From ingesting Indicators of Compromise (IoC) and threat intelligence feeds to building fully-integrated teams that conduct full-scale investigations and threat hunting activities, Cyber Threat Intelligence (CTI) holds a crucial role in an organization. Threat intelligence analysts provide the actionable insights that CTI teams use to inform their decision making, and to effectively bolster and improve an organization’s security posture.
Without threat intelligence analysts, organizations are often left in the dark, addressing incidents reactively as they occur, rather than preventing them ahead of time in a proactive or offensive way. In contrast, with actionable intelligence in place, resilience against cyberattacks becomes so much easier.
Threat intelligence analysts are responsible for reviewing and analyzing all of the external threats targeting their company. They monitor the threat landscape, including cybercrime forums, ransomware blogs, automated shops, bot marketplaces, database dumps and Telegram channels; search for intellectual property leaked or offered for sale on the dark web; analyze threat data by correlating information gleaned from open, deep and dark web sources; and turn that raw intelligence into recommendations for the wider security teams.
Additionally, analysts proactively hunt for threats, identifying risks before they escalate into cyberattacks, and often take responsibility for elements of security awareness, so that employees know what action they need to take. In an enterprise with senior threat intelligence experts, they may also perform threat actor profiling, drawing on a deep understanding of the Tactics, Techniques and Procedures (TTPs) of a wide range of adversaries. Sometimes, depending on the day, they might even break for lunch.
To understand the impact of the intelligence they receive, analysts need a general cybersecurity understanding. Many threat intelligence analysts have a background in computer science, information security or network engineering, but the route to this career is not one-size-fits-all. What’s important is having a solid background in IT and cybersecurity, as you need to be aware of the impact of the information you’re receiving.
An average Joe may think that a criminal stealing your email password means an attacker is going to read that monthly update from your college roommate. A skilled threat intelligence analyst recognizes that those credentials can provide access to a network to start a complex cyberattack that includes lateral movement, Advanced Persistent Threats (APTs), ransomware and more. Only a person with a technical background and an understanding of threat impact and mitigation can see that a password being expired does not eliminate its threat. With a previous password, attackers can still craft social engineering or phishing scams to access a live account.
As well as a background in cybersecurity, threat intelligence analysts need:
Every day, TI analysts work to ensure organizations, industries and communities are safer and more resilient against threat actors. Here are a few real-world examples that demonstrate the scope of what threat intelligence can achieve.
One U.S. school district, responsible for over 180,000 students, leveraged expert analyst support from KELA to identify, at the earliest stage, compromised accounts associated with its domain for sale on underground markets. In this case, by detecting this quickly the district could purchase the bot files and avoid a ransomware attack.
While you can’t avoid being targeted, real-time threat intelligence can make all the difference. In another example, a client integrated the TI platform with Active Directory; when an infostealer leaked information, the client was able to quickly verify that the password was still valid and force a reset to reduce the risk.
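The Active Directory workflow above, as an added example that is not KELA’s or the client’s code: it triages constructed infostealer log lines against a constructed user store of password hashes, forcing a reset only where the leaked password is still current, and still flagging a leaked previous password as a phishing risk, as the earlier section on expired passwords argues. The log layout, the salt and the `pbkdf2` helper are assumptions; a real integration would validate against the directory and trigger the reset through its own API.

```python
import hashlib
import hmac

# Assumption: one shared salt for brevity; a directory keeps a salt per account.
SALT = b"constructed-salt"

def pbkdf2(password: str, salt: bytes = SALT) -> bytes:
    """Derive the stored form of a password (never compare plaintexts)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: the current hash plus hashes of previous passwords
# (kept by the directory for reuse checks; reused here for triage).
USERS = {
    "alice@example.com": {
        "current": pbkdf2("Winter2024!"),
        "history": [pbkdf2("Summer2023!")],
    },
}

# Constructed infostealer log lines in the common url|username|password layout.
LEAK = """\
https://mail.example.com/login|alice@example.com|Winter2024!
https://portal.example.com/|alice@example.com|Summer2023!
https://portal.example.com/|alice@example.com|letmein
https://shop.example.org/|bob@example.com|hunter2
"""

def triage(record: str, users=USERS) -> tuple[str, str]:
    """Classify one leaked record: who is affected and what action it needs."""
    _url, user, password = record.split("|", 2)
    entry = users.get(user)
    if entry is None:
        return user, "unknown-account"       # not one of our accounts
    candidate = pbkdf2(password)
    if hmac.compare_digest(candidate, entry["current"]):
        return user, "valid-force-reset"     # live credential: reset now
    if any(hmac.compare_digest(candidate, h) for h in entry["history"]):
        return user, "expired-phishing-risk" # old password: warn the user
    return user, "no-match"                  # never ours: low priority

def triage_leak(log: str, users=USERS) -> list[tuple[str, str]]:
    """Run triage over every non-empty line of a leak dump."""
    return [triage(line, users) for line in log.splitlines() if line]
```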
One challenge for threat intelligence analysts is third-party risk management (TPRM) while ensuring privacy and compliance mandates are met. Today’s complex supply chain opens doors for attackers to move from one vendor to multiple customers, and analysts need an eye on this growing risk. To address this challenge, passive scanning from a threat intelligence platform like KELA gives analysts an AI-powered predictive risk score for each vendor, so they can recognize the threat levels without any disclosure of protected information.
By monitoring cybercrime underground forums, Telegram channels, and other sources across the deep and dark web for organizational assets, threat intelligence analysts can help mitigate an attack before it escalates. In one example, analysts found the image of a check signed by a police officer while monitoring for a U.S. law enforcement agency. This check, stolen from a local mailbox, included the officer’s bank account details, allowing threat actors to potentially steal from the account. The signature could also be forged and sold on to other threat actors.
Uncovering the risk allowed the threat to be mitigated, and beyond that it also allowed the U.S. Postal Service to put out an advisory warning the public about this behavior, showing how threat intelligence can be used for the wider public good. Lots of Grandmas leaving the money out of Christmas cards that year we bet.
One Financial Services company in Japan benefited from the expertise of KELA’s threat intelligence service when 30,000 credit card numbers were listed on a Telegram group, 188 of which were still active and valid. By detecting exactly which numbers were leaked, the company was able to prevent a loss of more than $750,000 in credit card fraud.
However, sometimes the information is already gone, as one telecommunications client found when they attempted to purchase bot files for a compromised account and found them removed. This could point to the files already having been purchased by a criminal. KELA was able to work with threat intelligence analysts at the company to track down a past employee via the malware-infected URLs, an associated WordPress account and finally a LinkedIn profile. By disabling the ex-employee’s credentials, the company could reduce the threat, while keeping active surveillance going forward.
A lot goes into working as a threat intelligence analyst. Teams often struggle with the sheer amount of information, and how to filter noise away from actionable intelligence.
Threats change all the time, and adversaries are regularly adapting their TTPs to evade detection, especially as governments crack down on threat actors and push for heavy penalties and even prison time. The scope of what a threat intelligence analyst does is continually growing as new business models for commoditization become popular, such as RaaS, selling clouds of logs, or renting access to the platform for a subscription fee. Analysts need to understand these business models, as well as evolving organizational context — answering questions such as what counts as Intellectual Property, where can social engineering attacks be delivered, and how will AI change the game?
Despite the growing sophistication, most organizations have many priorities to balance, and are working with limited resources, which means analysts are continually deciding where to place these resources for maximum impact. Collaboration is crucial to see results, but it can be difficult to get everyone on the same page and bridge gaps between technical teams and decision makers in the C-suite.
KELA’s Intelligence Operations consists of a dedicated team of cyber intelligence experts committed to optimizing our clients’ success in the cyber realm by providing comprehensive support tailored to our clients’ unique needs and challenges.
Backed by cutting-edge technology and a wealth of experience, our team serves as an extension of our clients’ teams, arming you with the tools, insights, and strategies necessary to stay ahead of emerging threats and navigate the complexities of cyberspace with confidence.
Try our proactive, real-time threat intelligence platform for free.