How threat hunters stay informed and collaborate 

In the ever-evolving landscape of cybersecurity, threat hunters play a crucial role in proactively detecting and mitigating security threats. To do this, they need to stay informed and effectively collaborate.

Grayson Milbourne

August 20, 2024 · 6 minute read

In the ever-evolving landscape of cybersecurity, threat hunters play a crucial role in proactively detecting and mitigating security threats. A recent study by The CHISEL Group at the University of Victoria sheds light on the collaboration and information-sharing practices of threat hunters. Here are some key findings from the report that can help threat hunters and their managers enhance their strategies. 

This is the 7th post in our ongoing “The Rise of the Threat Hunter” blog series. To learn more about the series check out the introduction here or read last week’s post “Understanding Threat Hunter Personas.”  

Collaboration in Threat Hunting 

Diverse collaborators

Threat hunters interact with a wide range of collaborators, both internal and external. Internally, they work closely with teams such as the Security Operations Center (SOC), data science, and threat intelligence. Externally, they collaborate with clients, cybersecurity insurance companies, supply chain vendors, and other connections in the industry. Having a diverse network of collaborators allows threat hunters to keep up with new threats, defense tactics, and best practices for improving everyone’s security.

Communication channels

Effective communication is vital for successful threat hunting. Teams use various platforms like Slack, Teams, and email for synchronous and asynchronous communication. Regular meetings, both daily and weekly, help maintain alignment and ensure timely information sharing. However, the geographic dispersion of teams can pose challenges, making it essential to establish clear communication protocols. A breakdown in communication can lead to missed threats and vulnerable systems, so it is important to plan for how communication will be handled both synchronously and asynchronously.

Synchronous collaboration

Synchronous communication allows for immediate interaction and quick decision-making. Tools like Slack, Microsoft Teams, and Zoom are essential for facilitating this type of real-time communication. Regular meetings—whether they are daily stand-ups, threat intelligence briefings, or ad-hoc problem-solving sessions—ensure that team members can discuss issues, share updates, and align on objectives promptly. 

To maximize synchronous collaboration, it’s important to establish clear communication standards. This includes setting expectations for response times during working hours, agreeing on communication protocols for different types of information, and using shared documents or dashboards to keep everyone on the same page. 

Asynchronous collaboration 

Asynchronous communication, on the other hand, is key when working across different time zones or when immediate responses aren’t necessary. Managing handoffs effectively is crucial in this context. For instance, when one team member finishes their shift, they can leave detailed notes and action items in shared tools like Confluence, Jira, or Trello. This ensures that the next person picking up the task has all the information they need to continue the work seamlessly. 

Many communication tools also offer features that support asynchronous collaboration, such as thread-based discussions in Slack or Teams, where conversations can be revisited and added to as needed. Documenting decisions, logging key actions, and tagging relevant team members can help keep everyone informed without the need for real-time interaction. 

By blending synchronous and asynchronous methods, teams can maintain momentum and ensure that critical information is communicated effectively, regardless of when or where team members are working. 

Recommendations for improvement

To overcome collaboration challenges, the threat hunters interviewed for the report recommend automating report generation, reducing the number of meetings, and establishing a formal handoff protocol. Threat hunting is an art as much as a science. By automating report creation and reducing meetings, threat hunters gain the time they need to focus on critical, time-consuming tasks. When implemented well, these suggestions can streamline processes and enhance efficiency, allowing threat hunters to focus more on their core tasks.

Staying informed 

Core skills and learning strategies

As we all know, threat hunters need a blend of technical and non-technical skills. Technical skills include knowledge of operating systems, networking, programming, and cybersecurity basics. Non-technical skills such as communication, problem-solving, and analytical ability are equally important.  

Technical skills essential for threat hunters include knowledge of operating systems, networking, programming, and cybersecurity basics. Proficiency in scripting languages like Python, Bash, and PowerShell is crucial, along with familiarity with command line interfaces and system administration. Understanding malware analysis, computer forensics, and the threat landscape is also vital. 

These skills can be acquired through a combination of formal education (such as degrees in computer science or cybersecurity), certifications (like SANS, OSCP, CISSP), and on-the-job training. Practical experience can be gained through capture the flag exercises, hackathons, and simulations. Additionally, staying updated with the latest cybersecurity news, participating in webinars, conferences, and mentorship programs, and engaging with online communities and resources like GitHub and Stack Overflow are effective strategies for continuous learning. 

Non-technical skills include things like communication, problem-solving, and analytical ability. Effective communication ensures clear conveyance of complex concepts to diverse audiences, while problem-solving and analytical skills enable threat hunters to dissect issues and devise innovative solutions. These skills can be honed through mentorship, on-the-job training, and self-directed learning. Engaging in team meetings, knowledge-sharing presentations, and conferences also helps in refining these abilities. Additionally, reading articles, watching videos, and completing certifications provide continuous learning opportunities, keeping threat hunters updated with the latest cybersecurity trends and practices. 

Information Resources

Threat hunters rely on a variety of information resources, including OSINT, GitHub, podcasts, and threat intelligence platforms, not to mention industry conferences and other events. Often I learn the most during events like RSA and Black Hat, not necessarily during the briefings or presentations but during the evenings and after the conference while socializing and talking to others who work in this field. Socializing is a great way to get their take on what is most relevant to them.

It should be noted that some resources have limitations, such as unreliable information and paywalls. It often takes time to find high-quality data on emerging threats, which slows down response time. Integrating key resources into threat hunting tools and verifying the trustworthiness of information sources can help mitigate these limitations.

Recommendations for Improvement

To improve information resources, threat hunters suggest better integration of resources into their main tools and developing ways to verify the trustworthiness of information. This can enhance the reliability and accessibility of critical information, enabling threat hunters to stay ahead of emerging threats. While the industry works on new and better ways to integrate threat intelligence, threat hunters can and should continue to engage in industry knowledge sharing and communication to stay informed.

Learn more about OpenText Cybersecurity 

Ready to enable your threat hunting team with products, services, and training to protect your most valuable and sensitive information? Check out our cybersecurity portfolio for a modern portfolio of complementary security solutions that offer threat hunters and security analysts 360-degree visibility across endpoints and network traffic to proactively identify, triage, and investigate anomalous and malicious behavior. 


Grayson Milbourne

Grayson Milbourne is the Security Intelligence Director at OpenText Cybersecurity, a division of OpenText. Grayson’s nearly two decades of security intelligence expertise include malware analysis, data science, and security education. In his current role, Grayson is focused on efficacy development to ensure the company’s security management products (which include the Webroot portfolio) are able to defend against the most cutting-edge threats. He is a longtime advocate for better 3rd party testing of security products and represents OpenText Security Solutions at the Anti-Malware Testing and Standards Organization, AMTSO. Through his efforts, AMTSO released testing standards that greatly improved testing quality when followed. Grayson is an avid participant in the security community and drives awareness of current threats by speaking at major events such as RSA and Virus Bulletin. He is a frequent guest on local NBC affiliates and several cybersecurity podcasts. Beyond his passion for protecting people from cyberthreats, Grayson loves aviation and holds a private pilot license. His other passions include strategic board games, skiing and playing golf. He lives in Louisville, Colorado with his wife, Danielle, and their two cats, Theodore and Aiden.
