As a threat intelligence analyst in Unit 42, the research arm of global cybersecurity company Palo Alto Networks, my job is to understand who is attacking whom in the cyber world, and then why. It's also my responsibility to understand how particular cyber-attacks manifest themselves.
Cyber-attacks are inevitable in today's digital age. Understanding how an attack works, and then sharing this knowledge with others, is the only way to mitigate the effects in future. The intelligence cycle is a time-tested methodology for hunting bad guys on a network. It includes gathering information on how threats are delivered, how they exploit the victim or target system, what they do once in place (their actions on objectives) and how, if at all, they then communicate back to the adversary's command-and-control infrastructure.
Since the answer to each of these questions differs from one malware family to the next, finding out how the attacker operates is vital to finding and stopping it in future.
Where to start
In my day-to-day role, there are numerous ways in which I learn of new attacks occurring. Irrespective of the source, however, my goal is to better understand what's happening and which Tactics, Techniques and Procedures (TTPs) the adversary employed during their attack campaign. Understanding these, together with other factors such as mapping out the attacker's online infrastructure, can support attribution.
Working in the Unit 42 threat intelligence team means that I am at the centre of an operation that reports on cyber threats around the world. Such intelligence includes outlining, where possible, who could be behind an attack, the tools and malware used, and the motivations for the attack. On occasion, our research covers large-scale attacks, such as cryptocurrency-mining campaigns that have affected tens of millions of people.
Palo Alto Networks is all about prevention and protection rather than remediation after the fact. We work to protect businesses, and the public in general, against malicious threats. We also support our clients in reaching their full digital potential through use of the most effective security applications, whether cloud or endpoint-based, and, ultimately, in preventing attacks against their networks.
Fighting fire with fire
I've worked in the industry since leaving school eighteen years ago, but a lot has changed as the scale and sophistication of attacks has evolved.
In the past, working as a security researcher was limited to being reactive to threats and to whatever intelligence came out of attacks after the fact. Now, however, it's much more about being proactive. A lot of the work around initial threat detection is now handled by machines, as there are far too many threats every day for humans to monitor themselves. Another element of my role today is harnessing the power of Artificial Intelligence (AI), or at least the Machine Learning aspect of AI, to spot patterns in data that may indicate maliciousness, so that we as analysts can concentrate on higher-level questions such as how different pieces of an attack connect together, disseminating intelligence and ultimately preventing future attacks.
My approach to cybercrime, which is just one of the many categories of cyber threat out there, is the same as the police's approach to any other crime: first gather the evidence, at the cyber level, in an attempt to solve the proverbial whodunnit. It can be difficult to be certain about who the attackers are. Threat actors are very skilled at hiding their identities, masquerading as other nationalities or appearing to be located in other countries. Instead, we can track which tactics and malware types they're using and mitigate the impact, so that those tools are far less effective the next time they are used.
Typically, we see a lot of high-volume malware, and in that case it can usually be attributed to organised criminals; but, for the most part, there is little benefit in "building a picture" of the attacker rather than of the malware itself. Broadly speaking, such attacks are opportunistic rather than calculated, and are often carried out using tools that can be downloaded from the internet for a pittance. It is much more worthwhile to build a picture of the malware trends growing in popularity, and of the ways in which we can fight them, than to focus on the individuals distributing the threats.
How to become a threat intelligence analyst
I first got into threat intelligence during a gap year between school and university with an antivirus company, but I'd always had an interest in computers and gaming at school. In fact, I spent much of my time building hardware from scraps and building the machines and cables that connected everything together; this was way back when Wi-Fi had yet to become mainstream. There was a lot of variation day-to-day in the tasks I was doing, which is why I stayed at the company for the next twelve years.
I didn't complete my degree until recently. I spent the last six or so years doing a computer science degree through the Open University and received a 2:1 just last year. I relocated to the US with that company before joining Palo Alto Networks two years ago, and used to have to fly back to the UK to sit my exams.
But this job isn't as one-size-fits-all as you might think, and there's no such thing as a typical threat intelligence analyst. Although most have come from a computing and technology background, there is a lot of value in those who have studied humanities, who are often better at predicting where certain malware types will strike again based on their previous patterns. Threat research degrees have only recently become available, as the cybersecurity industry has continued to boom, and while maths degrees would certainly be necessary for certain threat intelligence roles, marketing, politics and psychology graduates are often just as valuable to a threat intelligence team.
Mind the skills gap
The cybersecurity skills gap in the UK, and indeed the world, has become increasingly problematic, and those with a passion for computing are in high demand and therefore have an opportunity to monetise and develop that passion like no generation before them. This passion might have been only a hobby while at university, but it's an invaluable asset once you've left, regardless of the type of degree you possess.
When you stop to consider the cyber threats unleashed on new networks, using new technology, every day, compared with the number of schools that now actively discourage computer learning at an early age, it's no surprise that our industry lacks the people to keep on top of these threats.
Cyber skills are increasingly valuable
We live in an increasingly digital world, where computing skills and data have become the new oil. In the wake of GDPR, targets of cyber-attacks have become much more interested in finding out who it was that attacked them, for their own peace of mind. Why were they attacked? What was the target? How do we prevent it? For this, we create playbooks of previous attacks, recording the malware types and tools used and the techniques employed by the actors, whether known or unknown, so that the public can use this information and our customers benefit from greater knowledge and context when using our products and seeing attacks occur.
Each time a new tech company, for instance, becomes popular enough to be recognised online and in the press, threat intelligence analysts must assume that a cyber-attack is forthcoming and address any vulnerabilities before that happens. If a company or individual is powerful, they are a likely target for a dangerous cyber-attack, and that's where we come in.
When it comes to the future of threat intelligence analysis, the industry will certainly continue to grow and evolve alongside the cyber threats we protect against and the new technologies they utilise. Automation, for instance, will become especially prominent as the scale of threats grows and humans can no longer manage the sheer volume of possible threats across multiple virtual environments.
That said, humans are still very much needed to fight through the hodgepodge of excessive alerts, to identify what is merely anomalous and what is truly suspicious, and to decide when to notify customers of a danger. As such, successful threat analysis will, in future, derive from a symbiotic relationship between man and machine.
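The playbooks described above, and the delivery / exploitation / actions-on-objectives / command-and-control stages listed in the intelligence-cycle paragraph near the top of the article, can be made concrete with a small worked example. The code below is written for this article and is not Unit 42's playbook tooling: the incident records, indicator values and phase names are all constructed for illustration. It records each observation against a kill-chain phase and then links incidents that share a specific piece of attacker infrastructure (a domain, IP or file hash), while deliberately refusing to pivot on commodity tool names such as a scripting host, which would link unrelated incidents.

```python
"""Added example: build a minimal attack playbook from constructed incident
records, then link incidents that share attacker infrastructure.
Illustrative code for this article, not Unit 42's own tooling; the record
layout, phase names and all indicator values are assumptions."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Kill-chain phases in the order the article lists them.
PHASES = ("delivery", "exploitation", "actions_on_objectives", "c2")

# Indicator kinds specific enough to pivot on. Shared tool names are NOT
# pivots: every incident that abuses wscript.exe is not one campaign.
PIVOT_KINDS = {"domain", "ip", "sha256"}

# One observation = (phase, technique, indicator_kind, indicator_value).
Observation = Tuple[str, str, str, str]

# Constructed sample incidents (no real indicators; .test is reserved).
INCIDENTS: Dict[str, List[Observation]] = {
    "inc-001": [
        ("delivery", "spearphishing attachment", "sha256", "a1" * 32),
        ("exploitation", "script interpreter", "tool", "wscript.exe"),
        ("c2", "https beacon", "domain", "update.example-cdn.test"),
    ],
    "inc-002": [
        ("delivery", "drive-by download", "domain", "ads.example-media.test"),
        ("exploitation", "script interpreter", "tool", "wscript.exe"),
        ("actions_on_objectives", "coin miner", "tool", "xmrig"),
        ("c2", "stratum pool", "ip", "198.51.100.23"),
    ],
    "inc-003": [
        ("delivery", "spearphishing link", "domain", "login.example-portal.test"),
        ("c2", "https beacon", "domain", "update.example-cdn.test"),
    ],
}


def validate(incidents: Dict[str, List[Observation]]) -> None:
    """Reject records whose phase is not in the playbook's vocabulary."""
    for inc_id, obs in incidents.items():
        for phase, _, _, _ in obs:
            if phase not in PHASES:
                raise ValueError(f"{inc_id}: unknown phase {phase!r}")


def phase_coverage(obs: List[Observation]) -> Dict[str, List[str]]:
    """Techniques seen in each phase, in kill-chain order; a phase with no
    observation is present with an empty list so gaps are visible."""
    cov: Dict[str, List[str]] = {p: [] for p in PHASES}
    for phase, technique, _, _ in obs:
        cov[phase].append(technique)
    return cov


def link_by_infrastructure(incidents: Dict[str, List[Observation]]) -> List[Set[str]]:
    """Cluster incidents that share any pivotable indicator (union-find).
    Returns clusters sorted by their smallest incident id."""
    validate(incidents)
    parent = {inc_id: inc_id for inc_id in incidents}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen: Dict[Tuple[str, str], str] = {}
    for inc_id, obs in incidents.items():
        for _, _, kind, value in obs:
            if kind not in PIVOT_KINDS:
                continue  # tool names and the like never join incidents
            key = (kind, value)
            if key in first_seen:
                parent[find(inc_id)] = find(first_seen[key])
            else:
                first_seen[key] = inc_id

    clusters: Dict[str, Set[str]] = defaultdict(set)
    for inc_id in incidents:
        clusters[find(inc_id)].add(inc_id)
    return sorted(clusters.values(), key=lambda s: min(s))


def cluster_techniques(incidents: Dict[str, List[Observation]],
                       cluster: Set[str]) -> Dict[str, Set[str]]:
    """Union of techniques per phase across a cluster: the campaign's TTPs."""
    merged: Dict[str, Set[str]] = {p: set() for p in PHASES}
    for inc_id in cluster:
        for phase, techniques in phase_coverage(incidents[inc_id]).items():
            merged[phase].update(techniques)
    return merged


if __name__ == "__main__":
    for cluster in link_by_infrastructure(INCIDENTS):
        print(sorted(cluster), cluster_techniques(INCIDENTS, cluster))
```

Running it links inc-001 and inc-003 through the shared C2 domain and leaves inc-002 on its own even though it uses the same scripting host as inc-001; the per-phase summary of each cluster is the kind of record a playbook keeps so that the next sighting of the same infrastructure or technique can be matched quickly.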
Alex Hinchliffe is a threat intelligence analyst at Unit 42, Palo Alto Networks