Interview with Developer: Thomas Patzke

We keep interviewing the developers of our Threat Bounty Program  (https://my.socprime.com/en/tdm-developers) to encourage cybersecurity professionals to develop more Sigma rules, share their threat-detection content and build a stronger community. The previous interview is here https://socprime.com/blog/interview-with-developer-florian-roth/

Meet Thomas Patzke

Thomas is one of the most inspiring experts in the cybersecurity community who has 13+ years of experience in the area of information security, works as a blue teamer and threat hunter at ThyssenKrupp CERT and is Sigma creator together with Florian Roth. Thomas Patzke is not only a contributor to the Sigma project but also experienced developer writing the code for Sigmac and sharing cybersecurity-related tools with the community (https://gist.github.com/thomaspatzke).

Tell us a bit about yourself and about your Threat Hunting experience.

I started to work in information security in 2006 as a consultant with a wide range of projects. Quickly, I’ve shifted to offensive security, concretely application security and occasionally I’ve done log and forensic analysis in incident response projects. Even when these IR jobs were quite small, the tasks were very interesting and my interest in defensive topics has grown over time and got a boost in 2015 when I’ve started to work in a CERT and continuously got in touch with interesting incidents and threat actors. Digging in huge amounts of data to find an attacker fascinated me from the beginning and finally, I’ve completely shifted from offensive security into threat hunting and incident response.

You’re one of Sigma inventors, how much time it took to turn the idea of Sigma into a completed concept? Thomas, why the name “Sigma” has been chosen? Did you expect back then that Sigma will be used by thousands of cybersecurity professionals from all over the world?

Building Sigma was a flowing and very agile process. When Florian contacted me the first time with the idea of a signature format for log events his ideas were already very concrete. We refined this idea together by sending voice messages back and forth and on the next day, Florian already wrote the first Sigma rules (https://github.com/Neo23x0/sigma/commit/87deb349adb22331aae1b923420d382fea278d2c) that don’t differ too much from how Sigma rules are written today. The name “Sigma” was the idea of Florian and as I know Florian, there’s surely a story behind it, but you have to ask him to get it 😉 I liked the name and so we decided on it.

In the following time, we further refined Sigma and discovered a lot of challenges in log signature sharing like different field naming conventions and solved them in the Signature language and conversion tools. After two to three months we had something that we considered as ready to publish, but even after the initial release, new concepts were added and also will be in the future.

I expected that Sigma would be useful for some people because it was built on the pain that Florian and I experienced in the handling incidents and we knew that other people in this area had the same pain. The positive feedback from so many people and adoption by incident response teams from various organizations was far beyond my expectations.

Thomas, what are the main benefits of Sigma as a threat-hunting tool?

The main benefit of Sigma lies in the distribution of one result of doing threat hunting, log signatures for specific events. If it is possible to express it as a Sigma rule, you can distribute it easily in an organization with a heterogeneous detection infrastructure. It is usual in huge organizations to have different SIEM systems because of a historically grown IT infrastructure or because different solutions are used for different purposes. With Sigma you have to write the rule once and you can convert it into a Splunk and ArcSight query for the SIEMs, an Elasticsearch query for the data lake, a Grep or PowerShell one-liner for triaging a suspicious system and for sharing it with the community.

What do you think is the most complicated and time-consuming part of writing new Sigma rules and how much time on average it takes you to write a new Sigma rule?

For me, it takes only a few minutes to write a Sigma rule, which is just a small fraction of the time I usually spend for the research that leads to the log signature. Florian and I put some effort into designing Sigma to being human-friendly and easy to write. I think I’m too biased for identifying complicated parts of Sigma. This is something where we rely on feedback from our users who shouldn’t hesitate to contact us via the GitHub issue or directly if there is something that might be improved.

Sigma is becoming more and more popular worldwide, in your opinion, how Sigma rule is influencing the industry and how do you see the future of Sigma, any specific thoughts about its further development?

I know from some Sigma users that they put Sigma as a requirement in RFPs for security products because they believe in it and we already had contact with various security vendors that want to integrate Sigma support into their products. It would be great to see native Sigma support in security products as YARA and Snort are already integrated into many products. I have developed big parts of the Sigma converter but I am totally fine with it when it gets obsoleted by native Sigma support!

At SOC Prime we have launched the Threat Bounty Program that encourages content-sharing between cybersecurity professionals. Thomas, do you like the idea of rewarding developers for sharing Sigma rules and other threat-detection content?  

Yes! As an offensive security researcher, you can choose for years if you want to be paid for your research or publish it openly and increase your reputation. Threat bounty extends this to defensive research and is a good step to fix the reward imbalance between both areas. I’m a big friend of publishing research results freely and believe people will still do this in the future. Threat bounties could even motivate more people to spend some time in defensive security research and improve the overall situation.

What would you recommend to cybersecurity specialists who are just learning how to write Sigma rules, any tips to master Sigma writing?

Content matters! I think writing Sigma rules is relatively easy and the learning curve is quite steep. An editor with YAML support is sufficient and there are web-based tools like the SOC Prime Sigma UI that support the analyst in writing of Sigma rules. So my advice for learning Sigma is very simple: go ahead, do some cool research or take some existing research (don’t forget about the credits!) and make a Sigma rule out of it. You’ll automatically get fluent with Sigma after a while.