Staff Picks for Splunk Security Reading March 2020

Ryan Kovar

@meansec

MERCURY (aka MuddyWater) [is] the most capable and dangerous threat actor linked to Iran by Ned Moran

If you've paid attention to my areas of threat actor focus over the last six years at Splunk, you'll know that I always find Iranian threats the most fun to keep up with. Why? Maybe because I like kittens and underdogs. When I first started tracking threat groups from Persia, they were not the most advanced kids in the yard. Lots of Havij and script kiddie goodness. Now they are breaking out A-Team level cyber badassery on a global stage. Given Ned's role at Microsoft, you should start brushing up on Mercury/Zagros*/Muddy Water, even if they aren't your usual cup of چای. I always like to start with the Muddy Water bibliography in MITRE ATT&CK and go from there!

Mick Baccio

@nohackme

¡Ã..ÀÈû}´8/|.4^.ZÞÌ

Teaming up with Defending Digital Campaigns on election security by Mark Risher

Long time reader, first-time submitter. It feels weird to be on the other side of the keyboard. My first submission is going to be about political campaigns, which should really shock no one, but stick with me - there's a bonus at the end. On Safer Internet Day, Mark Risher announced Google's partnership with Defending Digital Campaigns to offer FREE security keys to ALL political campaigns. Through the distribution of security keys, Google and Defending Digital Campaigns have eliminated the attack vector used to compromise the email accounts of several high-profile figures in the 2016 POTUS campaign cycle. If you're a staffer, volunteer, supporter, citizen —whatever your affiliation or involvement may be — this is something that everyone can champion. During my time as CISO at Pete for America, I learned the adage "every dollar spent on X, is a dollar not spent on votes" is very accurate, and their budgets can limit the success of political campaigns. With this free offering, there is no excuse for any campaign not to implement security keys for all staff. If you are currently participating in a campaign, you can still sign up for the Advanced Protection Program and use your phone as a security key. Read more about it here
Related: hey, Google, bring back Buzz.

John Stoner

@stonerpsu

Hackers Are Everywhere. Here's How Scholars Can Find Them by Ben Buchanan

How many of you consider yourselves scholars? That's ok, even if you aren't, Ben Buchanan discusses some exciting places to learn more about cyber operations beyond where you may traditionally look. His book, "The Hacker and the State" was just released, and while I have not read it yet, I look forward to it. In this blog post he discusses how there are three sources of information that are somewhat underutilized in understanding more about these operations. They are technical literature from other disciplines, such as computer science, private sector, and government-related documents. The private sector documents are likely where most of our readers spend their time learning more about cyber operations. Still, he brings up a good point that some of the more recent federal indictments and other sources of information that exist, can provide a great deal of additional information to better understand what I will refer to as long term campaigns rather than just a point-in-time operation, depending on geopolitical changes that might occur.

Dave Herrald

@dherrald

Firefox continues push to bring DNS over HTTPS by default for US users by Eric Conrad

I had the pleasure of attending the SANS Blue Team Summit this week in Louisville, KY, USA. The keynote was delivered by @eric_conrad on the topic of DNS over HTTP(DOH) and DNS over TLS(DOT). In his talk, Eric pointed out that Mozilla announced that they began enabling DOH for all US-based users on February 25. The clear-text nature of the DNS protocol has long been a double-edged sword. While enterprise defenders have relied on easy access to this high fidelity network telemetry, privacy (and even security, as pointed out by Selena Deckelmann) advocates warn of the significant information leakage that traditional DNS represents. One takeaway from Eric’s talk is that although this change may negatively impact our ability to collect DNS data easily off the wire, there are still ways for organizations to configure local resolvers with logging to collect the data. Be sure to set aside some time to think about how these changes are going to affect your DNS collection strategy going forward.

Matt Toth

@willhackforfood

How a hacker's mom broke into prison--and the warden's computer by Lily Hay Newman

Many people in IT use their Mothers as a punchline, "Even my Mom can do it!" but we need to change that mindset. Our Mothers have a wealth of expertise that is hugely beneficial across our industry. Just ask John Strand, whose mother performed a penetration test at a prison, and totally owned it. Using her experience in the Food Service Industry, she posed as an Inspector. She was able to gain not only access to the prison's networks but also give advice on how to improve the food service practices in the prison. We need to respect everyone's experience because you never know when it will be necessary to take over a network.

Damien Weiss

@damienweiss

MTrends 2020 by FireEye

If you haven't read it yet, or ever before, you're in for a treat. FireEye Mandiant has released its yearly report on malware and APTs: MTrends 2020. I'm not going to ruin the surprise here, but if you're interested in a detailed report about malware trends, security statistics, cloud penetrations and their SIEM defenses, and a new APT group, then this is the report for you. This report's analysis of threat trends will help justify your spending and time, and honestly, it's a fun read.