Staff Picks for Splunk Security Reading April 2020

New month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.

Get more recommendations: check out our monthly staff security picks and our all-time best picks for security books and articles! I hope you enjoy.

Ryan Kovar


Stardate 73741.1. Editor's log:

COVID threat intel in Splunk by Ryan Kovar

I told all my authors this month that they couldn't talk or focus on COVID. They didn't listen. Then I decided to write my staff pick about COVID. Even worse, I am offering up two blog posts that I wrote that are both about COVID IOCs. Sue me; I'm a narcissist. Anyhoo, I wanted to share these two blogs because they provide easy-to-digest ways of quickly ingesting IOCs from open-source sites, like GitHub, into both Splunk core and Enterprise Security. Now, saying all of that, I've had some fascinating discussions with threat intel analyst friends about the value of these indicators. Microsoft had a great blog post talking about how they have blocked tens of thousands of these domains at a product level, thus preventing them from being seen at organizations. That said, since I published these blog posts several organizations have reached out thanking me for helping them find some baddies. Your value of these IOCs is, as always, dependent upon your threat model. If you are a hospital, you may care more than if you are a Silicon Valley startup. Despite the debate on the usefulness of the threat data, the method I outline of quickly ingesting and using these indicators is hopefully clear and of value. If nothing else, enjoy the REM easter eggs I put in there for John Stoner's personal enjoyment.
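The workflow this pick refers to, pulling a loosely formatted open-source indicator list into a CSV lookup and matching it against log events, is illustrated below in an added example that is not code from the original post or from the linked Splunk blogs. The feed, the log lines, the field names (`query`, `dest_ip`, `url`) and the lookup column layout are all constructed for this example; a real Enterprise Security threat intel feed has its own expected columns, which are not shown here.

```python
"""Ingest a text IOC feed into a Splunk-style CSV lookup and match it against logs.

Added example, not from the original post. The feed, log lines and field names
are constructed placeholders (reserved .test/.invalid TLDs and RFC 5737 addresses).
"""
import csv
import io
import ipaddress
import re
from urllib.parse import urlparse

# Constructed feed in the loose format many GitHub IOC lists use:
# one indicator per line, '#' comments, defanged URLs and domains, duplicates.
RAW_FEED = """
# constructed sample feed - not real indicators
hxxp://covid-relief-update[.]test/login.php
Covid19-Map[.]test
203.0.113.45
203.0.113.45
https://stimulus-check[.]invalid/claim
"""

# Constructed key=value events (DNS and firewall style) to match the lookup against.
LOG_LINES = [
    'src_ip=10.0.0.5 query=covid19-map.test action=allowed',
    'src_ip=10.0.0.8 query=intranet.corp.example action=allowed',
    'src_ip=10.0.0.9 dest_ip=203.0.113.45 dest_port=443 action=allowed',
]

# Assumed mapping of indicator type -> log fields that carry that kind of value.
FIELD_MAP = {
    "domain": ("query", "dest_host", "url_domain"),
    "ip": ("dest_ip", "dest"),
    "url": ("url",),
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def refang(value: str) -> str:
    """Undo common defanging so the indicator matches what real logs contain."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def parse_feed(text: str) -> list:
    """Return unique {indicator, type} rows; a URL also yields its host as a domain row."""
    rows = {}  # keyed by (indicator, type) to dedupe while keeping feed order
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value = refang(line)
        try:
            ipaddress.ip_address(value)
            rows[(value, "ip")] = True
            continue
        except ValueError:
            pass
        if "://" in value:
            rows[(value, "url")] = True
            host = urlparse(value).hostname
            if host:
                rows[(host.lower(), "domain")] = True
        else:
            rows[(value.lower(), "domain")] = True
    return [{"indicator": ind, "type": typ} for ind, typ in rows]


def write_lookup(rows: list, source: str = "constructed-feed") -> str:
    """Serialize rows as CSV lookup text with header indicator,type,source."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["indicator", "type", "source"], lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({**row, "source": source})
    return buf.getvalue()


def parse_kv(line: str) -> dict:
    """Split a key=value event into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_logs(log_lines: list, rows: list) -> list:
    """Return one hit per (event, field) whose value equals an indicator of the right type."""
    by_type = {}
    for row in rows:
        by_type.setdefault(row["type"], set()).add(row["indicator"])
    hits = []
    for i, line in enumerate(log_lines):
        fields = parse_kv(line)
        for typ, names in FIELD_MAP.items():
            for name in names:
                value = fields.get(name)
                if value is None:
                    continue
                candidate = value if typ == "url" else value.lower()
                if candidate in by_type.get(typ, ()):
                    hits.append({"line": i, "field": name, "indicator": candidate, "type": typ})
    return hits


if __name__ == "__main__":
    rows = parse_feed(RAW_FEED)
    print(write_lookup(rows))
    for hit in match_logs(LOG_LINES, rows):
        print(f"hit: line {hit['line']} {hit['field']}={hit['indicator']} ({hit['type']})")
```

The two things worth noticing are that URL indicators are split so their hostnames also match DNS queries, and that refanging happens before deduplication, so the same indicator written two ways collapses into one lookup row.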

Julia Cuaderes

I have given up all
hope of a Hacker's Summercamp

Automation and Commoditization in the Underground Economy by Insikt Group

Welcome to my rookie post for Security Staff Picks! I may be a Splunk Sales Engineer now, but I'll always be a Security Analyst at heart. So to stay close to my roots as a blue-team defender, I enjoy getting lost in security literature to stay current with the industry. This week I read this 30-min threat report from Recorded Future on how threat actors are using automation to proliferate their malicious efforts. From topics like using checkers and brute-forcers to extend breaches, to accessing dark web marketplaces to purchase phishing services and banking injects, this report covers several ways adversaries are capitalizing on old-school and novel automation methods. I appreciate that while it goes into detail about specific tools and online profiles, it also offers mitigative best practices to combat the increasing sophistication from the bad guys/gals. If you like to nerd out over threat intel (but you're also critical of what's considered valuable threat intel) like myself, you'll appreciate this read.

Andrew Morris

and I've run out of beer.

Criminals hack Tupperware website with credit card skimmer by Jérôme Segura

Collectively, the security world focuses on scary stuff like APTs, data exfiltration, and lateral movement. Still, some of the simple hacks with low-volume data theft can be just as worrisome. This article covering a recent virtual skimming attack shows that the eventual data compromise was very simple: redirect the user to a malicious iframe, steal their credit card data, and then redirect back to the initially intended iframe. This is a reminder that bad guys will take any valuable data they can get, even if it isn't millions of records at a time.
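The attack described above hinges on an iframe the checkout page was never meant to load. The added example below (not code from the article or from Malwarebytes) shows the corresponding defensive check: scan a checkout page's markup for iframe and script sources whose origin is outside an allowlist, and derive the `frame-src` Content-Security-Policy directive that would have blocked the unexpected frame. The page HTML, the shop and payment-provider origins and the injected hostname are all constructed placeholders.

```python
"""Flag iframes/scripts on a checkout page that load from unexpected origins.

Added example, not from the original post. All origins and markup are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: one legitimate hosted payment form, one injected frame.
CHECKOUT_HTML = """
<html><body>
<script src="/static/checkout.js"></script>
<iframe src="https://pay.example/hosted-form?order=123"></iframe>
<iframe src="//checkout-helper.test/form.html" style="display:none"></iframe>
</body></html>
"""

PAGE_ORIGIN = "https://shop.example"          # constructed shop origin
ALLOWED_ORIGINS = ["https://pay.example"]     # constructed payment-provider origin


class EmbedCollector(HTMLParser):
    """Collect (tag, src) for every iframe and script that loads an external resource."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.embeds.append((tag, src))


def origin_of(src: str, page_origin: str) -> str:
    """Return scheme://host for a src; relative and scheme-relative sources inherit from the page."""
    parsed = urlparse(src)
    if not parsed.netloc:
        return page_origin
    scheme = parsed.scheme or page_origin.split("://", 1)[0]
    return f"{scheme}://{parsed.netloc.lower()}"


def find_unexpected_embeds(html: str, page_origin: str, allowed_origins: list) -> list:
    """Return (tag, src) pairs whose origin is neither the page itself nor an allowed origin."""
    collector = EmbedCollector()
    collector.feed(html)
    allowed = {page_origin} | set(allowed_origins)
    return [(tag, src) for tag, src in collector.embeds
            if origin_of(src, page_origin) not in allowed]


def frame_src_policy(page_origin: str, allowed_origins: list) -> str:
    """Build the CSP frame-src directive that permits only the page and allowed origins."""
    extra = sorted(set(allowed_origins) - {page_origin})
    return "frame-src " + " ".join(["'self'"] + extra)


if __name__ == "__main__":
    for tag, src in find_unexpected_embeds(CHECKOUT_HTML, PAGE_ORIGIN, ALLOWED_ORIGINS):
        print(f"unexpected <{tag}> from {origin_of(src, PAGE_ORIGIN)}: {src}")
    print("Content-Security-Policy:", frame_src_policy(PAGE_ORIGIN, ALLOWED_ORIGINS))
```

A static scan like this catches what is in the served markup; a frame injected at runtime by compromised JavaScript is only caught by the CSP the last function produces, which the browser enforces regardless of how the frame was created.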

John Stoner


Truly these are trying times.

Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations by Booz Allen Hamilton

When looking for content to share, I generally try to provide items that are NOT 80 pages in length or require a registration form to access, but this month I will make an exception because the content is interesting and something you don't read every day. Booz Allen Hamilton released a thorough report using open source intelligence that takes a long-term view of the APT groups generally referred to as APT28 and Sandworm, which are attributed to Russia's GRU. First, they examine Russia's current military doctrine and then take 23 risks and threats from that and tie them to 33 case studies of cyber activities that are linked to GRU operations. I realize I may have scared a few of you with an 80-page report, but the case studies are the first 40 pages; the rest are appendices and endnotes, which contain an extensive set of links for additional reading. Still not convinced? Fine. Here is the article by Catalin Cimpanu on ZDNet's Zero Day blog about the report, which is even more condensed... But trust me, you want to read the complete report!

Dave Herrald


However blog by blog,

SANS Launches New Series of Virtual Capture-the-Flag Cyber Challenges by Michelle Peterson

Got some time on your hands? SANS comes to the rescue again! They have announced a series of virtual, hands-on capture-the-flag events, many of which are free to the community. Here at Splunk, CTF events are near and dear to our hearts, and this series comes from the same folks at SANS who inspired us to create Splunk Boss of the SOC. I appreciate how quickly SANS and the team at Counter Hack Challenges prepared these challenges and brought them to the community. The term "time flies when you're having fun" is nowhere more applicable than when immersed in a security CTF. Check out these events to learn a little and take your mind off the crisis for a while!

Mick Baccio


word by word

Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks by FireEye Mandiant Threat Intelligence

I hope it's safe to assume that I am not the only one watching entirely too much television. Focusing so much on the tweedy impertinence of BPD detectives, I forgot to be on the lookout for my 3rd favorite IRS notification! No tax season would be complete without the IRS drafting a warning about potential scams, and this year is no different. Well...maybe a little different. The team at FireEye predicted an uptick in the use of phishing related to economic impact payments (this is what your stimulus check is called) based on activity detected in mid-March. Proofpoint reported the same less than two weeks later, and the IRS as well as the FBI have drafted guidance specific to COVID-19 phishing. Tax rebates, economic stimulus payments, reward/loyalty programs, auto insurance discounts – there's no shortage of lures available to unscrupulous bad actors looking to exploit current events. Slim Charles' wisdom holds – Game's the same, just got more fierce.

Henry Canivel


we shall write
and you will read.

Derpcon virtual infosec conference by Denver Enterprise Risk Professionals Conference

In this new, global WFH climate, security never sleeps. I'm sure you've seen some memes floating around about, shall we say, the business for security professionals? From our sports leagues to concerts and other entertainment events, every major event has been displaced indefinitely. In its place, we are starting to see a wholesale adoption of virtual collaboration through virtual happy hours with friends and family, remote education for our children, and various talk shows hosted from home. For those of us in the security industry, folks in Denver, Colorado, are hosting a virtual security conference at the end of this month!

It's still early and the CFP is open, so feel free to contribute as a speaker; proceeds also help the local COVID-19 response and charities. Wonderfully named, DerpCon aims to deliver the security thirst for knowledge and practicum. I will be looking forward to sessions and workshops geared towards cloud security and improving threat modeling assessments.

The conference will be hosted virtually at the end of the month (April). Learn new security Jitsu moves and techniques, and donate to help a great cause!

Matt Toth


Together, we shall persevere

When data breaches mean life or death by Pierluigi Paganini

We read about data breaches regularly, and while many of them can impact our economic lives, not many mean life or death, at least in the US. When 42 million Iranians have their Telegram information leaked, it means that they could become targets of the Iranian Government. The data appears to have come from a third-party fork of the open-source application, but that probably doesn't make any of the users feel better, wondering if their private messages and accounts were targeted, and if they are now at risk of losing more than just their Marriott points.

Damien Weiss


So stay strong
and we will see you next month.

The Red Canary 2020 Threat Detection Report by Keith McCammon, Brian Donohue, Jeff Felling, Tony Lambert

It is the season of Threat Reports. Last month, I wrote about Mandiant's report, and it was truly excellent. Red Canary has also produced an excellent report, but looking at the top MITRE ATT&CK techniques used to infiltrate their customers. Additionally, they've broken down the top techniques used to infiltrate by industry. Helpfully, they've also written how to detect each of the techniques, and while many of the detections are well known, there are several excellent detections this author hasn't seen before.

Posted by Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.
