Staff Picks for Splunk Security Reading November 2018

Dave Herrald and Ryan Kovar

XlBCW0BFU15mW0BGX
VBCW05FXl5MW0BFU11m
W0NGXVBCVUBGXVBCW0BLXl1BVUN
FeV1MWENGeV5MWE
@meansec
@daveherrald

First Round of MITRE ATT&CK™ Evaluations by Frank Duff

MITRE’s ATT&CK Framework just keeps getting better and better. The most recent addition comes in the form of the First Round of MITRE ATT&CK™ Evaluations which were released in late November. The results of the product evaluations are fascinating to read; however I'm just as impressed by the methodology the team employed throughout the process. First off, kudos to MITRE for emphasizing transparency and carefully explaining the challenges inherent in performing such evaluations. I also like how the team took it as an opportunity to show how to use a single adversary group as a mechanism for selecting tactics to use in the test. That approach makes sense both for these evaluations and for organizations looking to put the ATT&CK Framework to use in their own security programs.

John Stoner

NLXV1MW0BLXV1CW2
RGXV5CVUNGXlBBVUBFX
VBCWENFXl5MW0BFU15BW
EBLXV1CW05FXV1MWEBLXl5BV
@stonerpsu

This Is the Fastest Way to Hunt Windows Endpoints by Michael Gough

September is a crazy time of year between the start of the school year, the boy’s hockey and prepping for .conf, and so it wasn’t realistic for me to head to New Orleans for the SANS Threat Hunting Summit as much as I would have loved to go. Fortunately, the good folks at SANS posted the summit presentations, and there is quite a treasure trove of goodness. While there is a lot of phenomenal content, I wanted to highlight Michael Gough's talk "This Is the Fastest Way to Hunt Windows Endpoints.” Michael has done a tremendous amount of work around Windows logging and maintains a great set of cheat sheets that should be used as references for those working with Windows events. During his talk, he introduces his latest cheat sheet that maps the MITRE ATT&CK framework, all 11 tactics, and 187 techniques, to Windows Event codes, Microsoft Sysmon and LOG-MD for Windows 7/8/10 and Server 2008R2/2012! Michael provides guidance around hunting using event logs as well as specific event codes to start with, which is great for folks just getting started or as a refresher for those who have been hunting Windows events and want to make sure they have the most important events covered. He also discusses the importance of looking for malicious auto-runs and other badness in the registry, files, and directories to eliminate the known bad to help focus your hunt. As we have talked previously, Windows events provide great insights, and Michael's presentation is definitely one you should check out!

Matt Valites

UBGXV1CWE5GXV1CVU
NGXlBBWGRFXl1MW0BLXlB
CW0BFeV1MW0BFXVBCf0B
FXVBBVUBGXVBCW05GXVBB
@Matthewvalites

Internet Vulnerability Takes Down Google by Ameet Naik

On November 12, a misconfiguration at a Nigerian ISP that resulted in US traffic to G-Suite being routed to China once again revealed the fragility of Border Gateway Protocol (BGP), one of the Internet's core routing protocols. BGP hijacks fascinate me for three reasons—the ease with which they seem to (continually) happen, the potential scale of impact, and the often utter ambiguity as to why they occur. While this incident appears to be non-malicious, Thousand Eyes cites previous route hijacks that resulted in cryptocurrency theft and targeted financial-sector traffic inspection (for what reason, nobody knows…). The complexity and dynamism of Enterprise environments inevitably lead to challenging problems for security operations teams to solve. Would your security and network team know if your organization's traffic was hijacked? What if, in the case of the financial-sector interception, your traffic ultimately ended-up at it's intended destination, albeit via a different (potentially malicious) route? How would you detect similar routing anomalies and—possibly more importantly—how would you respond were you to be impacted by one?

Derek King

WEBhXV1CW0NFU15Cf0BFXl
5MWENGU15CWE5GXVBBW
0BhXlBCW0BFU15mWENLXl1
BVUBGXVBCW0BLXVBC
@network_slayer

Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims by Yonathan Klijnsma

On the 6th of September, British Airways reported a breach of approximately 380,000 stolen (or skimmed) credit card details and personal information. Looking at some of the evidence the attack appears to be consistent with the threat group Magecart according to Yonathan Klijnsma at RiskIQ. I'm choosing this report for a number of reasons; firstly, British Airways are the biggest provider of flights here in the UK, so it's prevalent domestically. Secondly, because Yonathan does a great job of outlining the details of the attack including code snippets, staged infrastructure details, and other tactics used. Lastly because whilst any breach isn't good for consumers, I think BA actually did a great job of noticing the attack in 15 days. While we could argue they might have been sleeping for 14 of them, if we compare it against the median dwell time reported in the 2018 M-Trends report of 101 days then I think the security community should praise some of the quality of the team.

Michael Weinberger

WEBFXl5mWENFU15MWE5FX
V5mW0NhXl1CVUBFU15CWE
BLXnpCW0NFU15BW05GXl1M
WENhXV5CVUBLXl5BW05FXl1
CVUBGXVBCWE5GXV5Bfw==
@tryphantom

BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads by Bill Marczak, Jakub Dalek, Sarah McKune, Adam Senft, John Scott-Railton, and Ron Deibert

Throughout the start of 2018, The Citizen Lab uncovered many malicious uses of deep packet inspection tools to inject redirects into HTTP traffic, pointing users to malicious downloads or to revenue-generating ads and browser-based cryptocurrency mining scripts. Their report on the finding is a great read, not only because it reads like the plot of a best-selling spy novel, but also because it gives us insight into the use of DPI tools, the importance of HTTPS, and brings up the interesting moral implications of interacting with users traffic. For those of you who work for organizations that deliver products or services to customers, the report helps to emphasize the importance of implementing encryption and security measures to limit the impact external malicious actors can have on our content. For the rest of us, it's a great reminder of how the work we do in security on a daily basis has essential implications on a broader scale. The Citizen Lab continues to do a top-tier job, and this content is no exception. Definitely take the time to read this one, and check out https://citizenlab.ca/about/ for more information about the lab and its work.