Staff Picks for Splunk Security Reading July 2018

Howdy, folks!

A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in January, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk security world that WE think everyone should read. If you would like to read other months, please take a peek here! I hope you enjoy.


Ryan Kovar

"I would go out tonight...

Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for Organizations by Digital Shadows

Ugh. I know. You are sick of this blog series waxing poetically about MITRE ATT&CK. Yes we have a total cybercrush. But here is the thing... this blog post exemplifies what the MITRE ATT&CK framework can be used for! One of the most significant recommendations that I give customers who want to learn about "hunting APTs" is to read APT reports from places like APT reports hosted by Threat Miner and learn from them. The MITRE ATT&CK can act as a cognitive thought model for you to frame the reports and easier identify where the victim—in this case the DCCC (Democratic Congressional Campaign Committee) and DNC (Democratic National Committee)—could build defenses or have detected the incursion. What I love about that this blog post is that it is short, sweet, and succinct. It gives an excellent computer network defense (CND) view of the supposed GRU actions against the DCCC and DNC and places to for other organizations to improve their security. Think about assigning homework to your analysts to read reports and return with similar-formatted threat models to see if it improves your network's safety!

David Veuve

but I haven't got a stitch to wear.

Defending Office 365 with Graph Analytics by Matt Swann

I'm going back into the archive for one of my all-time favorite posts (inspired by a recent post from @jackcr), which talks about how the O365 security team uses graph analytics combined with multiple strengths of an indicator. While my data science fanaticism goes wild for the graph analytics, the piece I think everyone should take away from this article is the classification of analytics into Alerts, Behavioral, and Contextual. We have seen advanced Splunk customers apply similar concepts, and I love any opportunity to help facilitate the value of "risky" behavior or important notes to augment a traditional alert.

Dave Herrald

This man said 'it's gruesome that...

Give Your SOC a SOUL by Alissa Torres

This week I had the pleasure of attending and participating in the annual SANS Security Operations Summit in New Orleans. Chris Crowley (@CCrowMontance) and the team once again assembled a fantastic lineup of speakers for this two-day event. One presentation that stood out to me was Give Your SOC a SOUL by Alissa Torres (@sibertor). Those of us who work in the blue-team toolset area of the security industry are quick to invoke the topic of analyst retention, but I'm not sure we fully appreciate the magnitude or the nuances of this challenge. In her talk, Alissa thoughtfully and rigorously examines the human aspect of the SOC with an emphasis on what leaders can do to motivate, empower, and retain analysts.

John Stoner

someone so handsome should care'"

Hunting with Rigor: Quantifying the Breadth, Depth and Threat Intelligence Coverage of a Threat Hunt in Industrial Control System Environments by Dan Gunter

As I was reviewing the articles that I had read throughout the month, this SANS paper by Dan Gunter really stood out. One of the challenges with hunting is determining what you have, but also identifying your gaps in coverage. This can help drive adding relevant data sources to your logging, so you have better coverage in the future. Dan lays out several concepts around how to calculate the rigor of your hunt and shows how you can map this to observable collected during your hunt, Lockheed Martin Kill Chain, MITRE ATT&CK as well as a way to characterize Threat Intel return on investment. While Dan is referencing ICS environments in his paper, there is no reason that many of the concepts he presents could not be used for any environment. He makes the following comment as well that resonates: "While Newton's third law does not apply to network or host phenomena, this research proposes a similar corollary relevant to network and host phenomena that states, "for every attacker action there is a manifestation of the attacker's action realized in network and host logs." Let's hope this is taking place...

Ryan Kovar
Posted by

Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.

Join the Discussion