Staff Picks for Splunk Security Reading March 2022

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our monthly staff security picks and our best picks for security books and articles. We hope you enjoy.

Haylee Mills

@7thdrxn

How China built a one-of-a-kind cyber-espionage behemoth to last by Patrick Howell O'Neill

"I find this absolutely fascinating. China has taken a unique approach to the development of their nation's cyber capabilities, and although some methods might put a bad taste in the mouth of your average DEFCON attendee, they are undeniably effective. We have security professionals dive into all sorts of interesting pathways they'll share at conferences or in a whitepaper, but steering our cyberindustry behemoth toward dealing with problems spotted years earlier can be futile. That concentrated, dedicated effort into research and operationalization while being covert about methods means the global security community will only be stumbling upon that tradecraft in the wild. Regardless, it will be interesting to see what these differing approaches deliver in the coming years!"

Scott Roberts

@sroberts

Exposing initial access broker with ties to Conti by Vlad Stolyarov and Benoit Sevens at Google Threat Analysis Group (TAG)

"A great breakdown of not just the current tactics, techniques, and procedures of an Initial Access Broker, but what I really like is the way Google's Threat Analysis Group broke down the evolution of of EXOTIC LILY. This is a great example of using 3rd party intelligence to enhance your own understanding, find links, build upon them, and provide a better understanding to the community."

Drew Church

@drewchurch

The secret US mission to bolster Ukraine’s cyber defenses ahead of Russia’s invasion by Mehul Srivastava, Madhumita Murgia, and Hannah Murphy with Financial Times

"According to this article from Ars, there were cyber mission teams deployed overseas by U.S. Cyber Command in the fall of 2021 in preparation for the conflict we're now watching unfold. While we will likely never understand the full scope of what was uncovered and defended by these teams, it's an interesting glimpse into nation-state level defensive cyberspace operations that we don't normally see."

Audra Streetman

@audrastreetman

An Empirically Comparative Analysis of Ransomware Binaries by Shannon Davis

"Splunk SURGe released new research about ransomware encryption speeds to help blue teams inform their defenses. Shannon Davis tested how fast 100 ransomware binaries each encrypted nearly 100,000 files using a modified version of Splunk’s open-source Attack Range. The results? LockBit had the fastest binary (~4 min) and Babuk had the slowest (~3.5 hrs). The average median encryption time across 10 ransomware families was about 43 min. This timeframe is likely beyond the capabilities of most organizations to respond effectively once encryption is underway. To learn more about our lab and methodology, check out Shannon's blog post or download the full whitepaper."