Staff Picks for Splunk Security Reading March 2021

Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. 

Check out our monthly staff security picks and our all-time best picks for security books and articles. I hope you enjoy.

Ryan Kovar


I'm vaccinated!

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter

Recently I was asked to create a reading list for some executive level folks of approachable books and whitepapers around cybersecurity due to... news events. Finding content that is low on technobabble and undecipherable jargon but high on content is difficult. The only people who seem to master this are Journalists. Enter: Countdown to Zeroday by Kim Zetter. Her book is clear, concise, and (dare I say) exciting. I find it helpful to have people read books like this to learn about historical events and context and use them as case studies to apply to recent (ahem) events in the news.

John Stoner


I'm even double vaccinated

Intelligence Community Assessment: Foreign Threats to the 2020 US Federal Elections (Declassified) by National Intelligence Council

Back in June 2020, my staff pick was the book Active Measures: The Secret History of Disinformation and Political Warfare by Thomas Rid, along with two Lawfare podcasts that interviewed Thomas about his book and findings. Fast forward nine months and the National Intelligence Council released their declassified assessment this month around election influence which would fall under the bucket of active measures. The report delineates election influence from election interference and then goes on and outlines multiple nation-states who they assessed attempted to influence the election as well as their analysis around motivations, as well as actors, methods and operations. Finally, for anyone looking to write threat intelligence reports, please pay careful attention to the estimative language that is used throughout the assessment. In fact, the last page of the assessment explains how this language is used and what it means. Great stuff for folks who write assessments to have in their kit.

Matt Toth


Maybe I'll goto DEFCON

Cybercrime goes too far in beer breach by Elizabeth Montalbano

It is a sad day indeed when cybercriminals go after brewing companies. In what appears to be an attack pulled straight from Splunk's Boss of the SOC, Molson Coors has been hit by a cybersecurity "incident". The company is not saying what the attack was, but with the recent string of ransomware attacks there is speculation that this is the case again. This attack seems to have caused pretty severe disruptions, with Molson Coors hiring outside help, and "working around the clock" to fix it. When looking at how to defend against attacks like this, having visibility into both the IT and OT environments is key. Being able to detect anomalous behavior across the infrastructure, including manufacturing environments, gives an organization a chance to stop the attack before it spills their beer.

Derek King


Is DEFCON still a thing?

Top 10 Malware February 2021 by CISecurity

This month I read the CIS Top 10 Malware for February 2021, as observed by the MS-ISAC (that's US centric for those outside of the mothership).. A few things stand out to me. Zeus (or its variant code is still clearly very active! Woah - thats so 2011! David Veuve's detection work at Splunk never dies! If IOCs are your thing, there are a number of them here that you may be able to use to help confirm any suspicious activity you observe. Enterprise Security and Phantom customers, have plenty of material on Splunk blogs to help you operationalize those. Lastly, we talk endlessly about the importance of endpoint data. Sysmon and a solid powershell collection strategy would feature heavily in detecting many on this list. However, don't let WMI Event logs become a second class citizen. The prevalence of WMI for lateral movement and persistence is ever increasing. Grab those logs and a go a huntin' Snugy, Coinminer, Zeus and more! Anyone taking any bets as to what hits the March top 10?

Drew Church


I hope its a thing

A Zeek OpenVPN Protocol Analyzer by Keith J. Jones

I appreciated Dr. Jones' walking through the OpenVPN Protocol as well as how he authored the Zeek plugin to help detect the use of OpenVPN on a network. While not commonly seen by adversaries (yet?), there are demonstrated examples of encrypted C2 (see MITRE ATT&CK Technique T1573 Encrypted Channel). Thinking past malicious outsiders, enterprise defenders should be aware of when hosts on their network are making outbound VPN connections that might indicate data exfiltration or other bad behavior. This blog and plugin also motivated me to deploy Zeek on my home lab once again.

Ryan Kovar
Posted by

Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.

Show All Tags
Show Less Tags