Cyber Threat Intelligence

Cyber Threat Intelligence is the assessment, validation and reporting of information on current and potential cyber threats to maintain an organisation’s situational awareness.

More about a career in Cyber Threat Intelligence

Working life

An introduction to this specialism

Cyber Threat Intelligence guides decision-making within an organisation through assessments that are underpinned by rigorous analysis. If dealing directly with clients, this involves supporting them with tactical and operational assessments which enable the clients to identify, track and satisfy their intelligence needs.

Specialist tools are used to help curate personal news aggregators which help Cyber Threat Intelligence teams to focus on the most critical topics. These need to be interpreted to construct a credible view of emerging threats and the development of existing ones.  

It is also very important to work closely with colleagues who are responsible for identifying vulnerabilities and deciding how to manage them, which feeds into risk assessments and the planning and management of security controls. 

If there’s a security incident involving an intrusion, there needs to be an analysis of the attack and its attribution to an external actor. In some roles, this may involve liaising with other organisations – either cyber threat intelligence specialists or government agencies – to maintain a common view of threats. In some sectors, such as finance, it is common for businesses to share intelligence in order to better protect the whole sector. 

Responsibilities

What will your responsibilities include? What are your tasks likely to include?

Cyber Threat Intelligence specialists research and report on the cyber threats to an organisation’s security, enabling it to focus its resources on addressing the risks it faces.

In detail, you might: 

  • support and lead the delivery of cyber security assessments and action recommendations to stakeholders at technical, managerial and executive level 
  • act as part of the Incident Response team where appropriate and provide operational cyber intelligence support during ongoing incidents 
  • research threats, Indicators of Compromise (IoCs) and threat actor Tactics, Techniques and Procedures (TTPs) to support Threat Hunting, Signature Development and Threat Intelligence Platform (TIP) processes 
  • evaluate and refine available technical intelligence feeds to drive maximum value 
  • work closely with the vulnerability management team to keep them updated on the latest threats 
  • maintain detailed threat actor profiles on adversaries of interest, covering their tactics, techniques and procedures, motivations, goals and strategic objectives 
  • establish mutual technical intelligence sharing with credible external sources 
  • identify research gaps and opportunities 

Job Titles 

For Cyber Threat Intelligence roles, titles include:

  • Cyber Threat Intelligence Analyst  
  • Intelligence Analyst 
  • Threat Analyst 
  • Cyber Risk Modeler 
  • Cyber Threat Intelligence Specialist  

For more experienced Cyber Threat Intelligence roles, titles include:

  • Senior/Lead Cyber Threat Intelligence (Manager) 
  • Director of Security Operations 

Salaries 

An apprentice starting in Cyber Threat Intelligence might earn a salary of around £22,000. 

A Cyber Threat Intelligence role could earn between £22,000 and £60,000. The median figure in February 2021 was £37,875. 

A senior Cyber Threat Intelligence role could earn between £60,000 and £90,000. The median figure in February 2021 was £65,000. 

These figures are dominated by the salaries for jobs in the UK's larger cities; salaries elsewhere may be lower. 

The salary ranges are based on job vacancy advertisements published online in February 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk 

Knowledge

What core, related and wider knowledge is important for working in this specialism?

Each of the 15 specialisms is based on knowledge areas within CyBOK.

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Cyber Threat Intelligence. 

Core knowledge – you will need a very good understanding of these areas 

Malware & Attack Technologies 

Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches. 

Security Operations and Incident Management 

The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.

Adversarial Behaviours 

Understanding an attacker’s motivations and capabilities, and the technological and human elements that adversaries require to run a successful operation.  

 

Related knowledge – you will need a solid understanding of these areas 

Law & Regulation 

International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare. 

 

Wider knowledge – these areas will help to provide context for your work 

Network Security 

Explaining the challenges associated with securing a network under a variety of attacks for a number of networking technologies and widely used security protocols, along with emerging security challenges and solutions. 

Risk Management and Governance 

Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation. 

Forensics 

The application of scientific tools and methods to identify, collect and analyse digital (data) artefacts in support of legal proceedings. 

Skills

What personal attributes might you need? What specialist skills are important?

Skills 

Personal attributes 

  • critical thinker with an investigative mindset 
  • have a genuine interest in cyber security, international affairs and geo-political dynamics 
  • synthesising multiple and divergent sets of data/ information into concise and clear analyses 
  • written and spoken communication 
  • strong interpersonal and team skills  
  • the ability to think like an adversary 
  • evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills  

  • analytical tradecraft 
  • intelligence analysis 
  • handling open-source intelligence (OSINT) research and common tool sets 
  • application of formal methodologies (for example: Kill Chain, MITRE ATT&CK, Diamond Model) 

For the more experienced professional: 

  • subject matter expert in Advanced Persistent Threat (APT) groups 
  • subject matter expert in adversaries’ Tactics, Techniques and Procedures (TTPs)

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

B1 – Threat Intelligence, Assessment and Threat Modelling 

Principles: 

  • assesses and validates information from several sources on current and potential Cyber and Information Security threats to the business, analysing trends and highlighting Information Security issues relevant to the organisation, including Security Analytics for Big Data 
  • processes, collates and exploits data, taking into account its relevance and reliability to develop and maintain ‘situational awareness’ 
  • predicts and prioritises threats to an organisation and their methods of attack. Analyses the significance and implication of processed intelligence to identify significant trends, potential threat agents and their capabilities 
  • predicts and prioritises threats to an organisation and their methods of attack. Uses human factor analysis in the assessment of threats 
  • uses threat intelligence to develop attack trees 
  • prepares and disseminates intelligence reports providing threat indicators and warnings 

D4 – Penetration Testing and conducting Simulated Attack Exercises 

Principles: 

  • contributes to the scoping and conduct of vulnerability assessments and tests for public domain vulnerabilities and assessment of the potential for exploitation, where appropriate by conducting exploits 
  • reports potential issues and mitigation options 
  • contributes to the review and interpretation of reports 
  • co-ordinates and manages Remediation Action Plan (RAP) responses 
  • this Skill Group covers, but is not limited to, penetration testing against networks and infrastructures, web applications, mobile devices and control systems 
  • this Skill Group also covers contributing to the conduct of testing and simulated attack exercises based on scenarios derived from threat intelligence, potential threat agents and their capabilities 
  • predicts and prioritises threats to an organisation and their methods of attack 
  • uses human factor analysis in the assessment of threats 
  • uses threat intelligence to develop attack trees 
  • prepares and disseminates intelligence reports providing threat indicators and warnings 

F1 – Intrusion Detection and Analysis 

Principles: 

  • monitors network and system activity to identify potential intrusion or other anomalous behaviour 
  • analyses the information and initiates an appropriate response, escalating as necessary 
  • uses security analytics, including the outputs from intelligence analysis, predictive research and root cause analysis in order to search for and detect potential breaches or identify recognised indicators and warnings 
  • monitors, collates and filters external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes 
  • ensures that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available 
  • produces warning material in a manner that is both timely and intelligible to the target audience(s) 

  

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

 

Experience 

Any role that has developed an aptitude for working in the intelligence analysis and threat cycle and instilled an ability to conduct the kind of analysis required for Cyber Threat Intelligence work could, with additional specialist training, provide a good foundation for working in this specialism. 

Such careers and roles include: 

  • intelligence and investigative roles in police services 
  • intelligence roles in military services 
  • security and intelligence services 
  • technical intelligence 
  • business intelligence 
  • intelligence analysis 

Moving on

What other cyber security or IT role might you progress to from this specialism?

Linked Specialisms 

  • Digital Forensics 
  • Incident Response 
  • Vulnerability Management 
  • Network Monitoring and Intrusion Detection 

Moving On 

With experience, you might progress to become a: 

  • Threat Intelligence Manager 
  • Senior/Lead Threat Intelligence Analyst 

Alternatively, you may move into one of these cyber roles: 

  • Secure Operations 
  • Incident Response 
  • Vulnerability Management  
  • Digital Forensics 
  • Cyber Security Governance & Risk Management 

Qualifications

Which certifications and qualifications are relevant to roles in this specialism?

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training 

Real Life Examples

Hear from someone already working in this specialism

Gareth Pritchard and Jules Farrow-Lesnianski are from Sapphire. In this webinar recording, they talk more about a typical day in the Cyber Threat specialism.

© 2025 UK Cyber Security Council | Registered charity no. 1195030