5 Mistakes I Made as a New Cyber Threat Intelligence Analyst
A Cyber Threat Intelligence (CTI) analyst plays a critical role in defending an organization from cyber attacks. They need to gather information about the latest cyber threats, assess the relevance and potential impact they could have on their organization, and provide actionable intelligence to other defenders in the organization to protect against these threats.
This is a challenging job. You need strong cyber security knowledge across various disciplines, an understanding of the red and blue sides, and data analysis skills to prioritize which challenges to tackle across the vast threat landscape. You must also communicate these findings to security professionals who transcend your organization’s hierarchy, from junior SOC analysts who need tactical intelligence (IOCs) to C-suite executives who need strategic intelligence.
There are pitfalls around every corner that can have you spending weeks or even months prioritizing the wrong things, poorly communicating your findings, or wasting your time chasing red herrings.
I made several mistakes while working in a SOC and later as a senior CTI analyst. Here are the big ones you can hopefully avoid on your quest to learn about cyber threat intelligence or become a CTI analyst, along with practical advice on how to avoid them.
You can learn more about a typical day for a threat intelligence analyst in Day in the Life of a Senior Threat Intelligence Analyst.
Mistake #1: Thinking All Indicators Are Equal
The first thing you learn about when you join a SOC, or any technical blue team role, is Indicators of Compromise (IOCs). These get left behind in log files and “indicate” that something bad has happened. There are two main types of IOCs:
- Endpoint-based indicators: Things you will find on endpoint devices (e.g., workstations, laptops, servers), such as file hashes, registry keys/values, filenames, etc.
- Network-based indicators: Things you find in network logs (e.g., firewall logs, VPN logs, WAF logs), such as IP address, domain names, URLs, user agents, etc.
The trouble with IOCs is that they are not all created equal. You can change a file’s hash by adding a single character, get a new IP address by simply restarting your cloud server, and change the user-agent of your command and control (C2) traffic by using a malleable profile. I did not know all this when I started and treated all IOCs equally.
This is a huge mistake when engineering detections because you will not prioritize the right indicators and waste a lot of time creating blocklists for IOCs that an attacker can easily change. Instead, you need to prioritize IOCs that cannot be easily changed by an attacker and, as such, are used over and over again. This could be their tactics, techniques, and procedures (TTPs) or the tools they reuse.
The Pyramid of Pain by David Bianco is a great visual for showing what indicators to prioritize. You can learn how to use this conceptual model in Elevate your Threat Detections using the Almighty Pyramid of Pain.
Mistake #2: Not Verifying IOCs
Just because you see an IOC listed in a threat intelligence report or on a threat feed doesn’t mean it is malicious. You should always verify if an IOC is actually malicious and needs to be blocked or if it is just related to a security incident. Not verifying if an IOC is malicious can cause many headaches when you see hundreds of alerts triggering in your environment for a legitimate executable or file.
For instance, threat actors often abuse the Windows Sysinternals tool psexec during an attack to execute code on a remote system and perform lateral movement. However, psexec is also a tool system administrators and network engineers use for remote administration and automation. If you see this tool’s file hash in a report, assume it is malicious, and tell your security solution to trigger an alert if it is seen in your environment, you will be having a very busy day.
There are a variety of threat intelligence tools you can use to verify your IOCs. Popular ones include:
- VirusTotal: An online service for analyzing suspicious files, domains, IPs, and URLs using a combination of antivirus and threat intelligence search engines.
- Maltiverse: A threat intelligence aggregator that lets you search for data about an IOC from hundreds of different public, private, and community sources.
- GreyNoise: A threat intelligence database that scans Internet traffic and allows you to look up if an IP or domain is malicious.
- Alienvault Open Threat Exchange (OTX): A community-driven resource that collects and distributes IOCs. You can verify your IOCs against associated malicious activities in this database.
- Urlscan.io: A free online service that lets you scan URLs and websites to determine if an IOC is malicious.
You can even automate IOC verification by integrating a threat intelligence tool API (e.g., the VirusTotal API) with a Continuous Integration and Continuous Deployment (CI/CD) pipeline like GitHub Actions. When you upload a list of IOCs to GitHub, a GitHub Action will run and check whether each IOC is malicious or not. If not, it will remove it from the list, and you can upload a verified block list to your security solution.
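Below is an added example of such a verification step in Python; it is not the article's code, nor GitHub's or VirusTotal's. It classifies each indicator, looks it up through an injectable lookup function (the `vt_lookup` client targets the VirusTotal v3 object endpoints and needs a network connection and an API key), keeps only indicators that enough engines flag, and ranks the survivors by how hard they are for an attacker to change, which is the point of Mistake #1 above. The `SAMPLE_STATS` table, the hashes, the addresses and the thresholds are all constructed assumptions for the example; tune the thresholds to your own risk appetite.

```python
"""IOC verification before blocking (added example, not the article's code).

Each candidate indicator is classified (hash / IPv4 / domain / URL), looked up
through an injectable lookup(kind, ioc) callable that returns VirusTotal-style
last_analysis_stats counts, and kept only when enough engines agree it is
malicious.  vt_lookup is a live client for the VirusTotal v3 API (network and
API key required); SAMPLE_STATS is a constructed offline stand-in.
"""
import base64
import ipaddress
import json
import re
import urllib.request

HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# Pyramid of Pain rank: higher means costlier for an attacker to change, so a
# surviving indicator of that kind deserves more of your blocklist budget.
PAIN_RANK = {"hash": 1, "ipv4": 2, "domain": 3, "url": 3}


def classify(ioc: str) -> str:
    """Return 'hash', 'ipv4', 'domain', 'url' or 'unknown'."""
    ioc = ioc.strip()
    if HEX_HASH.match(ioc):
        return "hash"
    try:
        ipaddress.IPv4Address(ioc)
        return "ipv4"
    except ValueError:
        pass
    if ioc.lower().startswith(("http://", "https://")):
        return "url"
    if DOMAIN.match(ioc):
        return "domain"
    return "unknown"


def vt_object_path(kind: str, ioc: str) -> str:
    """VirusTotal v3 object path for an indicator (a URL's identifier is the
    unpadded URL-safe base64 of the URL itself)."""
    if kind == "hash":
        return f"/files/{ioc}"
    if kind == "ipv4":
        return f"/ip_addresses/{ioc}"
    if kind == "domain":
        return f"/domains/{ioc}"
    if kind == "url":
        return "/urls/" + base64.urlsafe_b64encode(ioc.encode()).decode().rstrip("=")
    raise ValueError(f"unsupported indicator kind: {kind}")


def vt_lookup(kind: str, ioc: str, api_key: str) -> dict:
    """Live VirusTotal v3 lookup returning the last_analysis_stats counts."""
    req = urllib.request.Request(
        "https://www.virustotal.com/api/v3" + vt_object_path(kind, ioc),
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=20) as resp:
        body = json.load(resp)
    return body["data"]["attributes"]["last_analysis_stats"]


def is_verified_malicious(stats: dict, min_engines: int = 5, min_ratio: float = 0.10) -> bool:
    """Require both an absolute number of detections and a share of the engines
    that returned a verdict, so a dual-use admin tool with one or two heuristic
    hits (the psexec case) does not end up on the blocklist."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    voted = flagged + stats.get("harmless", 0) + stats.get("undetected", 0)
    return voted > 0 and flagged >= min_engines and flagged / voted >= min_ratio


def build_blocklist(candidates, lookup):
    """Return (keep, dropped): keep is sorted by Pyramid of Pain rank, highest
    first; dropped carries a reason for the audit trail."""
    keep, dropped = [], []
    for ioc in candidates:
        kind = classify(ioc)
        if kind == "unknown":
            dropped.append((ioc, "unrecognised indicator format"))
            continue
        stats = lookup(kind, ioc)
        if is_verified_malicious(stats):
            keep.append((ioc, kind, PAIN_RANK[kind]))
        else:
            dropped.append((ioc, f"only {stats.get('malicious', 0)} engines flag it"))
    keep.sort(key=lambda row: row[2], reverse=True)
    return keep, dropped


# Constructed sample values (a TEST-NET address, reserved example domains and
# obviously synthetic hashes); the counts imitate VirusTotal stats and are not
# real lookups.  "cafebabe" plays the dual-use admin tool with one stray hit.
SAMPLE_STATS = {
    "deadbeef" * 8: {"malicious": 58, "suspicious": 2, "harmless": 0, "undetected": 10},
    "cafebabe" * 8: {"malicious": 1, "suspicious": 0, "harmless": 0, "undetected": 69},
    "203.0.113.10": {"malicious": 12, "suspicious": 1, "harmless": 3, "undetected": 70},
    "c2.example.net": {"malicious": 10, "suspicious": 0, "harmless": 1, "undetected": 80},
    "http://example.org/loader.php": {"malicious": 2, "suspicious": 0, "harmless": 60, "undetected": 20},
}


def offline_lookup(kind, ioc):
    """Stand-in for vt_lookup so the example runs without network access."""
    return SAMPLE_STATS[ioc]


if __name__ == "__main__":
    kept, rejected = build_blocklist(list(SAMPLE_STATS) + ["not an ioc"], offline_lookup)
    for row in kept:
        print("BLOCK", *row)
    for row in rejected:
        print("DROP ", *row)
```

In a CI job you would replace `offline_lookup` with `functools.partial(vt_lookup, api_key=...)` and fail the build if a submitted indicator is dropped, so that nobody ships the blocklist without seeing why an entry was rejected.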
Mistake #3: Trying to Cover All TTPs
The MITRE ATT&CK (Adversary Tactics, Techniques, and Common Knowledge) matrix is a comprehensive framework that details the tactics, techniques, and procedures (TTPs) adversaries use to perform cyber attacks. You can learn about this framework in Lock & Load I: The Holy Bible of Threat Intelligence.
When starting as a threat intelligence analyst, I thought it would be a great idea to try and cover all the TTPs on this list. Have a hunting query or detection rule for everything from initial access to impact and in between. Theoretically, this should be achievable (albeit a lot of work). However, this was a misinterpretation of the MITRE ATT&CK framework.
The framework includes information on the following:
- Tactics: The high-level objectives or goals adversaries aim to achieve during an attack (e.g., initial access, execution, privilege escalation, etc.).
- Techniques: The methods or actions adversaries use to accomplish their tactical objectives (e.g., phishing as an initial access technique).
Unfortunately, adversaries can carry out these tactics and techniques in many different ways (known as procedures). The framework lacks detailed information on these procedures because there are tens or hundreds of ways to accomplish them, and attackers create new ones every day.
To create effective threat hunting queries or detection rules, you need specifics. You need detailed information about the procedure a threat actor used to accomplish a tactic or technique so you can search for artifacts left behind in the log files using YARA or Sigma rules. These specifics are described in threat reports, such as The DFIR Report. However, keeping up with the constant flow of new attacks is a fool’s errand. You need to prioritize the TTPs you cover!
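To show what a procedure-level detection looks like in practice, here is an added example (not code from the article or from the Sigma project) of a small Sigma-style matcher run over constructed Windows System log records. The rule it evaluates targets one specific procedure for the psexec lateral-movement case from Mistake #2: PsExec installs a service named PSEXESVC on the target, which shows up as a service-installation event (event ID 7045). The rule is written as the dict a YAML loader would produce; the `JUMPHOST-` filter assumes a naming convention for sanctioned admin hosts, and the event records are made up for the example.

```python
"""Sigma-style detection over sample event logs (added example; not code from
the article or the Sigma project).

The matcher supports the Sigma pieces most rules use: field/value selections
with |contains, |startswith and |endswith modifiers, a list of values as OR,
and a condition combining named selections with and/or/not.  Matching is
case-insensitive, as in Sigma.
"""
import re

# Dict form of a Sigma rule (what yaml.safe_load would return).
PSEXEC_SERVICE_RULE = {
    "title": "PsExec service installation (constructed example rule)",
    "logsource": {"product": "windows", "service": "system"},
    "detection": {
        "selection": {
            "EventID": 7045,                       # "A service was installed in the system"
            "ServiceName|contains": "PSEXESVC",    # service PsExec drops on its target
        },
        "filter_admin_host": {
            "Computer|startswith": "JUMPHOST-",    # assumed naming of sanctioned admin hosts
        },
        "condition": "selection and not filter_admin_host",
    },
}

# Constructed log records; field names follow Sigma's Windows conventions.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS-0042", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "WS-0042", "ServiceName": "Backup Agent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    {"EventID": 7045, "Computer": "JUMPHOST-01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7036, "Computer": "WS-0042", "ServiceName": "PSEXESVC",
     "ImagePath": ""},
]


def _value_matches(modifier, expected, actual):
    """Compare one expected value against one field value under a modifier."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def selection_matches(selection, event):
    """Every field in a selection must match (AND); a list value is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(modifier, v, event.get(field)) for v in values):
            return False
    return True


_CONDITION_CHARS = re.compile(r"^[\w\s()]+$")


def evaluate_condition(condition, truth):
    """Evaluate a condition such as 'a and not b'.  Only identifiers, and/or/not
    and parentheses are accepted, and every identifier must be a known
    selection, so the expression can safely be handed to eval with no builtins."""
    if not _CONDITION_CHARS.match(condition):
        raise ValueError("unsupported condition syntax")
    for name in re.findall(r"[A-Za-z_]\w*", condition):
        if name not in ("and", "or", "not") and name not in truth:
            raise ValueError(f"unknown selection {name!r}")
    return bool(eval(condition, {"__builtins__": {}}, dict(truth)))


def run_rule(rule, events):
    """Return the events the rule's condition is true for."""
    detection = rule["detection"]
    condition = detection["condition"]
    selections = {k: v for k, v in detection.items() if k != "condition"}
    hits = []
    for event in events:
        truth = {name: selection_matches(sel, event) for name, sel in selections.items()}
        if evaluate_condition(condition, truth):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in run_rule(PSEXEC_SERVICE_RULE, SAMPLE_EVENTS):
        print("ALERT:", PSEXEC_SERVICE_RULE["title"], "on", hit["Computer"])
```

Only the first record fires: the second installs a different service, the third is excluded by the admin-host filter, and the fourth is a service state change rather than an installation. That is the level of specificity a hunting query needs, and it comes from the report describing the procedure, not from the ATT&CK technique entry.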
You can learn how to discover and prioritize TTPs in Threat Profiling: How to Understand Hackers and Their TTPs. This article describes how to practically threat profile adversaries, software, data sources, and past incidents so you can generate a list of TTPs to prioritize.
Mistake #4: Not Using a Feed Aggregator
Where do you gather your threat intelligence from?
A primary source for threat intelligence is open-source threat intelligence feeds, such as AlienVault OTX, CISA Alerts, and RiskIQ Community Edition, to name a few. These feeds detail a wide range of threats you must sift through to find those relevant to the organization. This can be time-consuming as you often look for new open-source intelligence from various sources and find yourself opening 10, 20, or even 30 Google Chrome tabs to cover all your bases.
When I started, I would have a list of open-source intelligence feeds bookmarked and go through this list at the start of every day to see if there were any new threats the organization needed to be aware of or prioritize. Apart from being a drain on my computer’s RAM (if you use Chrome, you know), this was also an inefficient way of consuming information. Then I was introduced to feed aggregators.
Feed aggregators are applications or web services that collect and consolidate content from multiple sources into a single pane of glass. They collect articles from websites, blogs, news feeds, and other online content into an easily accessible interface that allows you to track what’s happening in the world efficiently. You can decide what feeds you add to your feed aggregator and even filter for specific content within those feeds so you don’t become overwhelmed with data.
I use a feed aggregator to efficiently find and consume open-source threat intelligence relevant to my organization, whether CVEs, threat reports, or Medium articles on the latest TTPs. Examples of feed aggregators include Feedly (which has an awesome threat intelligence version, although expensive), Inoreader, and NewsBlur. I recommend starting with a free version of these platforms and seeing what is possible.
Feed aggregators have many more features I have not listed here. You can set up your aggregator with automation tools like Zapier to share the news with colleagues, archive posts to read later, add social media searches for platforms like Twitter, and much more. Learn more in Creating Your Own CTI Aggregator for Free: A Complete Guide.
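The collect, deduplicate and filter steps an aggregator performs are small enough to see end to end. The following is an added example in Python using only the standard library; it is not code from the article or from any aggregator product. Two RSS 2.0 feeds are constructed inline (in practice you would fetch them from the feed URLs you subscribe to), the watchlist terms are assumptions, and the CVE identifier in the sample is a placeholder rather than a real advisory.

```python
"""Feed aggregation with keyword filtering (added example, not the article's
code or any aggregator product's).

Parses RSS 2.0 items from several feeds, drops items that more than one feed
republishes, keeps only items whose title or description mentions a watchlist
term, and returns them newest first.  Feed XML below is constructed inline.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

FEED_VENDOR = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Vendor Blog (constructed)</title>
<item><title>CVE-YYYY-NNNNN (placeholder): patch now for the VPN appliance</title>
<link>https://vendor.example/blog/vpn-patch</link>
<pubDate>Tue, 05 Mar 2024 09:00:00 +0000</pubDate>
<description>Exploitation observed in the wild; apply the fix.</description></item>
<item><title>Our new office opens downtown</title>
<link>https://vendor.example/blog/office</link>
<pubDate>Mon, 04 Mar 2024 12:00:00 +0000</pubDate>
<description>Press release.</description></item>
</channel></rss>"""

FEED_COMMUNITY = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Community Reports (constructed)</title>
<item><title>Ransomware group abuses PsExec for lateral movement</title>
<link>https://community.example/reports/psexec</link>
<pubDate>Tue, 05 Mar 2024 14:00:00 +0000</pubDate>
<description>Service installs named PSEXESVC seen across the estate.</description></item>
<item><title>Republished: patch now for the VPN appliance</title>
<link>https://vendor.example/blog/vpn-patch</link>
<pubDate>Tue, 05 Mar 2024 10:30:00 +0000</pubDate>
<description>Mirror of the vendor advisory (CVE-YYYY-NNNNN placeholder).</description></item>
<item><title>Podcast episode 12</title>
<link>https://community.example/podcast/12</link>
<description>Chat about conference season.</description></item>
</channel></rss>"""

# Assumed watchlist for this example; a real one comes from your threat profile.
WATCHLIST = ["cve-", "ransomware", "lateral movement", "initial access"]

EPOCH = datetime.min.replace(tzinfo=timezone.utc)  # sort key for undated items


def parse_rss(feed_name, xml_text):
    """Return one dict per <item>; missing pubDate falls back to EPOCH."""
    root = ET.fromstring(xml_text)
    items = []
    for node in root.iter("item"):
        raw_date = node.findtext("pubDate", "").strip()
        published = parsedate_to_datetime(raw_date) if raw_date else EPOCH
        items.append({
            "feed": feed_name,
            "title": node.findtext("title", "").strip(),
            "link": node.findtext("link", "").strip(),
            "published": published,
            "summary": node.findtext("description", "").strip(),
        })
    return items


def matches_watchlist(item, watchlist):
    """Case-insensitive substring match over title and description."""
    haystack = (item["title"] + " " + item["summary"]).lower()
    return any(term.lower() in haystack for term in watchlist)


def aggregate(feeds, watchlist):
    """feeds: {name: xml_text}.  Dedupe on link (first seen wins), filter on
    the watchlist, and order newest first."""
    seen, merged = set(), []
    for name, xml_text in feeds.items():
        for item in parse_rss(name, xml_text):
            if item["link"] in seen:
                continue
            seen.add(item["link"])
            if matches_watchlist(item, watchlist):
                merged.append(item)
    merged.sort(key=lambda it: it["published"], reverse=True)
    return merged


if __name__ == "__main__":
    for item in aggregate({"vendor": FEED_VENDOR, "community": FEED_COMMUNITY}, WATCHLIST):
        print(item["published"].isoformat(), item["feed"], item["title"], item["link"])
```

The same `aggregate` function can be scheduled to run once a day, with new items pushed to a chat channel or ticket queue in place of the print loop; the watchlist is where your threat profile (Mistake #3) turns into a filter rather than another thirty browser tabs.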
Mistake #5: Stopped Innovating and Learning
Once you spend some time in cyber security, you may become complacent. I certainly did. I relied on the same tools and processes to do my daily work, my learning became stagnant, and my job satisfaction slowly faded. I fought so hard to break into the industry, but when I did, it only took a couple of years for me to get lazy and stop trying to innovate or learn!
This is a trap that we seem to be attracted to as humans. We work hard to achieve our goals, reap the rewards and comforts, and then become lazy and stagnant as we rely on the same old tools and processes. It’s not your fault. We enjoy the comforts of a routine, knowing exactly what to do daily, and having a system we can rely on. However, this trap can be a killer for your career and your mental well-being!
If you’re in cyber security, especially on the technical side, you probably love finding solutions to complex problems and learning about new technologies. If you become complacent at your job and stop trying to innovate or learn, you rob yourself of this joy and any opportunities to progress your career.
You should try to do more of what you enjoy for your mental well-being and workplace happiness. Talk to your manager and ask for some time to find a new innovative process, make time outside of work to learn new things, and take back control of your career!
Innovation could be anything from using an API to verify your IOCs to creating custom Sigma rules to hunt for the latest threats. You don’t need to reinvent the wheel. Just keep an eye out for what tools are out there and how you could use them to make your life easier (usually through automation).
Those were my top five mistakes during my threat intelligence journey. Perhaps they are obvious blunders to you, and with hindsight, they are to me now. But in the moment, we all make mistakes, and CTI is no exception. There are few great (and affordable) courses on this cyber security discipline, and much of the knowledge I have gained comes from late nights reading blog posts, extrapolating practices from other disciplines (e.g., military intelligence, data analysis, red teaming), and just giving things a go.
That’s the greatest advice I can give you. Just get stuck in and give it a go. Read everything you can find, from the technical details of the latest attacks to the speculative essays from industry experts. Try that latest open-source tool or new methodology, and don’t be afraid of making mistakes.
Everyone makes mistakes. It’s how we learn and develop as cyber security professionals. They help us become better versions of ourselves so that the next time we tackle a similar challenge, we can ace it. Don’t be afraid of making a mistake. Just make sure you learn from it and never stop learning!