What is CTI and what makes a good CTI analyst?

ComradeCookie
Aug 22, 2017 · 4 min read

I’ve been in the intelligence business for just shy of a decade now in both the governmental and private sectors. I’ve seen what works, what doesn’t, and what’s just head-scratching. Having experienced intelligence work from both sides, I thought for my inaugural blog post that I’d go into some depth (without beating a dead horse) about what cyber threat intelligence (CTI) is (and isn’t), and what makes a well-rounded, capable CTI analyst.

What is (Cyber Threat) Intelligence?

First of all, CTI is merely a subset of traditional intelligence, which is outlined in DOD Joint Publication 2–0:

The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations.

The key takeaway here (one I see often overlooked in private industry) is that intelligence is a cycle: a continual process that must be maintained constantly, and no part of it is less important than any other. I understand the impulse to get excited about sexy “intel” vendors who provide all of the cool, whizbang indicators of compromise (IOCs), but without proper planning, organizational engagement, and trained analysts, those FANCY BEAR IOCs aren’t going to be of much use.

The other critical component of intelligence is that it is ultimately aimed at guiding decision-making, be it strategic procurement, internal defense architecture, or just the decision to block a domain. Intelligence serves everyone, and it’s important to solicit and engage all the potential customers of intelligence to identify their needs, requirements, and desired deliverables.

To drive one more point home about intelligence, I’m going to start to meld traditional intel and CTI. The key to both is that they are adversary-focused. Actions in cyberspace aren’t conducted by computers autonomously (at least not yet). Malicious actors, be they state-sponsored groups, cybercriminals, or hacktivists, use cyberspace to achieve objectives critical to their group or sponsor’s needs. From a CTI perspective, intelligence ultimately strives to contextualize what network defenders encounter on the front-line, so to speak. If CTI can help put a more tangible “actor” behind the malware, it may help network defenders get ahead of their attackers.

With that, I’d like to borrow the definition of CTI from Rob Lee, one of my CTI idols:

The process and product resulting from the interpretation of raw data into information that meets a requirement as it relates to the adversaries that have the intent, opportunity and capability to do harm.

Rob’s definition succeeds in shifting the conversation away from technology being a threat in a vacuum, and toward the human operatives behind the technology. Additionally, it highlights the critical need for intelligence production to meet specific requirements, lest intelligence be generated just for the sake of it. Finally, it specifically outlines the components of a threat — intent, opportunity, and capability — that fall by the wayside in favor of hyper-sensationalized reporting on malware and adversary operations.

What Makes a Good CTI Analyst?

Now that I’ve laid out my thoughts on CTI in general, I’d like to discuss what I think makes a good CTI analyst.

CTI analysts must have technical knowledge and experience.

We are doing ourselves a disservice if we think that purely non-technical folks can succeed in CTI. Despite being adversary/threat focused, a CTI analyst needs to have an understanding of networking, computer science, programming basics, incident response, and basic network and host forensics. I’m not saying that every CTI analyst needs to be a master reverser or forensicator, but how can we as CTI analysts talk about how the adversary operates if we don’t understand how their tools work or what to look for on a compromised host, etc.?

CTI analysts must be able to communicate clearly and effectively.

This sort of goes without saying, but the ultimate deliverable of a CTI analyst is some form of intelligence product. Ideally, a CTI analyst needs to do three things: be seen, be brief, be gone. Time is a valuable asset to the C-Suite and the SOC alike. CTI analysts must be able to give the right information to the right group to inform whatever action or decision is at hand. Verbosity, vague language, and passive voice kill otherwise sound analysis.

CTI analysts *should* have regional expertise.

Analysts should have some sort of subject matter knowledge (history or culture) of a given area. If they don’t have that natively, then organizations should encourage and foster that sort of professional development. Threat actors are people too; history and societal drivers can help explain why a given actor behaves in a certain way.

CTI analysts must be able to transition between levels of intelligence.

At the end of the day, it’s about knowing the audience. Does the CISO need a 60-page paper on the entire history of the PLA General Staff Department? Nope! Does the SOC need it? Nope. There is a time and place for tactical, operational, and strategic reporting, and it’s imperative that reports are scoped correctly. Being able to shape a product for the audience is harder than it seems. Oftentimes CTI analysts fall into the trap of trying to impress (or perhaps show worth to) their audience by writing a long-winded but ultimately irrelevant report.

CTI analysts must be aware of their biases.

Far too frequently, good analysts go down certain research paths because of personal biases. Just because an analyst loves all things Chinese cyber, doesn’t necessarily mean what they’re looking at is China, nor should they try to make the case despite evidence suggesting no correlation.

That wraps up my high-level thoughts on what constitutes CTI and what makes a good CTI analyst. For my next post, I will dive into the importance of intelligence requirements and collection management, as without proper planning in either, CTI programs can and will fall apart.

Cheers!


Written by ComradeCookie

Threat Intelligence Analyst at CrowdStrike. Aspiring malware analyst. Kendoka. #FUZZYSNUGGLYDUCK. Thoughts are my own.
