SOC Prime Threat Bounty Program keeps uniting enthusiastic and keen detection content developers who joined the community to contribute to collective cyber defense and monetize their exclusive detections on the SOC Prime Platform. Please meet Wirapong Petshagun who joined the Threat Bounty community in June 2022 and has been regularly publishing high-quality rules to help SOC Prime users timely detect existing and emerging threats. In September 2022, Wirapong was one of the 5 most rated Threat Bounty content developers.
Detections by Wirapong Petshagun
Greetings, My name is Wirapong Petshagun, and I’m from Thailand. I graduated with a Master of Science program in Cybersecurity Management. I’ve been interested in cybersecurity since I was in university. My first job was as a cybersecurity incident response at one of Thailand’s largest telecom firms. It was difficult for me because I was new to the field. I was assigned to create detection rules for security solutions such as IPS, WAF, EDR, and SIEM. Aside from that, I’ve handled numerous cyber incidents and also designed and created automated playbooks to implement with SOAR.
Currently, I work as a Cyber Incident Responder for a security consulting company. I was assigned to provide security news and detection methods to a customer. I researched a lot of websites until I found SOC Prime. Other than that, I’ve created a lot of CTF challenges, which has helped me get a deep understanding of how to attack and detect.
2. What are your topics of interest in cybersecurity and why? How do you want to grow as a cybersecurity professional?
I’m interested in cyber incidents because it’s exciting to see new techniques being used by various APT groups. As an Incident Responder, I am not afraid to put myself through challenging tasks because I believe it is the most efficient way for me to improve my skills.
3. How did you learn about the Threat Bounty Program and why did you decide to join?
I discovered SOC Prime Platform when looking for a detection rule to use with the SIEM to detect new CVEs and techniques. After that, I found the Threat Bounty Program in SOC Prime and decided to join immediately because this is the only platform that has a Threat Bounty Program, which allows Blue Teamers to publish detection rules to help many organizations detect cyber attacks. I also believe the Threat Bounty Program could help me improve my knowledge and skills.
4. Tell us about your journey and experience with the Threat Bounty Program. What surprised you the most?
I just started to learn how to write Sigma rules and Snort rules the month before I joined the Threat Bounty Program. I was surprised when I created and submitted detection rules to SOC Prime. Every rule is reviewed in detail and also given feedback by the reviewer. That could help me improve my skills in writing high-quality rules.
Another thing that surprised me was that I developed a Sigma rule that includes some malicious payloads, and it was blocked by the SOC Prime Platform’s WAF. I was scared I would be banned at the time, but when I contacted SOC Prime in Slack, they informed me it was a bug and advised me to report it to the bug list channel.
5. How much time do you need on average to create a Sigma rule that will be published in the SOC Prime Platform?
The average time depends on the complexity of the rule, the type of rule, and the techniques used by threat actors. Some techniques need to be tested to make sure they work and are tuned to reduce false positives, which also affects how long it takes to write. Usually, I spend between 15 and 30 minutes on each Sigma rule.
6. What do you think is the biggest benefit of the SOC Prime Threat Bounty Program for cybersecurity and you personally?
The SOC Prime Threat Bounty Program is only one way for Blue Teamers like me to gain valuable experience in writing threat detection rules under the supervision of the SOC Prime Team. The program is also a new passion for exploring new attack techniques that are used by threat actors worldwide.
7. What would you recommend for Threat Bounty beginners from your own experience?
If you’re new to the Threat Bounty Program, start by looking at SigmaHQ’s Sigma rules or SOC Prime’s free access rules, then check for attack details from the link in the rule reference and attempt to convert to conditions to detect the attacks yourself. This is the quickest way to learn more about how to write the Sigma rules.