At DefCamp we had the chance to sit down with Panagiotis Antoniou – a passionate cybersecurity professional with 5 years of experience across the Information Security and Banking sectors. Currently working as a Security Analyst @ Google (Mandiant), he spends his time actively hunting threats and uncovering malicious activity across complex systems.

Over the years, Antoniou has built a strong foundation through roles such as Cyber Analytics Developer, Threat Hunting Analyst, and Incident Response Analyst, bringing a well-rounded perspective to his current work on the front lines of cyber defense.
We invite you to read the interview where he shares insights from his journey, thoughts on threat hunting, and valuable advice for anyone looking to break into the field.
1. As a Cyber Analytics Developer, what specific tools and techniques do you use to analyze and detect cyber threats, and how do you ensure that the analytics remain relevant as threats evolve?
On a daily basis I use a variety of tools to help me analyse, investigate and remediate threats. For an efficient analysis, a Security Information and Event Management (SIEM) product such as Google Security Operations is highly recommended so that review of the available data is done easily. By using the SIEM of choice, common methodologies such as anomaly and Indicator of Compromise (IoC) detection can be leveraged to identify the presence of malice in the environment. Lastly, in order for the analytics to remain relevant with current threats, an analyst needs to monitor and stay informed with current trends in the industry.
2. Can you describe the methodologies you follow in threat hunting? How do you prioritize the types of threats or adversaries you focus on, and how do you continuously refine your approach?
During a Threat Hunt, I primarily focus on using Intelligence- or Data-driven methodologies to uncover any threats. Intelligence-based threat hunts allow you to have some quick wins over detecting malice in the environment, while Data-driven allows you to get any anomalies that stand out which have not yet been shared across the intelligence community. When deciding which security threats to prioritize for detection, several factors must be taken into account. This includes the impact and criticality a threat would have on an organization’s operations, as well as the likelihood of it occurring. Last but not least, staying informed with the current threat landscape allows the adaptation of any new methods into the detection rules.
3. What are the key differences between using traditional signature-based detection methods versus behavioral analytics when hunting threats, and what tools do you consider essential in each case?
Traditional signature-based detection methods allow the identification of threats by using known artifacts that malware or threats have left behind during their presence in the environment. On the other hand, behavioral analytics focus on identifying any anomalies in the environment that stand out from normal behaviour, which prompts an analyst to investigate further. While the first method can be easily achieved by placing detections on the host itself, the latter requires the activity, or the logs to be in a centralized location to perform analytics on them. Security information and event management (SIEM) products like Google Security Operations can be used to easily apply these two methods.
4. How do you collaborate with other teams, such as Incident Response or Threat Intelligence, to develop a comprehensive understanding of emerging threats? Can you provide an example of a successful cross-team effort?
Collaboration across different Cyber security teams is crucial when it comes to identifying and remediating emerging threats. One recent example was the identification of the threat actor group UNC4990. The active collaboration and monitoring between the different teams helped in keeping up with the fast changes the threat actor was adopting during the campaign. The information collected during the analysis of these operations helped identify and remediate additional points of compromise, gain deeper understanding of the attacker TTPs, and effectively disrupt the attack chain.
5. In an Incident Response (IR) scenario, how do you balance speed with thoroughness when investigating and mitigating a cyber incident? What challenges do you typically face during the first 24 hours of an active incident?
One of the main challenges in the first few hours of an incident is identifying and collecting key information that will help eliminate the threat in the environment. Automating the collection of such key evidence helps with making the right decisions on containing and remediating the threat as fast as possible. In the initial hours of an incident, it’s important to understand the TTPs being observed and the scope of access which an attacker may have. Containment and remediation actions without this understanding can lead the attacker to pivot TTPs and hide their tracks deeper within the environment.
6. With the rapid evolution of threat tactics, what are some of the most significant trends you’re seeing in terms of adversarial behavior? How do you adapt your threat-hunting and IR strategies to address these changes?
Over the years, adversaries have been heavily adapting their techniques to avoid getting detected by traditional security controls. This consists of a combination of methods including using legitimate binaries that already exist on the compromised system to achieve their purpose, and the use of obfuscated or encrypted payloads to avoid static detection by tools. Detecting such activity requires initially establishing a known baseline of execution of such tools in the environment and, in the event of an anomaly, validating the legitimacy of their execution.
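An added example (not code from the interview, nor from Google Security Operations) of the two hunt methodologies described in answers 2 and 6: intelligence-driven matching of process launches against a known IoC list, and data-driven baselining of which users and parent processes launch a given binary on each host, flagging executions that deviate. The hosts, users, events and hashes are constructed placeholders.

```python
"""Baseline-and-anomaly hunt over process launch events (added example).

Intelligence-driven: flag any launch whose file hash is a known IoC.
Data-driven: learn, per (host, binary), which (user, parent) pairs launched it
during a clean baseline window, then flag hunt-window launches that are new.
All events, hostnames and hashes below are constructed for illustration.
"""
from collections import defaultdict

# Constructed baseline window: (host, user, parent, binary) seen while clean.
BASELINE_EVENTS = [
    ("ws01", "alice", "explorer.exe", "powershell.exe"),
    ("ws01", "alice", "explorer.exe", "outlook.exe"),
    ("ws02", "bob", "explorer.exe", "powershell.exe"),
    ("srv01", "svc_backup", "schtasks.exe", "powershell.exe"),
]

# Constructed hunt window; placeholder hashes, not real IoCs.
HUNT_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe",
     "image": "powershell.exe", "sha256": "HASH_A"},
    {"host": "ws02", "user": "bob", "parent": "winword.exe",
     "image": "powershell.exe", "sha256": "HASH_A"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe",
     "image": "certutil.exe", "sha256": "HASH_B"},
]

# Constructed IoC set for the intelligence-driven pass.
KNOWN_BAD_HASHES = {"HASH_B"}


def build_baseline(events):
    """Map (host, binary) -> set of (user, parent) pairs observed launching it."""
    baseline = defaultdict(set)
    for host, user, parent, image in events:
        baseline[(host, image)].add((user, parent))
    return baseline


def hunt(events, baseline, iocs):
    """Return (event, reason) findings; each finding needs analyst validation."""
    findings = []
    for ev in events:
        if ev["sha256"] in iocs:                      # intelligence-driven hit
            findings.append((ev, "ioc_match"))
            continue
        seen = baseline.get((ev["host"], ev["image"]))
        if seen is None:                              # binary never ran here
            findings.append((ev, "binary_never_seen_on_host"))
        elif (ev["user"], ev["parent"]) not in seen:  # new lineage for it
            findings.append((ev, "new_parent_or_user"))
    return findings
```

Findings are leads to validate against change records or the user, as the answer above describes, not verdicts.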
7. How do you view the role of automation in Incident Response? Are there any specific tools or frameworks you’ve used to automate and orchestrate responses to certain types of incidents?
Automation in Incident Response is imperative. Having the right tools and information in place, ready to be analysed when an incident occurs, is vital to remediating the existence of threats in an environment as fast as possible to avoid a bigger impact. This includes, but is not limited to, auto-containment of hosts (where possible and needed), auto-acquisition of files related to the alert, as well as auto-acquisition of additional data sources that would aid with the investigation.
8. Looking ahead, how do you see the role of a Cyber Analytics Developer or Threat Hunting Analyst evolving over the next 5 years? What skills or areas of knowledge should aspiring analysts focus on to stay ahead in the cybersecurity field?
The cyber security landscape is constantly shifting, and artificial intelligence (AI) will become crucial for threat analysis and detection in the coming years. To effectively identify and address these threats, security analysts must learn how to leverage AI agents. While there’s still progress to be made in this area, understanding the application of AI agents in cyber security is essential.