
Cyber Threat Intelligence

Cyber Threat Intelligence is the assessment, validation and reporting of information on current and potential cyber threats to maintain an organisation’s situational awareness.


More about a career in Cyber Threat Intelligence

You have an interest in security, technology and current affairs, because you're likely to be researching emerging threats and generating forward-looking assessments of their trajectory. Your colleagues and senior managers in Cybersecurity Operations have confidence that your assessments are underpinned by rigorous analysis, because the intelligence you produce guides decision-making within the organisation. And, if you deal directly with clients, you support them with tactical and operational assessments which enable them to identify, track and satisfy their intelligence needs.

You follow news reports, especially in specialist cyber security media. But you're also imaginative about finding and interpreting a wide range of information sources, including social media. You may use specialist tools that exist to help curate personal news aggregators; these tools help CTI teams see through the noise in order to focus on the most critical topics. You interpret what you read to construct a credible view of emerging threats and the development of existing ones. You may also carry out your own research directly into potential threats, by studying attempted and successful breaches and the actors behind them.

You work closely with colleagues who are responsible for identifying vulnerabilities and deciding how to manage them. Your work feeds into risk assessments and into the planning and management of security controls. Depending on the size of the organisation, you may be involved in some of this work or even do it yourself.

If there's a security incident involving an intrusion, you support the analysis of the attack and its attribution to an external actor. In some roles, you may liaise with other organisations - either cyber threat intelligence specialists or government agencies - to maintain a common view of threats. In some sectors, such as finance, it's common for businesses to share intelligence in order to better protect the whole sector.

Part of your responsibility may be to contribute to or develop the strategy for Security Operations. Depending on the organisation for which you work, you're likely to be required to provide support to the security operations centre (SOC) or computer incident response teams (CIRT). In many organisations, you're part of a SOC.

In this specialism, you’ll research and report on the cyber threats to organisations’ security, to enable your organisation to focus its resources on addressing the risks it faces.

In detail, you might:

  • support and lead the delivery of cyber security assessments and action recommendations to stakeholders at technical, managerial and executive level
  • act as part of the incident response team where appropriate and provide operational cyber intelligence support during ongoing incidents
  • research threats, Indicators of Compromise (IoCs) and threat actor Tactics, Techniques and Procedures (TTPs) to support Threat Hunting, Signature Development and Threat Intelligence Platform (TIP) processes
  • evaluate and refine available technical intelligence feeds to drive maximum value
  • work closely with the vulnerability management team to keep them updated on the latest threats
  • maintain detailed threat actor profiles on adversaries of interest, covering their tactics, techniques and procedures, motivations, goals and strategic objectives
  • establish mutual technical intelligence sharing with credible external sources
  • identify research gaps and opportunities

In most organisations, Cyber Threat Intelligence roles will be part of the Security Operations Centre. Some organisations have a dedicated Cyber Threat Intelligence team with two or more people. In general, there are two levels of responsibility.  

A Cyber Threat Intelligence practitioner:

  • analyses and learns about the current and future threats, identifying the tactics, techniques and procedures used by threat actors
  • will usually be involved with scenario-based testing initiatives and supporting the management of incidents

A Cyber Threat Intelligence senior practitioner:

  • will have additional responsibilities for briefing at a high level, providing influence and situational awareness on current and future cyber threats
  • may, depending on the size of the organisation, be the sole cyber threat intelligence specialist on whom the organisation relies; or
  • may lead a cyber threat intelligence team

Personal attributes

  • a critical thinker with an investigative mindset
  • a genuine interest in cyber security, international affairs and geo-political dynamics
  • the ability to synthesise multiple and divergent sets of data/information into concise and clear analyses
  • strong written and spoken communication skills
  • strong interpersonal and team skills
  • the ability to think like an adversary
  • the ability to evaluate the probable social, commercial, cultural, ethical and environmental consequences of an action

Specialist skills 

  • analytical tradecraft
  • intelligence analysis
  • handling open-source intelligence (OSINT) research and common tool sets
  • application of formal methodologies (for example: Kill Chain, MITRE ATT&CK, Diamond Model)

For the more experienced practitioner:

  • subject matter expert in Advanced Persistent Threat (APT) groups
  • subject matter expert in adversaries' Tactics, Techniques and Procedures (TTPs)

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)

B1 – Threat Intelligence, Assessment and Threat Modelling

Principles:

  • assesses and validates information from several sources on current and potential Cyber and Information Security threats to the business, analysing trends and highlighting Information Security issues relevant to the organisation, including Security Analytics for Big Data
  • processes, collates and exploits data, taking into account its relevance and reliability to develop and maintain ‘situational awareness’
  • predicts and prioritises threats to an organisation and their methods of attack. Analyses the significance and implication of processed intelligence to identify significant trends, potential threat agents and their capabilities
  • predicts and prioritises threats to an organisation and their methods of attack. Uses human factor analysis in the assessment of threats
  • uses threat intelligence to develop attack trees
  • prepares and disseminates intelligence reports providing threat indicators and warnings

D4 – Penetration Testing and conducting Simulated Attack Exercises

Principles:

  • contributes to the scoping and conduct of vulnerability assessments and tests for public domain vulnerabilities and assessment of the potential for exploitation, where appropriate by conducting exploits
  • reports potential issues and mitigation options
  • contributes to the review and interpretation of reports
  • co-ordinates and manages Remediation Action Plan (RAP) responses
  • this Skill Group covers, but is not limited to, penetration testing against networks and infrastructures, web applications, mobile devices and control systems
  • this Skill Group also covers contributing to the conduct of testing and simulated attack exercises based on scenarios derived from threat intelligence, potential threat agents and their capabilities

F1 – Intrusion Detection and Analysis

Principles:

  • monitors network and system activity to identify potential intrusion or other anomalous behaviour
  • analyses the information and initiates an appropriate response, escalating as necessary
  • uses security analytics, including the outputs from intelligence analysis, predictive research and root cause analysis in order to search for and detect potential breaches or identify recognised indicators and warnings
  • monitors, collates and filters external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes
  • ensures that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available
  • produces warning material in a manner that is both timely and intelligible to the target audience(s)


*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.


Any role that has developed an aptitude for working in the intelligence analysis and threat cycle and instilled an ability to conduct the kind of analysis required for Cyber Threat Intelligence work could, with additional specialist training, provide a good foundation for working in this specialism.

Such careers include:

  • intelligence and investigative roles in police services
  • intelligence roles in military services
  • security and intelligence services
  • technical intelligence
  • business intelligence
  • intelligence analysis

Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.

Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.

As an experienced practitioner in a Cyber Threat Intelligence role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail.

You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still have a good understanding of the Related Knowledge, but not to quite the same degree. You may have a much less detailed understanding of the elements of Wider Knowledge, which provide context for your work.

Coming into such a role, you will not be expected to have all of this knowledge initially.

Core knowledge

Malware & Attack Technologies

Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.

Security Operations and Incident Management

The configuration, operation and maintenance of secure systems, including the detection of and response to security incidents and the collection and use of threat intelligence.

Adversarial Behaviours

Understanding an attacker’s motivations and capabilities, and the technological and human elements that adversaries require to run a successful operation. 

Related knowledge

Law & Regulation

International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.

Wider knowledge

Network Security

Explaining the challenges associated with securing a network under a variety of attacks for a number of networking technologies and widely used security protocols, along with emerging security challenges and solutions.

Risk Management and Governance

Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.

Forensics

The application of scientific tools and methods to identify, collect and analyse digital (data) artefacts in support of legal proceedings. 

You might start in this specialism as an apprentice.

Alternatively, you may start as a graduate with a degree in:

  • cyber security or information security
  • computer science
  • international relations
  • maths
  • economics
  • history
  • or a similar discipline requiring strong research and analysis skills

Or, you might transition from one of these cyber security specialisms or general business roles: 

With experience, you might progress to become a:

  • Threat Intelligence Manager
  • Senior/Lead Threat Intelligence Analyst

Alternatively, you may move into one of these cyber roles:

A practitioner level role may be described as a:

  • Cyber Threat Intelligence Analyst 
  • Intelligence Analyst
  • Threat Analyst
  • Cyber Risk Modeler
  • Cyber Threat Intelligence Specialist 

A senior practitioner role may be described as a:

  • Senior/Lead Cyber Threat Intelligence (Manager)
  • Director of Security Operations

An apprentice may expect a salary of around £22,000.

A cyber threat intelligence practitioner may earn between £22,000 and £60,000. The median figure in February 2021 was £37,875.

A senior cyber threat intelligence practitioner may earn between £60,000 and £90,000. The median figure in February 2021 was £65,000.

These figures are dominated by the salaries for jobs in the UK's larger cities; salaries elsewhere may be lower.

The salary ranges are based on job vacancy advertisements published online in February 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk