FAQs on Getting Started in Cyber Threat Intelligence

One of the most frequent messages I get is from people who are looking for advice on getting started in cyber threat intelligence (CTI). I thought it would be useful to compile my answers to some of the most frequently asked questions I receive. It’s important to caveat this post with a note that these are my opinions and experiences only (and I only have so much room to type before you get bored). Others have different perspectives, so I encourage anyone interested in this field to ask around.

This is a good question and I understand why people ask it, but how I got started in CTI may not be the right way for someone else. I got into CTI somewhat unintentionally over a decade ago. In high school and college, I wanted to go into journalism. After I graduated college, I couldn’t get a job in journalism, so I took what I could get — an entry-level job as a researcher for a private investigative firm. During that time, I was fortunate enough to meet my now-husband, who had worked in government and the Intelligence Community. He suggested to me that because I liked to research, write, and analyze information, maybe I would like working as intelligence analyst. With his help and a lot of research and hard work, I applied to a bunch of government jobs, and sure enough, the Department of Defense called me in for an interview for a cyber intelligence position. At that point, I had zero experience in cyber or intelligence! But I carefully prepared for the interview anyway, and they gave me a chance and offered me the job. I actually hesitated before accepting the job — I remember telling my now-husband (in a very disgusted voice) “I don’t want to look at lines of code all day…” 😆 Once I got started, I found that I enjoyed the work because it focused on the human behind the keyboard, not just on the code itself. I was fortunate enough that I got lots of technical training early on. That training, combined with asking a ton of questions of supportive coworkers, was key in helping me learn.

One important part of my story that I want to emphasize for all you hiring managers out there: I had no cybersecurity experience. All I needed was a chance, and I ran with it once I had it. If you’re in a position to hire someone who is truly entry-level without experience, give them a shot — you never know what might happen.

There are many ways to get CTI jobs and get started in this field, and there is no single “best” way. Here are a couple pathways I’ve seen from CTI professionals I respect and admire:

In my opinion? None. If you have the drive to learn CTI, you can teach yourself many of the fundamental concepts and skillsets. (Check out my previous blog post on some recommended reading.) But that’s tough to do, and let’s be honest, a lot of hiring managers might not buy that, so some kind of formal training or education might help you. Also, it’s important to acknowledge that for under-represented minorities in cybersecurity, especially BIPOC and women, having a degree or certification may help demonstrate your skills when people (sometimes unfairly) question your qualifications.

I divide the CTI space into three major types of organizations, all of which have pros and cons that I’ll generalize about. As always, generalizations are inherently inaccurate, so there are exceptions to everything I’m discussing here. (Check out my previous post on choosing jobs for more on thinking through decisions on the type of organization you might want to work for.)

The field of CTI is surprisingly broad, and what a normal day looks like depends a lot on what the CTI team’s requirements are. Some analysts might focus at the strategic level where they read reports about what countries are doing and write assessments for their consumers. Other analysts might be more tactically-focused (like I am) and look at logs and detections every day. Here are a couple common tasks many CTI analysts do:

Here are a couple CTI interview questions I’ve asked and heard of from others — think about how you’d answer these, and think of your own interview questions as well:

Lastly, you’ve heard this before, but networking is key whether you’re trying to get a CTI job or any other position. Social media is a great way to do this. Virtual conferences are another great way to network, as they often have Slacks or Discords where you can interact with attendees. If someone blows you off or is a gatekeeper that tries to keep you out of this field, ignore them and feel bad for them because they’re insecure. Please keep in mind that people are busy and this is a tough time for all of us, so be patient and understanding if someone doesn’t reply to you. (*Raises hand*…sometimes I don’t have the energy to reply to everyone, though I wish I did!)

If you’ve made it this far, wow! 😆 I hope you’ve found some of this content helpful. CTI is a field I love, and I hope you’ll consider joining us— we need new ideas and perspectives to improve!

Related posts:

A key metric for measuring how well you handle system outages is the Mean Time To Recovery or MTTR. It’s basically the time it takes you to restore the system to working conditions. The shorter the…

The number of jobs in cryptocurrency and blockchain grew more than 200% in the US in 2017. (https://www.coindesk.com/blockchains-big-year-competitive-job-market-grows-200/) In 2018, with the number…