Staff Picks for Splunk Security Reading November 2022

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy.

Mike Polisky

Leveraging the SPARTA Matrix by aerospace.org

"The Space Attack Research and Tactic Analysis (SPARTA) matrix visualizes the relationship between tactics and techniques/sub-techniques for space-cyber threats. Inspired by and very similar to the MITRE ATT&CK Framework."

Sydney Howard

@letswastetime

The Detection Series: Open Scripting Architecture, AppleScript, and JavaScript for Automation by Tony Lambert, Brandon Dalton, Cat Self, and Ferdous (“Sal”) Saljooki

"I really enjoyed this online webinar and accompanying blog post as they dive into unique threats affecting macOS systems. They explain how the macOS native scripting capabilities like AppleScript are very easily exploitable, similar to how an adversary might exploit PowerShell on Windows OS. There are several fantastic hunting and detection ideas throughout the webinar, which are shared in detail and tied right back to the MITRE ATT&CK Framework."

Ryan Fetterman

@iknowuhack

Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries by the Symantec Threat Hunter Team

"This month I'm highlighting new Symantec Threat Hunter Team reporting on Billbug (aka Lotus Blossom, DRAGONFISH, Spring Dragon), a long-active state-sponsored APT. This report is notable because, among multiple victims, the threat actors are targeting a certificate authority (CA). CAs are managers and issuers of digital certificates that underpin the fundamental trust of internet security. Compromising private keys or root CA servers enables complex attacks, which subvert these trust relationships. The actors use many common living-off-the-land binaries for Discovery: AdFind, NBTscan, Ping, Tracert... This underscores the value of a risk-based alerting (RBA) approach. Alone, these applications may not draw scrutiny, but with RBA they can be linked into a suspicious chain of reconnaissance activity!"

Shannon Davis

@DrShannon2000 / @DrShannon2000@infosec.exchange

The Hunt for the Dark Web's Biggest Kingpin by Andy Greenberg for WIRED

"There have been high-level discussions around the takedown of the dark web marketplace AlphaBay before. This series goes further and does an amazing job discussing the people and actions involved in great detail."

Tighe Schlottog

@workape

Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions by Crystal Morin, Threat Research Engineer at Sysdig

"A fascinating read, and cautionary tale, of ensuring that you are instrumenting and have detections around your GitHub Actions data. While this attack was built and worked around free-tier accounts, it could have easily been executed against paid/enterprise-tier accounts with the same effect. The breakdown of the attack, with all the relevant IOCs associated with all aspects of the attack within GitHub Actions, is a must-read for anyone interested in CI/CD security or DevSecOps in general."

Audra Streetman

@audrastreetman / @audrastreetman@infosec.exchange

Iranian hackers breached the agency that hears federal worker grievances by Ellen Nakashima, Tim Starks and Aaron Schaffer for The Washington Post

"In an alert this month, CISA revealed that a U.S. federal network was compromised as early as February by Iranian government-sponsored APT actors. The Washington Post's Cybersecurity 202 newsletter reports that an Iranian hacking group known as Nemesis Kitten is believed to have exploited Log4Shell (CVE-2021-44228) to install crypto-mining software on the network of the Merit Systems Protection Board, which hears grievances from federal employees. It's unclear if the crypto-mining software was used as a cover for espionage, or if these threat actors were motivated by financial gain. Regardless, this incident serves as a reminder that the Log4j vulnerability is endemic and continues to pose a threat to government agencies and the private sector."
