Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.
Check out our previous staff security picks, and we hope you enjoy.
"This episode of the Planet Money Podcast looks at how money from crypto heists is laundered, increasingly by DPRK-backed threat actors to evade financial sanctions. This episode provides a great primer for those unfamiliar with how the end game of cryptocurrency theft actually works."
"I find it fascinating when threat actors choose to openly talk with people about their targets and motivations. The screenshots shown in the article bring to the front the implicit trust that organizations place in email access as an authentication factor. Compromise a well-placed organization and immensely expand access to other 'webs of trust'."
"The International Criminal Court (ICC) is an important target and interesting for state actors with political motivations. Too bad we may never find out what happened due to the nature of these kinds of institutions."
"HTTPSnoop and PipeSnoop are two new malware variants recently discovered that are used to target telecommunication service providers. A report conducted by Cisco Talos states that they are a part of the same set called ShroudedSnooper. Each has its own purpose: HTTPSnoop is more focused on public-facing servers, and PipeSnoop works on already compromised networks. This is another example of why enhanced security is needed for critical systems."
"When GitHub Actions added support for using IAM roles, instead of long-lived IAM user access keys, security practitioners rejoiced at reducing one of the key (no pun intended) burdens of integrating GitHub Actions with AWS. However, a common misconfiguration led to IAM roles that were allowed to be used from any GitHub repo, not just the repo intended. This was further compounded by a popular tutorial sharing code that contained this misconfiguration, leading to more and more incorrectly configured roles as the community built upon that code. Scott describes the technical aspects of approaching the root issue, as well as some of the social psychology challenges (such as the 'bystander effect') that come with tackling problems like this in the open source world more broadly."
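As an added illustration of the misconfiguration this pick describes (example code written for this post, not code from the article, from Scott, or from Splunk): a small Python audit that compares the two trust-policy shapes side by side and flags the permissive one. The action `sts:AssumeRoleWithWebIdentity` and the condition keys `token.actions.githubusercontent.com:aud` and `token.actions.githubusercontent.com:sub` are the real AWS names; the account id, organization and repository names are constructed placeholders.

```python
import json

# AWS's OIDC provider host for GitHub Actions; the condition keys AWS
# evaluates are "<host>:aud" and "<host>:sub".
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC_HOST}:sub"

# Constructed placeholder values (not from the article).
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{GITHUB_OIDC_HOST}"


def _trust_policy(condition):
    """Build a role trust policy document with the given Condition block."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })


# The misconfigured shape: only the audience is checked, so a workflow in
# *any* GitHub repository can present a token and assume the role.
PERMISSIVE_TRUST_POLICY = _trust_policy({
    "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
})

# The corrected shape: the token's sub claim is pinned to one repository
# (here also to its main branch), so tokens from other repos are refused.
RESTRICTED_TRUST_POLICY = _trust_policy({
    "StringEquals": {
        f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com",
        SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main",
    },
})


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _trusts_github_oidc(statement):
    """True if the statement's federated principal is the GitHub OIDC provider."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return False
    return any(GITHUB_OIDC_HOST in arn for arn in _as_list(principal.get("Federated", [])))


def _sub_patterns(statement):
    """Collect every sub pattern under StringEquals/StringLike operators,
    including the ForAnyValue:/ForAllValues: set variants."""
    patterns = []
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.endswith(("StringEquals", "StringLike")) and SUB_KEY in pairs:
            patterns.extend(_as_list(pairs[SUB_KEY]))
    return patterns


def sub_is_pinned(statement):
    """True only if every sub pattern names one concrete org/repo
    (no wildcard in the repository part)."""
    patterns = _sub_patterns(statement)
    if not patterns:
        return False
    for pattern in patterns:
        parts = pattern.split(":")
        if parts[0] != "repo" or len(parts) < 2:
            return False
        repo = parts[1]
        if "/" not in repo or any(ch in repo for ch in "*?"):
            return False
    return True


def audit_trust_policy(policy_json):
    """Return one finding per Allow statement that lets any GitHub repo assume the role."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(statement.get("Action", [])):
            continue
        if _trusts_github_oidc(statement) and not sub_is_pinned(statement):
            findings.append(
                f"Statement {index}: GitHub OIDC trust has no repository-pinned '{SUB_KEY}' condition"
            )
    return findings


if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE_TRUST_POLICY), ("restricted", RESTRICTED_TRUST_POLICY)):
        print(name, audit_trust_policy(doc) or "OK")
```

The check is deliberately conservative: a `sub` pattern such as `repo:example-org/*:*` or a bare `repo:*` is treated the same as a missing condition, because either still admits tokens from repositories you do not control. Feeding this the trust policies exported from an account (for example from a policy dump) is a quick way to find roles that inherited the tutorial's shape.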
"This month, a huge ransomware attack hit MGM/Caesar’s. If we needed a reminder of the threat landscape we live in, we sure got it! What’s even more remarkable is that this started as a simple social hack - using LinkedIn data and impersonating a user on the Help Desk. Another interesting angle here is that attackers are using the attack to drive up the value of customer data stolen in previous attacks! All of this underscores the need to prevent ransomware by detecting activity before the encryption or exfiltration of data, as recommended by our SURGe team at Splunk."
"This is something I've been hearing for years: there isn't a shortage of people who want to be in security, there's a shortage of people who have been in security. I remember seeing a job posting for a 'Cloud Security Architect' with five years' experience... in 2019! I run into a lot of programs that have tried hiring inexperienced people, and then training them, only to have them leave and take a better job. They then shut down the entry-level openings, and try to hire only experienced people rather than look at the root cause: security jobs have one of the steepest promotion/salary increase curves in technology. If we want to train and retain folks through that steep curve, our HR policies and practices will have to evolve and start treating security as a separate and unique domain within technology."
"Supply chain risk management is a top concern for many organizations. To address this, CISA recently announced a new Hardware Bill of Materials (HBOM) framework to help vendors and purchasers manage and mitigate risk by providing an inventory of hardware components included in a product. The new framework was developed by the Information and Communication Technology (ICT) Supply Chain Risk Management (SCRM) Task Force and includes HBOM use cases, a repeatable format to identify issues up the supply chain, and a data field taxonomy for hardware components and attributes. This builds upon prior work to build and implement SBOMs (Software Bill of Materials) for software supply chain transparency."