Interview with Threat Bounty Developer: Onur Atali
Meet the latest newscast about the SOC Prime Developers community! Today we want to introduce Onur Atali, a keen developer contributing to our Threat Bounty Program since June 2021. Onur is an active content creator, concentrating his efforts on Sigma rules. You can refer to Onur’s detections of the highest quality and value in Threat Detection Marketplace.
Tell us a bit about yourself and your experience in cybersecurity
I’m 26 years old and I’ve been in the cybersecurity industry for about 4 years. I worked in the Red and Blue Teams. Particularly, I was thrown into the cybersecurity sector when I was doing a web application program during my high school years. While reviewing the code of my own web application, I saw it could trigger a vulnerability, so I started researching security coding and became interested in web application security. That is how I entered the cybersecurity field.Â
I was curious about networks and security during my high school years, and in fact, learned the basics there. Also, back then, my university had introduced an Information Security Technology section, which included basic network security, network programming, web app security, which are key topics I learned about cybersecurity in college. Simultaneously, I discovered the concept of CTF and tested myself through multiple CTF competitions to win awards and receive degrees. The competitions have motivated me quite a lot and increased my curiosity about cybersecurity even more, so I started working as a pentester after graduation.
How did you decide to engage in threat hunting activities? What are your topics of interest in cybersecurity?
When I worked as a pentester, I had to do extensive research on the targets and search for weaknesses. The better we know the service, the more information we have to capture the flaw and prevent negative consequences. I worked as a pentester for about 2 years and saw many exploit codes, exploit methods, lateral movement techniques. Back then I decided to dive into threat detection practices and attack analysis, becoming a member of the Blue Team. While researching attack techniques and creating defense methods, I spent lots of time developing specific detection rules based on the attack traces. In fact, I reproduced the attacks on my own virtual machine to perform the research. The number of cyber-attacks has grown significantly compared to previous years. Types of attacks, types of malware, and threat actors’ profiles are quite different and numerous. Therefore, threat hunting studies should be done precisely and require fine research.
My areas of interest in cybersecurity include threat hunting, hunting rules and playbooks writing, security software development, secure network architecture creation, and mobile/web application security. I also prepare phishing simulation software and phishing templates.
Which tools are the most commonly used by different threat actors and what would be your recommendation to improve defense against those tools? Examples would be great!
Attackers concentrate their efforts on legitimate system applications in an effort to hide the traces. Hackers think that this way they will circumvent both security analysts and security threat detection solutions. During my research, I have seen tools such as Impacket, Bloodhound, Rubeus, Mimikatz for lateral movement. Other tools I have come across very often are open source software such as Proxychains, Tor, Hdyra, Nmap. In order to detect special threat tools used by attackers, it is important to log commands running at the operating system level. Many attackers run commands such as “whoami,ipconfig, ping 8.8.8.8”, and it is necessary to treat them as suspicious. For example, an alarm should be generated if authorized administrators are queried on systems that provide Active Directory service in SIEM for lateral motion detection. Attackers may want to hijack, change, or download malicious applications on the system they have seized, so it is useful to check internet traffic and web addresses from your systems, especially when a request occurs to Tor services. The alarm may indicate a possible threat. Brute Force attacks are the most common type of attack today, so the SIEM service must detect and automatically block IP addresses that scan at least 10 different ports in 5 minutes or attempt to log in to critical services such as RDP, SSH, FTP with at least 10 different user names. I think SOC Prime is the richest platform in the world in terms of threat detection rules.
How much time did it take you to master Sigma rules writing? What technical background is needed for that?
I think it is necessary to know the logging services well, especially at the operating system level, to write Sigma rules. To write a rule, you need to monitor attackers’ movements well and minimize false positive detection. Otherwise, too many alarms may occur and you may miss the actual threat. Sigma rules are very efficient in terms of threat detection and help us make point shots. I improve my ability to write rules by studying malware analysis, Incident Response review, and cyber threat reports. When writing a rule, it is necessary to make sure that the detection source and content of the written rule meet the expected alarm.
How did you learn about the SOC Prime Threat Bounty Program?
I was using the SOC Prime platform to search for threat hunting rules, but I learned about the reward program from my friends. I’m so happy to be in the program, because I’m learning a lot of things here and improving myself.
Tell us about your journey with Threat Bounty Program. How much time do you need on average to write a Sigma rule that will be published in Threat Detection Marketplace without any corrections?
I was really interested when I heard about the SOC Prime Threat Bounty reward program and immediately applied. The SOC Prime Team approved my application pretty quickly and contacted me, which made me very happy. Before writing the rules, I studied the existing rules and learned about the process.
To write rules flawlessly on the platform, especially in malware analysis and Incident Response, developers do need to have at least 1 year of experience in cybersecurity. However, the first try might be done already in 1-2 weeks after examining the existing rules within the platform and reading the guidelines.
What is the biggest value for you from participation in Threat Bounty Program?
The best value of participating in the Threat Bounty Program is that the rules I write are interesting and help the community. Because if the rules you write are not functional, they obviously don’t make sense. Along with the Threat Bounty program, I had the opportunity to improve myself at the point of writing a Sigma rule, and when writing a rule, you can also learn about detailed security configurations at the operating system level, which technically gives you an improvement. I’m happy to participate in the Threat Bounty Program, both improving myself and contributing to the community.