Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.
Check out our previous staff security picks, and we hope you enjoy.
"This is a great article to get you in the spirit of Halloween. Companies are exposing links that let anyone start a Zoom meeting in an employee's name and invite others. Think of how this could be abused, particularly social engineering scams. The article breaks down the misuse of PMI links, particularly those with passcodes embedded, which can give unauthorized individuals access to meetings. The convenient links are not subject to expiration and can be exploited by attackers. Be sure to follow the tips in the article for using Zoom links more safely."
"Has the Common Vulnerability Scoring System (CVSS) got you scratching your head as to which vulnerabilities you should prioritize? Ever wish you had a Magic 8 Ball that could predict which vulnerabilities would be exploited? The Exploit Prediction Scoring System (EPSS) can help! The EPSS is a metric that I love to reference to help guide organizations in making decisions as to how to respond to CVEs. It uses machine learning to look at historical data of exploits and identify patterns and trends that can predict future exploits. On the flip side, it can also be used to shape internal security testing programs so that organizations can be one step ahead of any risks."
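To make the CVSS-versus-EPSS point concrete, here is an added worked example (editor's code, not from the pick, FIRST or Splunk) that joins a vulnerability inventory to EPSS scores and ranks it. The CSV text follows the layout of FIRST's daily EPSS export (a `#` metadata line, then a `cve,epss,percentile` header) but its rows are constructed, the inventory is constructed, and the tier thresholds are editorial assumptions rather than FIRST guidance.

```python
"""Rank findings with EPSS exploitation probability alongside CVSS severity.

Added example; not code from the post, FIRST or Splunk. EPSS_CSV mirrors the
layout of FIRST's daily export (one '#' metadata line, then a cve,epss,percentile
header) but every row is constructed, as is INVENTORY. Tier thresholds are
editorial assumptions, not FIRST guidance.
"""
import csv

EPSS_CSV = """#model_version:v2023.03.01,score_date:2023-10-31T00:00:00+0000
cve,epss,percentile
CVE-2023-0001,0.97100,0.99900
CVE-2023-0002,0.00050,0.15000
CVE-2023-0003,0.23000,0.96000
CVE-2023-0004,0.01200,0.84000
"""

# Constructed inventory: CVSS base score, CISA KEV membership, affected asset.
INVENTORY = [
    {"cve": "CVE-2023-0001", "cvss": 7.5, "kev": False, "asset": "vpn-gw-01"},
    {"cve": "CVE-2023-0002", "cvss": 9.8, "kev": False, "asset": "build-agent-07"},
    {"cve": "CVE-2023-0003", "cvss": 8.1, "kev": True, "asset": "mail-relay"},
    {"cve": "CVE-2023-0004", "cvss": 5.3, "kev": False, "asset": "intranet-wiki"},
    {"cve": "CVE-2023-9999", "cvss": 6.5, "kev": False, "asset": "legacy-app"},  # no EPSS row yet
]


def parse_epss(text):
    """Map CVE -> (probability, percentile), skipping '#' metadata lines."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in csv.DictReader(rows)}


def tier(finding):
    """Response tier from KEV, EPSS and CVSS (thresholds are assumptions)."""
    if finding["kev"] or finding["epss"] >= 0.5:
        return "P1-patch-now"          # known exploited, or very likely to be
    if finding["epss"] >= 0.1 and finding["cvss"] >= 7.0:
        return "P2-this-week"          # plausible exploitation, high impact
    if finding["cvss"] >= 9.0:
        return "P3-scheduled"          # severe on paper, little exploitation signal
    return "P4-backlog"


def prioritize(inventory, epss_text):
    """Enrich each finding with EPSS, assign a tier, sort by tier, EPSS, CVSS."""
    scores = parse_epss(epss_text)
    out = []
    for item in inventory:
        known = item["cve"] in scores
        # A CVE with no EPSS row yet gets no exploitation signal; epss_known keeps it visible.
        epss, pct = scores.get(item["cve"], (0.0, 0.0))
        f = dict(item, epss=epss, percentile=pct, epss_known=known)
        f["tier"] = tier(f)
        out.append(f)
    out.sort(key=lambda f: (f["tier"], -f["epss"], -f["cvss"]))
    return out


def cvss_only_order(inventory):
    """The ordering a CVSS-only queue would produce, for comparison."""
    return [i["cve"] for i in sorted(inventory, key=lambda i: -i["cvss"])]


def expected_exploited(findings):
    """Sum of EPSS probabilities: expected number of these CVEs seeing exploitation within 30 days."""
    return sum(f["epss"] for f in findings)


if __name__ == "__main__":
    ranked = prioritize(INVENTORY, EPSS_CSV)
    for f in ranked:
        print(f"{f['tier']:14} {f['cve']} cvss={f['cvss']} epss={f['epss']:.4f} kev={f['kev']} {f['asset']}")
    print("CVSS-only order:", cvss_only_order(INVENTORY))
    print(f"expected exploited within 30 days: {expected_exploited(ranked):.3f}")
```

The contrast is the point: a CVSS-only queue puts the 9.8 on the build agent first, while the EPSS-aware queue moves the 7.5 on the VPN gateway (97% exploitation probability) and the KEV entry to the top and pushes the 9.8 down to a scheduled fix.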
"This article states, 'Some Israeli organizations are exposing their Modbus, a SCADA communications protocol. In fact, researchers found 400 such occurrences.' This is remarkable, especially considering that Israel is widely acknowledged as a leader in the field of cybersecurity on the global stage."
"This blog is about a drive-by download technique leading to execution of a malicious JavaScript script that uses smart contracts from the Binance Smart Chain for second-stage payload delivery."
"Corporate announcements follow a predictable format, so the blog announcing Graph Activity Logs in public preview isn't a captivating read in and of itself, but I'm excited by the new capability and expanded visibility into MS Graph API calls. From the initial public response, it seems like there is a lot of potential for high-value detections, and this may offer a great data source for threat hunting. These logs can be ingested into Splunk today using the Microsoft Cloud Services Add-On via Azure Event Hubs, which I'm looking forward to trying out."
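As an added illustration of the kind of hunt those logs enable (editor's code, not from Microsoft's announcement or from Splunk), the following runs two rules over constructed Graph activity records. Field names follow the MicrosoftGraphActivityLogs schema as the editor understands it (TimeGenerated, RequestMethod, RequestUri, ResponseStatusCode, UserId, ServicePrincipalId, AppId, IPAddress, UserAgent); the records, principal IDs, IP addresses and thresholds are all constructed.

```python
"""Hunt Microsoft Graph activity log records for directory enumeration and mass mailbox reads.

Added example; not from the Microsoft announcement or from Splunk. Field names follow
the MicrosoftGraphActivityLogs schema as the editor understands it; the records,
principal IDs, IPs and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# Read-only collections an intruder walks to map a tenant (assumption; extend to taste).
ENUM_PATHS = {"/users", "/groups", "/applications", "/servicePrincipals", "/directoryRoles", "/devices"}
BASE = "https://graph.microsoft.com/v1.0"


def path_segments(uri):
    """Drop scheme, host, API version and query string; return the path segments."""
    path = re.sub(r"^https?://[^/]+/(v1\.0|beta)", "", uri).split("?", 1)[0]
    return [p for p in path.split("/") if p]


def normalize(uri):
    """Collapse object identifiers so /users/<guid>/messages groups as /users/{id}/messages."""
    return "/" + "/".join("{id}" if GUID.match(p) or "@" in p else p for p in path_segments(uri))


def hunt(events, window_minutes=10, enum_min_calls=20, enum_min_paths=3, mailbox_min_users=5):
    """Bucket by principal and time window, then apply two rules per bucket."""
    buckets = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["TimeGenerated"])
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)
        principal = ev.get("UserId") or ev.get("ServicePrincipalId")
        buckets[(principal, start)].append(ev)
    findings = []
    for (principal, start), evs in buckets.items():
        ok = [e for e in evs if e["RequestMethod"] == "GET" and 200 <= e["ResponseStatusCode"] < 300]
        enum = [e for e in ok if normalize(e["RequestUri"]) in ENUM_PATHS]
        paths = {normalize(e["RequestUri"]) for e in enum}
        if len(enum) >= enum_min_calls and len(paths) >= enum_min_paths:
            findings.append({"rule": "directory-enumeration", "principal": principal,
                             "window_start": start.isoformat(), "calls": len(enum),
                             "paths": sorted(paths), "ips": sorted({e["IPAddress"] for e in enum})})
        mailboxes = {path_segments(e["RequestUri"])[1] for e in ok
                     if normalize(e["RequestUri"]) == "/users/{id}/messages"}
        if len(mailboxes) >= mailbox_min_users:
            findings.append({"rule": "mass-mailbox-read", "principal": principal,
                             "window_start": start.isoformat(), "mailboxes": len(mailboxes),
                             "app": evs[0].get("AppId")})
    return findings


# ---- constructed sample records -------------------------------------------------
BASE_TS = datetime(2023, 10, 31, 9, 0, 0)
USER_OK = "11111111-1111-4111-8111-111111111111"
USER_BAD = "22222222-2222-4222-8222-222222222222"
SP_BAD = "33333333-3333-4333-8333-333333333333"
APP = "cccccccc-0000-4000-8000-000000000003"  # constructed app registration ID


def _ev(sec, uri, ip, status=200, user=None, sp=None):
    return {"TimeGenerated": (BASE_TS + timedelta(seconds=sec)).isoformat(), "RequestMethod": "GET",
            "RequestUri": BASE + uri, "ResponseStatusCode": status, "UserId": user,
            "ServicePrincipalId": sp, "AppId": APP, "IPAddress": ip, "UserAgent": "python-requests/2.31"}


SAMPLE = []
SAMPLE += [_ev(i, "/me", "203.0.113.10", user=USER_OK) for i in range(3)]
SAMPLE += [_ev(i + 5, "/me/messages?$top=10", "203.0.113.10", user=USER_OK) for i in range(2)]
_enum = ["/users?$top=999"] * 10 + ["/groups?$top=999"] * 8 + ["/servicePrincipals"] * 6 + ["/applications"] * 4
SAMPLE += [_ev(30 + i, u, ["198.51.100.7", "198.51.100.8"][i % 2], user=USER_BAD) for i, u in enumerate(_enum)]
SAMPLE += [_ev(70 + i, "/directoryRoles", "198.51.100.7", status=403, user=USER_BAD) for i in range(5)]
SAMPLE += [_ev(100 + i, f"/users/{i:08x}-0000-4000-8000-000000000000/messages?$top=50", "192.0.2.44", sp=SP_BAD)
           for i in range(1, 7)]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Denied calls (403) are excluded on purpose: they are worth a separate rule, but counting them here would let a principal that is already blocked inflate the enumeration score.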
"The article talks about a new zero-day DDoS attack technique called HTTP/2 Rapid Reset. It discusses what the attack is and how it works. It also goes into how the attack has been mitigated by major cloud providers."
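For readers who run their own HTTP/2 front ends, here is an added detection sketch (editor's code, not from the article or any vendor) over constructed per-connection frame events. It relies on the known mechanics of Rapid Reset: the client opens a stream with HEADERS and cancels it almost immediately with RST_STREAM, so the server does work for every request while the number of streams open at any instant, which SETTINGS_MAX_CONCURRENT_STREAMS bounds, stays tiny. The thresholds and the sample frames are assumptions.

```python
"""Flag the HTTP/2 Rapid Reset pattern from per-connection frame events.

Added example; not code from the article this pick summarizes or from any vendor.
Frame events and thresholds are constructed. "END_STREAM" below stands for the
frame carrying the END_STREAM flag that finishes a response (a modelling
simplification; it is a flag, not a frame type, on the wire).
"""
from collections import defaultdict


def analyze(frames, window_ms=1000, max_resets_per_window=100, min_streams=50, max_reset_ratio=0.8):
    """Per connection: stream counts, peak concurrency, densest reset window, verdict."""
    per_conn = defaultdict(list)
    for f in frames:
        per_conn[f["conn"]].append(f)
    report = {}
    for conn, evs in per_conn.items():
        evs.sort(key=lambda f: f["t_ms"])
        open_streams = set()
        headers = resets = cur = peak = 0
        reset_times = []
        for f in evs:
            sid = f["stream"]
            if f["type"] == "HEADERS" and sid not in open_streams:
                open_streams.add(sid)
                headers += 1
                cur += 1
                peak = max(peak, cur)          # what a concurrent-streams limit sees
            elif f["type"] in ("RST_STREAM", "END_STREAM") and sid in open_streams:
                open_streams.discard(sid)
                cur -= 1
                if f["type"] == "RST_STREAM":
                    resets += 1
                    reset_times.append(f["t_ms"])
        # Densest reset window: two-pointer sweep over the sorted reset times.
        densest, j = 0, 0
        for i, t in enumerate(reset_times):
            while t - reset_times[j] >= window_ms:
                j += 1
            densest = max(densest, i - j + 1)
        ratio = resets / headers if headers else 0.0
        flagged = densest >= max_resets_per_window or (headers >= min_streams and ratio >= max_reset_ratio)
        report[conn] = {"headers": headers, "resets": resets, "peak_open": peak,
                        "max_resets_per_window": densest, "reset_ratio": round(ratio, 3), "flagged": flagged}
    return report


def build_frames():
    """Constructed traffic: one attacking connection, one ordinary browser connection."""
    frames = []
    atk, web = "203.0.113.9:51324", "198.51.100.4:44010"
    # Attack: 500 streams, each opened and reset 1 ms later, a new one every 2 ms.
    for i in range(500):
        sid = 2 * i + 1
        frames.append({"conn": atk, "t_ms": 2 * i, "stream": sid, "type": "HEADERS"})
        frames.append({"conn": atk, "t_ms": 2 * i + 1, "stream": sid, "type": "RST_STREAM"})
    # Browser: 30 requests 100 ms apart, responses finish in 40 ms, three cancelled (navigation away).
    for i in range(30):
        sid = 2 * i + 1
        frames.append({"conn": web, "t_ms": 100 * i, "stream": sid, "type": "HEADERS"})
        if i in (5, 11, 17):
            frames.append({"conn": web, "t_ms": 100 * i + 10, "stream": sid, "type": "RST_STREAM"})
        else:
            frames.append({"conn": web, "t_ms": 100 * i + 40, "stream": sid, "type": "END_STREAM"})
    return frames


if __name__ == "__main__":
    for conn, stats in analyze(build_frames()).items():
        print(conn, stats)
```

Note what the report shows for the attacking connection: peak concurrency is 1, so a max-concurrent-streams setting never fires, while the reset rate and reset ratio are unmistakable. Legitimate clients cancel streams too, so the ratio rule only applies once a connection has opened enough streams to be meaningful.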
"You’ve heard it before: People, Process and Technology! Those are the parts in the Venn Diagram of any IT system. This article drills down on the people part of that Venn Diagram. As part of IT systems, people are the initial point of attack. Bad actors get initial access by hacking the human being with phishing attacks, social engineering, vishing, and more.
So how do we address this? This article points out the importance of cybersecurity awareness and education. These steps are absolutely necessary - but not enough! In any medium to large scale organization, there are going to be users who, despite education, will not act with safety in mind. That’s why using models such as Zero Trust to protect the network is important. They don’t depend on users behaving well.
The shortage of cybersecurity professionals is also a big problem, as this article points out. That’s why automation products, like Splunk SOAR, are so valuable!"
William Van Duynhoven
"Nation state actor tactics continue to evolve and target industry changes such as a revolving remote IT workforce to steal intellectual property, exploit organizations, and fund ballistic missile programs. This is a fascinating attempt to organize at scale by placing bad actors inside an organization that has not been identified previously. The article talks about the importance of employee verification through video or other methods, but ultimately in a virtual environment, this may still be exploited through a myriad of camera trickery. This is where your Pyramid of Pain framework or other security best practices like least privilege access play an important role in mitigating the impact on your organization. As the window for remote IT work significantly dwindles along with the opportunity to exploit remote IT workers, I wonder what tricks they have next in store."
"Microsoft is moving closer to its goal of killing NT LAN Manager (NTLM) authentication in order to improve security for Windows users. This month, the company announced two new Kerberos features in Windows 11 to reduce fallback to NTLM.
- IAKerb, a public extension to the Kerberos protocol, allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight.
- A local KDC for Kerberos allows remote authentication of local user accounts using Kerberos.
Microsoft plans to eventually disable NTLM authentication by default in Windows 11, while keeping the option to re-enable NTLM for compatibility purposes."
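Before NTLM can be switched off, you need to know which sources still fall back to it and why. The following added example (editor's code, not from Microsoft or Splunk) summarizes constructed Security event 4624 records by host, flags NTLMv1 and NTLM logons to local accounts (the case the local KDC feature targets), and lists the noisiest NTLM sources. Field names are the standard 4624 fields; hostnames, users and counts are constructed.

```python
"""Measure residual NTLM use from Security event 4624 records.

Added example; not from the Microsoft announcement or from Splunk. Fields are the
4624 event fields (AuthenticationPackageName, LmPackageName, LogonType,
TargetUserName, TargetDomainName, WorkstationName, IpAddress, Computer); the
records, hosts and users below are constructed.
"""
from collections import Counter, defaultdict


def _logon(computer, user, domain, package, lm="-", logon_type=3, ip="-", workstation="-"):
    return {"EventID": 4624, "Computer": computer, "TargetUserName": user, "TargetDomainName": domain,
            "AuthenticationPackageName": package, "LmPackageName": lm, "LogonType": logon_type,
            "IpAddress": ip, "WorkstationName": workstation}


# Constructed records: a file server, a web server with a local service account, one interactive logon.
EVENTS = (
    [_logon("fs01.corp.example", f"user{i:02d}", "CORP", "Kerberos", ip=f"10.0.1.{i}") for i in range(1, 21)]
    + [_logon("fs01.corp.example", "jdoe", "CORP", "NTLM", lm="NTLM V2", ip="10.0.5.22", workstation="LAB-PC-03")
       for _ in range(6)]                                  # e.g. a UNC path by IP address, so no SPN
    + [_logon("fs01.corp.example", "scan-svc", "CORP", "NTLM", lm="NTLM V1", ip="10.0.9.4", workstation="OLD-SCANNER")
       for _ in range(2)]
    + [_logon("web02.corp.example", "svcweb", "WEB02", "NTLM", lm="NTLM V2", ip="10.0.7.1", workstation="APP-GW")
       for _ in range(10)]                                 # local account: Kerberos was never an option
    + [_logon("web02.corp.example", "admin1", "CORP", "Kerberos", ip="10.0.7.9")]
    + [_logon("fs01.corp.example", "jdoe", "CORP", "Kerberos", logon_type=2)]   # interactive, excluded
)


def audit(events):
    """Network-logon (type 3) breakdown of NTLM vs Kerberos, plus the findings worth acting on."""
    by_host = defaultdict(Counter)
    ntlm_sources = Counter()
    ntlmv1 = set()
    local_ntlm = Counter()
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue                                       # fallback shows up in network logons
        pkg = e["AuthenticationPackageName"]
        by_host[e["Computer"]][pkg] += 1
        if pkg != "NTLM":
            continue
        ntlm_sources[(e["WorkstationName"], e["IpAddress"])] += 1
        if e["LmPackageName"] == "NTLM V1":
            ntlmv1.add((e["Computer"], e["WorkstationName"], e["IpAddress"], e["TargetUserName"]))
        # TargetDomainName equal to the host's own name means a local (non-domain) account.
        if e["TargetDomainName"].upper() == e["Computer"].split(".")[0].upper():
            local_ntlm[(e["Computer"], e["TargetUserName"])] += 1
    per_host = {}
    for host, c in by_host.items():
        total = sum(c.values())
        per_host[host] = {"total": total, "ntlm": c["NTLM"], "kerberos": c["Kerberos"],
                          "ntlm_share": round(c["NTLM"] / total, 3)}
    return {"per_host": per_host, "ntlmv1": sorted(ntlmv1), "local_account_ntlm": dict(local_ntlm),
            "top_ntlm_sources": ntlm_sources.most_common()}


if __name__ == "__main__":
    result = audit(EVENTS)
    for host, stats in result["per_host"].items():
        print(host, stats)
    print("NTLMv1:", result["ntlmv1"])
    print("NTLM to local accounts:", result["local_account_ntlm"])
    print("top NTLM sources:", result["top_ntlm_sources"])
```

Run this over a few weeks of 4624 events before flipping the NTLM restriction policy: NTLMv1 sources need fixing regardless, IP-addressed shares are the classic fallback that IAKerb and proper SPNs address, and local-account NTLM is what the local KDC feature is meant to replace.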