SOC Prime is presenting another interview with a participant of the SOC Prime Threat Bounty Developer Program (https://my.socprime.com/en/tdm-developers). We want to introduce to you Den Iuzvyk who published 60+ community rules of the highest quality and detection value during six months of his participation in the Threat Bounty Program.
Read more interviews with content developers on our blog: https://socprime.com/en/tag/interview/
Tell us a bit about yourself and your experience in threat-hunting.
My name is Den Iuzvyk, I’m from Kyiv, Ukraine, and I am 34 years old. I am CTO in a company called Simplerity.
I started my career in 2003 as a software developer. I got interested in cybersecurity in 2015. Later on, I became a co-founder of a company where we created a platform for log analysis and threat hunting. I created various malware detection tools, automated attacks simulators, checked the modern-day detection systems for weaknesses.
Den, what is the difference between threat hunting and threat detection?
Threat hunting is a part of the threat detection process that is focused on the proactive detection of threats that filtered through existing security and alarm systems. Threat detection is a set of actions that aim at the detection of threats on each stage of their lifecycle.
In your opinion, what makes Sigma such an efficient instrument for threat-hunting?
Sigma is the ideal choice for a threat-hunter because its high-level format enables using, storing, and sharing analytics without being bound to any particular backend. Sigma helps to put aside the field names in logs and focus on results. My favorite part of Sigma is “references” – the source that inspired the author to create the detection.
Which skills are necessary to develop Sigma rules for threat-hunting?
First of all, it is the analytical approach in data processing. Because you should spot the patterns which you can use for creating effective detections.
The second skill is knowing the attackers’ TTP.
The third point is a good command of the internal arrangement of operating systems.
The fourth one is the understanding of network security and data security.
Which types of threats are the most complicated to detect? Den, maybe you can give an example from real life?
The hardest thing to detect is rootkits. The next one is signed drivers which were released with bugs that allow exploiting and working directly in kernel mode and as a result, a fraudster can bypass security systems. Then come the threats with .NET Framework(AppDomainManager and assembly loading). But what can keep us happy is the growth of understanding of probable threat vectors, and as a result, there appear new visibilities like integration AMSI with .NET version 4.8, and ETW (Event Tracing for Windows)
What do you think is the biggest benefit of SOC Prime’s Threat Bounty Program?
From the detection rule creator’s perspective, Threat Bounty Program presents customers’ needs and allows deep dive into research where you get knowledge and experience, and get awarded by SOC Prime.
Data leakage is a very common problem for many organizations now, which measures do you think could be the most efficient to avoid data breach (if it is not caused by irresponsible employees)
It depends on the chosen strategy which may differ depending on the company type. But the following steps are essential:
Assessment of the current security system, troubleshooting the vulnerability areas.
Data classification. It is highly important to know where and what information is stored. Not all the information needs to be protected.
Access classification. It is essential to know who has access to the information, both physical and network.
Continuous monitoring. Collection and analysis of logs received from data storage and workstations.
Educating and timely informing the personnel.
Encryption. All the stored and transferred data must be encrypted.
As an experienced threat hunter, what do you think should be #1 priority for organizations that want to build a robust cyber defense? (and why)
Enabling MFA 🙂 In my opinion, first of all, you should understand the importance of each step. There is no magic silver bullet, it is a continuous process. The proactive approach would be the best choice here, though it is rather expensive at the beginning but is most cost-effective in the future. The priority in the development of a cybersecurity approach for a company is defining the business-critical assets that the entire business operation depends on.