One of the most frequent messages I get is from people who are looking for advice on getting started in cyber threat intelligence (CTI). I thought it would be useful to compile my answers to some of the most frequently asked questions I receive. It’s important to caveat this post with a note that these are my opinions and experiences only (and I only have so much room to type before you get bored). Others have different perspectives, so I encourage anyone interested in this field to ask around.
How did you get started in CTI?
This is a good question and I understand why people ask it, but how I got started in CTI may not be the right way for someone else. I got into CTI somewhat unintentionally over a decade ago. In high school and college, I wanted to go into journalism. After I graduated college, I couldn’t get a job in journalism, so I took what I could get — an entry-level job as a researcher for a private investigative firm. During that time, I was fortunate enough to meet my now-husband, who had worked in government and the Intelligence Community. He suggested to me that because I liked to research, write, and analyze information, maybe I would like working as an intelligence analyst. With his help and a lot of research and hard work, I applied to a bunch of government jobs, and sure enough, the Department of Defense called me in for an interview for a cyber intelligence position. At that point, I had zero experience in cyber or intelligence! But I carefully prepared for the interview anyway, and they gave me a chance and offered me the job. I actually hesitated before accepting the job — I remember telling my now-husband (in a very disgusted voice) “I don’t want to look at lines of code all day…” 😆 Once I got started, I found that I enjoyed the work because it focused on the human behind the keyboard, not just on the code itself. I was fortunate enough that I got lots of technical training early on. That training, combined with asking a ton of questions of supportive coworkers, was key in helping me learn.
One important part of my story that I want to emphasize for all you hiring managers out there: I had no cybersecurity experience. All I needed was a chance, and I ran with it once I had it. If you’re in a position to hire someone who is truly entry-level without experience, give them a shot — you never know what might happen.
How do I get into the field of CTI?
There are many ways to get CTI jobs and get started in this field, and there is no single “best” way. Here are a couple of pathways I’ve seen from CTI professionals I respect and admire:
- Technology Reporter > CTI Analyst: My friend Selena Larson was a technology reporter at CNN, where she reported on privacy and security issues within the technology industry, including ICS threats. Dragos was impressed with her work, so they hired her as an intelligence analyst, where she has done amazing work. I believe a strong background in writing is a critical skill for CTI teams, and Selena is a great example of this.
- System Administrator > Detection Engineer > CTI Analyst: My teammate Tony Lambert started out as a system administrator at a college, where he learned how systems should and shouldn’t be configured in a very hands-on way. Tony worked hard and got involved with the cybersecurity community by learning more about DFIR. That work led him to be hired at Red Canary as a Detection Engineer. He was excellent at identifying adversaries and showed curiosity in pulling apart detections and figuring out details of what adversaries did, so he was a natural fit to be one of the founding members of the Red Canary Intelligence Team. (Here’s an awesome blog post he wrote on a new group he identified!) I’ve seen other analysts take a similar path to Tony’s by starting out as a Tier 1 Security Operations Center (SOC) analyst, a network administrator, or a similar entry-level position, and then showing an interest and curiosity in CTI. Depending on the type of organization, you might be able to move within your own organization if there is an existing CTI team.
- Military > Consultant, et al. > Threat Intel and Ops Lead > Director of Security Engineering: I first met Chris Cochran at the SANS CTI Summit almost two years ago, and I was so impressed with his background and how he carried himself. Chris started his cyber career in the US Marine Corps — many CTI analysts got started in the military, and this is a great pathway to CTI. From there, he worked in different roles, including as a Consultant at Mandiant and a Lead Associate at Booz Allen Hamilton, where he added to his threat intelligence experience. Chris worked his way up and became the Threat Intelligence and Operations Lead at Netflix before moving on this year to be the Director of Security Engineering at Marqeta. Chris is a great example of how hard work and constant self-improvement help you move up to leadership roles. He also is active in the community (especially on LinkedIn!) and hosts a podcast called Hacker Valley Studio.
What degrees, training, or certifications do I need to work in CTI?
In my opinion? None. If you have the drive to learn CTI, you can teach yourself many of the fundamental concepts and skillsets. (Check out my previous blog post on some recommended reading.) But that’s tough to do, and let’s be honest, a lot of hiring managers might not buy that, so some kind of formal training or education might help you. Also, it’s important to acknowledge that for under-represented minorities in cybersecurity, especially BIPOC and women, having a degree or certification may help demonstrate your skills when people (sometimes unfairly) question your qualifications.
- Degrees: My undergraduate degree was in American Studies. Yes, you read that correctly — American Studies. I believe the type of degree you have, especially for undergrad, doesn’t matter all that much. Some excellent analysts I know have no degrees. If you do want a degree that will help you in CTI, though, computer science might provide a good foundation, as will cybersecurity programs. Degrees in intelligence studies might also be helpful. (I got my Master’s at Georgetown University’s Security Studies Program, for example.)
- Training Courses and Certifications: I teach SANS FOR578, so it’s natural that I recommend it as a training course along with the associated GCTI certification. This course is expensive, and I realize it’s most accessible to those who have employers who will pay for it. If you want to take a SANS course at lower cost, check out the Work Study program or CyberTalent programs. You can also check out a webcast I did with selected content from FOR578.
However, SANS is not the only CTI training option! I firmly believe it benefits the community to have many CTI training choices. Some other great, lower-cost CTI training options include courses from Chris Sanders, Joe Slowik, and Sergio Caltagirone. Some of these courses provide certifications as well. There are other options out there like EC-Council’s Certified Threat Intelligence Analyst, but I’m not familiar with those so can’t recommend them either way.
What types of organizations hire CTI analysts?
I divide the CTI space into three major types of organizations, all of which have pros and cons that I’ll generalize about. As always, generalizations are inherently inaccurate, so there are exceptions to everything I’m discussing here. (Check out my previous post on choosing jobs for more on thinking through decisions on the type of organization you might want to work for.)
- Government, military, government contracting, and consulting: Yes, I realize there is a lot of diversity in this category, so take this with a grain of salt. 😃 This category includes federal/state/local governments, contractors like MITRE, ManTech, and Raytheon (where I’ve worked), and consulting organizations like Deloitte. Some positions in these organizations might require clearances, and these organizations are often large bureaucracies, which is both good because they are often more stable and bad because it’s sometimes slow to get things done. Some people find it rewarding to work in public service jobs like government because of the mission — I know when I worked for government, I felt a sense of pride in protecting my country’s security. When I got started in this field over a decade ago, many CTI analysts had a government/military background, but I’ve found that’s changed quite a bit and many CTI analysts start their careers in the private sector and stay there.
- Cybersecurity vendors: This category includes organizations that sell cybersecurity products or services, like Red Canary, FireEye, CrowdStrike, Proofpoint, and Digital Shadows, just to name a few. While I used to think vendors were just out to make money, with maturity, I’ve realized we are a fundamental part of the cybersecurity community and drive a lot of research — plus, we help customers, which makes me feel good. One benefit of vendors is that you can get visibility into many customer environments, which can be fun for CTI analysts who want to see different threat models. Depending on the type of vendor, though, you might be limited in the type of collection or data you look at — some vendors focus more on endpoints versus networks, or some focus on Dark Web collection. For vendors in particular, you should ask questions about their business practices and make sure you feel good about them.
- Private non-vendor corporations: This category includes organizations like banks, retailers, or technology companies. Large corporations can be a great place to get started in CTI because they tend to have large security teams (which often means they have a CTI team). These corporations can also be a good place to start as a Tier 1 SOC analyst or another entry-level position and grow into a CTI team. One consideration for working at a private corporation like this is that you often will have deep visibility into a single organization — you can see many types of systems and logs, but just for your organization.
What do CTI analysts do?
The field of CTI is surprisingly broad, and what a normal day looks like depends a lot on what the CTI team’s requirements are. Some analysts might focus at the strategic level, where they read reports about what countries are doing and write assessments for their consumers. Other analysts might be more tactically focused (like I am) and look at logs and detections every day. Here are a couple of common tasks many CTI analysts do:
- Read open and closed source reports like blog posts, government reports, and social media posts.
- Analyze logs and artifacts to try to identify malicious activity or patterns, especially in intrusions.
- Pivot on strings, indicators, and artifacts in internal and external data sources to try to identify additional infrastructure or malware. Use Microsoft Excel, the best CTI tool of all time, to organize findings.
- Create signatures (like YARA signatures or behavioral analytics) and identify useful indicators of compromise to help defenders identify malicious activity.
- Share information with other analysts in the community about threat activity.
- Talk to consumers in their organizations about what they need and share information to help them better do their jobs.
- Present on their findings to their organization or other community members. (In other words — be PowerPoint ninjas!)
- Write reports to provide assessments or information to consumers.
How can I get a CTI job?
Apply to ALL THE JOBS!!!! There are lots of places to look for job listings, and one I like is NinjaJobs. When I first got out of college, I must have applied to over a hundred jobs. It’s not easy, but keep at it! Get a friend or colleague to help you with your resume, and take advantage of resume clinics that occur at security conferences. If you don’t have CTI experience, think about what aspects of the experience you have could apply to CTI — for example, do you research security alerts or write reports? Do you have experience doing investigations, even through a field like journalism? Try to write about your experience in a way that emphasizes CTI skillsets. I like this breakdown of CTI traits and skillsets from INSA, so I recommend thinking about how you could emphasize each of these in your resume:
Educate yourself as much as you can about key CTI terms, topics, and frameworks (many of which I discuss here). Try downloading and using tools like MISP. Read a blog post and then look up domains, IPs, and hashes in tools like AlienVault OTX, RiskIQ Community, or VirusTotal. (There are many other free tools and resources listed here.) Watch presentations from events like the SANS CTI Summit and think critically about the content — what do you agree or disagree with? Be active on social media and ask questions when you don’t understand. (If people are jerks, ignore them and move on to nicer people.)
Here are a couple CTI interview questions I’ve asked and heard of from others — think about how you’d answer these, and think of your own interview questions as well:
- What is the Diamond Model (or MITRE ATT&CK or the Cyber Kill Chain) and how would you use it?
- Tell me about a recent report you read on a cyber threat.
- What is attribution and does it matter?
- What are key differences between Russian, Chinese, and Iranian adversaries?
- What are indicators, and when are they useful or not useful?
Lastly, you’ve heard this before, but networking is key whether you’re trying to get a CTI job or any other position. Social media is a great way to do this. Virtual conferences are another great way to network, as they often have Slacks or Discords where you can interact with attendees. If someone blows you off or is a gatekeeper that tries to keep you out of this field, ignore them and feel bad for them because they’re insecure. Please keep in mind that people are busy and this is a tough time for all of us, so be patient and understanding if someone doesn’t reply to you. (*Raises hand*…sometimes I don’t have the energy to reply to everyone, though I wish I did!)
Thanks for reading!
If you’ve made it this far, wow! 😆 I hope you’ve found some of this content helpful. CTI is a field I love, and I hope you’ll consider joining us — we need new ideas and perspectives to improve!