Staff Picks for Splunk Security Reading August 2021

Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek here! I hope you enjoy.

Ryan Kovar

@meansec

How ransomware happens and how to stop it by NZ Cert

I literally can't count how many times I have referred to this document in Slack, Twitter, LinkedIn, and in person. I love how the NZ Cert broke down the entire lifecycle of ransomware in actionable areas and explained what you need to help. I recently spoke with Lisa Vaas from threatpost.com about ransomware and how usually, when people talk to me about it, it's like asking to put Humpty Dumpty back together again. You can't try and stop ransomware after it executes. It's just too fast. This whitepaper clearly shows how much value there is to thinking left of "boom" or the actual installation and execution of malware... er ransomware... err the same thing. The point is, spend time working on your defenses BEFORE you are encrypted (or compromised), and you will be able to defend much more effectively.

Damien Weiss

@damienweiss

SolarWinds and the Holiday Bear Campaign by Bobby Chesney

Too much ink has been spilled on SolarWinds, and I've become exhausted by the latest hot take on the attack. That being said, have you struggled to get your CFO or manager to understand what happened with the SolarWinds attack and why it matters? Well, have I got the article for you. Here is a fantastic, high-level overview that stays technically accurate rather than glossing over the details to make itself more accessible.

John Stoner

@stonerpsu

Cobalt Strike, a Defender's Guide by The DFIR Report

Cobalt Strike was created to be a tool for security teams to test their defenses, but it has also become a favorite of entities with more nefarious purposes. Numerous adversary groups, some related to nation states, others related to financial crime, have been observed using Cobalt Strike as part of their operations. The reason I mention all of this is that if you have not seen Cobalt Strike, you may have been very fortunate or you may benefit from my pick for this month! TheDFIRReport and Kostas published an in-depth primer that provides an overview on Cobalt Strike's capabilities, available documentation and videos (there are a bunch btw), as well as examples, explanations and links to the highly customizable feature that is the malleable C2 profile feature. At this point, we have barely scratched the surface of the guide and now start looking at Cobalt Strike and the logging it creates. Many of the examples covered leverage Microsoft Sysmon, which you know we are a big fan of. In fact, we wrote about Sysmon as a key tool for hunting. And in case you are not using Sysmon, the author included Windows Event Codes for reference as well. After walking through numerous tactics and the logs that are generated, the guide provides a brief discussion on aggressor scripts and links to samples and then a robust section on defences including Sigma, Suricata and Yara rules. If you are in need of a single place to focus on Cobalt Strike, this document is a great place to start!

Matt Toth

@willhackforfood

If at first you don't succeed, try bribery! by Brian Krebs

With ransomware on everyone's mind, it was only natural that criminals have resorted to bribing employees to deploy malware in corporate networks as another technique in their arsenal. When a phishing scheme did not work out, a malicious scammer reached out to what he assumed was an employee to offer 40% of the ransom if the employee installed the malware. Luckily for that organization, the employee was a fake persona created by a security team. Disgruntled employees have been a worry for a long time, with many notable data breaches hammering the danger home. There are tools and techniques to help limit the risk, like behavior analytics to detect potential insider threats, and we need to be on the lookout for new tactics our adversaries use to compromise our networks to stay a step ahead of them.

Posted by Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.