Staff Picks for Splunk Security Reading June 2021

Ryan Kovar

@meansec

Introducing SLSA, an End-to-End Framework for Supply Chain Integrity by Kim Lewandowski, Google Open Source Security Team & Mark Lodato, Binary Authorization for Borg Team

It seems like the repercussions from SolarWinds have defined my life for the last 1,433 months. To wit, months later, I am still talking about Supply Chain attacks and reading blogs on the latest Executive Order that references it. This blog from Google is no different. Their SLSA (salsa... mmmm...) framework will eventually help organizations have greater confidence in THEIR supply chain and thus help the world. Saying that some people are going to find this a bit...esoteric. If you read nothing else, read their chart on "Threat | Known example | How SLSA could have helped." It breaks down eight different threats to the supply chain, case studies, and how SLSA could've helped. At least the "threat" and "known example" are universally helpful to anyone who buys or sells software!

Matt Toth

@willhackforfood

You're Hired! Just kidding, you're pwned! by Brian Krebs

When people are looking for jobs, the last thing they want to worry about is being scammed. Sadly, this continues to happen and Krebs highlights a recent scam that was used to conduct ID Theft. People were drawn to classifieds posted on LinkedIn by a consulting firm in Washington DC, and when they responded to the post were directed to send an email to a recruiter using a Gmail address. Interestingly, the consulting firm and recruiter are real, but the contact information was not. At the time of the story around 100 people had responded to the false job postings. There are a series of tips that Krebs shares at the end of the story that we should all be aware of, but the big one is if it feels too good to be true, it probably is.

Damien Weiss

@damienweiss

Red Canary's Diary of a Detection Engineer by Sarah Lewis and Matt Graeber

I have a serious soft spot for how-to articles. I especially have a soft spot for articles that take me into the thinking of the person who is doing the how-to. Red Canary has started a series titled, "Diary of a Detection Engineer" that delivers the thinking and the how-to. I have been using that information to help my customers write better Splunk searches.

In this case, Sarah goes through her exploration of two executables, scrcons.exe and dllhost.exe and what she found suspicious about their behaviors.

Paul Pelletier

Containers have security problems and flexibility issues. VM's will make them viable. by Darren Yates

Will containers be the death of VM's? VM's have been around since the 1960's when IBM pioneered this technology with their CP-40 and CP-67 platforms (I wasn't actually around then, but I do love history). Containers have been around since the late 1970's, with Kubernetes now being the gold standard. I find this an interesting debate because there are merits to each approach. VM's are definitely better at isolation than containers, since containers share all the resources of the host. There is definitely a need for better isolation within containers, enter microVM's where you get the best of both worlds (a container running inside a lightweight VM). So will it be a fight to the death...time will tell, hopefully we'll see the industry use this more hybrid approach to container security.

Dave Herrald

@daveherrald

Best Practices for MITRE ATT&CK(r) Mapping by Cybersecurity & Infrastructure Security Agency (CISA) and Homeland Security Systems Engineering and Development Institute(tm) (HSSEDI)

A few years back, Ryan and I were working on a project together, and unbeknownst to each other, we ended up both grabbing the same action item. The task was to take a set of data in Splunk and map that activity to the MITRE ATT&CK(r) framework. When we realized we had both done the work, we decided to compare our results, and oh boy, were we surprised. For two people who are generally on the same page, we arrived at significantly different conclusions! As is so often the case in security, our individual biases crept in, resulting in significant differences between our final products. Suffice to say, mapping security events to tactics and techniques is trickier than it seems.

This is why I was excited to see that the US Cybersecurity & Infrastructure Security Agency (CISA) released Best Practices for MITRE ATT&CK(r) Mapping. According to CISA: "This guide provides network defenders with clear guidance, examples, and step-by-step instructions to make better use of MITRE ATT&CK as they analyze and report on cybersecurity threats. This will improve defenders' ability to proactively detect adversary behavior and supports robust, contextual bi-directional sharing of information to help strengthen the security of our systems, networks, and data."

I think this guide helps fill a void, and I recommend it to any team charged with mapping security events to MITRE ATT&CK(r). I think it can be adopted as is, or it can serve as a jumping-off point for you to create your own standards.

CISA noted that the guide was developed in partnership with the Homeland Security Systems Engineering and Development Institute(tm) (HSSEDI).

Tamara Chacon

@holly1g0lightly

Researchers create 'Shadow Figment' cybersecurity decoy tech that lures attackers into a fake world by Richard Yonck

Building a "honeypot" has always intrigued me, since I first learned about them. Creating complete copies of a network or even playing a little defense always piqued my interest. Today, our world has seen attacks on our food processing plants, utility companies, hospitals, and so many more. The playing field is continuously changing with new intrusion methods everyday and the cybersecurity field needs some sophisticated techniques to combat them. This article by Richard Yonck on GeekWire dives into the brilliant new tool called Shadow Figment.

James Brodsky

@james_brodsky

VMs Help Ransomware Attackers Evade Detection... by Kelly Sheridan

Well now I've seen it all. I can remember years ago when WannaCry and NotPetya and Locky - all of those quaint little ransomwares came out, we stood up VirtualBox VMs in a lab and infected them, and captured all of the metadata about the infection in Splunk to write detections. But now VirtualBox is sometimes part of the ransomware attacks themselves? How meta! But in these days of much more targeted ransomware - it makes sense that an attacker might have the time to stand up a VirtualBox VM on the target host, map target host drives to the guest, and start encrypting. And your trusty EDR might be blind to this! Time to lock down your policies and searching for VirtualBox (and other virtualization tools) where you don't expect them...

John Stoner

@stonerpsu

The FBI's Anom Stunt Rattles the Encryption Debate by Lily Hay Newman

This story dropped a bit earlier in the month; the FBI carried off what some might call a supply chain attack and managed to get a developer of Anom to become an informant and then place an app into the "secure" messaging platform to send all communication to the FBI. Yeah, pretty fascinating. The tricky part of all of this is another facet of the encryption debate that has continued for many years. Parts of the government desire access to systems that are encrypted from one end to the other while many organizations in tech have steadfastly refused. This activity, while very effective for the purpose of this operation no doubt will reignite this debate with fair points in all directions. Lily Hay Newman has a great piece in Wired that lays out the debate in the context of Anom and what the broader implications are as well as the concerns around violating privacy of innocent citizens.