Staff Picks for Splunk Security Reading January 2019 | Splunk

Howdy, folks!

A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised in early 2018, we're bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.

For more reading, check out our monthly staff security picks and our all-time best picks for security books and articles! I hope you enjoy.


Ryan Kovar


After time we grew strong and developed cognitive powers


Anyone who talks to me about cybersecurity for too long knows I am a bit oodaloopy about wire data. I love it. Finding out about wire data after a life of PCAPS was like how a cave dweller must have felt when he tasted cooked meat for the first time. Why did I ever eat raw PCAPS when I could have tasty cooked metadata! Although the author of the blog is actually talking about how to do better PCAP analysis, I have started doing his exercises in Splunk Stream and Zeek. Its good fun that keeps my cyber skills sharp, and it's interesting to me to see rarely I have to resort to Wireshark. I plan on posting a couple of blogs in the future about this and release my version of the tutorials, but using Splunk Stream, Zeek, and Splunk!

Dave Herrald


They made us work for too long, for unreasonable hours

ATT&CK™ Your CTI with Lessons Learned from Four Years in the Trenches by Katie Nickels and Bryan Beyer

I had the pleasure of attending and participating in the SANS Cyber Threat Intelligence (CTI) Summit last week. I particularly enjoyed the presentation entitled "ATT&CK™ Your CTI with Lessons Learned from Four Years in the Trenches" from Katie Nickels (@likethecoins) of MITRE (@MITREattack) and Bryan Beyer of Red Canary (@redcanaryco). My favorite parts of the talk are the top techniques as reported by MITRE and Red Canary and the analysis of the overlap between them. It was also fascinating to get some insight into just how much effort (400 report analyses over five years!) that the MITRE team has invested in creating the framework. Also, be sure to have a look through all the other great presentations from the event in the SANS Summit archive.

Derek King


Our program being determined that the most efficient answer

Multiple Critical Security Vulnerabilities Discovered In Linux Systemd by Abeerah Hashim

Over the festive break, I decided to brush up a little on my 'generally breaking software' foo and came across what I believe should form this months staff picks for me. If your organisation is running Linux, and whether you patch regularly or not, I think everyone should be aware. The Systemd-journald process is responsible for writing audit records. Qualys have reportedly discovered three separate vulnerabilities (CVE-2018-16864, CVE-2018-16865, CVE-2018-16866) in the process that may corrupt memory and allow control over the EIP register and ultimately allow for local privilege escalation. The vulnerabilities were created in the software as far back as December 2011, meaning there will be many potentially impacted systems. Whilst untested Qualys believe all systemd based systems will be affected (with a few exceptions), and have developed concept code to do this. Debian have already released a patch in an unstable 240-1 release, but whatever distro you run to be on the lookout for a patch!

James Brodsky


Was to shut their motherboard systems down

sysmon-config-bypass-finder by Martin Korman

More and more Splunk customers these days are embracing Microsoft Sysmon as a de-facto standard for collecting critical, granular process, network, and file data from Windows endpoints. We talk about this ad-nauseam, it seems, and for a good reason: it is a wonderful data source within which to detect modern threats. But - Sysmon ain't perfect. An intelligent adversary, knowing how you have configured Sysmon in your enterprise, could theoretically design an attack that "bypasses" your Sysmon configuration, essentially leaving you blind because the events you expect to collect in Splunk won't be there. This approach was covered extensively by Matt Graeber and Lee Christiansen at last year's Blackhat conference. So, how can you quickly analyze your Sysmon config for these kinds of weaknesses? This elegant utility from Martin Korman allows you to feed in your config and quickly return potential bypasses in your Process Create and Network Connect Sysmon stanzas. Frequent use of Martin's project as you iterate your configs = a more hardened Sysmon, which is always a good thing!

Adam Swanda


Their system of oppression, what did it lead to?

Content Matching Detection and Additional Outputs by Chris Sanders

Over at Splunk, we know all about how collecting and matching data sets can help to better your security posture and assist your operations. But simple content matching hasn't been enough for a good long while now, and content matching alone certainly won't help your SOC get through these cold winter nights. In a recent blog by Chris Sanders, he dives into more advanced methods of content matching where it becomes part of a bigger picture to a security monitoring and alerting pipeline, and who doesn't like a good automated pipeline? Between identifying anomalous behavior, event decoration, automatically sending matches to an Alerting queue or Ticketing system, and more, Chris has some great practical advice to get you and your team heading down the right path.

John Stoner


Global robo depression, robots ruled by people


This article is a little outside of what I usually put out there, but as someone who has many family and friends on Facebook, Instagram or What's App, I thought this one would be an interesting article to anyone who uses these apps and the potential implications of rationalization and consolidation of these platforms. The Wired article lays out the differences in the current messaging platforms and the trade-offs that Facebook faces of moving to an unencrypted end to end app like What's App. There is also the challenges of user accounts and what is required for being able to stand up and Instagram account versus a Facebook account and what will be needed in the future if these become a single account to rule them all. Consolidation and rationalization post-acquisition is never an easy thing, and when you add in the privacy and identity concerns of a worldwide set of users, this would seem to be a challenging effort that will be interesting to see develop.

Ryan Kovar
Posted by

Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.

Show All Tags
Show Less Tags