By Phil Buck, Senior Threat Intelligence Analyst

Introduction

I was recently asked to provide a blog post about my role at Nettitude. Words cannot describe the emotion I felt; this particular Senior Threat Intelligence Analyst was overjoyed to start beating the Threat Intelligence drum, explaining the mission critical role I fulfil, the cutting edge technology I use and the countless lives I have saved so far (fine, the last point might be slightly outside the job description….) The actual reason I was asked is because I am part of the growing team of ex-service personnel currently employed at Nettitude. The time has come to build on the great blog post that Phil Kimpton produced in 2017. Here is my story.

First, a bit of background about me: I left the Intelligence Corps in 2015 after 10 years of service. My last role was as a Sergeant at the military training wing at Chicksands where I taught Operator Military Intelligence (OPMI) Class 3 and Class 1 soldiers on their Command, Leadership and Management (CLM) career courses. Prior to this, I had served in Germany and the UK, supporting a range of strategic and tactical customers. By the time May 2014 had arrived, I knew I wanted to leave the military and pursue a career in civilian street. I handed in my notice and spent the next 12 months figuring out what I wanted to do. What exactly would my career look like after I left the military?

I had GCSEs and A Levels, but I didn’t have a degree. I spoke to several of my colleagues prior to leaving and they told me about the Intelligence and Security degree being run by Staffordshire University. At the time, all tri-service intelligence personnel were able to apply for a place on the course. Time served and seniority meant that certain elements of the degree were accredited, which for me meant that I only had to complete the final year of a BSc Hons to get a degree. The course included modules such as terrorism, ethical hacking, cyber warfare and malicious software, computer networks and security as well as international security. After 15 months of distance learning, I was awarded 1^st Class Honours. Whilst I wouldn’t agree that a degree is necessary in gaining employment in Threat Intelligence, it does prove that you have the capacity to learn and analyse large sets of data to extract the pertinent points. There are certainly cheaper ways of learning that skill set, however a degree does look good on a CV, especially one related to the field of intelligence.

Towards the end of my studies, I started looking for roles in cyber security. I was hooked on a career in this industry, thanks in part to my degree. It soon became apparent that threat intelligence would be a perfect match, allowing me to incorporate my military experience with threats faced in cyber space. A colleague I used to work with suggested I look at a company called Nettitude, located in Royal Leamington Spa.

I spent a couple of days researching them and found their marketing material extremely appealing. At the time, they were recruiting for a Threat Intelligence Analyst and I knew immediately that that was a role I wanted to apply for. I turned my attention to my CV. I gave it a facelift and soon I was confident enough to send it to the recruitment email address at Nettitude. After some arrangements, I had an initial conversation with Ben Densham, the CTO.

I spoke to Ben and only after around 20 minutes did I realise it was a telephone interview. The call lasted around an hour and I remember thinking afterwards “well I totally screwed that up.” I immediately began researching other companies that were looking to fill similar positions. The following day I received a phone call asking if I could meet Ben at the Leamington office for a second interview. I had to prepare a presentation on a cyber-attack as well as answer technical and intelligence related questions. Once again I left the interview feeling that I had definitely messed things up that time. It was only my second ever interview and I felt like a swan; calm above water, kicking like mad below it.

I must have done something right as two weeks later I started at Nettitude as a Senior Threat Intelligence Analyst! No cuff too tough!

The State of Threat Intelligence

Threat Intelligence is growing from strength to strength. From a consultancy perspective, such as the role I fulfil at Nettitude, we look to understand the holistic attack surface of our clients. This involves looking at their people, processes and technology and finding out what information they may be divulging that may be used against them. The weakest part of any organisation is its people. We look to find information about employees that could be leveraged against them in order to get them to click on a link or open a document. The purpose of threat intelligence is to highlight some of the weaknesses an organisation has and to suggest ways in which those weaknesses could be improved or mitigated against. Threat Intelligence is also used as a pre-cursor to intelligence led penetration testing (also known as Red Team testing).

This methodology has been implemented by the Bank of England through their CBEST scheme, a process that involves banks going through periodic testing to ensure they are doing everything they can to protect their environments. Threat intelligence plays a major part in this scheme, not only by identifying information about the clients themselves, but also understanding the threat actors that are likely to target them. This can be anything from nation state advanced persistent threats to an insider threat; the lone wolf that has already bypassed security measures through legitimate access. The challenge is tying all this information together and presenting it to the customer in a clear and concise fashion. This is where Intelligence Corps training kicks in, such as training on using accuracy, brevity and clarity. Don’t waste people’s time with wordy analogies. Just say what you see.

How has my military career helped?

My time in the military certainly stood me in good stead. I still dial into meetings five minutes early (not the five minutes before the five minutes before the five minutes before that we are all used to in the military) and I can’t help but dish out a little banter in the office when the opportunity presents itself! There is also the can-do attitude, ability to engage with people from different backgrounds as well as being polite and courteous. One of the many gifts that we all possess coming from a military background is the ability to be heard in a room. This doesn’t mean shouting people down, rather that you have the ability to articulate yourself and back up your assessments when you get challenged on them. In terms of threat intelligence, having the ability to analyse large datasets and focusing on the key snippets that will have the biggest impact is certainly a skill that is hard to teach.

Then there is the part about working in a team. I will freely admit that my technical skills are no way near those of the guys and girls in the red team (the group of people at Nettitude that actually attack clients’ networks off the back of the information that the Threat Intelligence analysts find!) but then there are those in the Threat Intelligence team who are gifted at the more technical aspects of the role. Together we combine our strengths and produce an awesome product every time thanks to the collective strengths of the team. True, there are times when you are alone on an engagement, but that does not mean you are not able to talk to the rest of the team and pick their brains about the best way to proceed.

Another attribute that military and ex-military have in abundance is moral courage; the ability to do the right thing on a difficult day. Whether this means informing a client that they are perhaps not as secure as they might think, or telling a senior member of staff that the assessment you have produced is correct and that you stand by your assessment, there are times when the slightly harder path has to be taken. This is where our collective military training and mindset helps us; the ability to stand tall and get your point across succinctly and accurately whilst maintaining a professional image. It’s not an easy task, but it is one we have all had to do at some point.

Useful Cyber Security Certifications

Below are some of the certifications that will stand you in good stead for a career in threat intelligence. There is no right or wrong answer as to when you should take these exams, however I would recommend sitting the analyst exam before the managers one. It gives you a feel for the way the exams are structured. As with all CREST exams, there is a suggested reading list for each exam. Below are some useful links to learn more about these certifications:

• Crest Practitioner Threat Intelligence Analyst
• Crest Certified Threat Intelligence Analyst (CCTIA)
• Crest Certified Threat Intelligence Manager (CCTIM)
• Certified Threat Intelligence Analyst
• GIAC Cyber Threat Intelligence

These will cover the basics, but there are some other publications that will also assist. Have a look at the Bank of England’s ‘Understanding Cyber Threat Intelligence Ops v2.0’ in order to understand how threat intelligence is used to test the resilience of the UK financial industry. The latter publication will also provide you with an overview of how threat actors are defined and analysed.

Summary

Threat intelligence is an excellent career choice for anyone from a military intelligence background looking to start a career in cyber security. Your technical skills do not have to be red hot, though your attitude, and your ability to engage with clients and produce exceptional work does have to be. Anyone doubting themselves need not worry. The civilian workplace is a fantastic place to be. Civilians do have some decent chat (mostly) and they are diligent and motivated just like their military counterparts. Sure, some of them can’t smash out a sub 8 minute mile and a half run, nor are they ‘good with weight.’ They are however awesome at what they do and you’ll be relying on them for help soon enough. Civilian street isn’t scary; it is just the next logical step.