We are starting a series of interviews with participants of the Developer Program (https://my.socprime.com/en/tdm-developers) to introduce you to these wonderful people who search the web for relevant threats and create unique content for their detection. Meet Lee Archinal!
Hello Lee, hope you are inspired enough today to write a bit about yourself and your experience with the Developer Program.
Grab a coffee and please tell me a bit about your cybersecurity experience.
My cybersecurity experience began in 2015, when I left my previous position as a Junior Network Administrator. A very good friend of mine heard that I was looking for the next step in my career and introduced me to life as a Security Analyst working in a Security Operations Center. Since then I have never looked back! I started as a level I analyst simply responding to use-case events when I stumbled across Sysmon, which gave my career focus and a path. I started researching and testing Sysmon on my personal laptop, then moved to a test group at my organization, and eventually ended up deploying Sysmon enterprise-wide, and I was given the title (responsibility) of end-point SME (still trying to live up to that title). Since then I have also been given the responsibility to begin creating content around end-point detection, which led me to SOC Prime. Then the road took another turn when I stood up a malware lab at work and began to detonate and analyze different pieces of malware and different attack techniques (Red Tests). That brings us to where I stand today, and my goal is to become a more well-rounded analyst and attempt to gain expertise in more than just end-points.
Please tell us about Sigma: what was your first experience with Sigma, and when did you start using it?
I began researching Sigma in 2017. A fellow analyst had returned from a security conference and told me I should look into SOC Prime as well as the Sigma language. Once I learned what SOC Prime offered, mainly the Threat Detection Marketplace, I was hooked. I was continuing to research Sigma when Jordan Camba reached out to me. We discussed SOC Prime capabilities and how Sigma could be a powerful tool when designing content. Once I got the main idea and a little bit of experience, I began designing content for my SOC strictly in Sigma. This would give us future flexibility when it comes to which SIEM we use AND it gave me a lot of experience in developing in the Sigma language.
What about your experience with Sigma UI? Do you have any ideas on how to make it more useful/convenient for developers?
Since I started writing in Sigma at the beginning of 2018, I have created many pieces of content using it. My SOC now has a nice repository of the rules that I created, in case we ever switch SIEMs and need to maintain the content that we still have. The only thing that I can think of to increase convenience for developers is either possible cheat sheets regarding the field mappings from Sigma to other SIEMs (mainly for a junior analyst or researcher, such as myself, who does not have much experience outside of two SIEMs) or, on the Uncoder.io site, maybe providing drop-downs or tabs to give developers possible ideas of what fields could be used. Personally, I have really stuck with the fields that I know, but in the future I want to learn more.
How long does it take you to create one rule?
Depending on what my source is, I can create a rule in anywhere from under 10 minutes (this would be from a report that is VERY analytic) to over 4 hours. The rules that take me hours to create are the ones where my source is a piece of malware that I have downloaded from a source such as the Any.Run site. I will pull down multiple pieces that are the same type and detonate them in a sandbox and a malware lab. This way I can take the sandbox results, compare them to the manual results, and find the common processes and actions. Once I feel comfortable with my results (hours later), I write the rule in Sigma and then translate it to the SIEM of choice. I then wipe all the data, run the malware again from a snapshot, and test my Sigma translation to determine if it can find the results I expect. If it does, I publish it; if not, I start all over.
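The workflow Lee describes above (write the detection in Sigma, translate it to the SIEM's field names, then replay the detonation and check that the translated rule fires) and the field-mapping cheat sheet he wishes for in the previous answer can both be illustrated with a small matcher. The code below is an added example written for this page, not Lee's or SOC Prime's code and not Uncoder.io: it represents one Sigma-style Sysmon rule as a Python dict instead of YAML, evaluates it against a handful of constructed Sysmon Event ID 1 (process creation) records standing in for sandbox output, and renders the same rule as a query for a hypothetical SIEM using a constructed field map. The rule, the field names on the SIEM side, and the query syntax are all assumptions made for the example.

```python
"""Added example: evaluate and translate a Sigma-style Sysmon detection.

Not Lee Archinal's or SOC Prime's code. Rule, events, field map and the target
query syntax are all constructed for illustration.
"""

# Constructed Sigma-style rule, expressed as a dict so it runs without a YAML parser.
# It flags an executable started from a user's Temp folder, unless the parent is
# msiexec.exe (a common benign installer pattern used here only as a filter example).
RULE = {
    "title": "Executable launched from a user Temp directory (example)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {
            "EventID": 1,
            "Image|contains": "\\AppData\\Local\\Temp\\",
            "Image|endswith": ".exe",
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed mapping from Sigma/Sysmon field names to a hypothetical SIEM schema.
FIELD_MAP = {
    "EventID": "event_id",
    "Image": "process.path",
    "ParentImage": "process.parent.path",
}

# Constructed Sysmon events standing in for the sandbox run (not real telemetry).
SANDBOX_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\lee\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                          # should match
    {"EventID": 1, "Image": r"C:\Users\lee\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},                  # filtered out
    {"EventID": 3, "Image": r"C:\Users\lee\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                          # wrong EventID
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                          # wrong path
]


def _match_field(event, key, expected):
    """Apply one Sigma field test ('Field' or 'Field|modifier') to an event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = str(value).lower(), str(expected).lower()  # Sigma is case-insensitive
    if modifier == "":
        return value == expected
    if modifier == "contains":
        return expected in value
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_block(event, block):
    """All field tests inside one detection block are ANDed together."""
    return all(_match_field(event, k, v) for k, v in block.items())


def rule_matches(rule, event):
    """Evaluate the rule against a single event (supports 'selection and not filter')."""
    det = rule["detection"]
    if det["condition"] != "selection and not filter":
        raise ValueError("only 'selection and not filter' is implemented in this example")
    if not _match_block(event, det["selection"]):
        return False
    return not ("filter" in det and _match_block(event, det["filter"]))


def matching_indexes(rule, events):
    """Indexes of events the rule fires on; the check run after a detonation replay."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


# Hypothetical SIEM operators for each Sigma modifier (constructed syntax).
_OPS = {"": "=", "contains": "CONTAINS", "endswith": "ENDSWITH", "startswith": "STARTSWITH"}


def _render_block(block, field_map):
    parts = []
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        parts.append(f'{field_map[field]} {_OPS[modifier]} "{expected}"')
    return " AND ".join(parts)


def translate(rule, field_map):
    """Render the rule as a query string using the SIEM's own field names."""
    det = rule["detection"]
    query = _render_block(det["selection"], field_map)
    if "filter" in det:
        query += f" AND NOT ({_render_block(det['filter'], field_map)})"
    return query


if __name__ == "__main__":
    print("fires on events:", matching_indexes(RULE, SANDBOX_EVENTS))
    print(translate(RULE, FIELD_MAP))
```

Run as a script, the matcher reports that only the first constructed event fires, which is the result a replayed detonation should reproduce before the rule is published; the translated query shows how a per-SIEM field map turns the Sysmon names (`Image`, `ParentImage`) into the target schema without touching the detection logic.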
How do you decide what rule to create?
I really don't decide; I let the internet decide. I keep up with security websites and their reports, and if I read about a new malware, I do my best to find a sample or an analytic report and create it. Once I have exhausted these reports (this rarely happens), I then turn to the SOC Prime Threat Detection Marketplace. After Jordan introduced me to the RedCanary Red tests, my goal is to create content that reflects the blue team side of those red tests. My main log, for now, is Sysmon, so a lot of my content will be end-point detection content.
What do you think: can the Developer Program help organizations worldwide improve their cybersecurity?
This is an easy "Yes". The Developer Program is offering an open seat to developers around the world with different levels of experience to help keep up with the malicious actors. A seat in the Developer Program is not just an honor, but really a responsibility to security teams and organizations around the world, and should not be taken lightly.
You can explore the detection content developed by Lee Archinal here.
Interviews with other participants in the Threat Bounty Program: https://socprime.com/tag/interview/