Staff Picks for Splunk Security Reading July 2020

Ryan Kovar

@meansec

When I was young,

Working Through Splunk's Boss of the SOC by Chris Long

I think everyone who would read this blog post has heard of Boss of the SOC and know that this has been a passion project for many of us at Splunk for almost 5 years. Every April, we opensource the previous year's data and the questions/answers to the CTF and let people run it at home! We love spreading the knowledge and education that the BOTS dataset provides, but sometimes it feels like sending your kid to college. You hope he does well, but you are never quite sure. This month, Chris Long sent us a lengthy (6+ part) report card/love letter about BOTS, and we could not be happier. Step by step, he shows his thought process of how to work through our questions. He shows where he goes wrong, calls us on our bullshit, and finds our hidden easter eggs. Reading his writeup of BOTS is like visiting an old friend. It's been years since we created that data, and it is so fun to see it being used and appreciated to this day. I hope you get as much use and enjoyment out of his blog posts as we did!

Derek King

@network_slayerd

I never needed anyone

Threat Group Cards: A Threat Actor Encyclopedia version 2.0 by ThaiCert

This month I stumbled across what is probably the biggest compilation of Threat actors compiled into a single document. All 400+ pages, and 260 individual threat groups. This has clearly been around for some time as it's now version 2.0. ThaiCert has done a great job of compiling this encyclopedia from public OSINT sources that were backed by Security Research. Aside from the 'light bedtime reading' and mild interest the biggest lesson here is just how difficult attribution is, the sheer amount of crossover between so-called groups, and why mere mortals like us are rarely worthy (or right) when attribution is attempted. I'd love to know what use you find for this.

Matt Toth

@willhackforfood

And making blogs was just for fun

If you teach a Hacker to phish, he'll go to jail... by Catalin Cimpanu

A Russian Hacker has been found guilty of breaching the networks of LinkedIn, Dropbox and Formspring. The Hacker, Yevgeniy Nikulin, gained access to the LinkedIn network by infecting an employee's laptop with malware. He was then able to spearphish other organizations, and gained access to Dropbox and Formspring with this technique. Monitoring for phishing emails, and which employees have access to which files, shares, and how they use that access, is important in protecting against attacks like these.

Damien Weiss

@damienweiss

Those days are gone

Toolkit tailored for air-gapped networks discovered. by Ignacio Sanmillan

The first time I saw Splunk was while I was securing air-gapped networks. While we "knew" that the usual measures, no thumb drives, using separate physical networking gear were great, I wanted to take things to the next level, and so began my Splunkification. During that time, I started working towards other defenses and prevention methods, but the hardest part was knowing what to defend against. Thankfully, frameworks used to attack air-gapped networks are becoming more public and so their defenses are coming to light. With that in mind, ESET has discovered a framework it has called "Ramsay". Check it out and start to let the ideas flow of ways you could use Splunk to detect a framework like this.

Mick Baccio

@nohackme

All byyyymyyyyseeeeelllfff

Honda and Enel impacted by cyber attack suspected to be ransomware by MalwareBytes Threat Intelligence Team

In the early part of June, Honda and Enel were both compromised in an attack that "appears to have been carried out by software designed to attack the control systems for a wide variety of industrial facilities like factories and power plants." Honda was forced to halt production in several plants globally, and while there does not appear to have been data exposed, the investigation is ongoing. Analysts believe this may be a new variant of ransomware designed to encrypt files, but with an additional talent of industrial systems disruption.

John Stoner

@stonerpsu

Don't want to blog,
alll byymysellffff

What to expect when you're electing: Talos' 2020 election security primer by Matthew Olney

"It isn't just the core integrity of individual elections that we are worried about, we are also worried about the faith and trust the electorate has in state institutions to fairly administer the elections." Depending when this blog is posted, we are between 90 and 100 days away from Election Day 2020 in the United States and with that comes an opportunity for the country to apply the lessons learned from the 2016 election to provide a higher level of election security than was achieved previously. Talos has released an excellent whitepaper on their time over the past four years researching and learning about the election process across the country and serves as part civics lesson and part security primer. What may not be well understood about the election process is the various constituencies that must come together to carry out an election, who maintains ownership and responsibility of equities including the pollbooks, election management systems and databases and where funding for securing elections comes from. As the team goes through the various components required to conduct an election, from vendors to voting machines to voters and politicians and everything in between, they also highlight the focus of the adversary as well as the role of the security practitioner in each step along the way. The whitepaper is about 15 pages and is a good quick read but I wanted to leave you with a final quote from the primer that hopefully highlights why everyone should care about election security; "...a key geopolitical objective of our adversaries is to weaken the faith that American voters have in American democracy, and to weaken the faith the world has in western-style democracy in general. Because of this, the mere appearance of a problem is sufficient to advance some actors' goals."