Fundamentally, a cyber threat intelligence analyst is someone who specializes in collecting, interpreting and understanding the significance of threat intelligence information. Unlike a security incident responder, who’s looking at threat information generated by an internal system, such as a telemetry system or an endpoint monitoring system, a cyber threat intelligence analyst is primarily looking at external threat intelligence. They’re taking the pulse of the internet, as it were. What are known threat actors talking about? What new threat actors are showing up in dark web bulletin boards and chat rooms? Who’s buying and selling what information, tools and tradecraft? What information is popping up in the botnet world that might be relevant to an individual organization or to a set of clients?
Threat intelligence analysts are looking for indicators that will foster an understanding of what storms may be brewing out over the digital ocean but have not yet hit land — so that when these storms do arrive, we can be prepared. They’re uniquely positioned to help an enterprise proactively position its defenses and to help internal security professionals know where to look for vulnerabilities or potential cracks in the existing cybershield. If they detect discussion of a newly discovered vulnerability in an IoT appliance, for example, they can alert other security professionals to determine if that appliance is part of the corporate IoT infrastructure — and, if so, they can help advise on steps that can be taken to reduce the risk posed by that vulnerability.
It’s important to point out that threat intelligence analysts are not typically looking for known threats. They’re not looking for an improperly configured device on the corporate internet; they’re keeping their eyes and ears open for indicators that someone has begun to discuss how to exploit such an improperly configured device. Upon discovering an indicator that such discussions are taking place, that intelligence can trigger an action within the enterprise to discover whether such devices have been deployed and whether they have been properly configured.
Threat intelligence analysts also operate in a much more speculative manner. They may look at the activities of a known threat actor — actions that might appear on the surface to be perfectly benign — and speculate on the motives that the threat actor might have for undertaking those actions. Because the threat intelligence analyst may be aware of other seemingly unrelated activities — political unrest in this region or an economic tension growing in that region — the threat intelligence analyst is uniquely positioned to connect the dots into a picture that has real meaning, a picture that an AI system or big data analyst might miss entirely. Where an AI system may simply detect that a threat actor is standing dominoes on end, the threat intelligence analyst may be able to infer what effect those dominoes will have when they begin to fall — and prepare accordingly.