Today, we want to introduce to our readers one of the new authors of detection content on Threat Detection Marketplace. Meet Sittikorn Sangrattanapitak, an active member of the SOC Prime Threat Bounty Program.
Tell us a bit about yourself and your journey as a cybersecurity professional.
My name is Sittikorn. I’m from Thailand. I have been interested in cybersecurity since I was at university. I started my job in this field as an Information Security Engineer. I provided customers with support for security solutions such as WAF, NGFW, and SIEM. I was especially interested in the SIEM solution because it aggregates relevant data from multiple sources and multiple products and then correlates many events to identify deviations from normal activity. When I changed my job, I worked at a local MSSP. Then, back in 2016, I first heard about SOC Prime when I was looking for a hunting package for ArcSight. I worked in many roles as a SIEM Engineer, SOC Analyst Specialist, and Threat Intelligence Analyst. Today, I am working as a Threat Hunting, Threat Intelligence and Security Researcher.
Sittikorn, once you joined the Threat Bounty Program, you became one of the leaders in contributing threat detection content. What motivates you to share your content with the community?
Bug Bounty Programs, where you need red team skills, are already well known. I was wondering whether some companies had already created a bounty program for challenging blue team skills as well. It is a good way to develop your skills, vision, and new ideas, and to make money as a pentester.
When I started a new job this year, I faced the need for some new detection content and recalled Threat Detection Marketplace. I visited the SOC Prime website and decided to join this program. My experience in Security Operations Center and Threat Hunting work is more than 10 years, and I believe that I can create new detection content that is useful to the Threat Detection Marketplace community members. And this year, I am researching cloud cyber attacks, and I want to share my experience with the community to help prevent many cloud cyber attacks.
You write a lot of content related to the cloud and that’s great. What is the reason for this?
Today, most organizations are moving to the cloud because it is easily managed, reduces costs, and is scalable. Many people still lack knowledge and understanding of cloud cybersecurity, but the business owner wants to deliver the product to their customers as quickly as possible. This can lead to a number of vulnerabilities or weaknesses that will be targets for hackers trying to penetrate the cloud system and steal your data. It is an easy target for a hacker if the administrator ignores cloud cybersecurity. Over the past year, a large amount of important information and customer data has been leaked from many cloud systems, such as British Airways. These reasons are why I try to study and find new detection methods to keep up with the current situation.
How much time did it take you to master Sigma rule writing? Which technical background is required to master it? Sittikorn, how much time do you need on average to write a new IOC Sigma rule and a threat-hunting Sigma rule?
Basically, I started to learn writing Sigma rules last month. I read an article about Sigma rule writing on Thomas Patzke’s website and viewed a lot of Sigma rules on Threat Detection Marketplace and GitHub. I tried to translate my rule for ArcSight SIEM into a Sigma rule to then submit to Threat Detection Marketplace. I had to fix it several times to get “approved” status, and that helped me to understand Sigma better. In my opinion, if you want to become a master, you just start writing Sigma rules based on the behavior or log sources that you understand very well. It won’t take long.
The average time required to write a new Sigma rule depends on the complexity of the rule, the example event log, and the specific conditions needed to decrease false detections. Generally, it takes me about 15 – 60 minutes per rule.
Sittikorn, the pandemic is another challenge for a cybersecurity practitioner, since many threat actors have increased their activities. Tell us how it influenced your everyday work.
We must think like a hacker. I believe that we should increase security monitoring of remote channels, cloud console management, and client management, keep up to date with Threat Intelligence about pandemic campaigns, and then take the IoCs and apply them to security protection.
What do you think is the biggest benefit of the SOC Prime Threat Bounty Program?
The Threat Bounty Program is a perfect program for blue teamers to monetize their SOC and Threat Hunting experience. It is not inferior to Bug Bounty programs for pentesters. It is a new passion for learning new detection methods for new attacks and new malware, and for creative thinking.