How to Develop Skills in Cyber Threat Intelligence Capabilities


Mandiant is a company focused on digital forensics and incident response as well as cyber threat intelligence. The company recently released a core competency framework for CTI analysts to answer a question it often receives from clients: what is the optimal team mix to start and mature a CTI capability in their business environment?

Mandiant’s framework groups competencies into four fundamental pillars (Figure A). These can be used to identify weaknesses in an already assembled CTI team, identify areas of team or individual growth, or determine an effective roadmap for your cybersecurity team.

Figure A. CTI Analyst Core Competency Pillars (image: Mandiant).

Pillar 1: Problem solving

Critical thinking

In CTI, critical thinking is required to process information in order to conceptualize, identify, evaluate and synthesize it. Once done, the analyst should be able to formulate unbiased judgments, analytical lines and recommendations relevant to each case.


Critical thinking is also about thinking outside the box, especially for trend forecasting and innovation.

Research and analysis

Research is about prioritizing data sets and using tools to investigate technical and non-technical data sources, and about the ability to capture stakeholder needs in the form of intelligence requirements. Research helps uncover new leads and draw clear analytical conclusions. The analysis part is about interpreting the research results and producing a sound synthesis of them.

It is about knowing all the types of indicators of compromise, their use, their limits and how to enrich the data. It also involves analyzing network traffic, malware, and generally carrying out digital forensics and incident response.

Research and analysis are often stimulated by knowledge of programming, especially scripting. Python and SQL are very useful here.
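As an added illustration of this competency (example code written for this article, not part of Mandiant's framework or the original piece), the Python script below classifies a constructed indicator feed by type, records a known limit of each indicator, and uses SQL to match only the usable ones against constructed proxy log lines; the feed values, log lines and notes are all assumed sample data.

```python
import ipaddress
import re
import sqlite3

# Constructed sample feed: defanged and raw indicators of several types.
SAMPLE_FEED = ["hxxp://evil-example[.]test/login", "203.0.113.45", "10.0.0.7",
               "d41d8cd98f00b204e9800998ecf8427e", "bad-domain[.]example"]
# Constructed sample proxy log lines: timestamp, client IP, destination host.
SAMPLE_LOGS = ["2024-01-05T10:02:11Z 192.0.2.10 evil-example.test",
               "2024-01-05T10:03:40Z 192.0.2.11 www.example.org",
               "2024-01-05T10:04:02Z 192.0.2.12 203.0.113.45"]

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def refang(raw):
    """Undo common defanging so the indicator can be compared with log data."""
    return raw.strip().replace("[.]", ".").replace("hxxp", "http")

def classify(raw):
    """Return (value, type, note); a non-empty note records a known limit."""
    value = refang(raw)
    if len(value) in HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", value, re.I):
        return value.lower(), HASH_LENGTHS[len(value)], "hash changes on every rebuild"
    if value.startswith("http"):          # reduce a URL to its host part
        value = value.split("//", 1)[1].split("/", 1)[0]
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        note = "internal address, useless for matching" if any(ip in n for n in RFC1918) else ""
        return str(ip), f"ipv{ip.version}", note
    if DOMAIN_RE.match(value):
        return value.lower(), "domain", ""
    return value, "unknown", "unrecognised format"

def match_logs(feed, logs):
    """Load classified indicators into SQLite and join them against log destinations."""
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE ioc (value TEXT, type TEXT, note TEXT);"
                     "CREATE TABLE log (ts TEXT, src TEXT, dst TEXT);")
    db.executemany("INSERT INTO ioc VALUES (?, ?, ?)", [classify(i) for i in feed])
    db.executemany("INSERT INTO log VALUES (?, ?, ?)", [line.split() for line in logs])
    # Only indicators without a recorded limit are worth alerting on.
    return db.execute("SELECT log.ts, log.src, ioc.value, ioc.type FROM log "
                      "JOIN ioc ON log.dst = ioc.value WHERE ioc.note = '' "
                      "ORDER BY log.ts").fetchall()
```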

Investigative mindset

Understanding complex challenges and developing solutions to them is key in CTI. The investigative mindset requires a seasoned understanding of the TTPs (tactics, techniques and procedures) of cyber threat actors as well as of CTI tools, frameworks and systems. It is also about identifying small signals in huge amounts of data noise and developing intuition.

Pillar 2: Professional effectiveness

Communication

Communication with different audiences is necessary for CTI. The ability to write analytical conclusions, research and methodologies using different tools and formats (slideshows, emails, Word documents, briefings, etc.) is mandatory.

Mandiant also points out that “it is important to have the ability to clearly convey judgments using probabilistic language so that judgments can be dissociated from facts and direct observations. Of related importance is the ability to use precise language to ensure that the intended message is delivered correctly and does not raise unnecessary alarms.”

It is necessary to know the different modes of information sharing, both machine-to-machine and with specific information-sharing groups and public-private information sharing and analysis centers and organizations (ISACs and ISAOs).

Finally, familiarity with cyber policy and enforcement mechanisms is required: the measures used to counter malicious cyber activity, such as takedowns, sanctions and public awareness messaging.

Teamwork and emotional intelligence

The unique characteristics of individuals help provide peer mentorship and create opportunities to bridge knowledge gaps while building cohesion and trust when teams work together.

Being able to work with stakeholders to collect information about their business operations can also help with threat intelligence.

The core emotional intelligence skills are self-awareness, self-control, social awareness, and relationship management.

Business acumen

Understanding a company’s environment, mission, vision and goals matters because these factors shape an organization’s exposure to cyber risk. A CTI analyst may be asked to assess a possible change in risk exposure or to evaluate the results of threat intelligence.

Pillar 3: Technical Literacy

Enterprise computer networks

It is necessary to understand the principles of operating systems and networks at all levels: file storage, access management, log file policies, security policies, protocols used to share information between computers, etc.

Cybersecurity ecosystem

Basic concepts, components and conventions associated with cyber defense and cybersecurity should be identified, and solid knowledge of industry best practices and frameworks is mandatory. Another fundamental principle is how defensive approaches and technology align with at least one of the five phases of cyber defense: identify, protect, detect, respond and recover.

Key concepts to know here are identity and access management and control, network segmentation, cryptography use cases, firewalls, endpoint detection and response, signature- and behavior-based detection, threat hunting and incident response, and red and purple teams.

A business continuity plan, disaster recovery plan and incident response plan should be developed.

Organizational Cybersecurity Roles and Responsibilities

This part is about understanding the role and responsibilities of everyone involved: reverse engineers, security operations center analysts, security architects, IT support and help desk members, red/blue/purple teams, privacy officers, etc.

Pillar 4: Cyber Threat Competencies

Offensive operations drivers

Offensive operations are shaped by limited resources, which may lead a threat actor to outsource elements of its cyber program: purchasing operational tools, contracting work out, or buying criminal capabilities. The composition of the adversary organization and the functions within it must also be clearly defined.

The secondary principle of this skill is to identify the motivations behind the threat actor.

Mandiant reports that “a thorough understanding of acceptable operations undertaken in peacetime and how this changes in wartime is essential.”

Threat concepts and frameworks

Identify and apply appropriate CTI terms and frameworks to track and communicate adversary capabilities or activities. This competency addresses threat actor capabilities: understanding vulnerabilities and exploits, malware, infrastructure, clustering of attribution/intrusion sets, and naming conventions.

It is also necessary to know CTI frameworks such as Lockheed Martin’s Cyber Kill Chain or the MITRE ATT&CK framework.

Threat actors and TTPs

Knowing threat actors involves knowing the naming conventions of threat actors and their TTPs. Identifying the key indicators of a chain of cyber attacks is essential here to determine the adversary’s workflows and operational habits.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
