Cyberintelligence Analysts: A Keen Eye for Anomalies

Sponsored School Search


The most famous IT security analyst in history might have been a moonlighting astronomer.

In 1986, an unemployed astronomer named Clifford Stoll who happened to know a little bit about Unix system administration got a gig running the computer systems at Lawrence Berkeley Laboratories (LBL). His first task in his new job was to track down a trivial $0.75 billing error in the time share system: an easy matter of auditing a few logs and locating the offending user– or so Stoll thought.

Instead, as he looked into the minor accounting error, a world of deception and espionage began to unfold on the screen in front of him. A fake user account had generated the error, and then immediately gone about trying to break into another computer on the far side of the country with the obscure name “Dockmaster.” Stoll had uncovered a hacker, one using LBL’s systems as a cover for attacking even more sensitive networks.

Dockmaster, Stoll would discover months later, was a gateway server for the NSA—the National Security Agency, one of America’s most secret intelligence agencies.

Over the course of ten months, Stoll poured through his own system logs, set traps, and traced the hacker in action while coordinating with other system administrators and law enforcement agencies around the country. Eventually, he tracked the intruder to his lair in Germany: a hacker named Markus Hess, who was working for the KGB to steal and sell American military secrets to the Russians.

With the cooperation of the FBI and West German authorities, Hess was arrested and convicted in 1990 on charges of espionage. Stoll went on to detail his odyssey of detection and pursuit in the classic book “The Cuckoo’s Egg,” an inspirational read for anyone interested in a career in cyberintelligence.

Stoll got his man many years before there were any official positions for information security professionals of any stripe, least of all cyberintelligence analysts. Still, Stoll blazed the trail for the kind of investigative work that security analysts routinely perform today.

Analyzing hacking attempts, tracking down hackers, and staying on top of emerging threats and the methods used to defend against them are all in a day’s work for information security analysts.

Security Analysts Follow the Hackers Home at Night

Cyberintelligence analysis is the quintessential knowledge work, consisting in large part of researching, thinking, and writing.

The type of research and analysis performed will vary depending on what sort of target the analyst’s employer represents. A typical enterprise security analyst in the healthcare sector, for instance, might devote most of their time to generic background study on trending virus threats and recent developments in worm virus vectors and behavior. The primary threats to the organization would largely be random attacks– essentially the same types of viral and phishing attempts that any private home user would face, but on a larger scale with substantially more at risk.

A security analyst working for a major retailer, however, might have a more focused agenda. With a substantial trove of credit card numbers being processed through their systems each day, the retailer would be a prime target for any number of highly organized, disciplined credit card theft rings operating worldwide. The analyst team, in this instance, in addition to evaluating and responding to generic threats, would probably also research their presumed opposition: what countries they work out of, IP addresses and attack techniques they are known to use, perhaps even signature elements of code or spearphishing messages that could be used to “fingerprint” individual hackers.

Fighting Hackers Where They Live

In both cases, the analysts use various open and closed intelligence sources to accumulate information on the opposition. Such sources can include the Internet Storm Center, CERT,  and the OWASP (Open Web Application Security Project) Top 10 list. In some cases, cybersecurity intelligence specialists attempt to infiltrate and monitor darknet message boards and IRC (Internet Relay Chat) channels where black hat hackers congregate.

They might conduct pattern analysis of known attacks that other companies or the government have reported, and compare the successful breaches against their own company’s security posture. Files are maintained specific to the threats and recommendations made to security administrators and architects to ensure the company’s defenses are oriented toward the most likely threats. Analysts help security administrators devise policies and select tools most appropriate to the current threat environment.

Analysts also review access and traffic logs, using tools like Splunk and WireShark.

Cyberintelligence Analysts: The First Responders of IT Security

Security analysts are usually part of the on-call team in any organization that is responsible for responding to security incidents or emergent threats. In the event of a breach, analysts are among the first security professionals to review the damage and survey the compromised systems to uncover the path the hackers used to gain access. As part of this process, they are expected to understand and know how to use digital forensics tools like Magnet Axiom.

Analysts might assist engineers and administrators in closing the hole and securing the breach, or they might actively monitor and attempt to gain additional data from the hackers as they move within the system. Security firms like TrapX and Cymmetria, for example, create honeypot devices that mimic vulnerable systems and can be installed on a network to attract hackers and monitor their techniques.

In other cases, security analysts have taken compromised information from multiple targets and tracked down surprisingly large and well-organized hacking groups. One of the most famous of these incidents was undertaken by security firm ThreatConnect, whose cyberintelligence analysts established incontrovertible evidence that the Chinese military was behind many major hacking attacks on U.S. firms and government agencies.

Security Analyst Qualifications: Degrees and Certification

The overriding qualifications for an IT security analyst are curiosity and diligence.

Many analyst positions do not require a college degree or any particular certifications, but almost all of them require actual experience working in information technology and a demonstrable familiarity with the underlying software and network protocols of modern information systems, including:

  • TCP/IP (Transmission Control Protocol/Internet Protocol) and the 7-layer OSI (Open System Interconnection) network model
  • Windows and Unix operating system internals
  • Firewall and router configuration and the basics of Intrusion Detection Systems (IDS)
  • Basic precepts of computer programming including logic flow and API (Application Programming Interface) uses

When certifications are required for analyst positions, they tend to be among those focused on penetration testing and other aggressive assessment techniques mimicking those used by black-hat hackers, including:

Some security analyst positions traffic heavily in sensitive or classified information. This means job candidates might need official clearances to deal with Top Secret or Sensitive Compartmentalized Information (SCI).

Cyberintelligence specialists often hold a two-year or four-year degree, though employers tend to show preference to job candidates with graduate degrees in cybersecurity. When selecting an online or campus-based program, it is worth considering institutions that are part of the joint NSA/DHS (National Security Agency/Department of Homeland Security) Centers of Academic Excellence program. CAE-designated colleges offer bachelor’s and master’s degrees focused on information assurance, while two-year degrees are available at designated community colleges. In either case, a program offered through a CAE-designated school ensures the best possible educational experience and cutting-edge cybersecurity coursework, as evidenced by a stamp of approval from the preeminent federal intelligence gathering and counterterrorism agencies.

Back to Top