What is required to work in threat intelligence jobs ? 


CyberTalents has launched a series of webinars about cyber security jobs named What is required to work in cyber security jobs?. Throughout our webinars series we will be talking about different cyber security jobs, what is required to work in these jobs? Spotting each job, explaining it in detail, describing its daily operations, resources and training needed and much more. There are around 15 to 20 jobs in the cybersecurity field.However, before starting your career, you need to identify which one of those jobs you would like to master. Accordingly, draw your career path, build your plan and reach your ultimate goals.


Starting our series, we were honored to have “Dr. Ahmed Shosha”,  senior threat researcher at FireEye. Dr Shosha received his PhD in Computer Science from University College Dublin. He is currently Senior Threat Researcher at FireEye, his research focuses on malware analysis, reverse engineering and threat intel.

In the webinar, he covered a lot of information including what is threat intelligence, what it is required to work in threat intelligence jobs in addition to that, he gave us some tips about how to start in the field, resources to study and skills needed to have


Before getting into more details, we need to know first:

What is Threat Intelligence?

“Threat Intelligence is considered a new domain in cybersecurity that focuses on gathering intelligence and provides information to organizations related to APT (advanced persistent threats), different threat actors, tactics and techniques used by special groups to attack that specific organization.” Said Dr. Shosha


Another definition that is important to understand is IOCs ( Indication of Compromise)


IOCs (Indication of Compromise): this is a piece of data that indicates computer intrusion and helps organizations to protect themselves from specific APT groups. This can be malware signature, MD5 hashes, malicious URLs or similar.

How Threat Intelligence can help in protecting your organization?

“Imagine that a threat researcher published a report or indication of compromise before a ransomware like wanna cry that infected millions of machines worldwide, raise a flag that this is an imminent threat, we would have protected a huge amount of organizations”. Said Dr. Shosha.


Where can I find the threat intelligence Jobs?


As most of cyber security jobsThreat Intelligence jobs can be divided in two tracks:  


Cyber Threat Intelligence Researcher: This type of job is mainly found on vendor side like Fireeye, Kaspersky, Symantec, TrendMicro or any other Threat intelligence vendor. One of the main roles of a cyber threat researcher is  to keep track of APTs groups (advanced persistent threats), know their motivation, their tools & techniques, malware they write and C&C (command and control center), identify their targets. Are they targeting certain sectors like aviation or oil & gas ?  Who is behind that “threat actor”? Is it an organization or a group of cyber criminals or a nation state?. Also, threat researchers, not only to track existing apt groups, but they expand their role to identify new apt groups.``


Cyber Threat Intelligence Analyst: This type of job you can find most of the time at the customer side like Mobile/telecom operators, banks and large enterprises. Analysts receive feeds ( reports or IOCs) from the cyber threat researchers or from different vendors like fireeye, Kaspersky, Symantec or others where they should understand this feeds, analyse, consume and prioritize it according to their sectors and different threats that target their organizations. 


What kind of resources and skills are needed ? 


“You need to have a combinations of skills to work in Threat intelligence” Dr.shosha said. “ Basic and advanced skills in Incident response, Digital Forensics Malware Analysis and reverse engineering, Red Teaming and penetration testing are needed to join threat intelligence jobs”. He added


As per Dr. Shosha, having different technical skills is crucial to join threat intelligence jobs. More information about malware analysis skills can be found on what is required to work in Malware analysts jobs?  

More information about penetration testing skills can be found on what is required to work in web penetration testing skills ?

Links will be updated once we cover the other topics in our webinar series like incident response and digital forensics soon.


Most of the training is not mature enough. Community is still under development even sans Dr. Shosha also mentioned some resources to help you through your Threat Intelligence journey.

Sans FOR578: Cyber Threat Intelligence course, if the course price is not affordable, have a look on the outline to know what you should start to study 

APTnotes This is a repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets

Another APTnotes This is a repository for various publicly-available documents and notes related to APT, sorted by year.

https://github.com/Yara-Rules/rules This is a repository where different Yara signatures are compiled, classified and kept as up to date as possible

http://dfir.org/?q=node/8 This is a list of books that is recommended by security professionals in different cyber security topics like crypto, malware analysis, digital forensics and others.


Finally, threat intelligence is a new domain that is slightly different from the cybersecurity field. It focuses on APTs, threat actors, techniques used by threat actors and is a very highly demanded job across the world now like most cyber security jobs especially in different antivirus companies.