My first year in Cyber Threat Intelligence
As of 1 August, I have been working in the cyber threat intelligence industry for one whole year. It has been a steep, but rewarding, learning curve that gives as much back as you put into it.
In 2016, I started university doing a cybersecurity-specific course as I knew it was what I wanted to do since I was about 15 years old. I graduated in 2019 with a 2:1 in BSc (Hons) Computer and Information Security. Within three weeks of finishing my course I was offered a job in July and started in August. It could not have been better.
It was only until the end of my course that I began to learn about threat intelligence and emerging threats in an interesting module that educated us about 0day vulnerabilities and the darknet. Initially, I wanted to be a penetration tester (like most students on my course), but I was only just about able to make it through the labs on Kali and Metasploit through hard work and frustration. This put me off and made me look elsewhere into other areas of security which included learning about OSINT and malware. Cyber threat intelligence was perfect for my skill set.
In my first role as a Junior Security Researcher I had to learn A LOT. This is a fair warning to anyone entering the cybersecurity industry in general - you need to learn a little bit about everything and keep learning while on the job, it is just a fact. For example, the topics I have to cover includes:
What is Cyber Threat Intelligence?
“Cyber threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace. Intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence or intelligence from the deep and dark web.” - Bank of England
My experience of cyber threat intelligence has been as part of an entity that is external of the organisations that it provides intelligence for. This is also known as CTI-as-a-Service. There are a number of firms dedicated to CTI, but other Managed Security Service Providers (MSSP) and Antivirus companies also provide similar offerings.
How to provide CTI:
Identify and analyse relevant threats to targeted organisations
Communicate effectively with Security Operations Centers (SOC)
Perform custom investigations on an adhoc basis
Timeliness is key to provide actionable intelligence
Monitoring - checking sources and evaluating what needs to be reported on
Sources - gathering sources of new information, could be OSINT, RUMINT, HUMINT, and SOCMINT
Networking - working with the CTI community and intel sharing
Writing analytical reports:
Executive summary - explain concisely what is happening / has happened
Analysis - explain why this matters, add context with previous incidents, and evaluate
Spelling, punctuation, and grammar has to be flawless at all times
Write in active tense to describe something that is ongoing
Do not spend too long on one report (10 others still need to be written)
What is a threat?
"If you see dark clouds outside, there's a threat of rain. If you decide to go out without an umbrella, that's a vulnerability. Combine the two and you have the risk of getting soaked." - Anonymous
Cyber threats are negative events impacting technology. This can include malware, phishing, social engineering, data breaches, vulnerabilities and exploits, APT groups, disinformation campaigns, and denial of service attacks. For a comprehensive view of the threat landscape is it necessary to keep track of all of these threats and have an understanding of them. I found it useful to have knowledge of each of the most notable two or three incidents for each example listed.
It has been interesting monitoring the threat landscape throughout the last year. Top-tier cybercrime groups have been generating more funds than ever. This year has been largely dominated by crippling ransomware attacks and data exfiltration that is later released to their respective leak sites. It is expected to continue, with ransom demands increasing in the millions of dollars worth Bitcoin.
In January, I started this blog (bushidotoken.net) to improve my writing. I wanted to improve my analytical skills for intelligence reports and research topics I wanted to learn more about.
The blogs I wrote about which I learned the most from include:
Book Review of Sandworm - https://blog.bushidotoken.net/2020/03/sandworm-new-era-of-cyberwar-and-hunt.html
Deep-dive: The DarkHotel APT - https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html
Deep-dive: The Lazarus Group - https://blog.bushidotoken.net/2020/02/deep-dive-lazarus-group.html
CobaltStrike Pentesting Framework - https://blog.bushidotoken.net/2020/06/cobaltstrike-penetration-testing.html
Disclosure of OZH RAT - https://blog.bushidotoken.net/2020/05/ozh-rat-new-net-malware.html
Finally, when I first started my job we were working in a modern office only a 15 minute walk away from me, it was ideal. Then in March we were all sent home, like many others, due to the threat of COVID-19. It was the first time for me to work from home and at first I was unsure if it would be suitable for me. After a few weeks, however, I found myself enjoying it and now I would say I somewhat prefer it to a traditional office. Working from home doesn't necessarily mean from where you live, it is essentially anywhere with an internet connection. I also have a very supportive team that offers plenty of flexibility and opportunities for me to learn new skills and make new connections.
Threat intelligence is so interesting to me as you never really know what the next week will bring. It could be a huge ransomware attack against a multinational firm or an exploit could be dropped and every Fortune 500 firm is immediately under attack. In the next year I hope to earn a certification - such as CTIA or CREST - and attend conferences to meet some of the connections in the industry I have made through Discord and Twitter.