Staff Picks for Splunk Security Reading August 2019

Ryan Kovar

@meansec

THANK GOD BH/DEFCON IS DONE

Popping shells on Pulse VPN (CVE-2019-11539) by Rich Warren (@buffaloverflow)

My good friend Mark Parsons turned me onto the dangers of the pulse VPN, and the talk at Black Hat did nothing to make me feel better. If you haven't checked for these vulnerabilities in your network, do so immediately. Also, if you think you don't have Pulse Connect in your network... I'd... double check. Just in case. This one is nasty.

Derek King

@network_slayer

Just gotta get through .conf19

APT41: A Dual Espionage and Cyber Crime Operation by FireEye

During August, FireEye released the full APT 41 report publically. The report attributes the activity back to several Chinese individuals potentially operating for personal financial gain, state-backed, and draws several comparisons with activity back as far as 2012 for those individuals. I've included two links, the first a condensed summary if time is tight or for interest only, and the full report if you choose. The technical detail is excellent, but the key takeaways apply: patch known vulnerabilities without undue delay, and log detailed endpoint and network feeds for detection and response.

John Stoner

@stonerpsu

And then SANS Events

Attacking and Defending The Microsoft Cloud by Sean Metcalf and Mark Morowzynzki

August always brings an embarrassment of riches with BSides, DefCon, and Black Hat producing talks and presentations on great content, and this year is no exception. I've spent a good chunk of my spring and summer on two activities at the office, and this talk neatly bridged them which caught my eye! Sean and Mark go through their talk by looking at the myriad of ways to attack MS Cloud infrastructure, some of which includes those pesky on-premise active directory controllers that are synchronizing with the Azure AD! They provide an excellent overview of password spraying—an attack technique that if you are not familiar with, you should be—and then wrap up the attack section with a few different token and privilege escalation attacks. The second half of the talk is on defending the cloud, which lays out some excellent and practical tips to consider implementing as you get your presence established in MS Cloud. They even provide a set of phase 1 and phase 2 checklists at the end of their presentation that will give you some actionable steps to take to help secure your cloud!

Drew Church

@drewchurch

And then RSA

Corporate IoT – a path to intrusion by MSTIC

My first submission for the monthly reading list is on a subject near and dear to my heart: vulnerability management. The Microsoft Security Response Center (MSRC) lays out how three Internet of Things (IoT) devices were compromised by the STRONTIUM/APT28 group to gain Initial Access to corporate networks, perform Discovery, and Move Laterally. Spoiler alert: two devices were compromised via default passwords, and the other was a missing security update. Ask yourself—how do I know what my IoT device security posture looks like when currently deployed tools may not provide adequate coverage? I believe the "Recommendations for Securing Enterprise IoT" section is of particular value to any security practitioner looking to self-assess their vulnerability management program in the context of IoT. Take the results and develop a roadmap for the future.

Damien Weiss

@damienweiss

And then RSA
(yes twice)

HTTP headers: Visually Represented by @b0rk (Julia Evans)

Julia Evans has been writing a series explaining HTTP headers in comic form. While this isn't a format that most would choose, she has done so with brilliance. Using the visual composition and an excellent method of explaining the sometimes difficult to understand, you will walk away with a better insight about HTTP headers. While only one tweet is listed here, check out the rest, like, "Cross-Origin Resource Sharing" and "Certificates" to better leverage Splunk in your investigations. Now if I could only get her to write a series on the tax code...

Joel Ebrahimi

@antimatt3r

And then Black Hat/Defcon

Texas ransomware attacks deliver wake-up call to cities by Maggie Miller

In 2013, a malware campaign propagated through the Gameover Zeus botnet began attacking Windows systems through email attachments and became one of the most widely known ransomware attack dubbed Cryptolocker. In these ransomware attacks, files on or connected to the operating system are encrypted using RSA public-key cryptography, and then a message appears on the user's screen demanding some form of payment (typically Bitcoin) for the files to be decrypted. What has changed in 2019 is the targeting of these attacks. Instead of the blind spamming of these attacks or spending time trying to go after big enterprises with lots of preventative security technologies, the attackers are now focusing on smaller organizations and increasingly local governments. The reason these have become the target of choice is that a lot of times these smaller governments contain plenty of sensitive information or maintain control over local infrastructure but lack the security tools, policy, and personnel to defend against these sort of attacks. We have seen success in this attack model, and in August, we saw 23 local governments in Texas get compromised by what appears to be the same attacker. Is this a wake-up call for smaller organizations and governments to increase their cybersecurity?