Interview with Threat Bounty Developer: Nattatorn Chuensangarun

January 26, 2022 · 6 min read

Catch the latest newscast about SOC Prime’s community! Today we want to introduce Nattatorn Chuensangarun, a prolific detection content author contributing to our Threat Bounty Program since August 2021. Nattatorn is an active content developer, concentrating his efforts on Sigma rules. You can refer to Nattatorn’s detections of the highest quality and value in the Threat Detection Marketplace repository of the SOC Prime Platform:

View Detection Content

Tell us a bit about your professional career and your experience in cybersecurity.

Hi! I’m Nattatorn Chuensangarun from Thailand. Since I’m interested in cybersecurity, after graduating in Computer Science in 2019, I decided to start my first job in one of Thailand’s biggest banks as a part of the Security Intelligence and Operations Center team. It was very new to me because I only had experience in data analytics. However, with the great support from my team members, I started training to be a SOC analyst. I was assigned a task to oversee the Threat Intelligence section. It was challenging since I had to monitor various threats, tapping into the widespread news feeds related to vulnerabilities, data leakage, or ongoing attack trends. I’ve researched and created rules to detect multiple threats on the Threat Intelligence Platform until I met SOC Prime.

What are your topics of interest in cybersecurity?

I am actually open to many topics in cybersecurity. Still, I’m probably highly interested in writing playbooks to implement with Security Orchestration, Automation and Response (SOAR). It can be extended to Threat Hunting, Automated Incident Response (IR) and could help deal with a large number of basic attacks. This way, the monitoring team can reduce efforts and spend more time researching defenses and new attacks. I am also interested in cloud security, threat actor groups, new ransomware challenges, and bringing big data to analyze attacks and abnormal behaviors.

How did you learn about the Threat Bounty Program? Why decided to join?

Last year, I got to know the SOC Prime Platform to search for threat detection rules that I applied to the SIEM system to hunt for vulnerabilities. That was the first time I met SOC Prime. One of my team members suggested that I should try joining Threat Bounty Program as a developer. I thought it was an exciting idea and decided to participate because I believe that this program could help me to improve my skills. In fact, with Threat Bounty, I can deepen my experience in writing rules for different types of threats, find new knowledge, and share security information with other members of the SOC Prime Threat Bounty community. My published rules can also be applied to strengthen the defenses of my organization or shared with other companies to mitigate cyber threats as well.

Tell us about your journey with the Threat Bounty Program. How much time do you need on average to write a Sigma rule published in the SOC Prime Platform?

I have written rules for security tools before, yet they were quite restricted and complicated since different tools require different ways of writing. After I got to know the SOC Prime Platform and learned how to write the Sigma rules, it opened a borderless world for me. SOC Prime Threat Bounty rewards also inspired me to drive my skills in writing Sigma rules to the next level. I enjoy learning new techniques and energetically writing rules to address new threats. 

In my opinion, the average time it takes to write a Sigma rule may depend on understanding the type of rule, the behavior of the threat actors, and attack techniques. The variety of IOCs also influences writing time because security professionals need to inspect the metadata to identify normal or abnormal behaviors. I mostly spend around 30 minutes analyzing threats and writing a Sigma rule.

How much time did it take you to master Sigma rules writing skills? What technical background is needed for that?

I spent about a week studying how to write Sigma rules, mainly by inspecting examples in GitHub and SOC Prime’s Threat Detection Marketplace. These resources helped me to see the variety of Sigma rule types. Now, I usually make my own templates to separate each service from the different sources. This way, it’s easier for me to implement the rules. Moreover, writing rules efficiently is essential. At first, I often wrote inappropriately, so my rules resulted in missed threats or false positives. However, SOC Prime Platform offers expert help to review my rules before publishing. I can adjust my rules in case of any errors and learn how to improve myself while avoiding mistakes.

How collaborative cyber defense approach can help to mitigate such critical risks of a global scale as log4j?

Closing a gap or mitigating risk is not just about technology. We should go back to the fundamentals, including people, processes, and technology. These are the key components to manage risk, so they should be considered together. Only technology might indeed have the ability to mitigate most of the threats. However, we cannot reach maximum protection in terms of time and quality without people and processes. Using SOC Prime’s Platform is one of the steps that can help reduce risk as well. It provides broad networking opportunities so developers can exchange the hunting techniques or timely find IOCs, which are advantageous to decrease risks.

What do you think is the most significant benefit of the SOC Prime Threat Bounty Program?

The SOC Prime Threat Bounty Program allows me to get a lot of experience writing threat detection rules under the SOC Prime Team supervision and advice. The program helps me improve my skills and assists organizations worldwide by supporting a cybersecurity community. It’s a great honor when someone sends a direct message telling me that my detection rules can help their organization. Such cases motivate me to promptly initiate new rules to encounter new threats and study new techniques, hoping that my attempt can help the community withstand the threats.

What would you recommend for Threat Bounty beginners?

For anyone starting or studying a Threat Bounty Program, you may pave the way by reading threat news feeds, monitoring cyber-attacks around the world, or using reliable attacks logs for writing a Sigma rule at the beginning. Otherwise, you might preview the examples on GitHub and Threat Detection Marketplace. Let’s challenge yourself once and help the cybersecurity community together!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts