Catch the latest newscast about the SOC Prime community! Today we want to introduce you to Kyaw Pyiyt Htet, an active member of our Threat Bounty Program. Kyaw joined the Program in Q3 2020 and swiftly became one of its most prolific authors, publishing a variety of Sigma, YARA, and Snort rules. You can browse Kyaw’s content, which consistently shows high quality and detection value, via the following link: https://tdm.socprime.com/?authors%5B0%5D=Kyaw+Pyiyt+Htet+%28Mik0yan%29
Kyaw, tell us a bit about yourself and your experience in cybersecurity.
Hello, I’m Kyaw Pyiyt Htet, from the Republic of the Union of Myanmar. I’ve already been working in the cyber-security field for 4 years, and my prominent focus of interest is cyber threat intelligence. The first time I stumbled upon a cyber-security topic was after the Edward Snowden case thundered across the global community. It was my starting point. I began to google, to dive in, and this search ended with the eLearnSecurity Threat Hunting Professional certification. That was followed by real practice as a threat hunter and analyst. My last place of employment was Telenor Myanmar. I worked there in a Digital Forensics and Incident Response position.
What are your top points of interest among threat types? Which types of threats are the most complicated to detect?
You see, geopolitical factors really matter in this case. First and foremost, I pay attention to Chinese-based hacker groups and state-sponsored actors, striving to learn as much as I can in this field. The reason is obvious: their activities might influence the digital routine in my country.
And chasing APTs is challenging. No doubt, it is the most complicated threat to detect. From my digital forensics experience, it is too immature to think you can thwart an adversary without proper planning and attacker skills. Threat actors will come back with new sophisticated techniques, so you need to constantly keep abreast, deepen your knowledge, and master the skills.
Was it difficult for you to develop your first Sigma rules? Which technical background is required to master Sigma?
SOC content production requires intense preparatory work. And it is true not only for Sigma but for any other threat detection rule. You should have a solid understanding of how the attack works in the background. Then, you can easily make it out. Otherwise, you don’t know where to start.
Actually, the research is the most time-consuming part. Many cyber activists know how to attack with PowerShell scripts or Metasploit. However, they lack knowledge of protocol and networking concepts. Honestly, sometimes I go back to TCP/IP and protocol basics to refresh my knowledge and be ready to conduct the research. And I’m not ashamed to say that.
In terms of Sigma rules development, I usually make templates from various resources. Most of my Sigma contributions to SOC Prime are based on the same templates with a few changes included.
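As an added example (not code from the interview, from SOC Prime, or from the author), here is a Sigma-style rule template of the kind described above, together with a minimal Python evaluator that runs it over a few constructed Sysmon-style process-creation events. The rule content, the hypothetical `mgmt-agent.exe` filter, and the event data are all assumptions for illustration; the evaluator implements only the `contains`/`startswith`/`endswith`/`re` modifiers and the `selection and not filter` condition shape, not the full Sigma specification.

```python
"""Minimal Sigma-style rule evaluator (added example; not SOC Prime's or Kyaw's code).

The rule below is an illustrative template built from the generic Sigma
skeleton (title / logsource / detection / condition). The events are
constructed, not real Sysmon telemetry.
"""
import re

# Illustrative template: PowerShell launched with an encoded command line,
# excluding a hypothetical in-house management agent as the parent process.
# Field names follow the Sigma process_creation logsource convention.
RULE = {
    "title": "Encoded PowerShell Command Line (template example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": [" -enc ", " -EncodedCommand "],
        },
        "filter": {
            # hypothetical whitelisted parent, assumed for the example
            "ParentImage|endswith": "\\mgmt-agent.exe",
        },
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Sigma string matching is case-insensitive; the 're' modifier is left as-is.
MODIFIERS = {
    "contains": lambda v, p: p.lower() in v.lower(),
    "startswith": lambda v, p: v.lower().startswith(p.lower()),
    "endswith": lambda v, p: v.lower().endswith(p.lower()),
    "re": lambda v, p: re.search(p, v) is not None,
}


def field_matches(event, key, patterns):
    """One 'Field|modifier: value(s)' entry; list values are OR-ed (Sigma semantics)."""
    field, _, mod = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    fn = MODIFIERS[mod] if mod else (lambda v, p: v.lower() == str(p).lower())
    return any(fn(str(value), str(p)) for p in patterns)


def block_matches(event, block):
    """All entries in a selection block are AND-ed (Sigma map semantics)."""
    return all(field_matches(event, k, v) for k, v in block.items())


def evaluate(rule, event):
    """Evaluate the rule against one event.

    Supports the condition shapes 'A' and 'A and not B', which cover the
    template above; anything else raises so it is not silently ignored.
    """
    det = rule["detection"]
    cond = det["condition"].strip()
    m = re.fullmatch(r"(\w+)(?:\s+and\s+not\s+(\w+))?", cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    sel, flt = m.group(1), m.group(2)
    hit = block_matches(event, det[sel])
    if hit and flt:
        hit = not block_matches(event, det[flt])
    return hit


# Constructed sample events in Sysmon EventID 1 style (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand ZQBjAGgAbwAgAGgAaQA=",
     "ParentImage": r"C:\Program Files\Corp\mgmt-agent.exe"},  # filtered by parent
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},  # no encoded command
]


def run(rule=RULE, events=EVENTS):
    """Return the indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


if __name__ == "__main__":
    for i in run():
        print(f"[{RULE['level']}] {RULE['title']}: event {i} -> {EVENTS[i]['CommandLine']}")
```

Only the first event fires: the second matches the selection but is suppressed by the parent-process filter, and the third never matches the selection. In practice a template like this is kept as YAML and converted to backend queries with the Sigma tooling (for example sigma-cli / pySigma); a throwaway evaluator of this kind is useful for checking that the selection and filter logic behave as intended on sample data before the rule is submitted for review.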
How did you learn about the Threat Bounty Program? Why did you decide to join?
I’m living in a third-class country. Sadly, cyber-security is a rare career in Myanmar, so I don’t have many opportunities for professional growth here. During the pandemic, we can’t go outside the country; therefore, employment abroad is almost impossible. I was very excited when I came across SOC Prime’s Threat Bounty. I immediately decided to join to sharpen my axe, learn new things, and team up with the cross-border community of threat hunting enthusiasts.
What do you think is the biggest benefit of the SOC Prime Threat Bounty Program?
Along the way with the SOC Prime Threat Bounty Program, I gained tremendous experience in writing threat detection rules effectively. Definitely, SOC Prime feedback is a treasure for me, because an experienced team carefully reviews my rules before publishing. It’s a great opportunity to grow and master, with some kind of supervision provided by the team.
Enjoy threat hunting and want to develop your own Sigma rules? Join our Threat Bounty Program for a safer future!
Read more interviews with content developers on our blog: https://socprime.com/en/tag/interview/