SECURITY

Staff Picks for Splunk Security Reading April 2021

Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series! I hope you enjoy.

Ryan Kovar

@meansec

 

DNS Critical Infastructure by Dan Kaminsky

Recently the information security community and the world lost a great human being. Billions of people have benefited from Dan Kaminsky's research, and many of the "infosec" or "hacker" community have directly benefited from his gregarious personality and generous nature. #infosec Twitter is overflowing with heartwarming stories and anecdotes, but I thought we might honor him by sharing his work that rocketed him to international acclaim. His research in DNS cache poisoning changed the world, but I have found that very few have read the presentation he gave in 2008 at Black Hat. For those of you who are not DNS experts, check out this great illustrated explanation from unixwiz.net. Fairwinds and following seas, Dan, we've got the watch.

Dave Herrald

@dherrald

 

2021 Threat Detection Report by Red Canary

After a brief hiatus, I continue the tradition of calling out the fine work produced by our friends at Red Canary. This time it's their 2021 Threat Detection Report. In detection, access to telemetry is everything, but it is hard to come by. So when telemetry-rich organizations like Red Canary give insight into what they are seeing, we blue teamers are wise to take note. The team at Red Canary are leaders in the MITRE ATT&CK(r) community. They have formatted the report to take full advantage of the framework, including exemplary use of ATT&CK(r) sub-techniques. It would be easy to make a report like this resemble a laundry list, but it's far from it. At every turn, the report shares valuable context such as the "Emerging Tradecraft" sections and practical advice on reducing false positives and seeing through common obfuscation techniques. The report reads as easily as a security conference hallway conversation happens. Needless to say, this one is an end-to-end must-read for anyone working in threat detection!

John Stoner

@stonerpsu

 

We're From the Government, We're Here to Help: The FBI and the Microsoft Exchange Hack by April Falcon Doss

I have no doubt that readers of this series are aware of the Microsoft Exchange vulnerabilities, HAFNIUM and even the announcement of the FBI taking down the webshells that were placed during the attack. But I wanted to highlight this article by April Falcon Doss from the Just Security site and the legal implications of what the FBI did. April does a fantastic job explaining how this is analogous to a criminal search and seizure warrant. She draws a line to a physical metaphor of an armed bomb which helps connect this to something tangible. She also discusses how guidance has changed to provide courts the flexibility to handle issues like this in cybercrimes. Finally, she wraps up with a series of thoughts and ideas as to considerations to have in place when deciding if this is the proper course of action in the future, how the private sector has been looking for more active assistance in these situations as well as the ever present challenge between privacy versus the public good. As always there is more to cyber than just the technical bits, and this article is a great example of that!

Matt Toth

@willhackforfood

 

Hacking hacking software...I mean forensic software by Dan Goodin

With the plethora of hacks and attacks that have been going on over the last few weeks it took a really interesting hack to make this month's pick. Cellebrite has helped governments and other organizations exploit mobile devices for years. Seeing a bag of Cellebrite equipment "fall off the back of a truck", creator of the Signal messaging app Marlinspike, found multiple vulnerabilities in their software. The story is a must read, and a lesson that securing your security tools is very important. Security through obscurity is a myth.

Damien Weiss

@damienweiss

 

Attacking Xerox multi function printers by Raphael Rigo

Do you hate printers? Do you hate those multi-function devices with a computer slapped onto the side of it as much as I do? I don't think you do, because they cause me to go red with rage. Here's a device that sees nearly every piece of paper in the office either through the scanner, copier, or printer. What does that computer slapped on the side even do? Is it keeping copies of my scans/prints? If so, can an adversary easily crack one of these things? And if they can, how can I stop them? Well, Raphael Rigo answers these questions for a presentation on the Xerox multi-functions that we've seen in all our offices. Our link is to the slides, but if you'd like the video of him going over the slides, it's here.

Ryan Kovar
Posted by

Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.

Join the Discussion