Interview with Developer: Florian Roth

We keep writing a series of interviews with participants of the Developer Program (https://my.socprime.com/en/tdm-developers). The previous interview is here: https://socprime.com/blog/interview-with-developer-lee-archinal/

Meet Florian Roth. 

Florian Roth is CTO of Nextron Systems GmbH. He is the creator of APT Scanner THOR – Scanner for Attacker Activity and Hack Tools and the developer of the Nextron’s most comprehensive handcrafted Yara rule feed service – Valhalla.
He created the Sigma project together with Thomas Patzke. Florian is also the author of numerous open-source Github projects including yarGen, LOKI IOC Scanner, yarAnalyzer, FENRIR (Bash IOC Scanner) and several OSINT projects such as APT Group Mapping (Google Docs), YARA Exchange member.

Florian, could you please tell us a bit about yourself and your experience in the cybersecurity area?

I started my career as an offensive researcher at Siemens in Frankfurt in 2003. During that time I did a lot of pentesting, tuned IDS/IPS systems and built security monitoring solutions for customers in the Frankfurt area (banks and other big companies). In 2012 I experienced my first incident that didn’t involve a virus outbreak but human action in the form of a persistent security incident at a large German corporation. From then on I worked for other customers with similar issues and started to develop tools, guidelines and detection mechanisms to detect this kind of threat.

You are one of Sigma inventors. Can you tell how was it? How did you get the idea to do smth like Sigma?

The idea was born while I was working on a set of use cases for a customer’s threat detection manual. The customer gave me a set of PDF documents by different vendors and asked me to extract and write search queries to detect these threats in his new SIEM system. It seemed to be a “waste of leverage”, to extract and write a set of SIEM specific search queries that a single customer can use. I always imagined a print out of my work in a filing cabinet and thought:
“What a waste. There must be a better – more generic – form to express these detection ideas. There must be many other consultants like me on this planet working on the same documents and the same search queries for different SIEM systems. If one of us would be able to express and share its method with the others, which would be able to convert the generic form in a specific form for their target system, we would all profit.”

What do you think, how convenient sigma is as a tool for writing detection rules?

We decided to integrate features into the standard that have broad support among many different SIEM or log management platforms. We’ve excluded SIEM specific features that are only supported by one or two platforms. This way, we keep the standard clean and simple to write and read. Imagine that even the newly integrated “regex” modifier isn’t supported by all backends yet. Therefore, I think that is as convenient as it could possibly be to write rules but some complex detection ideas cannot be expressed.

Florian, do you recommend Sigma as a threat hunting tool?

Yes. As we encourage people to write Sigma rules to detect generic malicious behavior, it can help you to detect threats that your Antivirus or other solutions miss. The public repository contains numerous detection ideas that are several years old but detect the newest Emotet campaigns and don’t produce any false positives. These are the rules that make us proud and have the most value for new users. Imagine that most of the Sigma rules are free and open. It’s the detection know-how that vendors sell at an incredibly high price. With Sigma, you can supercharge your existing log management solution and apply detection methods provided by the community at no extra costs. Even better, with a budget, you can easily extend these rules with commercial offers like the rules provided in SOC Prime’s TDM.

It is no secret that the popularity of sigma is not only that it is convenient as a tool, but also that the community actively shares its content with everyone. Sharing is free, but do you like the idea that writing complex and demanding content can not only make the world safer but also make money.

Yes. I think that both ways to share detection ideas should coexist. It’s the natural way how markets evolve – they diversify and grow.

How do you make a decision about what rule to create?

I often create rules for the community. Only in cases in which I think that a method is highly specific, spent a lot of effort in creating the rule or the method targets only corporate customers (e.g. APT related behavior) I decide to create a rule as paid content.

How do you choose which rules would be for the community using? What are the main criteria of these rules?

I like to provide rules for current threats that are hot topics on Twitter. E.g. if someone reports a new threat and provides a sample (exploit coder or malware) I fire up my analysis VM, which has Sysmon installed, run the samples, check the local logs, write a rule and push it to the public repo. This takes me between 10 and 30 minutes. Imagine that users that retrieve and apply the public repo automatically can get a method to detect that threat in their SIEM in less than an hour from its public appearance on Twitter. In the past, this was nearly impossible or took much more resources to monitor public channels, analyze a threat and write your own search queries.

How long does it take you to create a new rule?

A few minutes. I usually take an old one that is similar to the one that I would like to write and take it as a template. We have more than 300 rules for many different log sources to choose from.

What is missed in Sigma UI for you to start using it?

Nothing. I just prefer a text editor with YAML syntax support as I don’t need the assistance of Sigma UI to write valid rules.

Florian, as a content writer, you probably have a lab. The question is how do you test your rules and which logsource do you prefer to work with.

I have different VMs. The Windows machines have Sysmon installed, the Linux machines have a configured auditd. To be honest, I often don’t forward my logs to our internal log management system but verify the rules locally with our scanner, which is able to apply Sigma rules on an endpoint.

And what do you think, can the Developer program help organizations worldwide improve their cybersecurity?

Yes, because it creates the necessary incentives for security researchers and we all get more content, free, open and commercial.
Especially, the researcher in the offensive sector could fill their time between engagement creating great rules that lead to a steady income. Those new rule authors, that haven’t been in the market before, add content to market places like TDM and more content, even if it costs a fee, is always better. Often they have to provide proof of the quality of their rules before people start buying some of their content. They’ll add free rules to their research articles and public posts. Everyone wins.
Companies can tap into curated rule feeds or use open-source rule sets in many different repositories. They can pay someone else for the duration or instruct their own employees to collect and maintain a steady stream of new threat detection rules. An every growing variety of sources, free and commercial, provide just the right solution for every organization and enables them to improve their cybersecurity.