Interview with Threat Bounty Developer – Mehmet Kadir CIRIK
As we continue to tell about our keen members of SOC Primeās Threat Bounty community sharing stories about their professional growth and extending their expertise to developing rules contributing to global cyber defense, today we introduce Mehmet Kadir CIRIK, who joined the program in January 2023 and has been actively contributing his detections since then.
Tell us a bit about yourself and your experience in cybersecurity.
Hello! I am Mehmet Kadir CIRIK, 22 years old. I was born in Mersin, Turkey, in 2001 and grew up there. I am currently a senior student in the Forensic Informatics Engineering and Computer Engineering departments at Firat University. In my 2nd year of university, I studied at the Computer Science department in North Macedonia for about 8 months under the scope of Erasmus. I have been working full-time in the field of cyber security since my sophomore year of university. I am currently working as a Blue Team Engineer and Threat Researcher in an Istanbul-based company. My primary responsibilities include proactive investigation of the malicious activity within cyber threat news feeds, in-depth research to develop behavior-based detections that address emerging cyber threats and attack techniques, and effective management of critical security incidents. I first started my career in Cyber Threat Intelligence. Then I worked as an MDR analyst and developed my forensics skills.
How did you learn about SOC Prime? Why did you decide to join Threat Bounty Program?
I first discovered SOC Prime through posts on LinkedIn. I was interested in writing Sigma Rules before, but I had never written a single Sigma Rule myself by that time. At the company I am currently working for, I received support and guidance from my senior fellows on how to write Sigma rules and how to submit them for publication on the SOC Prime platform. By writing Sigma rules, I can improve my skills and gain knowledge about many vulnerabilities and attack techniques in a very short time. I am particularly interested in the activities of APT collectives, and I wonder what might be in the mind of an APT group member. That’s why I joined as a member of SOC Prime’s Threat Bounty, and I take care to write my rules regularly.
Which skills do you find necessary to develop Sigma rules that have more chances of being published on the SOC Prime Platform?Ā
In order to increase the chances of being published on the SOC Prime Platform, I take care to write rules, paying exceptional attention to the content of the rule so that it doesnāt create any false or misleading perception about the detection. Also, I make sure to build my rules so that they will be capable of detecting malicious activities for a long time. By targeting any APT group or a malware’s TTP behavior directly, I write my rules according to these TTPs. Thus, even if the attackers change the behavior (file names, file hashes, and domain names), I ensure that the rules I have written are constantly catching the attacks.
Nowadays, organizations are facing the challenge of withstanding the attacks of the global cyber war. Which measures do you think could be the most efficient for protecting infrastructures?Ā
Organizations can protect their infrastructure using detection algorithms within the SOC Prime Platform, especially the Sigma rules developed and shared by Threat Bounty members. Such rules act as a valid detection mechanism for newly released vulnerabilities, APT group activities, and malware. That’s why Sigma emerges as a valuable resource, providing powerful detection capabilities against modern malware threats, the latest CVEs, and targeted APT activities.
Which types of threats are the most complicated to detect? Maybe you can give an example from real life?Ā
Advanced cyber attacks or targeted attacks are generally considered the most complex types of threats to detect. These are attacks that require sophisticated techniques, privacy measures, and advanced skills. Such attacks are usually carried out by state-sponsored collectives, advanced persistent threats (APTs), or experienced attackers.
For example, the cyberattack known as “Stuxnet” was an advanced worm virus very complex to deliver and spread. This attack was carried out against the Iranian nuclear program in 2010 and infiltrated its targets, disrupting the control systems of nuclear reactors. Although the identities of the perpetrators are unknown, the attack is thought to be highly sophisticated and possibly a state-sponsored operation.
I suggest that companies pay attention to the recently published rules in the SOC Prime Platform because cyber-attacks become increasingly sophisticated, with more and more companies, institutions, and individuals being affected by these attacks.
What do you think should be priority #1 for organizations that want to build a robust cyber defense?
As an experienced threat hunter, I can say that the #1 priority for organizations should be continuous monitoring and gathering threat intelligence. Good threat intelligence is critical to detect attacks and strengthen defenses. In an environment where threats are constantly changing and evolving, it is vital to establish a defense strategy based on up-to-date threat information. In particular, the following topics are areas where threat hunters can offer valuable insights:
- New attack methods and techniques: Detecting new attack techniques and methods that are constantly emerging is critical to keep defensive measures up to date.
- Vulnerability discovery: Detecting and reporting vulnerabilities in systems make a great contribution to defense against attacks. In particular, discoveries made with techniques such as penetration tests and vulnerability scans play an important role in cyber defense.
- Malware and malicious activity: Detection, analysis, and prevention of malware is vital to maintain the security of an organization. Detections made in this area contribute to shared threat intelligence.
What do you think is the biggest benefit of SOC Primeās Threat Bounty Program?Ā
In my opinion, the biggest benefits of SOC Prime’s Threat Bounty Program are:
- Community Engagement: Threat Bounty Program fosters a global community of threat hunters, encouraging cybersecurity experts to network and share knowledge. This ensures effective threat detection and defense by leveraging different experiences and perspectives.
- Rewards and Motivation: the program offers participants financial rewards for their contributions. This motivates threat hunters and encourages greater engagement. In addition, participants get the opportunity to showcase their talents and be recognized in the industry.
- Threat Intelligence Development: the program enables participants to specialize in threat intelligence. Published detections contribute to shared threat intelligence and can be used to provide a stronger cyber defense.
From my experience, I believe that individuals who wish to participate in the Threat Bounty Program and earn money with their detections should have the following minimum cybersecurity competencies:
- Network Security: it is important to have knowledge and experience in basic network security issues. It is necessary to have a good set of skills, such as network traffic analysis, firewall rules, and detection of network vulnerabilities.
- Malware Analysis: malware analysis capabilities are essential for detecting and analyzing malicious files and understanding malicious activity. It is crucial to have a good understanding and technical skills.
- Penetration Testing: penetration testing capabilities are essential for detecting vulnerabilities and exploits in systems. The ability to see systems through the eyes of an attacker and detect vulnerabilities is vital.
Interested in joining Threat Bounty Program? Donāt hesitate to apply for participation and join the crowdsourcing initiative that encourages you to develop professionally while monetizing your detections.
