certificate programs in cybersecurity and cyber intelligence that offer targeted training in many of the KSAs that have applications in the cyber intelligence field.
Professional Credentials and Certifications in Cyber Intelligence
Outside of academia, there are private industry groups and companies that have bootcamps and training programs in various cybersecurity specializations, including cyber intelligence and threat analysis. For example, the International Council of Electronic Commerce Consultants (EC-Council), a private industry organization that offers training courses and credentialing in various cybersecurity proficiencies, has several courses related to cyber intelligence, including a threat intelligence analysis module that leads to the Certified Threat Intelligence Analyst (CTIA) credential.
The SANS Institute, a private, for-profit cybersecurity training and certification company, has several Global Information Assurance Certification (GIAC) courses and credentials in areas of cyber intelligence, including an intensive Intrusion Detection In-Depth six-day training course that leads to the GIAC Certified Intrusion Analyst (GCIA) credential and an Advanced Penetration Testing, Exploit Writing, and Ethical Hacking course that leads to the GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) credential. These credentials and several others are listed below.
- Certified Threat Intelligence Analyst (CTIA), offered by the EC-Council
- GIAC Certified Intrusion Analyst (GCIA), GIAC Certified Penetration Tester (GCPT), GIAC Cyber Threat Intelligence (GCTI), GIAC Enterprise Vulnerability Assessor (GEVA), and GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), offered by the SANS Institute
- Rocheston Cyberthreat Intelligence Analyst (RCIA), offered by Rocheston
- CREST Practitioner Threat Intelligence Analyst (CPTIA) and CREST Registered Threat Intelligence Analyst (CRTIA), offered by the Council for Registered Ethical Security Testers
Examples of Jobs in Cyber Intelligence and Threat Analysis
Below are several examples of the types of jobs for which employers are typically hiring in the area of cyber intelligence and threat assessment. The details are drawn from actual job listings.
Cyber Defense Analyst
- Primary Responsibilities: Collect and analyze information from a variety of sources to monitor network activity, identify evidence of anomalous behavior, and report events that occur in order to protect data, information systems, and infrastructure.
- Education: Bachelor’s degree.
- Credentials: None specified.
- Experience: No prior experience required.
- Technical Proficiencies: Knowledge of cyber defense tools, commonly used operating systems, and network protocols and detection methods.
- Other Attributes: Written and verbal communication and presentation skills.
Cyber Intelligence Analyst
- Primary Responsibilities: Monitor raw IP network traffic data and identify malicious cyber activity; process and enrich data to provide timely, actionable intelligence to be shared with designated stakeholders; and review threat reports and counterintelligence operations.
- Education: Bachelor’s degree.
- Credentials: Certified Ethical Hacker (CEH) and/or GIAC Cyber Threat Intelligence (GCTI) credentials preferred.
- Experience: Four years or more of prior work experience in cyber threat hunting and network log analysis.
- Technical Proficiencies: Expertise with malware, Netflow, DNS, DomainTools, VirusTotal, Chameleon, Maltego, and managed attribution accounts.
- Other Attributes: Effective verbal and written communication skills and the ability to produce high-level reports and provide professional briefs; familiarity with conducting research through general academic databases and scientific journals and repositories.
Cyber Security Operations Specialist
- Primary Responsibilities: Conduct emerging threat analysis; analyze cyber intelligence reports; develop comprehensive threat models; and provide formal reports, briefings, and other intelligence products.
- Education: None specified.
- Credentials: Department of Defense’s Cyber Security Service Provider (CSSP) certification preferred.
- Experience: One or more years in cyber threat intelligence preferred.
- Technical Proficiencies: Advanced cybersecurity analytics, programming, and computer systems knowledge.
- Other Attributes: Interpersonal communication skills and the ability to work independently with minimal supervision.
Cybersecurity Technical Collections Analyst
- Primary Responsibilities: Research the cyber threat landscape facing a specific client and provide regular reporting on potential cyber threats; and gather all-source information on cyber threats and assist in turning that information into actionable intelligence.
- Education: Bachelor’s degree in computer science, cybersecurity, or a related technical field preferred.
- Credentials: None specified.
- Experience: Prior academic or professional experience in intelligence research and analysis related to political, security, or technology issues preferred.
- Technical Proficiencies: Microsoft Office suite, Python, and SQL.
- Other Attributes: Qualitative and quantitative research skills; and professional reporting and communication skills.