Threat Intelligence Analyst

The Research on Request Team at Recorded Future is looking for a Threat Intelligence Analyst to assist in producing consistently high quality cyber threat intelligence to clients based on their specific intelligence requirements. This production will likely involve the review and analysis of infrastructure associated with a specific threat actor or campaign, or analysis of indicators associated with a specific incident. In additional, this analysis will be expected to product analysis in line with more general requirements, such as research into overall threats to an industry, region, or technology. The analyst will be primarily responsible for ad hoc intelligence requests. Writing either ad hoc or regular reports requires the ability to work with or automate regularly recurring datasets, while also requiring flexibility to quickly research and analyze a broad spectrum of cyber threat activity, from new attacks against automotive technology to patterns in malware development.

• Produce and review finished intelligence reports that address clients’ priority intelligence requirements across a broad range of cyber threat activity topics
• Research indicators of threat activity in the form of netflow / networking data, website / domain / IP infrastructure, security tooling logs, and email metadata
• Engage with clients across report lifecycle: initial scoping, finished intelligence delivery, and follow-up review / support
• Develop novel, automated, or simpler processes for research and analysis
• Work on projects across multiple research teams with sometimes tight deadlines

• 2+ years experience as a threat intelligence analyst or in similar position
• BA/BS or MA/MS degree or equivalent experience in Computer Science, Information Security, or a related field
• Strong understanding of TCP/IP, DNS, HTTP/S, SMTP, and common application-layer protocols
• Ability to analyze netflow data (e.g., source/destination IPs, ports, protocols, volumes, timing)
• Familiarity with routing, ASNs, CIDR, and IP ownership (WHOIS, RIRs)
• Experience investigating malicious domains, URLs, and IP addresses
• Familiarity with attacker infrastructure patterns (e.g., fast-flux, bulletproof hosting, VPS abuse, CDNs, domain generation algorithms)
• Ability to pivot across infrastructure artifacts to identify related activity
• Understanding of email headers and metadata (SPF, DKIM, DMARC, Message-ID, Received headers)
• Experience analyzing phishing, spoofing, and campaign-level email infrastructure
• Practical experience using common threat intelligence analysis models such as MITRE ATT&CK, the Diamond Model, and the Cyber Kill Chain
• Familiarity with and use of common cyber threat intelligence tools such as DomainTools, VirusTotal, SHODAN, etc.
• Ability to understand and analyze malicious scripts or artifacts written in common scripting languages such as Python, JavaScript, XML, etc.
• Demonstrable experience researching and analyzing cyber threats across either a) multiple industries or b) multiple timeframes. Including but not limited to finance, manufacturing, IT  services, healthcare, and public sector. 
• Managing client expectations based on pre-established scope of work and delivery timeframe 
• Ability to convey complex technical and non-technical concepts with intent of delivering value to each client
• Excellent writing skills are mandatory, to be assessed via a writing sample

• Ability to analyze malware samples, including both static and dynamic analysis
• Working knowledge of at least one language other than English, with relevance preferred for regions with more active or sophisticated cyberattackers
• Experience working with clients to produce intelligence requirements, or reports / research in line with such requirements
• Demonstrable experience of conducting cyber threat investigations 

#LI-Remote