The Role of a Cyber Threat Intelligence Specialist for Effective Cybersecurity

In today’s digital age, cybersecurity has become a top concern for organisations of all sizes and industries. The rise of cyber threats has created a need for professionals who specialise in the collection, analysis, and dissemination of intelligence related to cyber threats. This is the role of a Cyber Threat Intelligence Specialist – one of the 12 key cybersecurity roles defined by ENISA in its European Cybersecurity Skills Framework.

Who is the Cyber Threat Intelligence Specialist?

A Cyber Threat Intelligence Specialist is an expert in gathering, analysing, and sharing information about potential cyber threats. They specialise in identifying and understanding the tactics, techniques, and procedures (TTPs) used by threat actors to target businesses, leveraging a variety of sources to collect the information, including open source intelligence.

Offering strategic and operational intelligence to support decision-making processes within the organisation, they collaborate with internal and external stakeholders to share their insights and intelligence and facilitate responses to threats.

Some of the main use case scenarios for this role include:

• Threat Detection and Analysis: to monitor the organization’s digital footprint and analyze data from various sources to detect potential threats. They use their knowledge of the threat landscape and threat actors’ TTPs to identify suspicious activity and investigate it further.
• Incident Response: in the event of a cyberattack, Cyber Threat Intelligence Specialists work closely with incident response teams to provide critical information and insights. They identify the type of attack, the threat actor behind it, and the scope of the breach to help the incident response team take appropriate measures to contain the attack and prevent further damage.
• Risk Management: to help organizations identify and mitigate potential risks before they turn into security incidents. By analyzing threat intelligence data, they can identify vulnerabilities and recommend security controls and procedures to reduce the risk of a successful attack.
• Strategic Planning: by analyzing threat trends and forecasting future threats, they can help organizations develop a proactive approach to cybersecurity, prioritizing security investments and developing a roadmap for improving the organization’s security posture.
• Threat Intelligence Sharing: through collaboration with other organizations throughout the supply chain they share threat intelligence information to prevent attacks.

Cyber Threat Intelligence Specialists vs. Cyberattacks

The Cyber Threat Intelligence Specialist plays a key role in protecting corporate assets and reputation, being essential for strengthening the security and resilience of the cybersecurity posture. His support allows withstanding various cyberattacks, including the most sophisticated ones.

Advanced Persistent Threats (APT): In an APT attack, threat actors gain unauthorized access to an organization’s network and remain undetected for an extended period, stealing sensitive information. When in 2017, the Italian Leonardo S.p.A, was targeted by an APT and had sensitive data – some of which were strategic to Italy’s defence – stolen, a Cyber Threat Intelligence Specialist may have been key in detecting and responding to this attack by analyzing network traffic and threat intelligence data to identify the APT group behind the attack.

Ransomware attack: In a ransomware attack, threat actors encrypt an organization’s files and demand payment in exchange for the decryption key. In 2021, Region Lazio’s IT systems were hit by a ransomware attack that caused widespread disruption to daily operations. The ransomware variant used in the attack was identified as Egregor, which is known for targeting healthcare organizations. In this situation, a Cyber Threat Intelligence Specialist may have been critical in identifying the ransomware variant used in the attack and the threat actors behind it, by analyzing ransomware samples and monitoring the dark web for any signs of the decryption key being sold.
Supply chain attack: In a supply chain attack, threat actors compromise a trusted vendor’s software or hardware to gain access to an organization’s network. In 2020, the Italian multinational energy company Enel was targeted by a supply chain attack that originated from a third-party contractor. The contractor’s software was compromised, allowing threat actors to gain unauthorized access to Enel’s network. A Cyber Threat Intelligence Specialist may have been helpful in identifying the source of the attack, analysing the vendor’s software and hardware for vulnerabilities, as well as recommending security controls to mitigate the risk of similar attacks in the future.

Phishing attack: In a phishing attack, threat actors send fraudulent emails that appear to be from a legitimate source to trick recipients into disclosing sensitive information or clicking on a malicious link. In 2021, the Italian postal service, Poste Italiane, was hit by a phishing attack that targeted its customers. The attack involved fraudulent emails that appeared to be from Poste Italiane and asked customers to click on a link to verify their account information. A Cyber Threat Intelligence Specialist may have been instrumental in identifying the source of the attack and analyzing the email headers and content to recommend security controls to prevent similar attacks in the future.

DDoS attack: In a DDoS attack, threat actors flood an organization’s network with traffic to disrupt its operations. In 2017, the Italian bank UniCredit was hit by a DDoS attack that disrupted its online banking services for several hours. The attack was believed to have been launched by a cybercriminal gang operating out of Russia. A Cyber Threat Intelligence Specialist may have been useful in identifying the source of the attack and working with Internet Service Providers ISPs to block the malicious traffic, as well as recommending security controls to prevent future attacks.

A Look at the Benefits

Bringing a specialised skill set and expertise, a Cyber Threat Intelligence Specialist carries with it several advantages for a company, including:

• Early Detection of Threats. The Cyber Threat Intelligence Specialist can detect threats earlier, allowing the organisation to respond more quickly and reduce the potential impact of the attack.
• Proactive Defence. The specialist can provide insights into emerging threats and new attack methods, allowing companies to develop proactive defence strategies and strengthen their cybersecurity posture.
• Effective Incident Response. The professional can work with other stakeholders to develop effective incident response plans, ensuring that the organisation is prepared to respond to cyber-attacks promptly and effectively.
• Reduced Risk. The Cyber Threat Intelligence Specialist can help identify and prioritise vulnerabilities within the company, reducing the risk of successful attacks and data breaches.
• Increased Awareness: The specialist can educate the stakeholders on the latest threats and attack methods, increasing awareness and promoting a culture of cybersecurity.

Taking everything into consideration, the role of a Cyber Threat Intelligence Specialist is critical in today’s cybersecurity landscape. While this role comes with unique challenges, effective navigation of these obstacles is essential to safeguard organisations from potential cyber threats.