Interview with Threat Bounty Developer – Aung Kyaw Min Naing
It has already become a good tradition in SOC Prime when Threat Bounty members share stories about their professional paths and their experience and achievements with Threat Bounty. Today we are here with Aung Kyaw Min Naing, who joined the program in June 2022 and has already proven himself as an active contributor to the collective cyber defense.
Please tell us a bit about yourself and your experience in cybersecurity.
Hello there! I am Aung Kyaw Min Naing, and I come from the city of Mandalay in Myanmar. Ever since I graduated in Electronics Engineering in 2017, my interest in cybersecurity has driven me to pursue a career in this field. Currently, I am working as a Cyber Security Analyst (Threat Hunting) in a Thailand-based Managed Security Service Provider company. My primary responsibilities include proactive searching for malicious activities in cyber threat news, conducting in-depth research to enhance behavior-based detections addressing emerging cyber threats and attack techniques, and effectively managing critical security incidents. In the early days of my career, I gained practical experience as a network engineer in an Internet Service Provider company while simultaneously delving into the realm of cybersecurity. Taking my passion further, I embarked on my cybersecurity professional journey as a Security Operation Center Engineer specializing in DDoS prevention at a local IT solution and security company. Additionally, I had the opportunity to work with the biggest local private bank and a beverage public corporation in Myanmar as a cybersecurity professional, where I played this role in implementing PCI-DSS projects and CIS security controls from a technical standpoint. This involved conducting VA scans, engaging in daily security monitoring operations to detect and mitigate cyber attacks, and collaborating with system engineers and developers from internal teams and external third-party organizations. Also, while working in this position, I examined many international cybersecurity certifications from various platforms, such as eLearnSecurity Penetration Tester, CompTIA Cybersecurity Analyst (CySA+), Microsoft Security Operations Analyst, etc.
How did you learn about SOC Prime? Why did you decide to join the Threat Bounty Program?
After discovering SOC Prime on LinkedIn, my ex-team members recommended that I join the Threat Bounty Program as a developer to write rules and contribute to detecting cyber attacks, which aligns perfectly with my passion for researching new attack methods daily and assisting organizations in enhancing their cybersecurity capabilities. I firmly believe that participating in the Threat Bounty Program will not only allow me to improve my knowledge and skills but also make a meaningful impact on the cybersecurity community. And then, I am particularly interested in the activities of the APT collectives, and I’m curious to know what could be inside the mind of an APT group member. Therefore, I have decided to acquire the skills in writing Sigma rules and apply them to detect adversary activities.
Nowadays, organizations are facing the challenge of withstanding the attacks of the global cyber war. Which measures do you think could be the most efficient for protecting infrastructures?
Leveraging the Sigma language and a community-driven approach, SOC Prime’s Threat Bounty Program helps organizations strengthen their infrastructure protection by proactively detecting emerging threats and fostering collaboration among cybersecurity professionals. From my perspective, the prevailing notion in the field of cybersecurity is that Prevention is Ideal, but Detection is a Must. Therefore, Sigma emerges as a valuable resource, enabling robust detection capabilities against modern malware threats, the latest CVEs, and targeted APT activities.
Based on your experience, which threats are more difficult to detect?
In my opinion, the first step is to identify which types of log sources and data sources are required to capture the evidence for a specific detection point. Abuse of legitimate applications and memory injection attacks are challenging to detect. The benefits of Sigma are that it is a unique, flexible, easy-to-write, and generic language for detection rules against sophisticated and complex emerging cyber threats that enables cross-platform security operations. The limiting point is that it does not support all vendors, and some of the rules do not function correctly for the existing security use cases.
Which skills do you find necessary to develop threat-hunting Sigma rules that have more chances of being published on the SOC Prime Platform?
Regarding the development of Sigma rules, my usual approach involves creating templates derived from diverse resources. The majority of my Sigma contributions to SOC Prime are built upon these templates, with some minor adjustments incorporated. My method for creating the Sigma rule is outlined in the following list, step-by-step:
- Stay updated and research the threat news and reports.
- Track threat actor groups and learn new attack patterns.
- Deeply understand the Sigma language and syntax.
- Have a solid understanding of cybersecurity attack concepts, logging services, and data sources.
- Browse the existing detection stack in SOC Prime Platform using Lucene search before writing the rule.
- Use Uncoder AI to validate the rule and convert it to the required language format.
What benefits do you see in participating in SOC Prime’s Threat Bounty Program? Can you recommend others to join the program? Why?
The SOC Prime Threat Bounty Program provides both companies and individual developers with equal benefits. Participating in this program enables organizations to stay ahead of emerging threats while providing opportunities for developers to contribute, improve their skills, and be rewarded for their valuable work.