Threat intelligence Analyst is an analytical position that requires practical experience in determining why the attacker is focused on a given target and what methods and tactics are used to breach the target network, traverse laterally, and steal data. The Threat Intelligence Analyst is concerned with the entire lifecycle of an attack, including reconnaissance, persistence, as well as attack trend analysis. This analytical role profiles the organization’s risk as well as the various threat actors in the wild; supplying this information to the SOC/CIRC. The analyst should have a strong understanding of the current financial climate.
Responsibilities: This role manages all threat intelligence program directives by conducting extensive internal and external research while working closely with Incident Response staff. This candidate will need to compile information on attacker campaign analysis, frequency, and predictive attacker/victim relationship models. An individual in this role will develop actionable information in the form of reports, lists, rules, and feeds from raw and technically extracted threat information. The Threat Intelligence Analyst must evaluate information to determine the organization’s risk profile at any given time. Open source intelligence, subscription service data, internal incident response data, and industry vertical threat intelligence will be archived in a central repository by the candidate, referentially accessible to the SOC staff.
Skills required: Logic, correlation, analytical, and communication skills are paramount for a successful Threat Intelligence Analyst. The ability to deliver succinct and fact-based communications, both verbally and in writing will be evident on a daily basis. They also must interface and establish rapport with multiple roles within the SOC, as well as other business units to validate trust and information sharing. During escalations, they must be able to correlate disparate pieces of data and information to supply threat environment situational awareness to SOC/CIRC stakeholders. Self-motivated employees are most successful in this role. Typically a candidate has research and logic experience paired with some technical background. This role must have a basic understanding of indicators and security metrics within a SOC/CIRC. Any experience developing feeds/IOCs or past military intelligence work will benefit the SOC immensely. This role requires the ability to prioritize tasks, give a high level of attention to detail, and successfully interface with all facets of the organization.
Qualifications: A bachelor’s degree (or equivalent experience) is required. A strong understanding of security principles and concepts exists. A qualified individual has the ability to analyze and communicate complex logical patterns and commonalities. Basic understanding of developing indicators through XML creation is a plus.
Experience: Individuals with a minimum of two (2) years of security experience. A minimum of five (5) years exposure to threat intelligence modeling is required by the candidate. He/she should have demonstrated analytical and research skills as well as:
- Statistics background
- Strong in logical problem solving
- Experience in intelligence sources such as Shadowserver, Malware Domains, Symantec Deep Insight, VeriSign iDefense
- Government and or military experience a plus, however, not required
Technical Interview: The technical interview should demonstrate exceptional logical thinking skills. Consumption and analysis of information to determine a story will be critical in this role. During the hiring of an intelligence analyst, the candidate should be asked a series of questions including:
- What is the greatest cyber threat to the financial industry?
- How can the SOC/CIRC and specific toolsets leverage threat intelligence?
- Have you ever built a threat intelligence program?
- What attributes would you extract from each incident? What pieces of data?
- Why is threat intelligence important to the SOC/CIRC capability?
As part of the interview process, the candidate should also submit a sample writing of a security related incident, intelligence, or other security related content.