Mandiant is a company that focuses on digital forensics and incident response as well as cyber threat intelligence. The company recently released a CTI Analyst Key Skills Framework to answer a question it often gets from its clients: what is the best team composition for starting and maturing a CTI capability in a corporate environment?
Mandiant’s framework divides the competencies into four pillars (Figure A). They can be used to identify gaps in an existing CTI team, to identify areas for team or individual growth, or to set an efficient roadmap for your cyber security team.
Figure A
Pillar 1: Problem Solving
Critical thinking
In CTI, critical thinking is required to manage information: to conceptualize, identify, evaluate and synthesize it. Once that is done, the analyst should be able to formulate impartial judgments, analytic lines of reasoning and relevant recommendations for each case.
Thinking outside the box complements critical thinking, especially for trend forecasting and innovation.
Research and analysis
Research is about prioritizing the use of data sets and tools to investigate technical and non-technical data sources, and about the ability to capture stakeholder needs in the form of intelligence requirements. Research helps uncover new leads and reach clear analytic conclusions. The analysis part is about interpreting the research results and producing a better synthesis of them.
It involves knowing all kinds of indicators of compromise, their uses, their limitations and how to enrich the data. It also covers network traffic analysis, malware analysis and, more generally, digital forensics and incident response.
Research and analysis are often aided by programming knowledge, especially scripting. Python and SQL are very useful here.
Investigative mindset
Understanding complex challenges and developing solutions to address them is key to CTI. The investigative mindset requires an experienced understanding of cyber threat actors’ TTPs (tactics, techniques and procedures) as well as of CTI tools, frameworks and IT systems. It is also about picking up small signals and developing insights from huge amounts of data noise.
Pillar 2: Professional Efficiency
Communication
CTI requires communicating with different audiences. The ability to present analytic judgments, research and methods using a variety of tools and formats (slide deck, email, Word document, briefing, etc.) is mandatory.
Mandiant also highlights the fact that “it is important to have the ability to articulate judgments using estimative language so that judgments can be linked to facts and direct observation. The key is the ability to use precise language so that the intended message is conveyed accurately and without unnecessary alarm.”
Analysts need to know the different ways of sharing information, not only machine to machine but also with specific data-sharing groups and with the public-private information sharing and analysis centers and organizations (ISACs and ISAOs).
Lastly, familiarity with cyber policy and law enforcement is needed to help address actions such as takedowns, bans and public awareness messaging.
Teamwork and emotional intelligence
Teamwork lets peers contribute their individual strengths and advice, and as teams work together it creates opportunities to share knowledge and fill gaps while building coordination and trust.
Being able to engage stakeholders to gather information about their business activities also helps threat intelligence.
The key skills of emotional intelligence are self-awareness, self-management, social awareness and relationship management.
Business skills
Understanding the company’s environment, mission, vision and goals matters because these can affect the organization’s cyber risk exposure. A CTI analyst may provide an assessment of how potential changes affect that exposure, or an assessment of outcomes derived from threat intelligence.
Pillar 3: Technical Literacy
Enterprise IT Network
Understand operating systems and network policies at all levels: file storage, access management, log file policy, security policy, the protocols used for sharing information between computers, etc.
Cyber security ecosystem
Key concepts, elements and rules related to cyber defense and cyber security should be identified, and a strong knowledge of industry best practices and frameworks is mandatory. Another key principle is understanding how defensive methods and technologies align with at least one of the five cyber defense functions: identify, protect, detect, respond and recover.
The key concepts here are identity and access management and control, network segmentation, use of cryptography, firewalls, endpoint detection and response, signature- and behavior-based detection, threat hunting, incident response, and red and purple teams.
One should also be able to create a business continuity plan, a disaster recovery plan and an incident response plan.
The role and responsibilities of organizational cyber security
This section is about understanding the roles and responsibilities of everyone involved: reverse engineer, security operations center analyst, security architect, IT support and helpdesk staff, red, blue and purple teams, chief privacy officer and more.
Pillar 4: Cyber Threat Skills
Offensive operation drivers
Offensive operations are driven by limited resources, whether that means purchasing operational tools, contracting outside support, or buying criminal capabilities to outsource elements of a cyber program. The adversary’s organizational structure and functional roles also need to be clearly defined.
The secondary principle of this skill is identifying the motivation behind the threat actor.
Mandiant reports that “a deeper understanding of what is acceptable in peacetime and how it changes during war is important.”
Threat concepts and structures
Identify and apply appropriate CTI terms and structures to track and communicate adversary capabilities or activity. This skill is all about threat actor capabilities: vulnerabilities and exploits, payloads, malware, infrastructure, attribution, intrusion set clustering and naming conventions.
It also means learning CTI frameworks such as Lockheed Martin’s Cyber Kill Chain or the MITRE ATT&CK framework, for example.
Threat Actors and TTPs
Threat actor knowledge refers to the naming conventions for threat actors and knowing their TTPs. Identifying key indicators across the cyber kill chain is important here to determine the adversary’s operational workflow and habits.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are mine.