By Ryan Kovar April 16, 2020
 |
new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.
Get more recommendations: check out our monthly staff security picks and our all-time best picks for security books and articles! I hope you enjoy.
|
Stardate 73741.1. Editors log: |
COVID threat intel in Splunk by Ryan Kovar I told all my authors this month that they couldn't talk or focus on COVID. They didn't listen. Then I decided to write my staff pick about COVID. Even worse, I am offering up two blog posts that I wrote that are both about COVID IOCs. Sue me; I'm a narcissist. Anyhoo, I wanted to share these two blogs because they provide easy to digest ways on quickly ingesting IOCs from open-source sites, like GitHub, into both Splunk core and Enterprise Security. Now saying all of that, I've had some fascinating discussion with threat intel analyst friends about the value of these indicators. Microsoft had a great blog post talking about how they have blocked tens of thousands of these domains at a product level, thus preventing them from being seen at organizations. Saying that, since I have published these blog posts several organizations have reached out thanking me for helping them find some baddies. Your value of these IOCs is, as always, dependent upon on your threat model. If you are a hospital, you may care more than when you are a Silicon Valley startup. Despite the debate on the usefulness of the threat data, the method I outline of quickly ingesting and using these indicators is hopefully clear and of value. If nothing else, enjoy the REM easter eggs I put in there for John Stoner's personal enjoyment. |
|
I have given up all |
Automation and Commoditization in the Underground Economy by Insikt Group Welcome to my rookie post for Security Staff picks! I may be Splunk Sales Engineer now, but I'll always be a Security Analyst at heart. So to stay close to my roots as a blue-team defender, I enjoy getting lost in security literature to stay current with the industry. This week I read this 30-min threat report from Recorded Future on how threat actors are using automation to proliferate their malicious efforts. From topics like using checkers and brute-forcers to extend breaches, to accessing dark web marketplaces to purchase phishing services and banking injects, this report covers several ways adversaries are capitalizing on old-school and novel automation methods. I appreciate that while it goes into detail about specific tools and online profiles, it also offers mitigative best practices to combat the increasing sophistication from the bad guys/gals. If you like to nerd out over threat intel (but you're also critical of what's considered valuable threat intel) like myself, you'll appreciate this read. |
|
and I've run out of beer. |
Criminals hack Tupperware website with credit card skimmer by jerome segura Collectively, the security world focusses on scary stuff like APTs, data exfiltration, and lateral movement. Still, some of the simple hacks with low volume data theft can be just as worrisome. This article covering a recent virtual skimming attack shows that the eventual data compromise was very simple; redirect the user to a malicious iframe, steal their credit card data, and then redirect back to the initially intended iframe. This is a reminder that bad guys will take any valuable data they can get, even if it isn't millions of records at a time. |
|
Truely these are trying times. |
When looking for content to share, I generally try to provide items that are NOT 80 pages in length or require a registration form to access it, but this month I will make an exception because the content is interesting and something you don't read every day. Booz Allen Hamilton released a thorough report using open source intelligence that takes a long term view at the APT groups generally referred to as APT28 and Sandworm, and is attributed to Russia's GRU. First, they examine Russia's current military doctrine and then take 23 risks and threats from that and tie them to 33 case studies of cyber activities that are linked to GRU operations. I realize I may have scared a few of you with an 80-page report, but the case studies are the first 40 pages; the rest are appendices and endnotes, which contain an extensive set of links for additional reading. Still not convinced? Fine. Here is the article by Catalin Cimpanu on ZDNet's Zero Day blog about the report and is even more condensed... But trust me, you want to read the complete report! |
|
However blog by blog, |
SANS Launches New Series of Virtual Capture-the-Flag Cyber Challenges by Michelle Peterson Got some time on your hands? SANS comes to the rescue again! They have announced a series of virtual, hands-on capture the flag events, many of which are free to the community. Here at Splunk, CTF events are near and dear to our hearts, and this series comes from the same folks at SANS who inspired us to create Splunk Boss of the SOC. I appreciate how quickly SANS and the team at Counterhack Challenges prepared these challenges and brought them to the community. The term "time flies when you're having fun" is nowhere more applicable than when immersed in a security CTF. Check out these events to learn a little and take your mind off the crisis for a while! |
|
word by word |
I hope it's safe to assume that I am not the only one watching entirely too much television. So much focusing on the tweedy impertinence of BPD detectives, I forgot to be on the lookout for my 3rd favorite IRS notification! No tax season would be complete without the IRS" drafting a warning about potential scams, and this year is no different. Well...maybe a little different. The team at FireEye predicted an uptick in the use of phishing related to economic impact payments (this is what your stimulus check is called) based on activity detected in mid-March. Proofpoint" reported the same less than two weeks later, and the IRS" as well as FBI" have drafted guidance specific to COVID-19 phishing. Tax rebates, economic stimulus payments, reward/loyalty programs, auto insurance discounts – there's no shortage of lures available to unscrupulous bad actors looking to exploit current events. Slim Charles' wisdom holds – Game's the same, just got more fierce. |
|
we shall write |
Derpcon virtual infosec conference by Denver Enterprise Risk Professionals Conference In this new, global WFH climate, security never sleeps. I'm sure you've seen some memes floating around about, shall we say, the business for security professionals? From our sports leagues to concerts and other entertainment events, every major event has been displaced indefinitely. In its place, we are starting to see a wholesale adoption of virtual collaboration through virtual happy hours with friends and family, remote education for our children, and various talk shows hosted from home. For those of us in the security industry, folks in Denver, Colorado, are hosting a virtual security conference end of this month! Still early, the CFP is open, feel free to contribute both as a speaker but also proceeds to help the local COVID-19 response and charities. Wonderfully named, DerpCon aims to deliver the security thirst for knowledge and practicum. I will be looking forward to sessions and workshops geared towards cloud security and improving threat modeling assessments. The conference will be hosted virtually at the end of the month (April). Learn new security Jitsu moves and techniques, donate to help a great cause! |
|
Together, we shall persevere |
When data breaches mean life or death by Pierluigi Paganini We read about data breaches regularly, and while many of them can impact our economic lives, not many mean life or death, at least in the US. When 42 Million Iranians have their Telegram information leaked, it means that they could become targets of the Iranian Government. The data appears to have come from a third-party fork of the open-source application, but that probably doesn't make any of the users feel better, wondering if their private messages and accounts were targeted, and if they are now at risk of losing more than just their Marriott points. |
|
So stay strong |
It is the season of Threat Reports. Last month, I wrote about Mandiant's report, and it was truly excellent. Red Canary has also produced an excellent report, but looking at the top MITRE ATT&CK techniques used to infiltrate into their customers. Additionally, they've broken down the top techniques used to infiltrate by industry. Helpfully, they've also written how to detect each of the techniques, and while many of the detections are well known, there are several excellent detections this author hasn't seen before. |
