Meet Sreeman, one of the most active participants of SOC Prime Threat Bounty Program. Sreeman has been participating in the Threat Bounty Program since December 2019.
Before he started publishing his own developed content to Threat Detection Marketplace, Sreeman had contributed a bulk of changes and improvement to the existing TDM content translations for Azure Sentinel and Microsoft Defender ATP.
Check the link to view the Rules developed by Sreeman: https://tdm.socprime.com/?searchValue=tags.author%3Asreeman
Sreeman, tell us a bit about yourself and your experience in cybersecurity.
My first introduction to security was when I watched the cult favorite “Wargames”. I immediately knew that information security was what I was going to major in when I attended University. I’ve been in the security field for just about 6 years now, starting off as a security analyst and currently doing more threat hunting and incident response. I spend way too much time in a week reading, researching, and trying to understand the logic of new exploit methods. I am also an active crew member of the Hack In The Box security conference.
How hard is it to master the Sigma language having experience in writing rules for different security systems?
Honestly, it’s as easy as learning to ride a bike. Once you understand the basics and remove the training wheels it’s pretty much the same moving forward as the format and syntaxes become familiar quickly. It’s a surprise it was never created much earlier, but Florian Roth thought outside of the box and came up with the idea that truly helps everyone who works in a blue team/SOC environment. Different SIEM’s have different ways to write rules, but the core logic is essentially the same. This is exactly what SIGMA does. We’re just writing down what the detection strategy needs to be in basic layman, and then people just convert it to their SIEM query language.
I’ll admit I still make a number of syntax mistakes, and I’m sure the folks at TDM are probably annoyed at my rashness – but thankful they take the time to let me know what’s wrong so that I can amend it.
You take an active part in the development of the community: you not only publish your detection content but also check other published community rules and offer your own translations to platforms if the rule can’t be translated via Uncoder automatically. How much time does it take?
As mentioned earlier, the logic conveyed by a SIGMA rule is pretty easy to understand. If we know what the rule is about, it’s really straight forward to replicate it on other platforms. It’s knowing how to write efficient queries in that platform that dictates the time. Some queries can take up as little as a couple of minutes, and some slightly longer.
All threat-detection content contributed by you to Threat Detection Marketplace is available free of charge and helps the cybersecurity specialists from all over the world to detect threats. What motivates you to publish only community rules?
The great thing about the security community is that everyone shares their knowledge and findings. You find people like Samir Bousseaden, Florian Roth, @hexacorn , Oddvar Moe and many many more who take the time to explain and demonstrate an exploit as well as write rules for hunting. I have learned a lot from all of these people, and without paying a cent. I feel it’s only fair that I contribute back to the community without asking for anything after absorbing all this knowledge.
What do you think is the biggest benefit of SOC Prime Threat Bounty Program?
It’s a really good platform (maybe the only?) that helps blue-teamers/threat-hunters around the world to come to a single glass pane and identify and use threat detection rules needed by them. Not only that, it may be the world’s largest repository of detection rules that cater to all SIEM/log collectors out there. A SOC that is just starting out can leverage on these rules and get an immediate head start on their rule maturity. The MITRE ATT&CK mapping also allows teams to onboard detection rules that are apt for their industry and to increase detection rules for tactics that were lacking. SOC Prime and freelance developers are adding rules daily based on newer security findings.
Furthermore, the TDM market allows for organizations to request for detection rules that are more tailored to their organizational needs (APT specific rules which may not be out there). This not only provides a benefit to the organization, but as incentives to developers who create rules. Think of it as a “bug bounty” program for detection rules, which I don’t think many other platforms offer!
Check our latest Rule Digest and look at the example of content developed by Sreeman: https://socprime.com/en/blog/rule-digest-trojans-cyberspies-and-raticate-group/
Read interviews with other developers: https://socprime.com/en/tag/interview/