Staff Picks for Splunk Security Reading March 2021
Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.
Check out our monthly staff security picks and our all-time best picks for security books and articles. I hope you enjoy.
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter
Recently I was asked to create a reading list for some executive level folks of approachable books and whitepapers around cybersecurity due to... news events. Finding content that is low on technobabble and undecipherable jargon but high on content is difficult. The only people who seem to master this are Journalists. Enter: Countdown to Zeroday by Kim Zetter. Her book is clear, concise, and (dare I say) exciting. I find it helpful to have people read books like this to learn about historical events and context and use them as case studies to apply to recent (ahem) events in the news.
Back in June 2020, my staff pick was the book Active Measures: The Secret History of Disinformation and Political Warfare by Thomas Rid, along with two Lawfare podcasts that interviewed Thomas about his book and findings. Fast forward nine months and the National Intelligence Council released their declassified assessment this month around election influence which would fall under the bucket of active measures. The report delineates election influence from election interference and then goes on and outlines multiple nation-states who they assessed attempted to influence the election as well as their analysis around motivations, as well as actors, methods and operations. Finally, for anyone looking to write threat intelligence reports, please pay careful attention to the estimative language that is used throughout the assessment. In fact, the last page of the assessment explains how this language is used and what it means. Great stuff for folks who write assessments to have in their kit.
Cybercrime goes too far in beer breach by Elizabeth Montalbano
It is a sad day indeed when cybercriminals go after brewing companies. In what appears to be an attack pulled straight from Splunk's Boss of the SOC, Molson Coors has been hit by a cybersecurity "incident". The company is not saying what the attack was, but with the recent string of ransomware attacks there is speculation that this is the case again. This attack seems to have caused pretty severe disruptions, with Molson Coors hiring outside help, and "working around the clock" to fix it. When looking at how to defend against attacks like this, having visibility into both the IT and OT environments is key. Being able to detect anomalous behavior across the infrastructure, including manufacturing environments, gives an organization a chance to stop the attack before it spills their beer.
Top 10 Malware February 2021 by CISecurity
This month I read the CIS Top 10 Malware for February 2021, as observed by the MS-ISAC (that's US centric for those outside of the mothership).. A few things stand out to me. Zeus (or its variant code is still clearly very active! Woah - thats so 2011! David Veuve's detection work at Splunk never dies! If IOCs are your thing, there are a number of them here that you may be able to use to help confirm any suspicious activity you observe. Enterprise Security and Phantom customers, have plenty of material on Splunk blogs to help you operationalize those. Lastly, we talk endlessly about the importance of endpoint data. Sysmon and a solid powershell collection strategy would feature heavily in detecting many on this list. However, don't let WMI Event logs become a second class citizen. The prevalence of WMI for lateral movement and persistence is ever increasing. Grab those logs and a go a huntin' Snugy, Coinminer, Zeus and more! Anyone taking any bets as to what hits the March top 10?
A Zeek OpenVPN Protocol Analyzer by Keith J. Jones
I appreciated Dr. Jones' walking through the OpenVPN Protocol as well as how he authored the Zeek plugin to help detect the use of OpenVPN on a network. While not commonly seen by adversaries (yet?), there are demonstrated examples of encrypted C2 (see MITRE ATT&CK Technique T1573 Encrypted Channel). Thinking past malicious outsiders, enterprise defenders should be aware of when hosts on their network are making outbound VPN connections that might indicate data exfiltration or other bad behavior. This blog and plugin also motivated me to deploy Zeek on my home lab once again.
Related Articles
Predicting Cyber Fraud Through Real-World Events: Insights from Domain Registration Trends
When Your Fraud Detection Tool Doubles as a Wellness Check: The Unexpected Intersection of Security and HR
Splunk Security Content for Threat Detection & Response: November Recap
Security Staff Picks To Read This Month, Handpicked by Splunk Experts
Behind the Walls: Techniques and Tactics in Castle RAT Client Malware
AI for Humans: A Beginner’s Field Guide
Splunk Security Content for Threat Detection & Response: November 2025 Update
Operation Defend the North: What High-Pressure Cyber Exercises Teach Us About Resilience and How OneCisco Elevates It
