Security

April 25, 2023

5 Minute Read

Staff Picks for Splunk Security Reading April 2023

By Audra Streetman

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. You can check out our previous staff picks here. We hope you enjoy.

Doug Lhotka

@douglhotka

Large Language Models and Phishing by Bruce Schneier

"When you combine this type of technology with large databases of breached data, phishing is about to get a whole lot worse. Instead of form letters with missing fields or poor grammar, or generic campaigns and easily spotted scams, we will not get highly targeted custom campaigns, including specific details about the individual that lent it credibility. Add in the ability to interact in full conversations and this is going to be a major problem. The challenge for us as security professionals is twofold; how can we automatically detect and identify these types of campaigns upstream and either flag or block them, and second, how can we properly educate the lay public about this capability to help them avoid becoming a victim."

Danny Furtaw

@furtawww / Linkedin

Exploding USBs used to target journalists in Ecuador by Jurgita Lapienytė

"Remember the Rubber Ducky? Add-in some explosives, plug it in and... BOOM! This article details an incident where a USB was used as a means to detonate explosives at a local news station in Ecuador. Authorities found that the actors placed RDX (a type of explosive) inside a launcher capsule in the USB device. Criminal groups are actively devising new methods to cause chaos and commit violence. This proves that cybersecurity goes beyond protecting our data, but also our people. While this is an extreme case, it should serve as an example of why we need to remain vigilant when dealing with any unknown or unusual devices, like USBs. Stay safe!"

Zachary Christensen

New ChatGPT4.0 Concerns: A Market for Stolen Premium Accounts by Check Point Team

"Who would have guessed it? Brute-forcing credentials to ChatGPT accounts so you can resell AI-as-a-Service using stolen credit cards. It's no surprise that cybercriminals are taking advantage of those who reuse passwords on multiple platforms. This has led to a rise in account takeover of ChatGPT premium accounts, allowing more cybercrime in selling accounts or AI services. This is also another great reminder to not reuse passwords and to be cautious of advertisements for new AI services."

Lars Wittich

The LockBit ransomware (kinda) comes for macOS by Patrick Wardle

"A seemingly new variant of the LockBit ransomware was analysed, this time featuring macOS as target. It is still not entirely clear how impactful this could potentially be, but this write-up goes into a lot of detail about what it does and what to look out for."

Madeleine Milukas

NIST Small Business Cybersecurity Corner from NIST.gov

"While it’s fun to work with well-staffed security operations teams that use the latest, greatest products, most days I work with small- to medium-sized businesses as well. Many of them don’t have a full-blown SOC, but instead have a single “Security Person” or even an IT Team that’s also responsible for Security. I love working with these smaller companies, but I’ve noticed how overwhelming it can be for them, considering the wealth of security-oriented information out there. This may be old news for some of you, but I found NIST’s Small Business Security Corner through last month’s NIST Small Business Cybersecurity Community of Interest (COI) announcement, and my mind went straight to how relevant this information would be to the teams I work with every day! The page includes planning tools, workbooks, a glossary, helpful guides by topic, and training videos. It’s a great resource for any business just starting to improve its security posture, and it’d also be valuable for someone new to the security analyst role in general (by way of career change, internship, etc.). Even a seasoned veteran could benefit from browsing through the content, if only to brush up on security-oriented topics and best practices."

James Hodgkinson

yaleman@mastodon.social

We put GPT-4 in Semgrep to point out false positives & fix code by Bence Nagy for Semgrep

"This is a great example of how LLM's can make for better outcomes in the DevSecOps arena. The first question I'm always asked about security scanning and automated tools is "how actionable are the outputs?" The answer's normally "not great, without trained security professionals and dedicated staff." It looks like this could be rapidly changing with LLMs providing an interpretation of the problems and good first-attempt contextual suggestions for changes. I'm excited to see where this goes, but remember - nothing beats good testing!"

Ronald Beiboer

FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks by Ravie Lakshmanan for The Hacker News

"Old acquaintances reappear and collaborate in the act of stealing your data while simultaneously encrypting it using multi-stage malware attacks."

Sydney Howard

@letswastetime

Living Off the Orchard: macOS Binaries (LOOBins) by Brendan Chamberlain

"Alongside the recent releases of new tool repositories (such as LOLDrivers), we welcome Living Off the Orchard: macOS Binaries (LOOBins)! What makes LOOBins unique is that it focuses only on binaries on macOS and how these can be used for malicious purposes. It does not include overlapping Unix binaries that are detailed in GTFOBins. This can be incredibly useful as you are investigating your macOS environments. This is a brand new repository but something that should be bookmarked! Happy hunting!"

Damien Weiss

@damienweiss

The weird world of Windows file paths by Erik Jälevik

"As a UNIX snob, I have thought about the relative simplicity of UNIX paths and compared them with needlessly complicated paths that Microsoft has thrust on the world and have wondered "why?" more times than I can count. That being said, a foundational knowledge of rules and exceptions to Windows paths is necessary for threat hunters and red teamers alike. For instance, did you know that you can't name a file PRN on a Windows machine? Seriously, try it. Thankfully, Erik Jälevik has documented this strange world for us."

Kassandra Murphy

Cyber Threat Intelligence: The Power of Data by Ed Cabrera for Trend Micro

"The number of customers I work with who still aren’t leveraging the power of threat intelligence is diminishing but they certainly still exist. With that, this article describes how bringing in threat intelligence data can benefit and enhance an organization’s overall security posture. Some of the benefits include risk and management and compliance, cybersecurity defense and incident response, as well as some lesser known benefits like increasing your competitive advantage differentiation and improving CxO-level briefings."

Chris Perkins

The Future State: Data in SLED by Chris Perkins

"In this blog, I take a brief trip back in history and talk about the future of data in State, Local Government and Education organizations."

Audra Streetman

@audrastreetman / @audrastreetman@infosec.exchange

Hacker Group Names Are Now Absurdly Out of Control by Andy Greenberg for WIRED

"In this article, Andy Greenberg takes aim at threat actor naming conventions that feature descriptive animal names like 'Charming Kitten' or 'Fancy Bear.' It comes after Microsoft announced a new taxonomy with a weather theme. Attribution using so-called 'pet names' can trivialize the serious implications of cyberattacks. It's an easy criticism to make. More difficult, however, is finding a solution for organizing emerging and evolving threat groups into systems for analysts to effectively track and compare. Even more difficult (and unlikely) is a naming convention that's universally adopted, because organizations that track these groups have different visibility into their infrastructure and behaviors. For example, one company may track an activity group that another company clusters as two separate activity groups. From a reporting perspective, descriptive names are more memorable than 'Group 86.' I'm not sure the right answer, other than to acknowledge that threat intelligence collection and attribution is a highly nuanced and complex process."

Detecting Lateral Movement with Splunk: How To Spot the Signs

Identifying lateral movement is so important, and it sure isn't easy. Using Splunk makes it a lot easier, and we'll show you how in this tutorial.

Security 2 Min Read

Fraud Detection: WFH Leading to Increased BEC and Phishing Threats — What To Look For

We take a look at a couple examples that can help detect BEC and phishing, and highlight how some people may already have the data in Splunk!

Security 4 Min Read

Staff Picks for Splunk Security Reading October 2019

A selection of presentations, white papers and blog posts you might have missed in this month (or before), handpicked from the Splunk security world

About Splunk

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.

Learn more about Splunk