Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
Staff Picks for Splunk Security Reading February 2021
By
Ryan Kovar
|
Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.
Check out our monthly staff security picks and our all-time best picks for security books and articles. I hope you enjoy.
|
51 weeks since my last flight |
SIEM rules ignore bulk of MITRE ATT&CK framework, placing risk burden on users by Bradley Barth We hear "how do I create a detection for everything in the Mitre ATT&CK matrix?" quite often at Splunk. I get it. It makes sense. It's a matrix. It makes you want to fill in boxes with green and red for "done" and "not done" status. But the reality is that ATT&CK was not designed to give you a SIEM detection scavenger hunt challenge. The ATT&CK team designed it to allow for a scientific method of tracking adversary TTPs. It just so happens that SIEM nerds like us can also use it to generate detections for SOME of those TTPs. Full disclosure, I was interviewed for the article, so I obviously have a bias, but take a look and think hard on how you are using Mitre ATT&CK in your organization. |
|
Are hotels still a thing? |
Sandworm Intrusion Set Campaign Targeting Centreon Systems by ANSSI Readers of our blog may not be familiar with ANSSI, so in case you are not, allow me to introduce the organization who is bringing you my selection for this month. ANSSI is the acronym for Agence Nationale de la Securite des Systemes d'Information. They describe their role eloquently on their own website in this way; "The role of the National Information Systems Security Agency is to facilitate coordinated, ambitious and proactive consideration of cybersecurity issues in France." At the end of January they produced a report that you may not have seen that discusses the targeting of Centreon systems by the Sandworm Intrusion Set. I wasn't familiar with Centreon but with a little web browsing found that they are an ITOps Platform that was founded in France. With all the recent IT monitoring fun many of us have experienced over the past few months, I found it fascinating that another ITOps platform had been targeted prior to 2020. The report (EN / FR) details the webshell and backdoor utilized and its operation, including ties back to the original ESET report that associated the similarities of the backdoor to Industroyer, which was attributed to TeleBots(Sandworm). Most importantly from a defensive side, ANSSI provided a set of recommendations and detections; IOCs for MISP in JSON format, SNORT and YARA rules that are detailed in the report can also be downloaded for your own use. |
|
Will I get to goto .conf? |
B is for Billion, as in 3.27 Billion Stolen Logins by Tara Seals When a user on a cybercriminal forum posts about a compilation of over 3 billion stolen account logins, it gets an eyebrow raise. The user, Singularity0x01, dropped the COMB (Compilation of Many Breaches)for around $2 US on RaidForums. While the number of accounts included is massive, they appear to have been available in the Dark Web for some time. This is a good reminder for users to get a password management tool, and make sure to use unique passwords for each site or account, and update those affected in breaches. |
|
Am I alone? |
DNS Hijacking Attacks on Home Routers in Brazil by Albert Zsigovits It's always DNS. And this article does nothing to dispel that maxim. In my red team years, I would go after corporate and government DNS servers to create a joyful army of MItM attacks. Flip all pictures upside down in a browser? Sure. Replacing downloads with installers of my own? Don't mind if I do. Run all bank sites through to scrape relevant information? Sure. "But wait, Damien, what about TLS?" Well, my friends, the number of people that actually look for the lock symbol is pretty small... This mindset is what I present today: websites in Brazil taking advantage of vulnerabilities to log into consumer's wireless routers to change the DNS servers that are being pointed to. Now, they're pointing to the evil DNS servers for no good. Indeed, the article goes on to show that these DNS servers are pointing folks to "bank websites" to harvest credentials. IOCs are in the article. |
Related Articles
About Splunk
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
