Staff Picks for Splunk Security Reading August 2018

Tarah Wheeler

@tarah

On Cyber: Towards an Operational Art for Cyber Conflict by Gregory Conti and David Raymond

"On Cyber" is a pitch-perfect breakdown of the major topics in fighting cyberwar based on the template laid out by Clausewitz. While that could be seen as derivative, it is in fact, a brilliant meta-maneuver to cause people who haven't as yet really begun to know in their bones that cyberwar is real war. The translation into planes of battle and the move to express different tactics through historical examples of battles compared directly with major and well-known cyberattacks draws a clear line between how we need to begin creating defensive (and offensive) strategies of war which simply take the cyber realm as matter-of-fact. While "cyber" isn't a word often welcomed by the information security community, it is the clearest, and best way to communicate this concept to people who aren't embedded in infosec. This manual is an instant classic, and I recommend red and blue team people read it so they can step into the minds of the people doing their jobs...but in uniform.

Matt Valites

@Matthewvalites

AWS Privilege Escalation -- Methods and Mitigation by Rhino Security

The first step in a security monitoring playbook is to determine 'What do you want to protect?'. Let's pretend the answer is 'AWS.' 'Step 2' in in the playbook methodology is to determine 'What are the threats?' In this article, Spencer Gietzen does a fantastic job of enumerating 17 different attacks against AWS' Identity and Access Management (IAM). Once you understand these threats, you can determine the data and the query needed to detect those threats (step 3) to secure a portion of your AWS environment. Rinse and repeat for your VMs, application, serverless environment, etc....

Derek King

The Cuckoo's Egg by Cliff Stoll

This month I'm going old school in more ways than one! Not only am I taking us back to 1986, but I'm also going to suggest a book.. (OK you could get a PDF if you want). The Cuckoo's Egg by Cliff Stoll is a non-fiction book of an astronomer turned systems manager at Berkeley Lab identifying a small error in his computer systems. That leads him through months of investigations tracking a hacker back to the then East Germany and funded by the CIA for espionage. The hacker was pivoting through US DoD computer systems at a time when the world didn't understand what a hacker was, and law enforcement for theft of 'information' wasn't even a thing! -- If anyone needs to step back from shiny box syndrome and remind ourselves of why we do what we then this is a must read. In real life Cliff is eccentric, and it absolutely shows in his writing! -- Enjoy!

Jim Apger

@jimapger

A visual introduction to machine learning by Stephanie and Tony @R2D3

We spend a bunch of time here at Splunk delivering anti-fraud solutions that are primarily focused on either online behavior or purely transactional datasets. A working knowledge of Machine Learning (ML) is required to deal with the transactional scenarios most effectively. For those just getting started on the ML journey, take a look at this month's pick. It's a visual introduction to ML, and although it's been around for a while, it's visualizations are still impressive.

John Stoner

@stonerpsu

Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations by Digital Shadows

This month was tremendous regarding the breadth of content published! There was a lot to choose from, but the indictment of FIN7 combined with my adoration of MITRE ATT&CK pushed this post to the top of my list. Digital Shadows did a great job taking the FIN7 indictments and breaking them down based on materials that the Department of Justice posted (pretty sweet exhibits, btw!). The Digital Shadows team then broke out the FIN7 methodology and mapped it to both Pre-ATT&CK and ATT&CK to illustrate the different stages of the overall attack as well as the tactics and techniques used every step of the way and then closed each phase of the attack with their guidance on how to mitigate the threat. As the Digital Shadows team notes, there are still additional pieces of information that the indictment does not cover that need to be gathered around the attack, but it provides excellent insight into this particular set of attacks well as steps organizations should take to mitigate against these kinds of adversaries.

Alice Bluebird

Shameless Marketing Plug
@aliceBluebird

Through the Looking Glass Table by Splunk

OK OK OK... this isn't your usual "Staff Picks," but it is something we are pretty proud of. Many of you are aware of the "Frothly" universe that we have created for the "Boss of the SOC" competition. This graphic novel created by Splunk is the first issue of many. It describes Alice's battles defending Frothly against T'APT using Splunk tools in graphic (har har) detail. The comics are loaded with inside jokes that we consider funny and several easter eggs. A free beer to whoever finds the hildegardsfarm.com reference. Hopefully, you enjoy it!