Today, we want to introduce to our readers one of the detection content authors whose name you can see on the SOC Prime Threat Detection Marketplace Leaderboards. Meet Roman Ranskyi, Threat Hunting/Content Developer Engineer at SOC Prime.
Roman, tell us a bit about yourself and your experience in cybersecurity.
I became interested in information security back in 2008, when I used to spend time on such cult forums of that time as hackzona, zloibiz, and antichat, and for some time I even moderated one of the forum threads. While studying in college, I worked as a sysadmin. I also taught Cisco CCNA laboratory classes and courses on the basics of practical information security.
Later, I started working at an integrator company as an engineer and presales for security solutions; I also dealt with all kinds of solutions: AV, DLP, NGFW, various sandboxes, and systems for protection from DDoS attacks. I got several certifications as the business required, Arbor and FireEye, and the second one really sparked my interest with the fascinating reports on their blog; the technologies looked revolutionary. I also took the stage at several closed conferences for partners and customers, where I tried to talk not only about our solutions but also about the techniques, methods, and vectors of attackers and grey markets. Some of the presentations are still available on my LinkedIn profile.
And how did your hobby grow into threat hunting?
I took a course in Certified Ethical Hacking, which I found rather theoretical and even boring because of the lack of practical tasks. I have always held the opinion that to know how to defend, you should know how to break. I had a habit of sitting far into the night in our lab, where we tested the solutions we presented to customers and tried out various real attack scenarios to study the reaction in detail and try to bypass the security measures. In between, I studied course materials from Offensive Security (PWK), SANS courses, and others.
After the system integrator company, I worked for a company where I dealt with development as a Senior Information Security Engineer. Then I joined SOC Prime as a Threat Hunting/Content Developer Engineer.
What is Threat Hunting for you?
Basically, threat hunting arises from Digital Forensics and Incident Response. It is about environment-wide insights and analysis. Threat hunting does not consist of incident investigation; it is a proactive search for known and unknown threats, so a threat hunter can't just sit and wait until something happens.
In your opinion, what are the necessary skills for a threat hunter?
On the one hand, you must think like an attacker: how can you achieve the goal, how can you bypass the Blue Team's measures and slip under the radar.
On the other hand, you should have an analytical way of thinking, knowledge of Big Data, and a good command of different instruments, though they are pretty alike.
To sum up, it is a mixture of Red Team and Blue Team skills.
Roman, is it possible to forecast attacks by different threat actors, and what would be your recommendation to improve defense against their tools? Examples would be great!
It is impossible to predict all threats. To a great extent, the success of an attack depends on knowledge of the subject area. And speaking about corporate infrastructure in general, where there is protection, there exists a circumvention.
Speaking about domain infrastructures, which are vital for big companies, the first thing is a good configuration, including hardening and extended audits. I like the Red Forest Design concept, and if you do everything right, you can spot almost all the steps and activities of an attacker.
Roman, tell us more about the Threat-Hunting type of Sigma rule: what is the main value of this tool, and how can it help organizations improve their detection capabilities?
The main value of Sigma is that you can stick to certain patterns of abnormal activity, which you can use as a pivot point for further deep diving and, as a consequence, confirm or reject the fact of suspicious activity.
In your opinion, can SOC Prime's Threat Bounty Program contribute to content and experience sharing within the cybersecurity community, and why is it important?
Threat Bounty is a perfect place with healthy competition to monetize your threat hunting experience. It inspires the search for various new detection methods for known and novel attacks.