Staff Picks for Splunk Security Reading April 2019

Ryan Kovar

@meansec
Witty Thing

DNS based threat hunting and DoH (DNS over HTTPS) by Adam Ziaja

As someone who has been advocating the detection of malicious activities via DNS for many years, I was dismayed when I found out about malicious use of DNS over HTTPS (DoH). This is a great technical primer for blue teamers to learn the ins and outs of DoH and how red teamers/adversaries can use it to bypass just about every single defense we have. I spent some time after this paper trying to whiteboard how to detect DoH consistently... and I'm not gonna lie, it's going to be hard. If you have ideas, hit me up on Twitter!

John Stoner

@stonerpsu
Witty Thing

DNS Hijacking Abuses Trust In Core Internet Service by Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres

This month had lots to choose from, but I wanted to highlight Talos's fascinating blog post on a campaign they are calling "Sea Turtle" which is built around DNS Hijacking. This campaign has been going on for over two years, and while it is predominantly focused in the Middle East and North Africa, some of the techniques used are new and unique; like anything else, success will breed greater adoption of these successful techniques in other adversary's toolkits. For example, they employed certificate impersonation as part of their man in the middle attack using certificates issued from other providers, making the MitM attack less likely to be detected. They also steal the organization's legitimate SSL certificates and use them on adversary controlled servers. Talos provides IOCs as well as CVEs for the vulnerabilities that provide initial access, so there are some excellent takeaways in the post beyond the information on Sea Turtle. It is crucial to maintain control of your DNS servers, and this article highlights new ways adversaries are trying to wrest away that control to gain access deeper into the organizations.

Dave Herrald

@daveherrald
Witty Thing

"Mental Models for Effective Searching" by Chris Sanders

This month we had the honor of presenting at the 2nd annual SANS Blue Team Summit in Louisville Kentucky. Of all the great talks given at the summit, my favorite was "Mental Models for Effective Searching" by Chris Sanders. In this presentation, Chris skillfully combines general guidance (useful regardless of technology stack) with some useful product-specific syntax and tips. In this way, the talk was exactly what we have come to expect from Chris: deep insight into how the human brain works followed by practical advice on leveraging that knowledge to make security analysts better at their jobs. As someone who spends much time teaching folks how to search in Splunk, I know how hard it is to be concise and how easy it is to misunderstand precisely how a search works on a particular platform. I would be remiss if I did not mention some of the other great things Chris does for the security community that everyone should be aware of. First is the Rural Technology Fund which needs your help to achieve its goal of impacting 100,000 students by 2020. I highly recommend you donate today. Also, check out Chris' free course entitled The Cuckoo's Egg Decompiled which is a guided walkthrough of one of the earliest books on computer security monitoring.

Derek King

@network_slayer
Witty Thang

Reverse-engineering Broadcom wireless chipsets by Hugues Anguelkov

Splunk Security folks speak a LOT about closely monitoring endpoints in the best way you can. Turning on process auditing either using standard operating system audit features or by third-party software were not precious, but we are passionate about it! This month's pick for me exemplifies why we like to bang that endpoint drum so hard! Hugues Anguelkov at Quarkslab has identified multiple vulnerabilities affecting multiple Broadcom WiFi drivers. By chaining these together, it is possible to remotely compromise a host and execute arbitrary code. This, in turn, has a knock on effect to well-known manufacturers' hardware. I've chosen this because device drivers don't always feature heavily in a organisation's threat analysis, and therefore patching efforts. We know attack vectors have for a long time now transitioned to the endpoint as a potential initial foothold, and this type of attack is an example of that. Operating at such a low level in a system, these vectors can potentially bypass many of the higher level prevention strategies placed on systems giving more weight (as if you need it anyway!) to why getting detection capability directly on the endpoint is a now a critical component of any threat detection capability. As always, defence in depth is critical. Patch to prevent, and monitor to detect!

Joel Ebrahimi

@antimatt3r
Witty Thing

Wipro Hack And The Lack of Disclosure by Brian Krebs

There was plenty of your typical tax time phishing hacks going on in April as usual, but if you have not heard about the disclosure of the Wipro attack or maybe the lack thereof, it is an exciting read. KrebsOnSecurity first reported the breach after reaching out to Wipro and not getting much response back. It seems that the leadership wanted to sweep this under the rug as quietly as possible, but hiding anything—especially a security breach—is not likely to happen with a public company. What makes this story even more disheartening and even comical is that Brian Kerbs called into the quarterly earnings call and challenged Chief Operating Officer Bhanu Ballapuram to what inaccuracies Brian had made in his article that Bhanu referred to. BrianOnKrebs published a follow-up article with more details as well. Besides the lack of responsible disclosure in this hack, another thing that made this interesting was what appears to be the goals of the hackers. For such a substantial compromise, it seems that the hacker's target were gift cards to be used at the retailer's stores. It makes you wonder who was actually behind these attacks and were they sophisticated in using a 'zero-day' as Wipro claims.

Michel Oosterhof

@micheloosterhof
Witty Thing

APT34 / OILRIG LEAK, QUICK ANALYSIS by misterch0c

Iranian state actor OilRig, also known as APT34, has been active in the Middle East for the last few years. Some of their attack tools were leaked on Telegram this month; a copy is available here. Palo Alto published much detail on their DNS tunneling here. While I mostly operate in the world of software and security, it's always interesting to learn other fields as well—here's a step-by-step guide on getting hardware access IOT devices and how to reverse engineer undocumented serial ports. Also, last I'd like to point at the work Splunker Mark Bonsack is doing in standardizing syslog configurations, which can send to file for UF consumption, HTTP Event Collector and Kafka. Give it a try!