We keep interviewing the members of the Threat Bounty Program (https://my.socprime.com/en/tdm-developers), and today we want to introduce you to Emir Erdogan. Emir has been participating in the program since September 2019 and has 110+ Sigma rules published to his name; he also publishes YARA rules to detect current threats. His rules are often found in our blog posts: Rule Digests, Threat Hunting Content, and Rule of the Week.
Emir, tell us a bit about yourself and your experience in cybersecurity.
After I graduated from university in 2015, I started working as a Business Analyst at the OS project (Pardus) that is supported by the government.
Then I changed my job because I wanted to improve myself as a cybersecurity specialist. I have worked in many different areas of cybersecurity: as a SIEM Engineer, a SOC operations specialist, and a project member building Information Security and Management Systems at a civil aviation company in Turkey.
Now I am still working as a SOC analyst and SOC Team lead at one of the most important companies in Turkey.
How much time did it take you to master Sigma rules writing? Which technical background is required to master it? And how much time do you need on average to write a new IOC Sigma rule and a threat-hunting Sigma rule?
I have been writing Sigma rules for 6 months. Actually, it is necessary to write a lot of Sigma rules for different log sources to become a master. In my opinion, it is not about the time. The log types of different OSes and security products must be known by anybody who wants to master Sigma.
The time required to write a Sigma rule depends on the complexity of the rule. Generally, if a Sigma rule is more complex and includes different log types, it takes about half an hour.
Which types of threats are the most complicated to detect? Emir, maybe you can give an example from real life?
Everybody knows that some kinds of malware, like rootkits, are really difficult to detect. However, the use of evasion techniques and obfuscation methods has recently increased, and some of them can be complicated to detect. Therefore, I want to mention these techniques.
Traditional detection tools can be easily defeated by obfuscated malware and files. I am sure that every cybersecurity specialist has encountered obfuscated PowerShell scripts or malware. It is not easy to analyze these files.
There are many evasion techniques to bypass security controls. For example, lots of people have encountered Bitcoin extortion blackmail. The emails say that they hacked into your computer and recorded you visiting adult websites. They threaten to distribute the video to your friends and family within hours unless you pay into their Bitcoin account. The most effective solution is to write content filtering rules on a secure mail gateway to protect against these kinds of emails. Even if the rule is written according to some keywords like "bitcoin" and "hack", attackers can send their blackmail text as an attachment, a password-protected PDF, or an image file in the body. So, they bypass the content filtering rules in this way.
The pandemic is another challenge for a cybersecurity practitioner. Tell us how it influenced your everyday work. Maybe you can share home lifehacks with us?
It can be said that I am working harder now because cyberattacks are increasing with each passing day. For instance, the number of phishing attacks related to cargo delivery companies and COVID-19-themed campaigns has increased.
As in the whole world, I continue my work at home. I don't think that it's a problem for cybersecurity experts, because we love to be at home in front of our computers.
I hope I have not observed any negative effects yet other than sociological ones. Thanks to this question, I wish everyone a healthy life.
Which tools are the most commonly used by different threat actors and what would be your recommendation to improve defense against those tools? Examples would be great!
Actually, there are many common tools used by different threat actors.
I think PowerShell would be a great example. It is legitimate and really powerful. Not only attackers but also most system administrators need PowerShell and generally use PS scripts to do their daily jobs. For this reason, it is difficult to understand whether it is used for malicious purposes; however, there are some clues to detect malicious activities. If PowerShell is not necessary to do a job, please disable it. If it is necessary, PowerShell logging must be enabled and monitored by the SOC. PowerShell SIEM rules should be written and should always be enriched.
Apart from PowerShell, webshells are commonly used by different threat actors. Webshells are malicious scripts that are uploaded to a target and used to remotely access compromised servers. It is known that the webshell is one of the most common and effective backdoors. Attackers first exploit a vulnerability on a web server to upload a webshell, or they can upload it from a different server/host that was compromised before. Therefore, the most important thing is to ensure that all servers/hosts are up to date with security patches. With the Sysmon logs of all web servers being monitored, you can develop correlation rules to detect webshells. There are lots of Sigma rules on TDM to detect webshells. I want to give a quick example. If the IIS process (w3wp.exe) calls cmd.exe, this should be tagged as suspicious and analyzed by a SOC analyst.
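The w3wp.exe-calls-cmd.exe heuristic above, written out as an added example (not one of Emir's published rules and not SOC Prime's code): a Sigma-style process_creation selection held as a Python dict, a minimal evaluator for the `endswith`/`startswith`/`contains` modifiers and a single-selection `condition`, and a handful of constructed Sysmon Event ID 1 records to run it over. The rule, field names and sample paths are assumptions for illustration; the fourth event shows the usual false-positive caveat, since IIS legitimately spawns csc.exe to compile ASP.NET pages.

```python
"""Toy Sigma-style matcher for the "IIS worker process spawns a shell" heuristic.

Added example, not an original rule from the interview or SOC Prime's code.
The rule mirrors the shape of a Sigma process_creation rule; the events below
are constructed for this example, not captured from a real host.
"""

# Hypothetical rule, structured like a Sigma rule (Sysmon Event ID 1 fields).
WEBSHELL_RULE = {
    "title": "IIS Worker Process Spawning Shell",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\w3wp.exe",
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        "condition": "selection",
    },
    "level": "high",
}


def _field_matches(event, key, expected):
    """Evaluate one selection entry of the form "Field" or "Field|modifier".

    Sigma string matching is case-insensitive by default; a list of values
    means any one of them may match (OR).
    """
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        c = str(cand).lower()
        if modifier == "endswith" and value.endswith(c):
            return True
        if modifier == "startswith" and value.startswith(c):
            return True
        if modifier == "contains" and c in value:
            return True
        if modifier == "" and value == c:
            return True
    return False


def selection_matches(event, selection):
    # Every entry in a selection map must match (AND across fields).
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Only 'condition: <one selection name>' is supported by this toy evaluator."""
    detection = rule["detection"]
    name = detection["condition"].strip()
    return selection_matches(event, detection[name])


def find_alerts(rule, events):
    """Return the EventRecordIDs of the events that trigger the rule."""
    return [e["EventRecordID"] for e in events if evaluate(rule, e)]


# Constructed Sysmon process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventRecordID": 1,
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventRecordID": 2,  # interactive user shell, parent is explorer.exe
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"EventRecordID": 3,
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    {"EventRecordID": 4,  # benign: IIS compiling an ASP.NET page
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "CommandLine": "csc.exe /noconfig ..."},
]

if __name__ == "__main__":
    for rid in find_alerts(WEBSHELL_RULE, SAMPLE_EVENTS):
        print(f"[{WEBSHELL_RULE['level']}] {WEBSHELL_RULE['title']}: EventRecordID={rid}")
```

Events 1 and 3 fire; event 2 is a normal user shell and event 4 is the routine csc.exe child of w3wp.exe, which is exactly why the selection keys on the child image rather than on "any child of w3wp.exe". In production the same selection would be converted by sigmac/pySigma into the SIEM's native query language rather than evaluated by hand.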
Lots of threat-detection content contributed by you to Threat Detection Marketplace is available free of charge and helps cybersecurity specialists from all over the world to detect threats. What motivates you to share your content with the community?
Attackers are always one step ahead. Therefore, it is necessary to learn their methods, tactics, and techniques to prevent their attacks.
In my opinion, sharing intelligence and knowledge between researchers and institutions is very important to prevent cyber attacks and prevent any material and moral losses.
Actually, as I see that some groups attack hospitals during the pandemic and attackers benefit from people's panic, I get more motivated to share my content with the community.
Emir, what do you think is the biggest benefit of SOC Prime Threat Bounty Program?
There are many benefits of the Threat Bounty Program for companies and developers. Developing new SIEM rules by following new threats is a big challenge for all companies. With the help of the Threat Bounty Program, companies can access many detections for specific and current threats. This content can be easily implemented in a SIEM solution. In addition, developers follow new threats and develop new content. This program offers a big opportunity for developers to publish their content, improve themselves, get rewarded, and be honored by SOC Prime.
Read more interviews with participants in the Threat Bounty Program on our blog: https://socprime.com/en/tag/interview/