You might be asking, “Why do I need to understand threat hunter personas? What good will they do me?” Surprisingly, they do a lot! As mentioned in a previous post, threat hunter research has defined four key personas found in the industry. Each persona highlights the diverse skill sets and approaches within the threat hunting community, emphasizing the need for both technical acumen and strong interpersonal abilities. These personas can help communicate the important needs of threat hunters to the communities and organizations that support them. Personas bring the role of threat hunter to life.
This is the sixth post in our ongoing “The Rise of the Threat Hunter” blog series. To learn more about the series, check out the introduction here or read last week’s post, “Challenges of Being a Threat Hunter.” If you haven’t checked out the full report, I highly recommend you do! This blog series doesn’t do justice to the report’s details.
Meet the personas
Let’s start with an overview of each persona. Detailed personas can be found starting on page 11 of the UVic Report.
Olivia: The creative team lead
Traits: Collaborative, Creative, Toolkit Curator
Role: Olivia is the creative team lead who hunts proactively and excels in leadership, guiding her team, and curating toolkits. Their creativity and leadership skills make them an invaluable asset in developing innovative solutions and fostering a collaborative environment.
Why Olivia matters: Olivia’s ability to curate effective toolkits and lead her team ensures that threat hunting efforts are both efficient and effective. Their proactive approach helps in anticipating and mitigating threats before they escalate.
Jay: The analytical automation expert
Traits: Analytical, Problem Solver, Automation Expert
Role: Jay represents the analytical and automation-savvy newcomer, who approaches threat hunting with a problem-solving mindset and strong academic foundations.
Why Jay matters: Jay’s expertise in automation reduces the manual workload, allowing the team to focus on more complex tasks. Their analytical skills ensure that threats are thoroughly investigated and mitigated.
Thomas: The experienced cyberspace cowboy
Traits: Experienced, Intuitive, Self-Taught
Role: Thomas is the experienced, self-taught threat hunter, often referred to as the “Cyberspace Cowboy,” who uses intuition and vast experience to identify threats in smaller teams.
Why Thomas matters: Thomas’s extensive experience and intuition are crucial for tackling sophisticated threats. Their self-taught background provides a unique perspective that complements the team’s overall strategy.
Ren: The manager and client relations expert
Traits: Good Communicator, Client Relations, Manager
Role: Ren embodies the managerial role, overseeing the threat hunting team, ensuring effective communication and collaboration, and liaising with clients and organizational leadership. While not directly involved in daily threat hunting, Ren’s role is pivotal in ensuring smooth communication and coordination.
Why Ren matters: Ren’s ability to manage client relations and internal communication ensures that the threat hunting team has the support and resources they need. Their strategic oversight helps in aligning the team’s efforts with organizational goals.
Using personas to develop a stronger threat hunting team
Understanding strengths and weaknesses: By identifying the unique strengths and weaknesses of each persona, team leaders can assign tasks that align with individual capabilities. For example, Olivia’s leadership and creativity can be leveraged for team coordination and innovative problem-solving, while Jay’s analytical skills and automation expertise can be utilized for data analysis and tool development.
Enhancing collaboration: Recognizing the different working styles and communication preferences of each persona can improve team dynamics. Encouraging open communication and regular feedback helps ensure all team members, from the experienced Thomas to the newer Jay, feel valued and understood.
Targeted training and development: Personas can guide the creation of personalized training programs. Providing advanced forensics training for Thomas can enhance his intuitive hunting style, while offering leadership workshops for Olivia can further develop her team management skills.
Optimizing resource allocation: Understanding the specific needs and preferences of each persona allows for better resource allocation. Ensuring each persona has access to the tools and support they need can increase efficiency and job satisfaction. For example, providing Jay with the latest automation tools can boost his productivity and innovation.
Building a balanced team: Combining the diverse skills and perspectives of different personas creates a more balanced and resilient team. This diversity ensures that the team can handle a wide range of threats and challenges, from proactive threat detection to effective incident response.
Using personas to build better tools
Cybersecurity is a complex balance: Lifting the crushing weight of caseload from cybersecurity analysts requires a fine balance of process, detection logic, orchestration, and automation to minimize the human capital required to respond efficiently and adequately. Specialized tools that “automagically” detect threats in the system and automate preventative responses deal with only part of the battle – addressing known patterns. The other half involves the ever-shifting and unpredictable unknown threats. Threat hunters are catching what these tools aren’t. Until new threats are discovered, understood, and their attack dots connected by threat hunters, they cannot be incorporated into future detection and response systems or automated to reduce noise and improve security posture.
Building better gear starts with the athlete, not the shoes: Personas go beyond helping build a better team; they are also an essential tool for guiding the development of relevant and effective cybersecurity solutions. Like digital rock climbers, threat hunters are picking a path through mountains of data and grasping the smallest outcrop of signal. Acting as lead-climbing digital athletes, threat hunters perform with equipment historically designed with limited understanding of their unique challenges and working styles. Comprehensive knowledge of organizational challenges, tooling issues, and physical and mental limitations, as well as awareness of team dynamics, personal motivation, and individual style, all contribute to uncovering solutions that save energy and time with greater effectiveness. Without a complete picture of who these threat hunters are, vendors fail to deliver cyber solutions that lift threat hunters to be exceptional in their discipline.
Our cybersecurity design and engineering teams at OpenText use valuable data from these and other personas to build cybersecurity tools that enhance the end-user experience, enabling threat hunters to detect and stop threats faster than ever.
Diverse yet distinct: Although the current research revealed a range of diverse threat hunting personas, this is only the beginning of understanding what modern threat hunting looks like. The many backgrounds of education, career path, and experience across various industries highlight that diversity is key. Having team members with skills such as analytical and critical thinking, attention to detail, logical reasoning, knowledge and experience, and adaptability unlocks the ability for teams to overcome challenges and uncover hidden threats creatively and resourcefully.
Conclusion
Understanding threat hunter personas is not just about creating more effective teams; it’s about building a comprehensive framework that supports and enhances the capabilities of those on the front lines of cybersecurity. By recognizing the distinct traits and roles, organizations can better allocate resources, tailor training programs, foster a collaborative environment, and build solutions that maximize the strengths of each team member.
Not all threat hunters carry the title, and most have additional responsibilities reflecting the varied and often overlapping roles that contribute to threat detection and response. Principal consultants, platform engineers, security engineers, tech leads, and even CISOs wear many other hats. As a security consultant once told me, “We all do a little hunting.”
Learn more about OpenText Cybersecurity
Ready to enable your threat hunting team with products, services, and training to protect your most valuable and sensitive information? Check out our cybersecurity portfolio for a modern portfolio of complementary security solutions that offer threat hunters and security analysts 360-degree visibility across endpoints and network traffic to proactively identify, triage, and investigate anomalous and malicious behavior.