Tell us a bit about yourself and your experience in threat-hunting.
Hello, I’m Osman Demir. I live in Istanbul, Turkey, and I’m 25 years old. I completed my education in Computer Engineering in 2017, and I work as a Security Engineer at a private institution.
I have been doing threat hunting for 2 years. I work in a SOC team on the detection of current threats and their integration.
I follow the latest news on threat hunting worldwide, research the methods of attack groups, and develop detection rules. I do my best to keep pace with the attack groups.
What is the difference between threat hunting and threat detection?
Threat hunting is the process of detecting an attack that appears to be a threat to the institution as early as possible, before it is fully successful. The human factor is more important in threat hunting.
Threat detection covers the overall process of detecting an attack. It is necessary to have a good command of threat detection products and to check the logs in the system carefully.
In your opinion, what makes Sigma such an efficient instrument for threat-hunting?
Sigma offers people a universal language. In this way, Sigma rules can be easily integrated into SIEM systems, no matter which product is used.
Institutions can easily share the detection rules for the attacks they have identified with other institutions, regardless of the product.
Thanks to the simple and flexible structure of Sigma, comprehensive rules can be written.
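The following is an added example, not part of the interview and not code from Osman Demir or SOC Prime: it shows in working Python what "a universal language" means in practice. One small Sigma-style rule (constructed here, in its parsed YAML-to-dict form) is evaluated against constructed Sysmon process-creation events, and the same rule is rendered as a query for two different products, Splunk SPL and Sentinel/Defender KQL. The rule content, the events, and the excluded "VendorTool" path are assumptions made for illustration; the evaluator implements only a subset of Sigma (the contains/startswith/endswith modifiers, list values and and/or/not conditions) and is not the pysigma/sigma-cli tooling.

```python
"""Evaluate a Sigma-style rule against Sysmon events and render it as a query for two SIEMs.
Example code added for this page, not pysigma/sigma-cli; it supports only a Sigma subset
(contains/startswith/endswith modifiers, list values, and/or/not conditions)."""

# Constructed rule in parsed (YAML -> dict) form; the equivalent YAML detection block is:
#   selection:
#     Image|endswith: ['\powershell.exe', '\pwsh.exe']
#     CommandLine|contains: ['-enc ', '-EncodedCommand ']
#   filter:
#     CommandLine|contains: 'C:\Program Files\VendorTool\'   # hypothetical vendor tool path
#   condition: selection and not filter
RULE = {
    "title": "Encoded PowerShell Command Line (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-EncodedCommand "],
        },
        "filter": {"CommandLine|contains": "C:\\Program Files\\VendorTool\\"},
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields the rule uses.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},          # should alert
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell.exe -enc UwB0AGEA -File "C:\\Program Files\\VendorTool\\agent.ps1"'},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand VwByAGkA"},                     # should alert
]

def _as_list(values):
    return values if isinstance(values, list) else [values]

def _value_matches(mod, wanted, actual):
    a, w = str(actual).lower(), str(wanted).lower()  # Sigma string matching is case-insensitive
    return {"": a == w, "contains": w in a,
            "startswith": a.startswith(w), "endswith": a.endswith(w)}[mod]

def selection_matches(selection, event):
    """Every field in a selection must match (AND); a list of values for a field is an OR."""
    for spec, values in selection.items():
        field, _, mod = spec.partition("|")   # 'CommandLine|contains' -> field, modifier
        if field not in event or not any(_value_matches(mod, v, event[field]) for v in _as_list(values)):
            return False
    return True

def eval_condition(condition, results):
    """Evaluate e.g. 'a and not b or c' with precedence not > and > or."""
    def term(t):
        t = t.strip()
        return not results[t[4:].strip()] if t.startswith("not ") else results[t]
    return any(all(term(t) for t in conj.split(" and ")) for conj in condition.split(" or "))

def rule_matches(rule, event):
    det = rule["detection"]
    results = {n: selection_matches(s, event) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], results)

def matching_indices(rule, events):
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]

# The same rule rendered for two products: Splunk SPL (wildcards) and Sentinel/Defender KQL.
def _escape(value):
    return str(value).replace("\\", "\\\\").replace('"', '\\"')

def _splunk_clause(field, mod, value):
    v = _escape(value)
    return f'{field}="' + {"": v, "contains": f"*{v}*", "startswith": f"{v}*", "endswith": f"*{v}"}[mod] + '"'

def _kql_clause(field, mod, value):
    op = {"": "=~", "contains": "contains", "startswith": "startswith", "endswith": "endswith"}[mod]
    return f'{field} {op} "{_escape(value)}"'

BACKENDS = {"splunk": (_splunk_clause, "AND", "OR", "NOT"), "kql": (_kql_clause, "and", "or", "not")}

def to_query(rule, backend):
    clause, AND, OR, NOT = BACKENDS[backend]
    det = rule["detection"]
    rendered = {}
    for name, sel in det.items():
        if name == "condition":
            continue
        parts = []
        for spec, values in sel.items():
            field, _, mod = spec.partition("|")
            parts.append("(" + f" {OR} ".join(clause(field, mod, v) for v in _as_list(values)) + ")")
        rendered[name] = "(" + f" {AND} ".join(parts) + ")"
    words = {"and": AND, "or": OR, "not": NOT}   # substitute names and operators token by token
    return " ".join(rendered.get(tok, words.get(tok, tok)) for tok in det["condition"].split())

if __name__ == "__main__":
    print("matching events:", matching_indices(RULE, EVENTS))   # [0, 3]
    for backend in BACKENDS:
        print(f"{backend}: {to_query(RULE, backend)}")
```

Two things the example omits that the real tooling handles: sigma-cli with its pysigma backends also applies per-product field-name mappings (a Sysmon `Image` field is not called the same thing in every SIEM), and the exclusion in the filter is what keeps a rule like this from paging the SOC every time a legitimate tool launches encoded PowerShell, so such filters need to be kept narrow and reviewed as the environment changes.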
What skills are necessary to develop Sigma rules for threat-hunting?
First of all, it is necessary to be curious and to be a researcher. Trending threats should be researched and detection methods extracted from them. Sysmon and Auditd logs should be well known. Web access logs must be mastered to detect attack vectors that appear on the web side. In general, log sources must be mastered.
What types of threats are the most complicated to detect? Maybe you can give an example from real life?
The most difficult to detect are 0-day threats. Since no information is published for a 0-day attack, one cannot form an idea of the event records it produces; only predictive detection methods can be written.
To give an example from daily life, a detection method could not be written for the SMBv3 RCE (CVE-2020-0796) attack; only predictive detection rules could be written.
What do you think is the biggest benefit of SOC Prime’s Threat Bounty Program?
To give an example from my own experience, SOC Prime’s Threat Bounty Program helps me maintain my identity as a researcher.
It is an honor to know that your rules help companies’ cybersecurity processes.
The most important part is that you can make money from this program.
Data leakage is a very common problem for many organizations now. Which measures do you think could be the most efficient to avoid a data breach (if it is not caused by irresponsible employees)?
For the most effective detection methods here, you should use a DLP product and record users’ outbound traffic as full packet data. In this way, you can analyze the packets that leave and improve the detection rules.
Critical data (personal information, customer data) should be well monitored, and unauthorized access or access at abnormal hours should always be questioned.
As an experienced threat hunter, what do you think should be the #1 priority for organizations that want to build a robust cyber defense? (and why)
Strong cyber security should consist of an active community of people. This can be made possible by bringing together researchers and developers.
Investments in products do not make sense unless they are also made in human education.