Staff Picks for Splunk Security Reading June 2019

Ryan Kovar

@meansec

29.8978876,-97.2158734

How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today by Tom Strickx

BGP. Whenever I hear those three letters, I am transported back the summer of 2001 when I was studying for my CCNA. Tucked into one of the textbooks was a small mention of "L0pht Crack" and bringing down the internet in "30 minutes" using BGP. In the 20+ years since those "Long haired computer hackers" testified in front of Congress, we have seen various versions of this prophecy come true. From nation-states, intentionally rerouting traffic through their "pipes" to independent organizations pulling a "whoopsies!" This article is excellent for walking through exactly what happened, how, and why. Our traitor former beloved colleague, Matt Valites, actually once talked about BGP in a previous security staff picks too! If you are a Fortune 500 company, financial services, Government, or DIB you should be thinking about how to be proactive in detecting BGP shifts and what BGP hacks means to your data.

John Stoner

@stonerpsu

37.5894543,-108.3288389

Breach → ATT&CK → OSQUERY: Learning from Breach Reports to Improve Cross-platform Endpoint Monitoring by Guillaume Ross

This month's pick has a couple of concepts I enjoy so the confluence of them was just too good to pass up. I have spent a good chunk of time over the past year working with MITRE ATT&CK and applying it to threat hunting. Moreover, for those of you who have participated in Splunk's Boss of the SOC (BOTS) or have attended James Brodsky's endpoint talks at .conf, you know that we love endpoint monitoring and we have found OSQuery to be quite helpful and useful for endpoint visibility. Based on those two areas of interest, I wanted to call out a talk that Guillaume Ross gave at SANS Security Operations Summit this month. Guillaume walks through the Singapore Health Service breach and maps the report to MITRE ATT&CK and then looks at how you can use OSQuery to detect these ATT&CK techniques such that as these techniques are used further in the same campaign or by others, they can be detected moving forward by the SecOps team. It is critical to understand previous attacks and learn from them, and his use of OSQuery at the endpoint provides a great example of how any organization can do this!

Joel Ebrahimi

@antimatt3r

46.7104589,-116.8866933

Project Svalbard: The Future of Have I Been Pwned by Troy Hunt

This month I wanted to share a little different type of security read. Have you ever used the site "Have I Been Pwned?" If you are not familiar with it, it is a site that collects compromised email addresses from breaches. Visit the site, enter your email address, and find out if it has been a part of any major breaches in the last couple of years! You can even be proactive and enter your email into a watchlist for notification in future breaches. A single IT professional, Troy Hunt, created/maintains the site, and this article talks about his journey with the site, burnout, and his attempts migrate the site to a company that can maintain. I wanted to give Troy a personal thanks for his commitment to this service, and hopefully, this site ends up in good hands.