Security Staff Acquisition & Development, Leadership, Threat Management

How I Became a Threat Intelligence Professional

By Katherine Teitler

Cybersecurity practitioners don’t generally fit into a mold. The security industry is relatively new as compared to other fields, which means that many seasoned practitioners got their start in an adjacent field or because they showed an interest in or proclivity towards technology. If you look at successful practitioners across the industry you’ll find just as many different routes that led practitioners to where they are today as you will practitioners themselves.   

For this series, Infosec Insider asked a few of our InfoSec World 2018 presenters to share how they came to practice their current role in security. Crane Hassold, Manager, Threat Intelligence at PhishLabs, shares his background in this second Q&A in the series.

What was your first professional job?

My first professional job was as an Intelligence Analyst with the FBI, where I worked for 11 years before moving over to the private sector. At the agency, after a few years working health care fraud and identity theft cases, I moved to the Behavioral Analysis Units, where I spent most of my career working on serial violent crime investigations, essentially the exact opposite of cybersecurity. 

My introduction into “cyber” occurred when I started working on a development team for a database that was built to catalogue serial crimes and link them together. Initially, I was just responsible for developing user requirements for the analysts, but later, as the manager of the team, I worked more closely with the engineers to get a better understanding of the nuts and bolts of the development process. I really enjoyed the experience of creating technical measures to enhance the effectiveness of traditional intelligence analysis, and in 2012 I helped create the FBI’s Cyber Behavioral Analysis Center (CBAC), which takes an asymmetric approach to examining cyber threats by combining the traditional behavioral concepts used for decades in the violent crime world with technical expertise to gain a holistic understanding of cyber adversary tactics, techniques, and procedures (TTPs). Not only did my time in CBAC immerse me in the world of cybersecurity, it gave me an opportunity to develop innovative new ways to combat various cyber threats. 

Did you have any formal training before entering security? 

While most of my security training was done on the fly as new threats emerged (Google is a threat analyst’s best friend!), one of the great parts of working for the FBI was the amount of training that was provided when necessary. I was able to obtain my GREM, GCIH, GCFE, and GSEC certifications before moving over to the private sector, which gave me a fantastic high-level understanding of the different types of cyber threats and how to analyze them. 

What about your current role now drew you to its specialty?  

In the FBI, one of my primary responsibilities was to analyze the behavioral characteristics of cyber threat actors and exploit those characteristics for various investigative purposes. In my current role as the Threat Intelligence Manager at PhishLabs, a company that primarily investigates phishing-related threats, I analyze the ways threat actors exploit their victims’ behavioral weaknesses via social engineering, which is essentially the reverse of what I was doing at the FBI. The focus on gaining a better understanding of the human side of cyber threats, supplemented with analyzing the technical methods used to carry them out, is what drew me to both roles.

What skills would you recommend to anyone looking to become a manager of threat intelligence?

In my opinion,one of the biggest skills needed to become a successful threat intelligence manager is being able to always look at the bigger picture and make sure your team is doing the same. Threat intelligence is not about collecting threat data and simply plugging it into your organization’s defenses. The primary purpose of threat intelligence is to analyze threat data to understand its context and what it means in the grand scheme of things. If you’re looking at the bigger picture, it allows your team to be more proactive and look beyond the horizon to anticipate threats that are more likely to impact your organization, rather than simply reacting to threats as they occur. 

If your team will regularly write intelligence products, make sure they always answer two questions: “Why?” and “So What?” Context is everything in intelligence analysis and if a product doesn’t answer these questions, it’s likely not very valuable because it doesn’t tell the reader why they should care about the issue or how it impacts them.

Tell us something about your job that people not in that role would not expect. 

Many people think that all jobs in the cybersecurity field are technical by nature; however, a lot of what my team and I do on a day-to-day basis is actually quite non-technical. Sure, we need to understand the technical aspects of how threats work, but most of our day is spent analyzing threats to understand their significance and how they impact our clients. This requires more of an analytical mindset rather than a technical mindset, which I’ve found are two completely different things. A good number of technical analysts I’ve met (malware analysts, reverse-engineers, etc.) are hyper-focused on the technical intricacies of a single artifact. As an intelligence team, though, we don’t generally dig into these technical minutiae; we’re more interested in understanding why/if a threat is important, learning more about the actors behind a specific threat, and assessing the overall risk a threat poses to our clients. This requires us to look at a problem from a different perspective. 

As an industry, attracting more people who have a more traditional intelligence mindset is incredibly important, yet I think many people with the backgrounds we need bypass opportunities in the cybersecurity field because there is a perception that you need to be a technical expert to be successful. While there are certainly roles that require in-depth technical sophistication, many roles are better suited for analytical thinkers who only need a basic understanding of technical concepts to be successful.

Crane will be presenting a talk entitled "Life After Phishing: What's Next?" at InfoSec World Conference in Orlando, Florida, March 19-21, 2018.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.