Blog

What Does a Cyber Threat Intel Analyst Do?

A deep dive into the intelligence practitioners who bring threat intel programs to life

April 13, 2022

What is a threat intelligence analyst?

What does a threat intelligence analyst do?

Combining contextual knowledge about the overall threat landscape with analytical skills, cyber intelligence analysts gather information to monitor, assess, and report on risks that could affect an organization. From private data collections to open source intelligence (OSINT) evaluation, threat intel analysts synthesize a range of sources to build out a complete picture of an organization’s risk posture that informs the actions the company takes to mitigate these risks. They produce short-term and long-term evaluations so that security teams better understand what to expect from a threat perspective, and what they can do to get ahead of any potential attacks or data breaches.

Because much of their value comes from their insights on future risks, as opposed to reactively addressing imminent threats and attacks, cyber analysts are also responsible for keeping up with cybersecurity events to know what to expect. Ideally, a good threat intel analyst will be able to warn their organizations about potential future threats before they even become something to worry about, giving their teams time to build a better defense.

Roles and responsibilities

Cyber intel analysts exercise their technical skills as much as they exercise their communication skills, and cover a wide range of roles that focus on narrowing down what more tactical professionals, like hunt analysts and penetration testers, can do to tangibly bolster their organization’s security measures. 

  • Identifying organizational intelligence requirements
  • Collecting relevant data and conducting all-source analysis to inform decision making process
  • Identifying, monitoring, and assessing potential threats or weaknesses
  • Validating that security qualifications and requirements are met
  • Creating reports that highlight key findings for security teams and other members of the organization 
  • Presenting findings to other teams and proposing counteractions to mitigate threats
A research paper written by Flashpoint intel analysts—one of many reports they regularly product.

Threat intel analyst background and skills

Cyber threat analysts come from diverse backgrounds, and position seniority ranges from entry-level to executive. Depending on the responsibilities of a particular role, it’s possible to become a threat intel analyst with little experience in other areas, like general IT, network security systems, and other cybersecurity roles. However, work in these fields builds the foundational knowledge an individual brings into a threat analyst role, and helps inform their insights and assessments. 

Higher-level threat analyst positions may require certain experience to help enhance analyses and create a more well-rounded view on an organization’s threat landscape. Similarly, technical knowledge, while normally not a requirement for threat intel analysts, is nice-to-have, especially because part of the role requires explaining threats and other findings to teams that may have no technical knowledge. 

Without a CTI analyst, intelligence is simply a wide look at the threat landscape. With a CTI threat intel analyst, intelligence a powerful tool that can keep your organization’s assets, infrastructure, and personnel safe.

For any threat intel analyst, regardless of expertise, a large part of analysis is synthesizing findings into briefer insights that directly inform the actions an organization can take to prevent attacks. The ability to communicate effectively is one of the most important skills an analyst can have, since their findings are only valuable to the team if they can be understood and executed.

Threat intel analyst Vs. hunt analyst

There are similarities in the descriptions of a threat intel analyst and a hunt analyst that can make them confusing to separate. Although these two roles work closely together to fully encapsulate threat intelligence and defense for an organization, from data collection to the execution of a certain tactic, there are important distinctions to be aware of. 

Threat intel analysts are responsible for everything from the gathering of information, all the way up to its dissemination. They pull out the most important threat intelligence insights and communicate them to the team of threat hunters, who then act on these insights and seek out undetected breaches of active security weaknesses that are making the organization vulnerable to an attack. Without threat intel analysts, it would be difficult for threat hunters to know where to start with their searching. Similarly, a threat intel analyst’s work would be less helpful without threat hunters to act on it. 

What does a threat intel analyst bring to your organization?

If a threat intelligence program exists, there must be a threat intelligence analyst to bring it to life. This helps other teams do their work better, which leads to a more secure organization.

Security operations center (SOC)

As cybersecurity becomes more widely recognized as an area worth investing in for organizations,  it’s more common to have a dedicated security operations center that manages the company’s security posture, from its people to its procedures to its technology. 

A threat intel analyst bolsters an SOC’s strategic capabilities, which lets other members of the team, like penetration testers and threat hunters, focus their tactical work in the right areas. Even if your SOC is receiving the right alerts about potential threats, it’s often difficult to appropriately prioritize them to know where to look for weaknesses. Threat intel analysts maximize the value of the security platforms an organization uses and helps the team address the most pressing issues first.

Fraud prevention and risk analysis teams

Teams that benefit from context of the overall threat landscape, as well as general knowledge related to threat intelligence, gain insights from threat intel analysts on TTPs, at-risk targets, and potential attacks that could harm the organization. 

Security, IT, and intelligence analysts

Threat intel analysts strengthen other analysts’ ability to accurately detect and prevent threats, thereby increasing the success they have with defending the organization against attacks. They take existing processes and optimize them to be more effective, which has a long-lasting impact on the organization’s future security.

CSIRT/CERT

As your incident response team learns of threats and discovers events that have impacted the organization, threat intel analysts can advise on how to best prioritize investigations to minimize damage and expedite a resolution. This makes the investigation process more efficient, and enables your team to better manage incidents.

Executives

Threat intel analysts are also called on to communicate their organization’s risks to teams not directly involved with threats on a daily basis. As the C-suite and other executives consider how to best position the company to defend itself against risks, threat intel analysts can help them understand what the organization is facing, and how it can best be addressed. Compared to other types of security professionals, a large part of a threat analyst’s value is in their ability to strategize, rather than just react.

Identify and mitigate cyber risks with Flashpoint