Staff Picks for Splunk Security Reading May 2023

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy.

Ronald Beiboer

LinkedIn

The NATO CCDCOE welcomes new members Iceland, Ireland, Japan, and Ukraine by NATO CCDCOE

"The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) welcomed four new member nations: Iceland, Ireland, Japan, and Ukraine, strengthening its cyber defense coalition, with the aim to foster further collaboration and bolster collective cybersecurity."

Adam Swanda

mastodon.social/@deadbits

The Dangers of Google's .zip TLD by @bobbyrsec

"The launch of Google's new TLD ".zip" has caused some concern within the security community and this blog shows one example of why. The author demonstrates how an attacker can create a highly convincing phishing URL by leveraging Unicode and the ".zip" TLD. It's very likely organizations will see phishing campaigns use this TLD in the near future, so you should consider implementing detections now."

DarkBERT: A Language Model for the Dark Side of the Internet by Youngjin Jin, Eugene Jang, Jian Cui, Jin-Woo Chung, Yongjae Lee, Seungwon Shin

"Large language models are increasingly getting adopted for a wide range of tasks across industries and personal use cases. Here we have an example of how domain specific LLMs might be applied within cybersecurity with the "DarkBERT" model (trained on Dark Web data) demonstrating use cases such as detecting ransomware leak websites and identifying noteworthy forum threads."

Bryan Pluta

Don't @ Me: URL Obfuscation Through Schema Abuse by Nick Simonian for Mandiant

"Great article about how URLs can be obfuscated to help make phishing and other attacks more successful. You may need to look at your Splunk technology add-ons to ensure they extract URLs properly, especially URLs that use the @ symbol."
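The two URL tricks picked above (the "@" userinfo abuse from the Mandiant article and the Unicode slash lookalikes in front of a ".zip" host from @bobbyrsec's post) both exploit the gap between what a human reads and what a URL parser resolves. The following is an added example, not code from either article or from Splunk: it runs Python's standard `urllib.parse.urlsplit` over a few constructed URLs and reports the host that a browser would actually connect to, plus the indicators a detection would want to flag. The sample URLs, the `SLASH_LOOKALIKES` table and the `analyze_url` function are all constructed for this illustration.

```python
from urllib.parse import urlsplit

# Code points that render like "/" but are not URL delimiters, so a parser
# keeps them inside the authority (netloc) instead of starting the path.
# The set is an assumption for this example; extend it for your own data.
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\u29f8": "BIG SOLIDUS",
    "\uff0f": "FULLWIDTH SOLIDUS",
}


def analyze_url(url: str) -> dict:
    """Resolve the real host of a URL and list phishing-style indicators."""
    parts = urlsplit(url)
    # hostname is taken from the text AFTER the last "@" in the authority,
    # which is exactly what a browser connects to.
    host = (parts.hostname or "").lower()
    # Everything BEFORE the last "@" is userinfo: the part a victim reads
    # as the "site name" in a decoy URL.
    userinfo = parts.netloc.rpartition("@")[0]

    findings = []
    if userinfo:
        findings.append("userinfo-present")
        # A dot inside userinfo means it reads like a domain name: a decoy.
        if "." in userinfo:
            findings.append("decoy-domain-in-userinfo")

    lookalikes = sorted({SLASH_LOOKALIKES[c] for c in url if c in SLASH_LOOKALIKES})
    if lookalikes:
        findings.append("unicode-slash-lookalike")

    if host.endswith(".zip"):
        findings.append("zip-tld")

    return {
        "host": host,
        "userinfo": userinfo,
        "lookalikes": lookalikes,
        "findings": findings,
    }


# Constructed sample URLs (not taken from any real campaign):
# 1. the pattern from the .zip write-up: lookalike slashes keep the fake
#    "path" inside the authority, and "@" hands the connection to v1271.zip
LOOKALIKE_ZIP_URL = (
    "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
    "\u2215refs\u2215tags\u2215@v1271.zip"
)
# 2. plain "@" schema abuse: the browser goes to evil.example, not accounts.example.com
DECOY_USERINFO_URL = "https://accounts.example.com@evil.example/login"
# 3. a benign URL whose path merely ends in .zip; it should produce no findings
BENIGN_URL = "https://example.com/archive.zip"


if __name__ == "__main__":
    for sample in (LOOKALIKE_ZIP_URL, DECOY_USERINFO_URL, BENIGN_URL):
        result = analyze_url(sample)
        print(f"{sample}\n  host={result['host']!r} findings={result['findings']}")
```

The practical takeaway for a Splunk deployment is the one Bryan raises: if an add-on's regex extracts "the domain" as the text between `://` and the first `/`, it will report `github.com∕kubernetes∕…` or `accounts.example.com` as the destination. Extracting the host from a real URL parser (or matching on the text after the last `@` in the authority) gives the host the victim actually reached.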

Mike Polisky

Open redirect vulnerability abused in O365 phishing campaigns led from legitimate domains by Silent Push

"This article outlines how attackers are using multiple evasion techniques in their phishing attacks. They walk through the use of legitimate domains as redirect servers (to evade blacklists), as well as CAPTCHA services to evade sandbox analysis. As a bonus, IOCs from multiple campaigns are included at the end of the article."

Tony Iacobelli

IT employee impersonates ransomware gang to extort employer by Bill Toulas for Bleeping Computer

"This article provides a great reminder that we always need to be vigilant against insider risk. In this case, the risk even came from the person who might have been responsible for investigating themselves. While it is never fun to have to compartmentalize investigations or other work, it is sometimes necessary to prevent one issue from spawning even larger issues."

Mark Stricker

@maschicago

Cutting Through the Noise: What is Zero Trust Security? by Marie Hattar for Security Week

"As cyberattacks escalate year after year, zero trust as a framework for security will become more and more important. It's not enough to keep playing whack-a-mole with the ongoing threat landscape. This fact has been recognized as part of Pillar One in the National Cybersecurity Strategy. This article covers what zero trust is and the benefits you can expect from it. You may be interested to know that Splunk has published a guide to help security personnel on their zero trust journey."

Tamara Chacon

LinkedIn

The Team of Sleuths Quietly Hunting Cyberattack-for-Hire Services by Andy Greenberg for WIRED

"Another takedown of cyberattack-for-hire groups happened this week. Big Pipes, the team behind the scenes hunting these groups, has been silently working to stop these cybercriminals. Andy Greenberg of WIRED dives into the history and operations of Big Pipes and the impact they are making."

Audra Streetman

@audrastreetman / @audrastreetman@infosec.exchange

Volt Typhoon targets US critical infrastructure with living-off-the-land techniques by Microsoft Threat Intelligence

"In the latest reminder that US critical infrastructure is vulnerable to cyberattacks, Microsoft released a report on the same day as a Five Eyes joint advisory alerting to a PRC state-sponsored threat actor's targeting of infrastructure in Guam. The MSFT report states with moderate confidence that this campaign is 'pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.' Advanced persistent threats are known to scan networks of US critical infrastructure for espionage and contingency purposes. What's interesting in this report is how the adversary leveraged SOHO network equipment and living off the land techniques in order to evade detection. Hopefully the IOCs and hunting queries listed in these reports will help analysts determine if other critical infrastructure in the US is also affected."
