Staff Picks for Splunk Security Reading December 2023

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy.

David Bianco

@DavidJBianco / @DavidJBianco@infosec.exchange

We tried to quantify how harmful hospital ransomware attacks are for patients. Here’s what we found by Hannah Neprash, Claire McGlave, and Sayeh Nikpay for STAT Health News

"Everyone knows ransomware has consequences, but rarely do we see exactly how bad cybersecurity-related outages can be. Healthcare ransomware kills people."

Ronald Beiboer

CISA and ENISA enhance their Cooperation by ENISA (European Union Agency for Cybersecurity)

"Cooperation between the US and the EU has been proven effective recently in a number of cybercrime cases. Enhancing this collaboration increases the chances of catching these criminals and hopefully will impact their business case negatively."

Mark Stricker

@maschicago

Non-Human Access is the Path of Least Resistance: A 2023 Recap by The Hacker News

"Service Accounts, API Tokens and Secrets, Oh My! This article points out that many of the biggest cyber attacks this year (Okta, Slack) were enabled by accounts meant for operations - accounts used to run apps, communicate between backend systems, and to communicate with third-party services. These are gold for attackers. There is no MFA and no SSO due to the nature of the accounts. They often have access to important systems. Sometimes, these accounts are inadvertently published on GitHub as part of the code, and often they are over-permissioned and underprotected. Getting your processes right about these kinds of accounts is critical for protecting yourself in the year ahead!"

Mike Polisky

How to apply natural language processing to cybersecurity by Zac Amos for ReHack

"This article is a primer on the many ways that Natural Language Processing (NLP) can be used to assist with cybersecurity, from phishing email detection to faster data analytics. If you haven't already, also take a look at Splunk AI Assistant (in preview until Feb 2024) which can help make the Splunk Search Processing Language (SPL) even easier!"

Shannon Davis

The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story by Andy Greenberg for WIRED

"A very well written article covering the human aspects of the people who created the Mirai botnet. I enjoyed reading about their slow but steady progression from small-time botnet operators to creators of one of the largest botnets ever. And reading about the various people who hunted them and how they handled the three once they were caught was also very interesting. I don't usually make it through WIRED's longer articles, but this one I kept coming back to."

Richard Marsh

Threat actors misuse OAuth applications to automate financially driven attacks by Microsoft Threat Intelligence

"Threat actors abusing OAuth is nothing new, but Microsoft’s Threat Intelligence team is seeing an increase in campaigns. Some of these attacks are becoming more advanced and harder to detect. The scary thing is OAuth consent for an abusive malicious application can be trivially phished in only a couple clicks. It’s up to every M365/Entra customer to properly handle suspicious apps within their environment and take preventative action like conditional access policies. Microsoft’s team gives some great recommendations."

Audra Streetman

@audrastreetman / @audrastreetman@infosec.exchange

An Update on Service Restoration Efforts from Kyivstar

"On Monday, December 18, Kyivstar, Ukraine's largest mobile operator, released an update that it had restored SMS services following a massive cyberattack nearly a week prior. Meanwhile, a group called Solntsepyok, believed to be affiliated with the Russian GRU, has claimed responsibility for the attack. This appears to be the largest known cyberattack against a civilian communications system and reportedly had knock-on impacts to Ukraine's air raid alert network."
