What is a Threat Intelligence Analyst?
A threat intelligence analyst, also known as a cyber threat intelligence (CTI) analyst, is a specific research role within the cybersecurity industry. Threat intelligence analysts usually monitor external threats and landscapes for signs of attacks, carry out investigative work to identify threats, and perform varied landscape detection.
A cyber threat intelligence analyst is critical to any organization’s security, as they can help identify threats and weaknesses before they even happen, and are therefore paramount for security. That said, threat intelligence can also be outsourced and therefore doesn’t always need to be done in-house.
What are the responsibilities of a Cyber Threat Intelligence Analyst?
There are a number of roles and responsibilities that any CTI analyst may need to work through on any given day. In no particular order, this is what you can expect in a CTIA role.
Internal Threat Monitoring
Although it likely won’t be your day-to-day work, internal threat monitoring could be one of your responsibilities within your team. Internal threat monitoring is more for SOC analysts or security analysts, but could still very much be included in your role. This would involve monitoring alerts and threats occurring within your organization or toolsets.
One of the main responsibilities of a CTI analyst is to gather intelligence. This comes in many forms: it may be self-created, collaborative, or entirely third-party, but one way or another you should be gathering intelligence. This intelligence can then be used internally and shared with customers, third parties, or any stakeholders within your organization. This intelligence should be the source of your changes for detection and response.
Threat analysis requires you to do a deep dive into any known or unknown threats that have occurred. These could be internal to your business or team or could be from another business that has experienced a cyberattack. No matter the source, threat analysis could be as in-depth as reverse engineering, or purposeful detonation of a file. This can then be made into a report and disseminated to other teams or stakeholders – or used for internal improvement.
As a threat intelligence analyst, you will likely also participate in a risk assessment of some kind; the same goes for vulnerability assessments. As someone who will be known to dig into the technicals and try to find holes, participating in a risk assessment will likely mean you’re trusted to deliver a true, accurate, and functional risk and vulnerability review.
Incident Response Support
As part of most business cybersecurity incident response policies, you will likely need to write up and report on findings. Should a major incident come your way, you will likely be asked to write up and deliver a high-quality report for your stakeholders and/or customers.
Threat Intelligence Reporting
With this role, you will likely find yourself creating a lot of reports. These will be named and owned by you or your team. You will be responsible for creating pretty and well-informed reports based on incidents, breaches, or anything of that nature that could be useful for you, your customers, your business, or even just your team. This reporting is the key deliverable of the role.
Whilst this does cover a grey area of the CTI analyst role and a SOC analyst role, threat hunting is a major part of cybersecurity, especially if you’re trying to discover undiscovered threats. As an intelligence analyst, you will be required to hunt for threats using TTPs (tactics, techniques, procedures) or IOCs.
Collaboration & CTI (Information) Sharing
As an intelligence analyst, you may be required to share reports, or read reports shared by colleagues or other companies in your country or industry. This collaboration is a fantastic way for cybersecurity experts to keep up to date, and also to ensure their businesses are learning from other companies’ security failures.
If each company shared the ins and outs of breaches that have happened, then we could do more to prevent similar types of attacks in the future. The UK’s CISP (Connect, Inform, Share, Protect platform) is a great example of this.
Industry and Threat Research
Just like threat hunting, you may be required to do industry- or threat-specific research on your own or as part of a team, either internally or in a group formed by a third party, to help investigate threats that could relate to your industry or a specific ongoing threat that has a lack of information. These all come under threat hunting and reporting.
Where do Threat Intelligence Analysts usually Work?
Threat intelligence analysts can sit in various teams or stand alone, but will almost always sit underneath the CISO/Security Team within an organization. Some common placements (team-wise) are as follows:
- SOC Team (Security Operations Center)
- Cybersecurity or SecOps Team
- Security Leadership Team
- Services Department (If you outsource services).
Whilst this list doesn’t cover everything, in most instances you will be able to find a position within one of these teams. Realistically, that means any team that focuses on cybersecurity for a business, or as a service.
What is the average Salary for a Threat Intelligence Analyst?
The average salary for a Threat Intelligence Analyst varies from country to country, and with expertise and experience. The average salaries for the various countries are as follows.
- United Kingdom – Average Salary for a Threat Intelligence Analyst: £50,000
- United States – Average Salary for a Threat Intelligence Analyst: $100,000
- Europe/ROW – Average Salary for a Threat Intelligence Analyst: £32,000
Overall, a threat intelligence analyst will be a great position for you to take up. If you love reporting, or digging into the technicalities of everything, then this is for you. Whilst positions for Threat Intelligence Analysts are not super common, you should still be able to break into it. Be sure to read some more of our Hakubi articles, and see how they can help you grow as a CTI Analyst!