Interview with Threat Bounty Developer – Mustafa Gurkan Karakaya
Today, we want to introduce to SOC Prime’s community one of the most active members of the Threat Bounty Program and the author of validated detections available on the SOC Prime Platform. Meet Mustafa Gürkan Karakaya, who has been demonstrating his expert cybersecurity knowledge and the potential for further development since he joined the Program in December 2022.
Rules by Mustafa Gurkan KARAKAYA
Tell us a bit about yourself and your experience in cyber security.
My name is Mustafa Gürkan KARAKAYA. I’m 25 years old. I live in Ankara, Turkey. I graduated from the Department of Computer Engineering at Ankara Yıldırım Beyazıt University in 2020. I started my journey in the field of cybersecurity by focusing on pentesting. Later on, I expanded my interests to include various activities related to the purple team, particularly in the areas of SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), malware analysis, DFIR (Digital Forensics and Incident Response) analysis, and forensic investigations. In my first job, I primarily engaged in technical support and consulting activities for military institutions by providing assistance and advice in various technical aspects. At my second company, I continued to provide technical support and consulting services, specifically focusing on implementation and SIEM maintenance. Currently, I am working as a Cyber Security Engineer.
How did you learn about SOC Prime? Why did you decide to join Threat Bounty Program?
I first discovered SOC Prime on LinkedIn, but I heard about the opportunity to write rules on the platform from my team leader at the company I currently work for. I joined this program because I enjoy researching new attack methods every day.
Based on your own experience, what skills are required to create rules with higher chances of being published? What can you recommend to those who have just started writing Sigma rules with Threat Bounty?
In my opinion, the most important criterion for content publication is for the rule to be specific and capable of making precise determinations, which will reduce the false positive rate. My advice for content authors who have just started writing Sigma rules is to analyze adversary activities in an attack scenario according to the MITRE ATT&CK framework and try to understand the intentions of attackers. Additionally, examining pre-existing rules and understanding which traces the attack would leave in which log sources will be highly beneficial in developing appropriate rules.
Based on the detections you research and create, what are the most critical threats for modern organizations? Which measures do you consider the most efficient for protecting infrastructures?
I think the most important threat is the human factor. No matter how advanced or sophisticated security measures and technologies may be, human actions and behaviors can compromise security. Human errors, negligence, lack of awareness, and malicious intentions can all pose significant risks to the confidentiality, integrity, and availability of sensitive information. It is crucial to prioritize user education, awareness training, and establishing a strong security culture to mitigate these human-related risks. Therefore, I believe that the primary threat detection methods are located at the endpoint. Organizations must collect endpoint logs for threat detection methods and detailed analysis. Rules are like lights shining on hidden threats. And the more we increase the amount of light, the more the visibility of threats will increase.
Which types of threats are the most complicated to detect? Maybe you can give an example from real life?
I believe that detecting attacks occurring within the paths of seemingly legitimate applications is the most challenging for organizations. If I need to provide an example from my own rule, let’s take Suspicious QakBot Malware Behavior With Associated Commandline by Spreading Malicious OneNote Document (via process_creation). In this rule, attackers spread the Qakbot malware on the victim’s machine using a OneNote document. No security product, including AV and EDR, can detect this attack because all the processes involved are Microsoft-signed and appear to be legitimate. However, when these legitimate processes are used together, the malicious behavior is triggered. It connects to a C2 server, downloads other malicious payloads, and spreads the Qakbot malware on the victim’s machine.
As an experienced security specialist, what do you think should be the #1 priority for organizations that want to build a robust cyber defense?
For organizations striving to establish a robust defense, the most crucial priority is to raise awareness among employees about cybersecurity so that they will avoid opening unsafe emails. Additionally, my recommendation for cybersecurity teams is to monitor abnormal user activities, filter unusual network activities, collect client logs across the organization (which many organizations neglect), and define corresponding rules in security products.
What are the key benefits of being SOC Prime’s Threat Bounty Program member?
I believe the most important benefit is that it enables me to stay informed about newly emerging vulnerabilities and malware every day, as well as keep myself updated on the latest techniques used by attackers. I recommend that individuals who are curious, hardworking, and eager to learn new things should participate in Threat Bounty Program.
