Catch the latest newscast about the SOC Prime Developers community! Today we want to introduce Michel de Crevoisier, a prolific developer contributing to our Threat Bounty Program since November 2020. Michel is an active content creator, concentrating his efforts on Sigma rules. You can refer to Michel’s detections of the highest quality and value in Threat Detection Marketplace.
1. Tell us a bit about yourself and your experience in cybersecurity
I started my security career as a SOC analyst in 2017 following different experiences in system administration, network, and virtualization. In my mind, it has always been clear that my career should be built around security. In fact, I was involved in too many projects where security was not a priority, exposing organizations to unnecessary risks. I took up this as a personal challenge by starting a blog and attending different security events, also as a speaker. Recently I attended a SANS security course around threat detection in order to obtain a GIAC certification to expand, beside other things, my knowledge and skills.
2. Why have you decided to focus on Sigma rules as one of the main tools for threat-hunting?
From a threat hunting perspective, SIGMA provides advanced capacities to share simple or complex IOC logic in a common format that is understandable and usable by any analyst, regardless of the SIEM technology in use. With the release of this open format and the rise of the “Githubification of InfoSec” (source), SIGMA was definitely the tool I needed.
3. How much time did it take you to master Sigma rules writing? Which technical background is required to master it? And how much time do you need on average to write a new IOC Sigma rule and threat-hunting Rule?
Mastering in SIGMA rules took me only a very few weeks and writing a rule usually takes me around one hour as I always try to assess the threat in my lab to ensure the quality of the rule. I also try to attach a real log sample so the analyst can easily appreciate the context.
However, understanding the fundamentals of the language is, from my point of view, not enough. Indeed, writing good rules also requires a proper understanding of the threat, its behaviors, and the different IOCs that it can trigger. Knowledge about security frameworks like Metasploit or Cobalt Strike is also quite helpful as well as offensive skills.
4. What are your topics of interest in cyber-security? Which types of threats are the hardest to detect and combat?
Supply chain attacks like CCleaner, SolarWinds, or Codecov are one of the most difficult to detect: threat is embedded into legitimate software known as trustable and used by multiple companies. Intrusion takes months and is very stealthy. Furthermore, cloud intrusions combined with a lateral movement to the on-premise environment (or vice versa) are also quite hard to combat as detection coverage maturity is not always the same on both sides or is handled by different parties with different mindsets. Of course, the common intrusion vectors remain valid and we shouldn’t forget about phishing, web server exploits and PowerShell, DCOM or Windows Management Instrumentation (WMI) abuses.
5. Many threat actor groups exist now and their number is growing, which threat actors in your opinion pose the biggest threat? How would you measure if a threat actor group is more or less dangerous?
Actors like the one behind the SolarWinds supply chain attack have demonstrated how powerful they can be. Analyzing their capacities of preparation and infiltration into 3rd party providers before attacking their final target is really frightening. They are multifaceted, targeting cloud and on-premise infrastructure, capable of compromising build and code signing infrastructure… And all this while remaining nearly invisible under the radar coverage.
6. How did you learn about the SOC Prime Threat Bounty Program? Why decided to join? What is the biggest value for you from participation in Threat Bounty Program?
Joining the Threat Bounty program was above all an opportunity to expand my knowledge, by pushing me out of the comfort zone in order to explore new threats and TTPs. In time, I realized that I was contributing more broadly to strengthen SOC organizations and taking part in a talented developers community.
Eager to monetize your threat hunting skills and boost your cyber defense experience? SOC Prime is looking for skilled Blue Team members keeping a close eye on the latest cybersecurity trends! Our Threat Bounty program pays recurrent rewards for SOC content aimed at threat detection, threat hunting, and incident response – like SIGMA, Yara, Snort, Log Parsers, and Native SIEM Content. Submit detections to address Wanted List requests and double your profits while helping the Threat Detection Marketplace community to withstand emerging cyber threats.
Looking for a way to enrich your cybersecurity knowledge? Explore SOC Prime’s Cyber Library to master your SIEM hard skills, watch deep-dive educational videos, and catch up with how-to guides on threat hunting.