Staff Picks for Splunk Security Reading: March 2018

Ryan Kovar

“SHAME! SHAME! SHAME!”
@meansec

Detecting Lateral Movement through Tracking Event Logs by JPCERT/CC

I am continually impressed by the attention to detail and effort that JPCERT puts into their reports. In June of 2017, JPCERT/CC dropped a document that outlined 49 different tools/commands that adversaries use to traverse networks. Not only do they do an excellent job describing WHAT these tools are, but they also show all the forensic evidence in Windows logs left by EACH ONE OF THESE TOOLS in an impressive little githiub.io app! I don't believe anyone has operationalized this yet for Splunk (although I am sure the Security Research Team has something brewing) but it would not be difficult for a SOC to take this report and create high-fidelity correlation searches off the info inside. Top Kovar Tip: Keep an eye on JPCERT for moar awesomeness in the future.

James Brodsky

“Just full of general shame”
@james_brodsky

Detecting RDP brute force with one hand by Security Storm

Over and over and over I hear the same thing from customers: “But we don’t WANT to collect data from our endpoints into Splunk! It will cost too much! It’s too hard! We don’t see the value! Are those nachos but made with potato chips?” Yet, take a look around at any advanced detection techniques for Splunk—hell, any modern security analytics platform—and you’ll see endpoint data. Even the simple questions that come up are easier to answer with endpoint data. Case in point: I’ll go back to the well of https://security-storm.com again this month and call out this very short entry on detecting and preventing brute-force RDP attacks on directly-connected endpoints (yes, that’s a thing). The folks at security-storm show you extremely simple searches against Windows Security events—sysmon would do, too—to find unsavory behavior against their ill-connected endpoints, and then tell you how they prevent it once they’ve used Splunk to assess the scope of the problem.

Ken Westin

“Shameless”
@kwestin

Former Equifax CIO Jun Ying Accused of Insider Trading by Bloomberg

Recently, I presented at BSides Vancouver on a very similar topic, the title of which was “White Collars & Black Hats: Bitcoin, Dark Nets and Insider Trading.” Although my talk dealt primarily with how criminal hackers are collaborating with traders in the targeting of non-public information to gain an edge in trading, I did discuss an insider case as well, where an insider was providing M&A information to external traders who used that information to net millions. The Equifax case is a different beast altogether and deals with someone in a senior position who learned of a breach that could have an effect on share price and who acted on that information. There were logs available to identify Ying’s search history and intent and that he was aware of the potential impact of the breach on share price, whereas other executives who had sold shares had no knowledge of the breach in question. It is interesting that knowledge of a breach or vulnerability can now be considered non-public information subject to SEC insider trading laws, something to consider in a breach response and risk plan.

Dave Herrald

“Davogorgon”
@daveherrald

The Newcomer’s Guide to Cyber Threat Actor Naming by Florian Roth

This month I chose a blog post and associated resource by the highly respected Florian Roth. Florian is well known as one of the most prolific creators of YARA rules and as the creator of the standardized Sigma signature format for SIEM systems. Florian recently published The Newcomer’s Guide to Cyber Threat Actor Naming, which provides insight into the realm of threat actor naming in our industry. For those not familiar with threat group identification and tracking, suffice to say it’s a complicated endeavor. Minute technical details, incomplete pictures of an actor’s activity, threat groups stealing/sharing code and techniques, and sometimes competitive situations among the teams tracking the adversary can all lead to a seemingly incomprehensible situation. In this post, Florian deconstructs the current state and provides an open list of threat groups that we can all use to help make sense of the landscape.

John Stoner

"Two trick Buttercup”
@stonerpsu

Building threat hunting strategy with the Diamond Model by Sergio Caltagirone

I was recently asked to present a webinar on threat hunting, and as I was preparing for it, I was reviewing my notes and materials. As I was examining, Sergio’s article jumped out at me because of its threat intelligence approach to driving threat hunting. When hunting, I can start anywhere, which is a blessing and a curse. The Diamond Model helps me contextualize the intelligence that I have which then can lead me in a direction for my hunt. For example, if I see a US-CERT advisory on web-shells, I can start my hunt focusing on that capability, particularly if that advisory indicates that victims could help my peer groups or me. After reviewing the different hunting approaches based on the vertices of the Diamond Model, Sergio then discusses pros and cons and strategies of each method. Great questions and a great way to take your threat intelligence and apply it to your hunt!