What methods do you use to collect and analyze data to identify potential cyber threats?
Both open source and closed source intelligence are equally important. Closed source takes the form of finished intelligence or tailored alerts supplied by intelligence vendors; that is fairly straightforward.
Open source, by its nature, is collected through various channels and means.
Tools like Feedly provide automated collection based on pre-defined queries. Tailored feeds on social media like X and LinkedIn (mostly through notifications on postings by important accounts) often function as an early warning indicator.
A source that lies in between closed and open sources is community chat groups on Slack, Signal or Discord.
Those often help to filter signal from the noise. Particular care is given to being up to date on geopolitical developments, as they could be an early warning before a malicious campaign even begins, but very often they just provide more context to ongoing activity.
How do you differentiate between false positives and actual threats in your analysis?
That is always tough.
Do not act on impulse and always verify. At the same time, an analyst needs to be a bit “paranoid” and trust their gut feeling.
But of course, not everything can be investigated manually.
Like anyone in the business, I rely on automated tools that filter false positives out of the data pool.
Can you describe a recent threat landscape that significantly challenged your analysis skills, and how you managed it?
I focus mostly on Chinese threat actors.
The recent revelations from the I-Soon leak made me substantially rethink the whole Chinese state threat actor ecosystem.
Managing it is a matter of understanding that a single contractor may appear as multiple threat actors, depending on what intelligence task is given to them by the contracting intelligence agency.
How do you ensure that your threat intelligence findings are actionable for other teams within your organization?
Some elements are fairly easy. Threat hunting must have different parameters than a briefing for executives.
Almost everything else is a matter of seeking feedback.
A threat hunt product would be useless if we asked the receiving team to hunt for indicators it does not have the capability to hunt for.
An executive brief would not be useful if we threw in all the tools a threat actor uses but provided no context. Feedback also helps us to identify intelligence gaps. It is always a work in progress.
What skills do you think are essential for a cyber threat intelligence analyst to keep developing, and why?
Humility.
Humility may not be a skill per se, but I would say that it is the most defining feature of a good analyst.
Understanding that we are trying to make sense of something that constantly shifts. There is always something new, and that makes us more students than experts.
And being at peace with that understanding.
As for skills, critical thinking and good writing. Good actionable intelligence is only as good as the write-up.