Staff Picks for Splunk Security Reading August 2021

Ryan Kovar

@meansec

S

How ransomware happens and how to stop it by NZ Cert

I literally can't count how many times I have referred to this document in Slack, Twitter, Linkedin, and in person. I love how the NZ Cert broke down the entire lifecycle of ransomware in actionable areas and explained what you need to help. I recently spoke with Lisa Vaas from threatpost.com about ransomware and how usually, when people talk to me about it, it's like asking to put Humpty Dumpty back together again. You can't try and stop ransomware after it executes. Its just too fast. This whitepaper clearly shows how much value there is to thinking left of "boom" or the actual installation and execution of malware... er ransomware... err the same thing. The point is, spend time working on your defenses BEFORE you are encrypted (or compromised), and you will be able to defend much more effectively.

Damien Weiss

@damienweiss

U

SolarWinds and the Holiday Bear Campaign by Bobby Chesney

Too much ink has been spilled on SolarWinds, and I've become exhausted by the latest hot take on the attack. That being said, have you struggled to get your CFO or manager to understand what happened with the SolarWinds attack and why it matters? Well, have I got the article for you. Here is a fantastic, high level overview that stays technically accurate rather than glossing over the details to make itself more accessible.

John Stoner

@stonerpsu

R

Cobalt Strike, a Defender's Guide by The DFIR Report

Cobalt Strike was created to be a tool for security teams to test their defenses, but it has also become a favorite of entities with more nefarious purposes. Numerous adversary groups, some related to nation states, others related to financial crime, have been observed using Cobalt Strike as part of their operations. The reason I mention all of this is that if you have not seen Cobalt Strike, you may have been very fortunate or you may benefit from my pick for this month! TheDFIRReport and Kostas published an in-depth primer that provides an overview on Cobalt Strike's capabilities, available documentation and videos (there are a bunch btw), as well as examples, explanations and links to the highly customizable feature that is the malleable C2 profile feature. At this point, we have barely scratched the surface of the guide and now start looking at Cobalt Strike and the logging it creates. Many of the examples covered leverage Microsoft Sysmon, which you know we are a big fan of. In fact, we wrote about Sysmon as a key tool for hunting. And in case you are not using Sysmon, the author included Windows Event Codes for reference as well. After walking through numerous tactics and the logs that are generated, the guide provides a brief discussion on aggressor scripts and links to samples and then a robust section on defences including Sigma, Suricata and Yara rules. If you are in need of a single place to focus on Cobalt Strike, this document is a great place to start!

Matt Toth

@willhackforfood

Ge

If at first you don't succeed, try bribery! by Brian Krebs

With Ransomware on everyone's mind it was only natural that criminals have resorted to bribing employees to deploy malware in corporate networks as another technique in their arsenal. When a phishing scheme did not work out, a malicious scammer reached out to what he assumed was an employee to offer 40% of the ransom if the employee installed the malware. The employee was a fake persona created by a security team luckily for that organization. Disgruntled employees have been a worry for a long time, with many notable data breaches hammering the danger home. There are tools and techniques to help limit the risk, like behavior analytics to detect potential insider threats, and we need to be on the lookout for new tactics our adversaries use to compromise our networks to stay a step ahead of them.