Sneak Preview of the Enterprise Security Content Update for March 28, 2018 (Part 2)

In addition to the Analytic Story on AWS Cryptomining we covered in our blog post from last week, this week's Enterprise Security Content Update release highlights a recent Department of Homeland Security (DHS) alert fingering the Russian government for cyber activity targeting critical infrastructure sectors and includes searches to help detect similar activity.

Check out the highlights:

Russian Government Implicated in Cyber Attacks Against US Infrastructure

The frequency of nation-state cyberattacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity.

One joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.

Find out more about suspicious activities—spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications and many more—in this Analytic Story.

This Analytic Story includes a number of detection searches, such as:

Monitoring for PowerShell processes that were launched using a parameter designed to bypass the local PowerShell execution policy.
A search that looks for specific registry paths that malware often uses to ensure survivability and persistence on system startup.
Alerting for spikes in SMB traffic that may indicate an infected host attempting to spread ransomware to other hosts in your environment.

It also includes some environment-specific and investigative searches that may help you go deeper.

Data Sources Required:

Network traffic logs
Logs that include both the process name and command-line from your endpoints

Update the Enterprise Security Content Update app now on Splunkbase to ensure you always have the latest analytics!

Splunk Threat Research Team

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Contextualize your data with threat intelligence information from Project Honey Pot

Security 7 Min Read

UK TSA Regulations: SOC Teams, Get Ready!

The UK Telecommunications Security Act (TSA) compliance is coming and will be a new challenge for SOC teams. Splunk security evangelist Matthias Maier takes a closer look at requirements and shares an end-to-end use case as an example.

Security 2 Min Read

Why Detection and Response Holds the Key to Data Protection

Enterprises are changing security spending strategies and moving away from prevention-only to focus on threat detection and response

About Splunk

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.

Learn more about Splunk

Sneak Preview of the Enterprise Security Content Update for March 28, 2018 (Part 2)

Related Articles

Contextualize your data with threat intelligence information from Project Honey Pot

UK TSA Regulations: SOC Teams, Get Ready!

Why Detection and Response Holds the Key to Data Protection

About Splunk

Subscribe to our blog

Connect with Splunk on X

Connect with Splunk on Instagram