Staff Picks for Splunk Security Reading February 2022

Security Audra Streetman

Hello everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of news articles, research, white papers, and customer case studies that we feel are worth a read. Check out our monthly staff security picks and our all-time best picks for security books and articles. We hope you enjoy!

Scott Roberts

Twitter: @sroberts
What are Weak Links in the npm Supply Chain? by Nusrat Zahan, Laurie Williams, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, and Chandra Maddila.

"I originally saw this in The Record article Thousands of npm accounts use email addresses with expired domains by Catalin Cimpanu, but the ramifications of this paper overall, including expired email domains, are pretty startling. Modern software supply chains are hard under the best of circumstances, and these issues of orphaned packages can have dire downstream ramifications (this is not just JavaScript, but equally important in every other programming language that can dynamically pull in libraries at build or run time)."

Haylee Mills

Twitter: @7thdrxn
Ransomware as a Service Innovation Curve by Coveware

"Coveware regularly deals with ransomware groups and is well equipped to provide insight on the evolution of RaaS Tactics, Techniques, and Procedures (TTPs). This is more of a recap (and doesn't cover how some groups hire folks with red team skills to secure big scores), but it was a helpful refresher for me, since so much has been happening in the past few years."

Johan Bjerke

BeyondCorp is dead, long live BeyondCorp by Maya Kaczorowski

"Excellent post going through Zero Trust and how it is being applied at Google and how it is pretty much impossible to deploy a fully Zero Trust architecture outside of the lab. Anybody claiming otherwise is wrong."

Mick Baccio

Twitter: @nohackme
In 2022 what are the actual risks to clicking on links? by Dylan Ayrey

"QR codes, amirite? That scan/autoclick kerfuffle spurred a conversation about the dangers posed by hyperlinks in 2022. When Bob Lord asked this question of the twittervoid, Dylan Ayrey posted a fantastic video response. The whiteboard is a perfect touch. One of the risks he covers is Cross-Origin Resource Sharing (CORS), something most orgs likely haven't considered in their threat models, and his detailed explanation here is succinct and digestible. Please watch part 2; imo, most security incidents begin with this vector. Be sure to check out the talk with Christian Frichot from BSidesSF that covers this topic and much more."

Damien Weiss

Twitter: @damienweiss
Exploiting Jenkins build authorization by Asaf Greenholts

"Asaf has written two articles that are top of mind for anyone responsible for a CI/CD pipeline. I chose the Exploiting/Securing Jenkins article because it's near to my experience. I've been to many development shops where Jenkins was put into place with the default configuration, leading to potential hijinks. Thankfully, Asaf has written about a couple of ways to secure Jenkins. Also luckily, there's a product out there that will monitor your build platform for you."

Audra Streetman

Twitter: @audrastreetman
The Elite Hackers of the FSB by Hakan Tanriverdi at BR and Florian Flade & Lea Frey at WDR

"Reporters with the German public broadcasters BR and WDR released their findings from an OSINT-based investigation into the APT group known as Snake, Turla, or Uroburos. Since at least 2004, security researchers say Snake has targeted government networks for cyberespionage using clever attack vectors and delivery methods such as satellite internet. The reporters pieced together clues to uncover the likely malware authors, using online forum usernames, social media accounts, and personal websites. The information pointed to two men who once worked for a company that, at the time, belonged to the Russian secret service FSB. I highly recommend reading through the full investigation, which is displayed online in an interactive format."
