Getting started in cyber threat intelligence: 4 pieces of advice

Editor’s Note: This post is a summary of a longer article that was originally published on Katie Nickels’ personal blog, Katie’s Five Cents. We’re reposting the key takeaways because we’re passionate about helping people from all backgrounds discover fulfilling work in information security.

One of the most frequent messages I get is from people who are looking for advice on getting started in cyber threat intelligence (CTI). I’ve worked in the industry for more than a decade and love sharing what I’ve learned with others, so I thought it would be useful to summarize my opinions and experiences into a few key takeaways.

Note that these are my opinions and experiences only. Others have different perspectives, so I encourage anyone interested in this field to ask around!

1: Cybersecurity experience is not required. Hard work and curiosity are.

I got into CTI somewhat unintentionally over a decade ago. In high school and college, I wanted to go into journalism. After I graduated college, I couldn’t get a job in journalism, so I took what I could get—an entry-level job as a researcher for a private investigative firm. During that time, I was fortunate enough to meet my now-husband, who had worked in government and the intelligence community. He suggested to me that because I liked to research, write, and analyze information, maybe I would like working as an intelligence analyst. With his help and a lot of research and hard work, I applied to a bunch of government jobs, and sure enough, the Department of Defense called me in for an interview for a cyber intelligence position.

At that point, I had zero experience in cyber or intelligence! But I carefully prepared for the interview anyway, and they gave me a chance and offered me the job. I was fortunate enough to get lots of technical training early on. That training, combined with asking a ton of questions of supportive coworkers, was key in helping me learn.

There are many ways to get into this field; I’ve seen others start out in system administration, military/government, international relations, and seemingly “unrelated” fields like journalism. There is no single “best” way—it’s all a matter of hard work and constant self-improvement.

2: You can teach yourself many of CTI’s fundamental concepts.

Educate yourself as much as you can about key CTI terms, topics, and frameworks. Try downloading and using tools like MISP. Read a blog post and then look up domains, IPs, and hashes in tools like AlienVault OTX, RiskIQ Community or VirusTotal. (There are many other free tools and resources listed here, and you can check out my blog post on recommended reading.) Watch presentations from events like the SANS CTI Summit and think critically about the content—what do you agree or disagree with? Be active on social media and ask questions when you don’t understand. (If people are jerks, ignore them and move on to nicer people.)

Check out training courses and certifications like SANS FOR578 (which I teach) and the associated GCTI certification. If you want to take a SANS course at lower cost, check out the Work Study program or CyberTalent programs. You can also check out a webcast I did with selected content from FOR578. Some other great, lower-cost CTI training options include courses from Chris Sanders, Joe Slowik, and Sergio Caltagirone. Some of these courses provide certifications as well.

As far as formal degrees go, I believe the type of degree you have, especially for undergrad, doesn’t matter all that much. My undergraduate degree was in American Studies. (Yes, you read that correctly—American Studies.) Some excellent analysts I know have no degrees. If you do want a degree that will help you in CTI, though, computer science might provide a good foundation, as will cybersecurity programs. Degrees in intelligence studies might also be helpful.

3: When trying to get a job, apply to ALL THE JOBS!!!!

When I first got out of college, I must have applied to over a hundred jobs. It’s not easy, but keep at it! There are lots of places to look for job listings, and one I like is NinjaJobs.

Get a friend or colleague to help you with your resume, and take advantage of resume clinics that occur at security conferences. If you don’t have CTI experience, think about what aspects of experience you have could apply to CTI. For example, do you research security alerts or write reports? Do you have experience doing investigations, even through a field like journalism? Try to write about your experience in a way that emphasizes CTI skillsets.

I like this breakdown of CTI traits skillsets from INSA, so I recommend thinking about how you could emphasize each of these in your resume:

Here are a few CTI interview questions I’ve asked and heard of from others. Think about how you’d answer these, and think of your own interview questions as well:

• What is the Diamond Model (or MITRE ATT&CK or the Cyber Kill Chain) and how would you use it?
• Tell me about a recent report you read on a cyber threat.
• What is attribution and does it matter?
• What are key differences between Russian, Chinese, and Iranian adversaries?
• What are indicators, and when are they useful or not useful?

4: Network!

You’ve heard this before, but networking is key whether you’re trying to get a CTI job or any other position. Social media is a great way to do this. Virtual conferences are another great way to network, as they often have Slacks or Discords where you can interact with attendees.

If someone blows you off or is a gatekeeper that tries to keep you out of this field, ignore them and feel bad for them because they’re insecure. Please keep in mind that people are busy and this is a tough time for all of us, so be patient and understanding if someone doesn’t reply to you. (*Raises hand*…sometimes I don’t have the energy to reply to everyone, though I wish I did!)

***

I hope you’ve found some of this content helpful. CTI is a field I love, and I hope you’ll consider joining us—we need new ideas and perspectives to improve!

One important point to emphasize for all you hiring managers out there: I had no cybersecurity experience when I got started. All I needed was a chance, and I ran with it once I had it. If you’re in a position to hire someone who is truly entry-level without experience, give them a shot. You never know what might happen.