My Cyber Pathway: Threat Intelligence

As part of our new series of articles titled “My Cyber Pathway,” we’ll explore different journeys into the field of cybersecurity, shedding light on the steps, experiences, and expertise that have propelled our network into their critical roles. With a keen eye for security and a passion for staying one step ahead of potential threats, our first article focuses on Threat Intelligence. We interviewed Jules, a Threat Intelligence Analyst and Researcher within a professional services company, where Jules is at the forefront of identifying and chasing down threats to prevent them from becoming an issue.

What initially sparked your interest in cybersecurity and led you to choose it as a career, specifically in threat intelligence?

I’d always liked breaking/fixing things and had worked within IT support, so for me, it seemed like the next logical step. I didn’t want to be in IT Support/Service Desk forever.

Could you provide an overview of your current role?

I collate and analyse things in order to tie things together. For example, if we have a ransomware job, I can identify who the actor is and their potential initial access point (based on research and analysis); the Incident Response team will help piece together the incident as it unfolded, and then we ascertain the most likely path of attack. I also hang around in the dark web on forums – this shouldn’t be done unless you have an explicit agreement in place with your employer.

How long have you been in the industry and specifically threat intelligence?

So I’ve been hanging around in the Security Operations Centre realm for approx. 5 years, but my roles were pretty interchangeable. Threat Intelligence just sort of “happened”, as I wanted to make it easier to get things into the right place for automation, and I worked with a great colleague who helped me achieve that.

What steps did you take to transition into the field of threat intelligence from your previous background?

There wasn’t really much of a transition, as it was something that I was already doing alongside my SOC role. I had a special interest, but in my previous role I wasn’t able to delve to the extent I can currently, which limited what we were able to achieve.

Were there any specific certifications or training programs that you found particularly valuable for developing your skills?

In my previous role there were limited training opportunities, but once I moved to my current role, we agreed that I would do the SANS GCTI. I currently hold this certification.

What are some of the key skills you believe are essential for a successful career in threat intelligence?

I would definitely say that the person needs to have a healthy interest and be passionate about the topic. I’m constantly reading news about Cyber/CTI/hacking and looking at how attacks happen. Having the ability to understand what’s being asked of an intelligence requirement is also a key skill. It can be very easy to go down a rabbit hole with a piece of information, but you also have to remember to bring it back round to what’s been asked – if it can help uncover some other links, this can be valuable, but make sure you know when to draw the line. If the intelligence requirement isn’t clear, make sure that you are able to go through this with the stakeholder/requester to ascertain exactly what they want from the request – this saves a LOT of time!

How do you stay up-to-date with the latest developments in the cybersecurity landscape and the evolving tactics of cyber threats?

This is a really tricky challenge, but there are great resources out there – such as news channels dedicated to cyber – that help with this sort of thing. Here are a couple:

Can you provide insights into the collaborative aspects of threat intelligence? How do you work with other teams, such as incident response or security operations?

Sure. If there is something that I’ve come across while lurking where I do, I will pass this information over to the Security Operations Centre or Security Engineering team in order to see if proof of concept code does what it says it does. If it does, we use the PoC in order to counter-defend: we run through the steps which the PoC carries out and match these against behaviours within certain tools, to alert if we see it in action anywhere.

With the incident response team, it’s more of a reactive thing. When we get a job in, it’s generally something like ransomware, business email compromise or a payment diversion, and it’s my job to help try and identify the actor(s) who have carried out the attack, their modus operandi and anything else that we can provide the victim with which may help harden their defences to prevent future attacks.

In your opinion, what are some of the most pressing cyber threats that organisations are facing today?

You’re going to laugh. Ransomware and phishing. The two really go hand in hand. Initial access brokers really take the effort out of the reconnaissance stage for the threat actor, as they sell access into companies, meaning that a threat actor only has to sign on to conduct their attack.

What advice would you give to someone who is considering a career path in threat intelligence within the cybersecurity field?

Passwords are like underwear. Don’t let people see them, change them often and don’t share them with anyone.

(Unless you’re the person who wrote it on a post-it note and lost his password):
People horrified by story of man who lost password to $220m worth of bitcoin: ‘Panic inducing to read’ | The Independent

How has threat intelligence evolved since you started your journey? Are there any emerging trends you find particularly interesting?

It has evolved massively. When I was first starting out, it was something just for mature organisations, but now, thanks to buzzwords, a lot more people are getting on board and actually investing in threat intelligence. It’s so important to not just match against easy things (hashes/IPs/domains) but to collate this information with other things, so that the SOC doesn’t get overwhelmed with false positives and can focus on the important incidents which come in.

InfoSec People is a boutique cyber security and IT recruitment consultancy, built by genuine experts. We were founded with one goal in mind: to inspire people to find the careers that inspire them. With the success of companies fundamentally driven by the quality of their people, acquiring and retaining talent has never been more important. We believe that recruitment, executed effectively, elevates and enables your business to prosper.
