Staff Picks for Splunk Security Reading December 2018

Ryan Kovar

@meansec

Good time for a change
See, the luck I've had

Naked Statistics by Charles Wheelan

I am a huge believer in the need for cybersecurity professionals to learn, understand, and use statistics in their day job. Of course, it doesn't hurt that Splunk makes that super easy. :-) For those of you who say "I'm not good at math," I hear you. I am still befuddled to this day how I ended up with a job that requires day-to-day mathing. The details of how I learned to love statistics are quite inconsequential... Very well, where do I begin? My father was a relentlessly self-improving WoW farmer from Belgium with low-grade narcolepsy and a penchant for debuggery. My mother was a 15-year-old French web developer named Chloe with webbed feet. My father would reverse malware; he would drink. He would make outrageous claims like he invented the regex. Sometimes, he would accuse Pentium IIIs of being lazy. The sort of general malaise that only CEO's possess and the insane lament... My childhood was typical: summers in the San Jose... typing lessons with Mavis... In the spring, we'd make boats from discarded Crays... When I was insolent, I was placed in a burlap hoodie and had algorithms shouted at me—pretty standard, really. At the age of 32, I tried to make some interesting visualizations and failed... because I didn't know how to make numerical sense of my data. This was the book that turned statistics from a scary word used by mathwarlocks into something obtainable and usable on a day to day basis. It breaks the theory down into real-world relatable chunks, and you end up sitting at bars joyfully expounding the differences between mean, median, and Bill Gate's salary. I hope you enjoy it!

John Stoner

@stonerpsu

Can make a good man
Turn bad

Services Cyber Intrusion Casebook 2018: Stories from the front lines of incident response in 2018 and insights that matter for 2019 by Crowdstrike

As we get to the end of the year, it's natural for us to all look back on the previous year as we prepare for the coming year. Crowdstrike has released its Cyber Intrusion Casebook for 2018, and with the holidays, I felt this would be a good read for everyone. Their casebook starts with findings from their service engagements over the past year and then goes into overarching trends based on the incident response, compromise assessments and advisory engagements they have worked. This first part provides some useful information, but I enjoyed the deeper dive that makes up the second half of the report. In the latter portion, Crowdstrike shares six case studies, across multiple industries, that provide a look into the investigations that they were a part of this year. Each case study has a breakdown of the intrusion, the investigation, and analysis that went on, as well as the attacker tools that were involved (and their mapping to the MITRE ATT&CK framework). Each case study wraps up with recommendations. If you don't read anything else in this report (you wouldn't do that, would you?), read and seriously investigate undertaking these recommendations in your environment in the coming year. There are excellent recommendations in each case study that will assist any organization, so even if you can't do them all, consider implementing the ones you are able to!

Matt Valites

@Matthewvalites

So please please please
Let me, let me, let me
Let me get what I want
This time

Driving Efficacy Through Detector Tuning: a Deeper Dive Into Detection Engineering by Keshia LeVan

One difference we see between mature security operations and those working to become mature is how those organizations measure the effectiveness of their operations. Known as Alert Fatigue, repeatedly spending time on analyzing events that provide no value is a drain on people and tool resources. However, how do you know whether or not the events being analyzed are providing value or not? In this multi-part blog post, Red Canary showcases a way to look at the efficacy of security monitoring events. By combining this type of measurement with a repeatable and prescriptive playbook, security organizations can make intelligent decisions about how to improve underperforming queries, identify skills or effort gaps in their analysts, highlight trends in detections, and help justify staffing levels.

Adam Swanda

deadbits

Haven't had a dream in a long time
See, the life I've had
Can make a good man bad

A new exploit for zero-day vulnerability CVE-2018-8589 by Boris Larin, Anton Ivanov, Vladislav Stolyarov

This month I wanted to draw attention to a write-up by Kaspersky on the Windows zero-day exploit, CVE-2018-8589. While this exploit has since been patched in November, the vulnerability existed in the way Windows handled calls to the Win32k.sys driver, leading to a race condition. If adequately exploited by an authenticated attacker, it led to arbitrary code execution in the context of the local user. What's interesting about this particular vulnerability is that it was found in-the-wild being used by targeted malware, as it's not very often you find malware leveraging built-in exploits these days. Now that the news of this vulnerability has been released and a patch pushed, it might not be long before we begin to see this exploit being used in non-targeted attacks such as cybercrime malware. All the more reason to make sure your systems are patched for the holidays!

Jim Apger

@jimapger

So for once in my life
Let me get what I want
Lord knows, it would be the first time
Lord knows, it would be the first time

Risk Gifts, An early present by CONTRA_BLUETEAM

2018 brought forth an exciting development for several of us who have been thinking through the problem of Alert Fatigue in the SOC. The Anti-Fraud work that I have been involved in for the past many years has sharpened my usage of abstraction when looking for early signs of the fraudster at work. One of the notions we cling to in the anti-fraud space is that the fraudster is almost always the outlier and they leave plenty of clues as to their behavior hidden in your data. In cyber-security, we have more concrete models, such as the MITRE ATT&CK framework, than we do in the anti-fraud space for understanding the adversary's motivations. Chasing anomalous user behavior without regard to a behavioral framework rather than embracing it is what got us into this alert fatigue mess, to begin with, because we have been treating each anomaly as an alert. We further compound the problem by trying to whitelist our way out it. Rather than having an analyst run through the situational awareness drill for every traditional alert, let's take a step back to leverage an abstraction of an entity's aggregate anomalous and/or "risky" behavior as part of the analytics process. I have coined an idea called Risk-Based Alerting (RBA) where we treat traditional cyber-security correlation rules as risk attributes then examine those risk attributions to drive alerts. Several SOCs have adopted this methodology thanks in large part to the pioneering work presented by American Family Insurance in their .conf18 session detailing their success with this RBA approach. Writing that first risk attribution rule is the hardest part of RBA as it involves new mechanics to generate meaningful attributions. For those interested in a more technical dive into what goes into a risk attribution rule, take a look at my staff pick for the month. That example will save a ton of time for those early in their RBA journey. There are many other very technical Splunk specific blog entries on that site should you choose to explore their playbook.

Dave Herrald

@daveherrald

<~BQS?8F#ks-GB\6`H#IhIF^eo7@rH3;
G@>T'BKpZ'=%5,p7ri*"<_H!~>

Holiday Hack Challenge by Ed Skoudis and his team from Counter Hack Challenges

It's December! So for me, there is no choice but to call your attention to the annual SANS Holiday Hack Challenge. The legendary Ed Skoudis and his team from Counter Hack Challenges have yet again created an activity that gamifies technical security education while bringing a community together in the holiday spirit. Moreover, it's fun! Really fun. In fact, If you're like me, it's quite addictive. This year, participants attend a virtual security conference called KringleCon which features presentations from security experts before embarking on the quest to solve challenges and answer questions. I have participated in this event for many years, and I've been a fan of Ed's for even longer. If you have some spare time, I highly recommend you check it out!