Staff Picks for Splunk Security Reading February 2023

Hello, everyone! Welcome to the Splunk Staff Picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

You can check out our previous staff security picks here. We hope you enjoy.

Shannon Davis

(@DrShannon2000 / @DrShannon2000@infosec.exchange)

Mr President! We Cannot Allow a Spy Balloon Gap! by Tom Uren for Seriously Risky Business

"A great, lighthearted (appropriate here) take on the whole Chinese balloon saga. You can read the article in this link, but if you aren’t already subscribed to the Risky Biz newsletter, I highly recommend it (number 7 of my top 12 newsletters)."

Ronald Beiboer

(Linkedin)

Dissect: An incident response game-changer by Erik Schamper for Fox-IT

"Fox-IT open-sourced their incident response tool Dissect. According to their website, 'Dissect enables you to go from acquisition of thousands of systems to answering the how, when, and what in a matter of hours.' Its API allows for anyone with Python experience to adapt it to their own needs and create output to the platform of their liking. It’s available on GitHub for everyone to use now. "

Ryan Fetterman

(@iknowuhack)

Big Data is Dead by Jordan Tigani for MotherDuck

"In this post, former Google BigQuery engineer Jordan Tigani reflects on more than 10 years as a big data evangelist and argues that the era of "Big Data" has ended. This is not to say that data isn't more important than ever, but storage and compute have outpaced the scale of growth that most organizations collect and query out of necessity, or by policy. Have we overcome the biggest challenges of collecting and querying security data at scale? Alleviating the "Big Data" management burden allows for better direction of our research efforts with Splunk—extracting valuable insights from our data!"

Tom Smit

(@tsmit / Linkedin)

cURL audit: How a joke led to significant findings by Maciej Domanski for Trail of Bits Blog

"I've always been a huge fan of people finding weird and alarming things by happenstance. Here's a story about how someone jokingly said, 'What if we send curl just random bad stuff...' As you can see from this blog post, quite a bit of "badness" occurred. It's a gentle reminder to always trust but verify, and keep your tools clean and close to you. Read along as the fuzzing of curl exposed memory leaks and memory corruption bugs."

Sydney Howard

(@letswastetime)

Telemetry Layering by Jonathan Johnson for SpecterOps

"We often focus on one piece of telemetry as part of a detection, but your tools can generate other source types that may be worth investigating further. This post explains the process of detection layering in which we create a detection for a specific technique using multiple telemetry sources. Using this method, we can get a more holistic view of an adversarial technique and better detection coverage in case one telemetry source fails."

Mark Stricker

(@Mark_Stricker)

ChatGPT Subs In as Security Analyst, Hallucinates Only Occasionally by Robert Lemos for DarkReading

"In January, I reviewed an article about how adversaries might use ChatGPT against organizations. In this article, Robert Lemos looks at the other side of the coin: using AI like ChatGPT for defense. But as we're all learning, care must be taken when using these tools!"

Audra Streetman

(@audrastreetman / @audrastreetman@infosec.exchange)

Fog of war: how the Ukraine conflict transformed the cyber threat landscape by Shane Huntley for Google Threat Analysis Group (TAG)

"Nearly one year after Russia invaded Ukraine, Google TAG, Mandiant and Google Trust & Safety released a report analyzing how the conflict has changed the cyber threat landscape. Researchers divided the war timeline into five phases of Russian cyber operations, noting that Mandiant observed more destructive cyberattacks in the first four months of 2022 than in the previous eight years. 

In 2022, Google says it disrupted nearly 2,000 instances of Russian Information Operation (IO) activity on its platforms. The report also notes disruptions to the cybercrime ecosystem, with an observed uptick in reported ransomware attacks in Russia, but not against critical infrastructure in NATO member countries. The report also assesses that former members of the Conti ransomware group may be repurposing their techniques to target Ukraine.”