What does a day in the life of a cyber threat intelligence analyst look like?
I often thought this when starting out, along with what a SOC analyst actually does and exactly how busy are CISOs. I have been a senior cyber threat intelligence (CTI) analyst for quite some time now and can divulge the secrets!
Whether you are new to cyber security or just curious about what other cyber security professionals get up to, this article will answer your questions. It details what my typical workday looks like, what daily tasks I perform, and how this improves the cyber security of my organization.
I have split my day into two chunks. The morning, where I get my daily tasks completed, and the afternoon where any follow-ups from the morning happen and the focus shifts to program or personal development. Let’s start from the beginning.
Morning
I typically start my day at 6:00 AM. I get up, make myself a nice cup of black coffee (instant), hydrate, and stare at the sun for 10 minutes. I’m told this is supposed to help you wake up, but I have no idea at this point, and I’m just trying to make the most of the British summer. Finally, I feed the dog and begin my day.
From 6:30 to 9:00 AM, I work on any side projects or side hustles I have on the go. I need to complete these tasks by the end of the day or make significant progress, so I like to get them out of the way first. Then the workday begins with my daily tasks, which can be split into threat intelligence, vulnerability intelligence, and threat hunting.
Threat Intelligence Tasks
To start our day, the team will analyze threat intelligence from a range of open sources and our Threat Intelligence Platform (TIP) to see if any new threats are relevant to our organization. If we find a new threat, we validate any indicators related to it (to ensure the indicator won’t trigger false positives when we hunt for it) and then add it to our CTI database.
The team focuses daily on ingesting operational and tactical intelligence that we can make actionable and hunt for. The strategic intelligence is collected and added to a backlog that is reviewed every month to shape the direction of our CTI program.
For more information on how a CTI team uses intelligence, read Threat Intelligence vs Threat Hunting: What is the Perfect Pipeline?
Vulnerability Intelligence Tasks
Aside from threat intelligence, the team also analyzes vulnerability intelligence from various sources to check if any new vulnerabilities may impact our organization.
Exploiting vulnerabilities in public-facing applications is a common initial access method for threat actors, so your organization must have a vulnerability management program that keeps systems patched and up to date.
Our CTI team looks for new vulnerabilities, then checks if these are relevant to our organization and meet a minimum impact threshold where immediate patching or mitigation is required. These vulnerabilities are then reported to our vulnerability management team, who are responsible for implementing the patches or mitigation measures.
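The relevance and impact-threshold check described above, as an added example that is not the article's own process: a vulnerability record is compared against a constructed asset inventory (is the product deployed, and at a version below the fix?), then scored so that known exploitation and internet exposure push it over the "immediate" line. The inventory, the record fields, the scoring weights and the thresholds are all assumptions for illustration; the advisory identifiers are placeholders, not real advisories.

```python
"""Added example, not the article's own process: decide whether a newly
published vulnerability clears the 'immediate action' threshold for a
constructed asset inventory. Inventory, weights and thresholds are assumptions."""

# Constructed inventory: product -> version deployed and whether it is internet-facing.
INVENTORY = {
    "Acme Transfer": {"version": "2.3.1", "internet_facing": True},
    "Acme Wiki": {"version": "5.0.0", "internet_facing": False},
}


def version_tuple(version):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def affected_asset(vuln):
    """Return the inventory entry if we run the product at a version below the fix, else None."""
    asset = INVENTORY.get(vuln["product"])
    if asset is None:
        return None
    return asset if version_tuple(asset["version"]) < version_tuple(vuln["fixed_in"]) else None


def triage(vuln, immediate_at=9.0, schedule_at=7.0):
    """Score = CVSS base, +2 if exploitation is reported, +1 if the asset is internet-facing.
    The weights and the two thresholds are assumed values, not a published standard."""
    asset = affected_asset(vuln)
    if asset is None:
        return {"advisory": vuln["advisory"], "decision": "not applicable", "score": None, "reasons": []}
    score, reasons = vuln["cvss"], []
    if vuln.get("exploited_in_wild"):
        score += 2.0
        reasons.append("exploitation reported")
    if asset["internet_facing"]:
        score += 1.0
        reasons.append("internet-facing asset")
    if score >= immediate_at:
        decision = "immediate"        # report to vulnerability management today
    elif score >= schedule_at:
        decision = "next cycle"       # fold into the next scheduled patch window
    else:
        decision = "track"            # keep in the backlog, re-check if exploitation appears
    return {"advisory": vuln["advisory"], "decision": decision, "score": score, "reasons": reasons}


# Constructed vulnerability records; 'advisory' values are placeholders, not real identifiers.
VULNS = [
    {"advisory": "ADV-1", "product": "Acme Transfer", "fixed_in": "2.4.0", "cvss": 9.8, "exploited_in_wild": True},
    {"advisory": "ADV-2", "product": "Acme Wiki", "fixed_in": "5.1.0", "cvss": 6.5},
    {"advisory": "ADV-3", "product": "Acme Transfer", "fixed_in": "2.3.0", "cvss": 8.1},   # already fixed in 2.3.1
    {"advisory": "ADV-4", "product": "Other Product", "fixed_in": "1.0.1", "cvss": 10.0},  # not deployed
]


def immediate_actions(vulns):
    """The subset handed to the vulnerability management team for immediate patching or mitigation."""
    return [t for t in map(triage, vulns) if t["decision"] == "immediate"]


if __name__ == "__main__":
    for result in map(triage, VULNS):
        print(result)
```

The version comparison is the part worth getting right: comparing "2.10.0" and "2.9.0" as strings puts the fixed version first, which silently hides an affected asset. Real inventories also need per-host versions rather than one per product, which this example leaves out.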
Threat Hunting Tasks
CTI teams are often responsible for both threat intelligence and threat hunting. This means they use the threat intelligence they gather to track down potential threats in their environment based on Indicators of Compromise (IOCs), malicious or suspicious behavior, and the tactics, techniques, and procedures (TTPs) used by threat actors.
IOC-based Hunting
To hunt for the IOCs, we use our CTI database. This contains a list of domains, URLs, hashes, and IP addresses related to threat actors likely to target our organization. Each indicator has a description, the threat campaign the indicator is related to, when the indicator was added, and a link for more information.
This extra context is used when we perform our weekly analysis of threats targeting our organization to better understand which campaigns we need to focus on (e.g., write more detection rules or hunting queries).
We use automation to extract only the indicator values and insert them into our threat hunting queries or detection rules (depending on the technology) to find whether any of the IOCs are present in our environment. If they are, we investigate further.
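The two steps above, validating indicators before they are hunted and extracting only the values into a query, as an added example that is not the article's own tooling. It refangs each value, rejects the entries that cause the classic false positives (internal addresses, known-good domains, the hash of an empty file), groups what survives by type and renders a Splunk-style search. The record layout, the allow-list, the internal ranges, the index and field names are all assumptions, and the database entries are constructed.

```python
"""Added example, not the article's own tooling: validate indicators from a
constructed CTI database and render only the usable values into a hunting
query. Allow-list, internal ranges and query/field names are assumptions."""
import ipaddress
import re

# Constructed CTI-database records with the fields the article lists.
CTI_DB = [
    {"value": "198[.]51[.]100[.]23", "type": "ip", "campaign": "CAMP-A",
     "description": "C2 server", "added": "2024-03-01", "ref": "https://intel.example/a"},
    {"value": "hxxps://evil-update[.]example/payload.bin", "type": "url", "campaign": "CAMP-A",
     "description": "payload download", "added": "2024-03-01", "ref": "https://intel.example/a"},
    {"value": "evil-update[.]example", "type": "domain", "campaign": "CAMP-A",
     "description": "staging domain", "added": "2024-03-01", "ref": "https://intel.example/a"},
    {"value": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "type": "sha256",
     "campaign": "CAMP-B", "description": "dropper", "added": "2024-03-02", "ref": "https://intel.example/b"},
    # The next three are the kind of entries that flood a hunt with false positives.
    {"value": "10.0.0.5", "type": "ip", "campaign": "CAMP-B",
     "description": "RFC1918 address copied from a sandbox report", "added": "2024-03-02", "ref": ""},
    {"value": "login.microsoft.com", "type": "domain", "campaign": "CAMP-B",
     "description": "legitimate domain contacted by the sample", "added": "2024-03-02", "ref": ""},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5", "campaign": "CAMP-B",
     "description": "hash of a zero-byte file", "added": "2024-03-02", "ref": ""},
]

KNOWN_GOOD_DOMAINS = {"microsoft.com", "windowsupdate.com", "google.com"}   # assumed org allow-list
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (                          # assumed non-routable set
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]
EMPTY_FILE_HASHES = {   # MD5 / SHA-1 / SHA-256 of zero bytes: present on every host
    "d41d8cd98f00b204e9800998ecf8427e",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(value):
    """Undo the defanging intel feeds apply so the value can be compared against logs."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), v)


def _on_known_good_domain(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DOMAINS)


def validate(record):
    """Return (normalised value, None) when the indicator is safe to hunt, else (None, reason)."""
    kind, v = record["type"], refang(record["value"])
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(v)
        except ValueError:
            return None, "not an IP address"
        if any(addr in net for net in INTERNAL_NETS):
            return None, "internal or non-routable address: would match our own hosts"
        return str(addr), None
    if kind == "domain":
        if not DOMAIN_RE.match(v):
            return None, "malformed domain"
        if _on_known_good_domain(v):
            return None, "known-good domain: would flood the hunt with false positives"
        return v, None
    if kind == "url":
        m = re.match(r"^https?://([^/:?#]+)", v)
        if not m:
            return None, "not an http(s) URL"
        if _on_known_good_domain(m.group(1)):
            return None, "URL on a known-good domain"
        return v, None
    if kind in HASH_LEN:
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[kind], v):
            return None, "malformed %s" % kind
        if v in EMPTY_FILE_HASHES:
            return None, "hash of the empty file: matches everywhere"
        return v, None
    return None, "unsupported indicator type"


def extract_values(db):
    """Split the database into hunt-ready values grouped by type, and rejects with reasons."""
    usable, rejected = {}, []
    for rec in db:
        value, reason = validate(rec)
        if value is None:
            rejected.append((rec["value"], reason))
        else:
            usable.setdefault(rec["type"], set()).add(value)
    return usable, rejected


# Assumed mapping from indicator type to the SIEM field it is matched against.
FIELD_FOR_TYPE = {"ip": "dest_ip", "domain": "query", "url": "url",
                  "md5": "file_hash", "sha1": "file_hash", "sha256": "file_hash"}


def render_query(usable, lookback="-7d"):
    """Render a Splunk-style search over the usable values (index names are assumptions)."""
    by_field = {}
    for kind, values in usable.items():
        by_field.setdefault(FIELD_FOR_TYPE[kind], set()).update(values)
    clauses = ['%s IN (%s)' % (field, ", ".join('"%s"' % v for v in sorted(vals)))
               for field, vals in sorted(by_field.items())]
    if not clauses:
        return None
    return "(index=proxy OR index=dns OR index=edr) earliest=%s | search %s" % (lookback, " OR ".join(clauses))


if __name__ == "__main__":
    usable, rejected = extract_values(CTI_DB)
    for value, reason in rejected:
        print("skipped %-45s %s" % (value, reason))
    print(render_query(usable))
```

The rejection reasons are kept rather than dropped because they are exactly what goes back into the CTI database as context: an indicator that was skipped as a known-good domain should be annotated, not silently deleted, or the next analyst will re-add it.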
Behavior-based Hunting
Hunting for behavior is left up to our SIEM and EDR solutions. The detection engineering team has crafted detection rules that flag anomalous behavior, such as suspicious logon times/locations/accounts or uncommon file transfer activities. If one of these rules triggers, then we are responsible for investigating.
TTP-based Hunting
To hunt for TTPs, the team maintains a database of Sigma rules relevant to adversaries likely to target our organization. Each rule has a description, the time it was added, and accompanying translations into the query languages of the SIEM, EDR, and other security solutions we use. Depending on the security solution, these queries are extracted from the database and run either automatically or manually.
Sigma is an open, vendor-neutral format for describing log-based detection rules. A rule is written in YAML and gives a structured description of the log source and the detection logic, so it can be shared between security analysts and translated into the query or rule languages that different security products use. Read How to Arm Yourself with Threat Intelligence for more information.
These queries help us detect suspicious or malicious activity that we can investigate further. To track these hunts, we maintain a database of queries we have run for each month, along with the query results and any evidence obtained during our investigations.
This database contains data such as the query’s name, the date it was run, results found, actions taken, and lessons learned. The hunting database is then reviewed monthly to highlight threats we need to focus on, queries that need to be refactored to reduce false positives or run time, and any other areas for improvement.
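The TTP-hunting pipeline described above (a Sigma rule, its translation into a product's query language, the run, and the hunting-database record), as an added example that is not the article's own tooling or an official Sigma rule. A constructed Sigma-style rule for PowerShell launched with an encoded command is evaluated directly against constructed process-creation events and, from the same walk over its condition, translated into a Splunk search; the result is stored as the kind of record the article's hunting database keeps. The rule, the events, the logsource-to-index mapping, the record fields and the exclusion filter are assumptions, and only the subset of Sigma the rule uses (field modifiers `contains`, `endswith`, `startswith`; lists as OR; conditions of the form `a and not b`) is handled.

```python
"""Added example, not the article's own tooling: evaluate and translate a
Sigma-style rule, then store the hunt record. Rule, events, index mapping and
record fields are constructed assumptions; only a subset of Sigma is supported."""
import datetime

# Constructed Sigma-style rule, as the dict yaml.safe_load would return for the YAML file.
RULE = {
    "title": "PowerShell started with an encoded command",
    "id": "hunt-0001",                                   # assumed internal rule identifier
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc", "-encodedcommand"]},
        "filter": {"ParentImage|endswith": "\\approved-admin-tool.exe"},   # assumed exclusion
        "condition": "selection and not filter",
    },
    "level": "medium",
}

# Constructed process-creation events; the command lines and paths are made up for the example.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"record_id": "evt-1", "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"record_id": "evt-2", "Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\deploy\\deploy.ps1"},
    {"record_id": "evt-3", "Image": PS, "ParentImage": "C:\\Tools\\approved-admin-tool.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"record_id": "evt-4", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c whoami"},
]


def _match_value(actual, expected, modifiers):
    a, e = str(actual).lower(), str(expected).lower()   # Sigma string matching is case-insensitive
    if "contains" in modifiers:
        return e in a
    if "endswith" in modifiers:
        return a.endswith(e)
    if "startswith" in modifiers:
        return a.startswith(e)
    return a == e


def _match_selection(selection, event):
    """Every field in a selection must match (AND); a list of values matches if any does (OR)."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(_match_value(event[field], v, modifiers) for v in values):
            return False
    return True


def _condition_terms(rule):
    """Yield (selection name, negated) for 'a', 'a and b', 'a and not b'. Assumption: no 'or' or brackets."""
    for term in rule["detection"]["condition"].split(" and "):
        negated = term.startswith("not ")
        yield (term[4:] if negated else term), negated


def matches(rule, event):
    return all(_match_selection(rule["detection"][name], event) != negated
               for name, negated in _condition_terms(rule))


INDEX_FOR_LOGSOURCE = {("windows", "process_creation"): "index=sysmon EventCode=1"}   # assumed mapping


def _spl_value(value, modifiers):
    v = str(value).replace("\\", "\\\\").replace('"', '\\"')   # SPL escapes inside double quotes
    wrap = {"contains": '"*%s*"', "endswith": '"*%s"', "startswith": '"%s*"'}
    pattern = next((wrap[m] for m in modifiers if m in wrap), '"%s"')
    return pattern % v


def _spl_selection(selection):
    parts = []
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        parts.append("(" + " OR ".join("%s=%s" % (field, _spl_value(v, modifiers)) for v in values) + ")")
    return "(" + " AND ".join(parts) + ")"


def to_spl(rule):
    """Translate the rule into a Splunk search using the same condition walk as matches()."""
    ls = rule["logsource"]
    clauses = [("NOT " if negated else "") + _spl_selection(rule["detection"][name])
               for name, negated in _condition_terms(rule)]
    return INDEX_FOR_LOGSOURCE[(ls["product"], ls["category"])] + " " + " ".join(clauses)


HUNT_LOG = []   # stands in for the team's hunting database


def run_hunt(rule, events, run_date, actions="", lessons=""):
    """Run one rule over the events and store the record the article's hunting database keeps."""
    hits = [ev for ev in events if matches(rule, ev)]
    record = {"query": rule["title"], "rule_id": rule["id"], "date_run": run_date.isoformat(),
              "results": len(hits), "evidence": [ev["record_id"] for ev in hits],
              "actions": actions, "lessons": lessons}
    HUNT_LOG.append(record)
    return record
```

Running `to_spl(RULE)` gives the search that would be stored as the rule's Splunk translation, and `run_hunt(RULE, SAMPLE_EVENTS, datetime.date.today(), actions="contact user of evt-1 host")` returns the record with `evt-1` as its only evidence: `evt-3` is suppressed by the filter, which is the entry you would revisit at the monthly review if the "approved" tool turns out to be abusable.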
Daily Meeting
Once the daily tasks are complete, we have a team meeting to discuss any findings, actions to take, or any projects the team is working on to develop the program. This is typically a brief catch-up unless something significant happens, like a Log4j or MOVEit vulnerability, which sends everyone into panic mode. Thankfully, panic mode is saved for rare occasions, and the meeting is usually short.
Afternoon
After completing all the daily tasks and reporting anything relevant in the daily meeting, I take the dog for a walk to get some fresh air and take lunch – typically a chicken and spinach wrap but sometimes I splash out and have last night’s leftovers. Then back to work to follow up on investigations from the hunts run in the morning, complete any program development tasks, and try to get in some personal development if possible.
Follow Up
The afternoon typically starts with, and is periodically interrupted by, follow-up calls, emails, and investigation activities based on the morning's threat intelligence and threat hunting. This could be following up with a user who ran a suspicious executable, creating threat hunting queries to address a new threat, or a request from another security team for help with an investigation.
These tasks tend to be sporadic, so we use our hunting database to keep track of them and maintain evidence files that are shared using various Microsoft products. This allows one team member to pick up where another left off and preserves a chain of custody for the evidence gathered during investigations.
Program Development
Aside from follow-ups, the afternoon is usually dedicated to activities that help develop our CTI program. These can generally be grouped into three categories:
- Expansion activities: These build the maturity of the CTI program in new directions and include tasks such as adding new threat hunting queries, implementing new threat hunting methods, or researching new strategies.
- Optimizations: This involves doing things that help the current processes run more efficiently, such as building automation, creating more efficient processes, or trimming down the CTI database and TTP databases to keep them streamlined and relevant.
- Refinement activities: These tasks solidify the program and are the catchup work from the expansion activities. They include building documentation, improving onboarding, or turning hunting queries into detection rules.
There are also long-term projects the team steadily works on to build out our CTI capabilities and further mature the program. These tend to be confidential.
Personal Development
At the end of the day, I like to work on projects or certifications that help me develop my own set of cyber security and technology skills. This can range from home lab projects focusing on getting to grips with the latest open-source C2 framework to studying for certification exams like SANS' GIAC Reverse Engineering Malware (GREM).
I love honing my craft and learning new things every day. It is a driving factor in my success, but, more importantly, it keeps me engaged with my work and provides me with a great sense of accomplishment to finish my day. You can find my thoughts on cyber security training in Free vs Paid Cyber Security Training: The Secret to Career Success.
Conclusion
This article has been vague regarding the specific details of the technologies and processes we use due to the sensitivity of my work. However, it should give you a good idea of what my day typically looks like. Hopefully, you now better understand what a CTI analyst does and, perhaps, what you can bring to your organization.
It is important to include things in your day other than work. Tackle personal projects, get out for a walk on your lunch break, take regular breaks to reset and refocus, and try to finish with some personal development time to learn something new or hone your craft. Even the most interesting jobs can become routine and monotonous over time, so try to structure your day to keep it fresh and interesting.
If you want me to go into any more detail about a specific part of my typical day, please leave a message in the comments!