Mandiant is a companies whose business centers around digital forensics and incident response as well as cyber threat intelligence. The company recently released a CTI analyst core competencies framework to answer a question they often get from their customers: What is the optimal team composition for starting and maturing a CTI capability inside their corporate environment?
Mandiant’s framework groups competencies into four foundational pillars (Figure A). Those can be used to identify weaknesses in an already built CTI team, identify areas for team or individual growth or determine an efficient roadmap for your cybersecurity team.
Pillar 1: Problem solving
In CTI, critical thinking is necessary to handle information to conceptualize, identify, evaluate and synthesize it. Once done, the analyst should be able to formulate unbiased judgements, analytic lines and relevant recommendations for every case.
SEE: Mobile device security policy (TechRepublic Premium)
Critical thinking is also about thinking out of the box, especially for trend forecasting and innovation.
Research and analysis
Research is about prioritizing data sets and tools usage to investigate technical and non-technical data sources, and it is about the ability to capture stakeholders needs in the form of intelligence requirements. Research helps uncover new leads and reach clear analytic conclusions. The analysis part here is about interpreting and producing good synthesis of the research results.
It involves knowing all types of indicators of compromise, their use, their limitations and how to enrich data. It is also about analyzing network traffic, malware and generally completing digital forensics and incident response.
Research and analysis is often boosted by programming knowledge, especially scripting. Python and SQL are very useful here.
Understanding complex challenges and developing solutions to solve them is key to CTI. The investigative mindset needs experienced understanding of cyber threat actors’ TTP (tactics, techniques and procedures) as well as CTI tools, frameworks and IT systems. It is also about identifying small signals in huge data noise and developing intuition.
Pillar 2: Professional effectiveness
Communication with various audiences is necessary for CTI. The ability to write analytic conclusions, research and methodologies using different tools and formats (slide decks, emails, Word documents, briefings, etc.) is mandatory.
Mandiant also highlights the fact that “it is important to have the ability to clearly convey judgements using probabilistic language so judgements can be uncoupled from facts and direct observations. Of related importance is the ability to use precise language to ensure the intended message is properly conveyed and does not prompt unnecessary alarm.”
It is necessary to know the different ways of sharing information between machines but also with specific information sharing groups and private-public information sharing and analysis centers and organizations (ISACs and ISAOs).
Finally, familiarity with cyber policy and law enforcement mechanisms is needed, helping to counter cyber actions like takedowns, sanctions and public awareness messages.
Teamwork and emotional intelligence
Individuals’ unique characteristics help provide peer mentoring and bring opportunities in filling knowledge and gaps while building cohesion and trust as teams work together.
Being able to work with stakeholders to collect information about their business operations can also help threat intelligence.
The core skills of emotional intelligence are self-awareness, self-control, social awareness and relationship management.
The ability to understand a company’s environment, mission, vision and goals can influence the organization’s cyber risk exposure. A CTI analyst might be required to provide an assessment on possible risk exposure change, or evaluate outcomes from threat intelligence.
Pillar 3: Technical literacy
Enterprise IT networks
It is necessary to understand operating systems and networks principles at all levels: File storage, access management, log files policies, security policies, protocols used to share information between computers, et cetera.
The core concepts, components and conventions associated with cyberdefense and cybersecurity should be identified, and a strong knowledge of industry best practices and frameworks is mandatory. Another core tenet is how defensive approaches and technology align to at least one of the five cyber defense phases: Identify, protect, detect, respond and recover.
Key concepts to know here are identity and access management and control, network segmentation, cryptography use cases, firewalls, endpoint detection and response. signature and behavior based detections, threat hunting and incident response, and red and purple teams.
One should develop a business continuity plan, disaster recovery plan and incident response plan.
Organizational cybersecurity roles and responsibilities
This part is all about understanding the role and responsibilities of everyone involved: Reverse engineers, security operation center analysts, security architects, IT support and helpdesk members, red/blue/purple teams, chief privacy officers and more.
Pillar 4: Cyber threat proficiency
Drivers of offensive operations
Offensive operations need to be based on finite resources to outsource elements of the cyber program to purchase operational tools, enlist contractor support or purchase criminal capabilities. Organizational composition and constituent job functions also need to be defined clearly.
\The secondary tenet of this competency is to identify the motivations behind the threat actor.
Mandiant reports that “a keen understanding of acceptable operations undertaken during peacetime and how this shifts during a wartime is critical.”
Threat concepts and frameworks
Identify and apply appropriate CTI terms and frameworks to track and communicate adversary capabilities or activities. This competency is all about threat actor capabilities: Understanding vulnerabilities and exploits, malware, infrastructure, attribution/intrusion set clustering and naming conventions.
It is also about knowing CTI frameworks like the Cyber Kill Chain from Lockheed Martin, or MITRE’s ATT&CK framework, for example.
Threat actors and TTPs
Threat actor knowledge implies knowing threat actor naming conventions, and their TTPs. Identifying key indicators across a cyber kill chain to determine adversary operational workflows and habits is critical here.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.