Staff Picks for Splunk Security Reading September 2023

Security Audra Streetman

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy.

Tony Iacobelli

How to Launder $600 Million on the Internet by Jeff Guo, Keith Romer, Jess Jiang, James Sneed for NPR

"This episode of the Planet Money Podcast looks at how money from crypto heists is laundered, increasingly by DPRK-backed threat actors to evade financial sanctions. This episode provides a great primer for those unfamiliar with how the end game of cryptocurrency theft actually works."

Drew Church

@drewchurch

“I’m Not Pro-Russia and I’m Not a Terrorist!” — InfraGard and Airbus Hacker “USDoD” Unveils His New Campaigns by Dissent for DataBreaches.net

"I find it fascinating when threat actors choose to openly talk with people about their targets and motivations. The screenshots shown in the article bring to the front the implicit trust that organizations place on email access as an authentication factor. Compromise a well-placed organization and immensely expand access to other 'webs of trust'."

Ronald Beiboer

LinkedIn

International Criminal Court says hackers accessed its systems by Carly Page for TechCrunch

"The International Criminal Court (ICC) is an important target and interesting for state actors with political motivations. Too bad we may never find out what happened due to the nature of these kinds of institutions."

Tamara Chacon

LinkedIn

Hackers backdoor telecom providers with new HTTPSnoop malware by Bill Toulas for Bleeping Computer

"HTTPSnoop and PipeSnoop are two new malware variants recently discovered that are used to target telecommunication service providers. A report conducted by Cisco Talos states that they are a part of the same set called ShroudedSnooper. Each has their own purpose, HTTPSnoop is more focused on public facing servers and PipeSnoop works on already compromised networks. This is another example of why enhanced security is needed for critical systems."

William Steinka

A security community success story of mitigating a misconfiguration by Scott Piper for Wiz.io

"When GitHub Actions added support for using IAM roles, instead of long-lived IAM user access keys, security practitioners rejoiced at reducing one of the key (no pun intended) burdens of integrating GitHub Actions with AWS. However, a common misconfiguration led to IAM roles that were allowed to be used from any GitHub repo, not just the repo intended. This was further compounded by a popular tutorial sharing code that contained this misconfiguration, leading to more and more incorrectly configured roles as the community built upon that code. Scott describes the technical aspects of approaching the root issue, as well as some of the social psychology challenges (such as the "bystander effect") that come with tackling problems like this in the open source world more broadly."

Mark Stricker

@maschicago

Caesars ransom attack linked to MGM, tens of millions paid to hackers by Stefanie Schappert for CyberNews

"This month, a huge ransomware attack hit MGM/Caesar’s. If we needed a reminder of the threat landscape we live in, we sure got it! What’s even more remarkable is that this started as a simple social hack - using LinkedIn data and impersonating a user on the Help Desk. Another interesting angle here is that attackers are using the attack to drive up the value of customer data stolen in previous attacks! All of this underscores the need to prevent ransomware by detecting activity before the encryption or exfiltration of data, as recommended by our SURGe team at Splunk."

Doug Lhotka

@douglhotka

On the Cybersecurity Jobs Shortage by Bruce Schneier

"This is something I've been hearing for years: there isn't a shortage of people who want to be in security, there's a shortage of people who have been in security. I remember seeing a job posting for a 'Cloud Security Architect' with five years experience... in 2019! I run into a lot of programs that have tried hiring inexperienced people, and then training them, only to have them leave and take a better job. They then shut down the entry-level openings, and try to hire only experienced people rather than look at the root cause: security jobs have one of the steepest promotion/salary increase curves in technology. If we want to train and retain folks through that steep curve, our HR policies and practices will have to evolve and start treating security as a separate and unique domain within technology."

Audra Streetman

@audrastreetman /@audrastreetman@infosec.exchange

Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management by CISA

"Supply chain risk management is a top concern for many organizations. To address this, CISA recently announced a new Hardware Bill of Materials (HBOM) framework to help vendors and purchasers manage and mitigate risk by providing an inventory of hardware components included in a product. The new framework was developed by the Information and Communication Technology (ICT) Supply Chain Risk Management (SCRM) Task Force and includes HBOM use cases, a repeatable format to identify issues up the supply chain, and a data field taxonomy for hardware components and attributes. This builds upon prior work to build and implement SBOMs (Software Bill of Materials) for software supply chain transparency."
