What does a threat intelligence analyst do?

Q:

What does a threat intelligence analyst do?

A:

Fundamentally, a cyber threat intelligence analyst is someone who specializes in collecting, interpreting and understanding the significance of threat intelligence information. Unlike a security incident responder, who’s looking at threat information generated by an internal system, such as a telemetry system or an endpoint monitoring system, a cyber threat intelligence analyst is primarily looking at external threat intelligence. They’re taking the pulse of the internet, as it were. What are known threat actors talking about? What new threat actors are showing up in dark web bulletin boards and chat rooms? Who’s buying and selling what information, tools and tradecraft? What information is popping up in the botnet world that might be relevant to an individual organization or to a set of clients?

Threat intelligence analysts are looking for indicators that will foster an understanding of what storms may be brewing out over the digital ocean but have not yet hit land — so that when these storms do arrive, we can be prepared. They’re uniquely positioned to help an enterprise proactively position its defenses and to help internal security professionals know where to look for vulnerabilities or potential cracks in the existing cybershield. If they detect discussion of a newly discovered vulnerability in an IoT appliance, for example, they can alert other security professionals to determine if that appliance is part of the corporate IoT infrastructure — and, if so, they can help advise on steps that can be taken to reduce the risk posed by that vulnerability.

It’s important to point out that threat intelligence analysts are not typically looking for known threats. They’re not looking for an improperly configured device on the corporate internet; they’re keeping their eyes and ears open for indicators that someone has begun to discuss how to exploit such an improperly configured device. Upon discovering an indicator that such discussions are taking place, that intelligence can trigger an action within the enterprise to discover whether such devices have been deployed and whether they have been properly configured.

Threat intelligence analysts also operate in a much more speculative manner. They may look at the activities of a known threat actor — actions that might appear on the surface to be perfectly benign — and speculate on the motives that the threat actor might have for undertaking those actions. Because the threat intelligence analyst may be aware of other seemingly unrelated activities — political unrest in this region or an economic tension growing in that region — the threat intelligence analyst is uniquely positioned to connect the dots into a picture that has real meaning, a picture that an AI system or big data analyst might miss entirely. Where an AI system may simply detect that a threat actor is standing dominoes on end, the threat intelligence analyst may be able to infer what effect those dominoes will have when they begin to fall — and prepare accordingly.


Written by Gene Yoo

Gene Yoo is CEO at Resecurity, which provides endpoint protection, risk management, and threat intelligence for large enterprises and government agencies worldwide. He has more than 25 years of experience in cybersecurity for some of the world’s largest brand names, such as Warner Bros., Sony, Computer Science Corporation, Coca-Cola Enterprise, Capgemini, and Symantec.

Most recently, he served as senior vice president and head of information security for Los Angeles-based City National Bank. He also served in an advisory role to Phantom (acquired by Splunk), ProtectWise (acquired by Verizon), Elastica (acquired by Blue Coat), and Vorstack (acquired by ServiceNow).

For more information on Resecurity, please visit https://resecurity.com/; follow the company blog at https://resecurity.com/news/ and on LinkedIn and Twitter.
