Mandiant is a company whose business centers on digital forensics and incident response, as well as cyber threat intelligence (CTI). The company recently released a core competency framework for CTI analysts to answer a question it often gets from clients: what is the optimal team composition for starting and developing a CTI capability within their business environment?
The Mandiant framework groups competencies into four fundamental pillars (Image A). These can be used to identify weaknesses in an existing CTI team, identify areas for team or individual growth, or determine an efficient roadmap for your cybersecurity team.
Image A

Pillar 1: Problem solving
Critical thinking
In CTI, critical thinking is required to process information to conceptualize, identify, evaluate, and synthesize it. Once done, the analyst should be able to formulate unbiased judgments, analytical lines and relevant recommendations for each case.
Critical thinking is also about thinking outside the box, especially for trend forecasting and innovation.
Research and analysis
Research is about prioritizing data sets and using tools to investigate technical and non-technical data sources, and about the ability to capture stakeholder needs in the form of intelligence requirements. Research helps discover new leads and draw clear analytical conclusions. The analysis part is about interpreting the research results and producing a good synthesis of them.
Analysis also means knowing the different kinds of indicators of compromise, their uses, their limitations and how to enrich them with additional data. It further involves analyzing network traffic and malware and, more generally, completing digital forensics and incident response work.
Research and analysis are often fueled by programming knowledge, especially scripting. Python and SQL are very useful here.
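The scripting work the paragraph above alludes to is usually unglamorous: pulling indicators out of a report, undoing defanging, and deciding which ones are actually worth sharing or blocking. The Python below is an added example, not code from Mandiant's framework or from the original article; the report excerpt, the indicator values and the triage notes are constructed for illustration. It shows the two things a CTI analyst is expected to know about indicators: how to normalize them, and where their limitations are (an internal address that must not be shared, a hash that matches every empty file, a weak hash that should be pivoted to a stronger one).

```python
"""Extract, refang and triage indicators of compromise (IOCs) from report text.

Added example (not Mandiant's code). SAMPLE_REPORT and its indicators are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: defanged ("hxxp", "[.]") and plain indicators, an internal
# RFC 1918 address that must not leave the organization, an MD5, and the SHA-256
# of an empty file (a classic useless indicator that turns up in reports).
SAMPLE_REPORT = """
The loader beacons to hxxps://update[.]example-cdn[.]net/api/v2 and to 203[.]0[.]113[.]42
over TCP/443. Lateral movement was observed from 10.0.5.17 (internal host).
Dropped file: 5d41402abc4b2a76b9719d911017c592 (MD5)
Payload SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Second stage also used 203.0.113.42 and example-cdn[.]net.
"""

# SHA-256 of zero bytes; any empty file matches it, so it detects nothing useful.
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Address ranges that are internal or non-routable and therefore only useful for scoping.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    # TLD must be alphabetic so dotted IPv4 addresses are not mistaken for domains.
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def refang(text: str) -> str:
    """Undo common defanging so the regexes match the real indicator."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_iocs(text: str) -> dict:
    """Return {ioc_type: set_of_values} for every indicator found in the text."""
    text = refang(text)
    found = defaultdict(set)
    for url in PATTERNS["url"].findall(text):
        found["url"].add(url)
    # Blank out URLs first so their host is not double-counted as a bare domain.
    text = PATTERNS["url"].sub(" ", text)
    for kind in ("ipv4", "sha256", "sha1", "md5", "domain"):
        for match in PATTERNS[kind].findall(text):
            found[kind].add(match.lower())
    return dict(found)


def _note(kind: str, value: str) -> str:
    """Attach the caveat an analyst would want before acting on the indicator."""
    if kind == "ipv4":
        addr = ipaddress.ip_address(value)
        if any(addr in net for net in NON_ROUTABLE):
            return "internal/non-routable: useful for scoping only, do not share or block externally"
        return "candidate for blocking/hunting; check for shared hosting before acting"
    if kind in ("md5", "sha1", "sha256"):
        if value == EMPTY_FILE_SHA256:
            return "hash of an empty file: matches everything, not a useful detection"
        if kind != "sha256":
            return f"{kind} is collision-prone; pivot to a SHA-256 where possible"
        return "file hash: high fidelity but trivially changed by the adversary"
    if kind == "domain":
        return "domain: check registration age and whether it is a shared or legitimate service"
    return "url: path and parameters may be victim-specific; consider the host separately"


def triage(iocs: dict) -> list:
    """Flatten extracted IOCs into rows of type, value and caveat, sorted for review."""
    return [{"type": kind, "value": value, "note": _note(kind, value)}
            for kind in sorted(iocs) for value in sorted(iocs[kind])]


if __name__ == "__main__":
    for row in triage(extract_iocs(SAMPLE_REPORT)):
        print(f"{row['type']:7} {row['value']:66} {row['note']}")
```

Run as-is, the script prints one triaged row per unique indicator; the internal host and the empty-file hash come back with notes saying they should not be shared or used for detection. Enrichment against real sources (passive DNS, WHOIS, sandbox verdicts) would plug in at `_note`, which is deliberately offline here.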
Investigative mindset
Understanding complex challenges and developing solutions for them is key to CTI. The investigative mindset requires a working understanding of the TTPs (tactics, techniques and procedures) of cyber threat actors, as well as of CTI tools, frameworks and IT systems. It is also about recognizing small signals in a great deal of data noise and developing intuition.
Pillar 2: Professional effectiveness
Communication
Communication with different target groups is necessary for CTI. The ability to write analytical conclusions, research and methodologies using different tools and formats (slides, emails, Word documents, briefings, etc.) is mandatory.
Mandiant also emphasizes the fact that “it is important to have the ability to communicate judgments clearly using probabilistic language so that judgments can be decoupled from facts and direct observations. Of related importance is the ability to use accurate language to ensure that the intended message is conveyed properly and does not raise an unnecessary alarm.”
It is also necessary to know the different ways of sharing information: machine to machine, with specific information-sharing groups, and with public-private Information Sharing and Analysis Centers and Organizations (ISACs and ISAOs).
Finally, awareness of cyber policy and law enforcement mechanisms is needed to understand how malicious cyber activity is countered, for example through takedowns, sanctions and public advisories.
Teamwork and Emotional Intelligence
The unique characteristics of individuals provide opportunities for peer mentoring and for filling knowledge and skill gaps, while building cohesion and trust as the team works together.
Being able to work with stakeholders to gather information about their operations also improves the resulting threat intelligence.
The core skills of emotional intelligence are self-awareness, self-control, social awareness, and relationship management.
Business acumen
A CTI analyst must understand how a company's environment, mission, vision and goals influence its exposure to cyber risk, and may be asked to assess potential changes in that exposure or to evaluate the results of threat intelligence efforts.
Pillar 3: Technical literacy
IT networks for enterprises
It is necessary to understand the principles of operating systems and networking at all levels: file storage, access control, logging and security policies, the protocols used to share information between computers, and so on.
Cybersecurity ecosystem
The core concepts, components and conventions of cyber defense and cyber security must be understood, and a thorough knowledge of industry best practices and frameworks is mandatory. Another core principle is how defensive approaches and technologies align with at least one of the five cyber defense functions defined by the NIST Cybersecurity Framework: identify, protect, detect, respond and recover.
Key terms to know here are identity and access management, network segmentation, cryptography use cases, firewalls, endpoint detection and response, signature- and behavior-based detection, threat hunting and incident response, and red and purple teams.
Analysts should also be familiar with business continuity plans, disaster recovery plans and incident response plans.
Cyber Security Roles and Responsibilities
This section is about understanding the roles and responsibilities of everyone involved: reverse engineers, security operations center analysts, security architects, IT support and help desk members, red/blue/purple teams, chief privacy officers, and more.
Pillar 4: Cyber threat proficiency
Drivers of offensive operations
Offensive operations rely on finite resources, so threat actors may outsource elements of their cyber program: procuring operational tools, enlisting support from contractors or acquiring criminal capabilities. The analyst should also be able to describe how an adversary's organization is composed and what functions its constituent parts perform.
The second premise of this competency is identifying the motivations behind a threat actor's activity.
Mandiant reports that “understanding acceptable operations undertaken in peacetime and how they shift in wartime is critical.”
Threat Concepts and Frameworks
Identify and apply the appropriate CTI terms and frameworks to monitor and communicate an adversary's capabilities or activities. This competency is about the capabilities of threat actors: understanding vulnerabilities and exploits, malware, infrastructure, the clustering of activity into intrusion sets and its attribution, and naming conventions.
It is also about knowing CTI frameworks such as Lockheed Martin's Cyber Kill Chain or the MITRE ATT&CK framework.
Threat Actors and TTPs
Threat actor knowledge implies knowing threat actor naming conventions and their TTPs. Identifying key indicators along the cyber kill chain to determine an adversary's operational workflows and habits is critical here.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.