Interview with Developer: Ariel Millahuel

We took another interview with one of the participants in SOC Prime’s Developer Program (https://my.socprime.com/en/tdm-developers). We want to introduce to you Ariel Millahuel.

Ariel, could you please introduce yourself and tell us about your Threat Hunting experience?

I’m Ariel Millahuel from Buenos Aires, Argentina and I’m 30 years old.
I started in the Threat Hunting world 2 years ago, when I moved from a SOC to a Blue Team Job. This was my starting point and now, it’s one of my passions.

Let’s talk about the threat-hunting industry. How do you think, what are the most important trends now and weak points?

In my opinion, the most important trends are Malware hunting, Sysmon logs, and cloud technologies. I think that the weakest point is in the machine learning integration into the industry.

Tell us about your experience with Sigma. When have you started to use it and why?

The first time I’ve seen Sigma was in TDM, exploring the rules and so on. At this moment, I started to learn about Sysmon and process monitoring, about 5 months ago. It took at least 3 months for me to started to write some simple Sigma rules.

In your opinion, what are the main benefits of Sigma as a threat-hunting tool? Can Sigma change the way how organizations build their cyber defense?

The main benefits of Sigma are in the integration with the most important SIEMs in the industry, and the opportunity to constantly create content as new threats come to the main stage.
Sigma can change not the way of how organizations build their cyber defense but the entire scenario for blue and red teams.

What do you think is the most complicated and time-consuming part of writing the new Sigma rule?

The most complicated and time-consuming part is to validate what you are putting in a specific rule. I do this in my virtual lab.

How much time do you need to write a new Sigma rule? How do you make a decision what rule to create?

The whole process takes me at least 2 hours per rule. This happens when I see a new behavior in the malware that I analyze in a sandbox.

In your opinion, what can be improved in Sigma?

Sigma was growing since I’ve started to use them, and it was awesome to see the kind of things that you guys are doing. It would be great if the Uncoder has some feedback about parsing errors or “unknown” errors. I’ve seen them and sometimes it’s difficult to see what you’re doing wrong.

What would you recommend to cybersecurity specialists who are just learning how to write Sigma rules, any tips to master Sigma writing?

I recommend to these people the study of Sysmon on a deep level and always learn how the attackers think and how they move.

Have you tried to use Sigma UI? What do you think, how it could be improved?

Sigma UI is a powerful tool and it’s simply perfect. I used them to see how the raw sigma code looks in ArcSight.

Do you have a lab? How do you test your rules and which log sources do you prefer to work with?

I have a small but effective lab where the rules are tested. I always prefer Sysmon logs

You are a participant of SOC Prime’s Developer Program, what do you think, can the Developer Program help organizations worldwide improve their cybersecurity?

TDM and SOC Prime’s developer program will help a lot, and probably make a great change with the excellent idea of paid money to the developers.

At SOC Prime we have launched the Threat Bounty Program that encourages content-sharing between cybersecurity professionals. Ariel, do you like the idea of rewarding developers for sharing Sigma rules and other threat-detection content?

Yes, 100%. This is one of the points that convinced me to join this program.

What would be your recommendation to young cybersecurity specialists who are just deciding which path to choose?

Before choosing any path, I recommend to the young security enthusiasts to stay always informed and learning. Never is enough in this world.

Ariel, you are the first developer who pushes his rules on Twitter, and that’s great. Would it be interesting for the cybersecurity community to have a ‘feed’ on twitter/telegram, where information about the new rules will be published?

A “share” button with a sigma rule preview would be so interesting for the TDM. A feed would be awesome as well. This probably pushes the rules, and the benefits for the developers and SOC Prime as Well.

Twitter… how you can control who is reading your feed? If you provide some idea, what is needed to be detected, bad guys can read and use this information against somebody else. Sometimes a good approach can be used no in the correct way… What do you think about this?

I’m 100% agree with this. I don’t post on twitter some new ideas until I create some sigma rules or content for my work. This is a good way to prevent a bad utilization of your ideas.

We have one more specific question for you. Analysis of malware is usually reactive actions and some organizations can be hacked already with that malware. Ariel, what do you think about predictive detection? Is it possible? If yes, how you search for new ideas that are needed to be detected?

Predictive detection it’s complicated but no impossible. I said that because of the variety of malware’s behavior “into the wild”. You can accomplish a good prediction matrix if your organization thinks about security in a serious way and if you can use apps for malware analysis like Sandboxes.