Staff Picks for Splunk Security Reading August 2020

Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. 

Check out our monthly staff security picks and our all-time best picks for security books and articles. We hope you enjoy.

Ryan Kovar


.conf20 appraoches and BOTSV is a GO!


I know we promised not to promote any more MITRE ATT&CK content, but this isn't MITRE ATT&CK. This is... MITRE Shield. Which can be AUGMENTED by ATT&CK. See! Completely different :-). I have always been interested in the idea of active defense and adversary engagement but found it a little daunting. MITRE has been doing it for years and has now published a project to help organizations figure out how to do it themselves. And best yet for the ATT&CK junkies out there, it is going to be mapped to ATT&CK. Now we can design active and passive defenses and play bingo on our matrix! Woohoo!

Andrew Morris

Should I start seeding clues into blogs?

Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims by Brian Krebs

We know that basic identity theft is at the root of most online fraud. But it gets worse for the public and easier for the criminal when the criminals have a login to a "legitimate" data broker. The scary part is that there are data brokers that many of us have no idea exist. Once again, Krebs on Security has a great write up and makes me wish for a universal version of GDPR. But, until we know who has our data, we can't really ask them to delete it.

Derek King


I think I will, starting with my next blog

Time for Volatility v3? by JPCert, Andrew Case

This month I've had a chance to nerd out a bit and wanted to raise the latest version of volatility memory analysis (v3) that has been in BETA since October 19th, but scheduled for release this month. The team has written every line of code from scratch for v3 to meet the challenges of changing memory structures, size, and complexity. V2 (the current version) was developed in the mid-2000s, and a LOT has changed since then. The new framework makes it easier for developers and easier for users. From a user perspective, I'm excited about the removal of profile. V3 will automatically use the right symbol table, apparently! -(Woah!)- I don't know how that kind of voodoo is done, but I like it! For developers JPCert has done a write up on some of the changes, and how to convert v2 to v3 plugins. If you are involved in Incident Response, this is the read for you! And remember, Phantom implements many volatility actions in the volatility app. The community relies so much on this open-source project, so making it easier for users and developers is an amazing contribution and comforting to see the ongoing commitment for years to come. There is nowhere else for the adversary to hide!

Drew Church


So for those of you who read the comments

The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer by Allison Husain

Allison discovered a major (not yet fixed) vulnerability in Gmail/G Suite architecture relating to SPF/DMARC. The vulnerability itself is interesting, but what I particularly appreciated about the blog is two fold (1) a very well written and approachable post on SPF/DMARC and (2) the commitment to responsible disclosure.

Damien Weiss


Start paying attention

DEFCON 2020 Live Notes by Charlie Belmer

DEFCON 28 has come and gone, and the sessions were all virtual. Despite the fact that were no lines and squeezing down skinny halls in the Paris hotel, I still didn't see all the sessions I wanted to. I imagine you had the same problem too. Thankfully, Charlie Belmer has you covered with a livestream notes and links to the videos from many of the presentations. The DNSSEC, Domain Fronting, and Hackium Browser presentations particularly spoke to me.

Matt Toth


Cause I'm totally gonna be dropping things.

Batten down the OT hatches, warns NSA and CISA by Maggie Miller

When the NSA and CISA come out together warning that OT (Operation Technology, think water, electricity, gas infrastructure) Assets are being targeted by adversaries, it is probably something you should pay attention to. The Agencies have seen evidence of spearphishing and attempted ransomware against these critical systems. With a sharp increase in remote work due to the ongoing pandemic, adversaries are taking advantage and every organization, but especially those that maintain critical infrastructure, need to be vigilant in protecting their assets. Monitoring for anomalous activity can help catch adversaries in your environment before they turn off the lights.

John Stoner


Maybe... even Stego

Death from Above: Lateral Movement from Azure to On-Prem AD by Andrew Robbins

In the sporting world, folks complain that August is a desert. In security, this is decidedly not the case and this August, despite the wildness that 2020 has brought us is no exception. There was so much goodness to choose from but the blog that I wanted to highlight this month is from Andrew Robbins of SpecterOps. There has been a lot of research done around hybrid Azure/Active Directory environments and rightfully so, and he references a lot of that past work in his post, but that research has been focused on moving from on-premise instances to Azure or escalating the Azure tenant itself. In this post, he discusses the work they have conducted to identify a method to move from Azure to an on-premise Active Directory! The issue is around the concept of a hybrid-joined system and how these systems are handled. The article does also cite mitigation strategies and walks through how you could make this occur so you can determine if you have any systems that could be impacted in this manner. As much as there is a big push to the cloud, and when it comes to Active Directory, moving that effort to Azure seems like a no-brainer, there will continue to be large numbers of on-premise domains and systems and understanding this attack vector is possible is crucial for blue teamers. I would strongly advise taking 10 minutes or so to read this, particularly if you are using Azure or contemplating a hybrid environment.

Ryan Kovar
Posted by

Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.

Show All Tags
Show Less Tags