Staff Picks for Splunk Security Reading December 2022

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy.

Floris Ladan

Exercise Crossed Swords 2022 Kicks Off! by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)

"In partnership with Splunk, CCDCOE started the 2022 Crossed Swords exercise. This exercise brings together around 120 participants from 24 countries, both from NATO and non-NATO countries and is being conducted at the exercise and training centre CR14 in Tallinn, Estonia."

Tamara Chacon

Twitter Thread about Car Hacking by Sam Curry

"This thread from Sam Curry is a great breakdown of the investigation by him and his team into vulnerabilities affecting various car manufacturers. Without going into any spoilers, the investigation involved a company you might not realize provides vehicle telematics. The thread details the OSINT techniques used to confirm the vulnerability, which allowed the researchers to remotely unlock, start, and locate several remotely connected vehicles knowing only the VIN number. It's a fun thread looking into car security."

Ryan Fetterman

@iknowuhack

Playing Cat and Mouse with the Attacker: Frequent Item Set Mining in the Registry by Maeve Mulholland, Tim Nary, and Fred Frey at SnapAttack

"This month I've been catching up on the great content from CAMLIS. In this talk, Maeve Mulholland from SnapAttack describes a method of 'Item Set Mining' to identify unique clusters of registry keys that are tied to an attacker's persistence mechanism. I really like the way this talk acknowledges the difficulty in security data science of capturing the true level of variance an attacker has in how they implement each step of an attack. This methodology seems promising as a means for uncovering more behavioral detection possibilities!"

Sydney Howard

@letswastetime

The Anatomy of a Threat Hunting Hypothesis by Lauren Proehl

"Building a great hypothesis for threat hunting can be difficult. Scope creep is common and ensuring relevancy to your environment is critical. While there are lots of aspects to consider, at the heart of it you need a few key elements. This blog by Lauren Proehl breaks it down in a clear way by using hypothesis diagramming to build strong hypotheses for your threat hunts. Happy hunting!"

Shannon Davis

@DrShannon2000 / @DrShannon2000@infosec.exchange

The Saga of The Well, the World's Most Influential Online Community by Katie Hafner for WIRED

"First off, this is a WIRED Backchannel article written in 1997. But reading this feels very akin to what we're going through with the mass-migration from Twitter to Mastodon. It's a very long read, but I think sometimes we need to spend the time digesting pieces like these to actually gain something meaningful from them."

Mark Stricker

@Mark_Stricker

Lack of Cybersecurity Expertise Poses Threat for Public-Safety Orgs by Robert Lemos for Dark Reading

"Police and emergency responders are among the most vulnerable to cyberattacks, such as ransomware and data leaks. But they handle the most sensitive data, and literally have our lives in their hands. This article covers some of the reasons why. This is a problem that must be addressed."

Audra Streetman

@audrastreetman / @audrastreetman@infosec.exchange

Apple Plans New Encryption System to Ward Off Hackers and Protect iCloud Data by Robert McMillan, Joanna Stern, and Dustin Volz at the Wall Street Journal

"In a win for privacy advocates, Apple announced it is expanding end-to-end encryption to include the iCloud with an optional feature called Advanced Data Protection. The move was met with criticism by the FBI, which would no longer be able to access end-to-end encrypted iCloud data with a warrant. Users who opt in to the feature will need to choose a data-recovery method, since Apple will be restricted in its ability to restore lost data. It's worth noting that, according to this report, Apple Mail, Contacts and Calendar won't qualify for Advanced Data Protection because they use older technology protocols. I'm also excited to see that Apple users will soon be able to log in to their accounts using hardware-based security keys, like the YubiKey."
