Threat Bounty Success Story: Kyaw Pyiyt Htet
Today, we want to tell you the story of Kyaw Pyiyt Htet, the content author who has been with the Threat Bounty Program for almost four years. We introduced Kyaw Pyiyt Htet on our blog and mentioned some information about his personal and professional background.
It is exciting to hear from Kyaw Pyiyt Htet now and learn about his professional development, career progress, and plans for the future.
Tell us about yourself, your current company, and your position in the company.
I am Kyaw Pyiyt Htet. My name is a bit hard to pronounce. I currently work as a Senior Threat Analyst at LMNTRIX, an Australian XDR service. The company provides cyber defense services across the APAC and North American regions. My daily tasks are mostly focused on threat response by utilizing EDR/XDR. It is what I do at my current position and as my daily job.
Before I joined the Threat Bounty Program, I worked as an L1 analyst. I fine-tuned the detection rules and relied on signatures and reactive monitoring. I also learned how threat detection engineers operate and how to identify cyber incidents effectively.
How long have you been a member of the Threat Bounty Program? What do you think are your biggest achievements and milestones as a Threat Bounty content author?
I have been participating in the Threat Bounty program for three years and eight months, and I still continue to contribute. My biggest achievement and milestone is that I was listed as the Top author in 2022 in August, October, and November in the monthly report. Recently, I was recognized as one of the Top 20 SOC Prime contributors.
Speaking about rule contributions, can you tell us how many rules you submitted during your participation in the Program?
Currently, 189 rules have been successfully published on Threat Detection Marketplace. The overall submission might have over 200 rules, but unfortunately, I can’t recall them in detail. Many of my submissions were rejected. Even though I received so many rejections, I have gained experience that I use to create high-quality Sigma rules.
Do you have any personal schedule or milestones for submitting your rules? Observing the activity of the Threat Bounty community, the number of submissions for the actively publishing authors varies significantly, from 5 to 50+ submissions per week. How do you do that?
I do not have any fixed goal. And 50+ submissions monthly – I do not do that. But I can tell you about my approach.
First of all, I read open-source threat reports, such as Unit 42, Cybereason, Cisco Talos, and similar. Usually, I read the reports and look for some detection artifacts. For example, are there any registry key creation, or any scheduled operations by the threat actor, and so on, and then I take that detection artifact, create a Sigma rule, and contribute to the Threat Bounty Program.
In parallel, I research the custom C2 framework in my home lab environment, and there, I can find other significant detection artifacts. As of now, I have several detection rules on the SOC Prime Platform that are 100% my internal research.
These two approaches that I use to write detection rules that I contribute.
Do you have any particular topics or directions in threat hunting that you are very passionate and excited about?
When I read a threat intelligence report, I first look for indicators of an attack rather than indicators of compromise. If I have to create robust detection content, it should rely on indicators of attack because it is hard to change from the attacker’s perspective.
For example, if we write a Sigma rule based on IOC, such as an IP address or a domain name, it is not really reliable as a long-term detection.
That is why I pay attention to command-line executions or other key registry artifacts that are hard to change in an attacker’s operation.
Let’s talk about the least pleasant part of the content submissions, namely, content rejection. What is your experience?
Honestly, previously, I relied on IOCs to create Sigma rules, and this was the main reason why my rules were rejected. Another reason is that sometimes I create rules very late, so content by other contributors has already passed the verification before me.
Each time I receive a rejection, SOC Prime’s verification team specifies a reason. They recommended that I focus on creating high-quality and high-accuracy detection rules. I gained this experience even though I received so many rejections.
And how did you shift from writing IOC-based rules to behavioral content?
Later, I started to apply the Piramyd of Pain model because, using this model, we can make an assessment of the attacker’s capabilities based on the level of difficulty. What I mean by that – the higher the level of the artifacts in the Pyramid of Pain is, the higher the accuracy of the detection rule.
I always apply the Pyramid of Pain model when I read threat reports or do my own research. When I find some good artifacts, I create a Sigma rule and submit it.
Did this experience help you to grow professionally?
Yes, exactly. For example, I am very attentive to the recommendations of the SOC Prime Team when they say that my rule is weak or that I have to adjust some detection parameters. Those kinds of recommendations help me a lot in my job, too. I can make better finetuning and reduce the false-positive alerts. I think I gained a lot from my experience participating in the Threat Bounty Program.
What was your main motivation for participating in Threat Bounty? Was it money, self-improvement, or maybe a challenge?
To create rules for the Threat Bounty Program, I have to read news about emerging threats. This helps me a lot with my daily job because my job responsibilities include cyber threat intelligence operations. It means that I need to stay connected with information about emerging threats and create detection rules almost every day. In reality, participating in the Threat Bounty Program and doing my day-to-day job are closely connected, and there is no huge difference there. That is why I encourage everyone to participate in the Threat Bounty Program, which will help us uplift our skills and be beneficial for the companies we work for.
What is your personal motivation to continuously contribute rules to Threat Bounty?
First of all, I want to contribute to the international community because I want to be famous. This is my personal motivation and my ego. Surely, I want to have additional income and be able to buy whatever I want. One more important motivation for me is that I can showcase my career and skills by participating in the Threat Bounty Program. I can add this to my CV when applying for a new job in the international cybersecurity market.
Let’s talk about your community. Do you share your experience and recommend that your friends and peers join the Threta Bounty Program?
Yes, sure, some of my friends are already actively contributing to the Threat Bounty Program. For those who are not yet members of this program, I always encourage them to participate. Even though you will get a lot of rejections from the start, in parallel, as I already mentioned, it is a great opportunity to learn how to create mature detection rules. Don’t give up!
The other benefit is that we are creating Sigma rules, so we know what the abnormal activity is and can better fine-tune the existing rules. This is the type of skill-uplifting that you can gain by participating in the Threat Bounty Program.
How do you plan to develop professionally further? Do you rely on SOC Prime here?
With SOC Prime’s assistance — and it is really one of the main parts of my career development — I want to become a cyber threat intelligence expert in five years. With SOC Prime’s assistance, I gained the possibility to engage with the international community on the Discord server and receive feedback from the verification team, which is also an important part of self-improvement.
Also, with Uncoder AI, I can easily convert Sigma rules to the EDR language we use in our company, which is also helpful.
Your experience is very interesting and inspiring. I believe that more enthusiasts who are just starting their careers should follow your example and advice and join the Threat Bounty Program.