Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
Staff Picks for Splunk Security Reading March 2021
By
Ryan Kovar
Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.
Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.
Check out our monthly staff security picks and our all-time best picks for security books and articles. I hope you enjoy.
|
I'm vaccinated! |
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter Recently I was asked to create a reading list for some executive level folks of approachable books and whitepapers around cybersecurity due to... news events. Finding content that is low on technobabble and undecipherable jargon but high on content is difficult. The only people who seem to master this are Journalists. Enter: Countdown to Zeroday by Kim Zetter. Her book is clear, concise, and (dare I say) exciting. I find it helpful to have people read books like this to learn about historical events and context and use them as case studies to apply to recent (ahem) events in the news. |
|
I'm even double vaccinated |
Back in June 2020, my staff pick was the book Active Measures: The Secret History of Disinformation and Political Warfare by Thomas Rid, along with two Lawfare podcasts that interviewed Thomas about his book and findings. Fast forward nine months and the National Intelligence Council released their declassified assessment this month around election influence which would fall under the bucket of active measures. The report delineates election influence from election interference and then goes on and outlines multiple nation-states who they assessed attempted to influence the election as well as their analysis around motivations, as well as actors, methods and operations. Finally, for anyone looking to write threat intelligence reports, please pay careful attention to the estimative language that is used throughout the assessment. In fact, the last page of the assessment explains how this language is used and what it means. Great stuff for folks who write assessments to have in their kit. |
|
|
Cybercrime goes too far in beer breach by Elizabeth Montalbano It is a sad day indeed when cybercriminals go after brewing companies. In what appears to be an attack pulled straight from Splunk's Boss of the SOC, Molson Coors has been hit by a cybersecurity "incident". The company is not saying what the attack was, but with the recent string of ransomware attacks there is speculation that this is the case again. This attack seems to have caused pretty severe disruptions, with Molson Coors hiring outside help, and "working around the clock" to fix it. When looking at how to defend against attacks like this, having visibility into both the IT and OT environments is key. Being able to detect anomalous behavior across the infrastructure, including manufacturing environments, gives an organization a chance to stop the attack before it spills their beer. |
|
Is DEFCON still a thing? |
Top 10 Malware February 2021 by CISecurity This month I read the CIS Top 10 Malware for February 2021, as observed by the MS-ISAC (that's US centric for those outside of the mothership).. A few things stand out to me. Zeus (or its variant code is still clearly very active! Woah - thats so 2011! David Veuve's detection work at Splunk never dies! If IOCs are your thing, there are a number of them here that you may be able to use to help confirm any suspicious activity you observe. Enterprise Security and Phantom customers, have plenty of material on Splunk blogs to help you operationalize those. Lastly, we talk endlessly about the importance of endpoint data. Sysmon and a solid powershell collection strategy would feature heavily in detecting many on this list. However, don't let WMI Event logs become a second class citizen. The prevalence of WMI for lateral movement and persistence is ever increasing. Grab those logs and a go a huntin' Snugy, Coinminer, Zeus and more! Anyone taking any bets as to what hits the March top 10? |
|
I hope its a thing |
A Zeek OpenVPN Protocol Analyzer by Keith J. Jones I appreciated Dr. Jones' walking through the OpenVPN Protocol as well as how he authored the Zeek plugin to help detect the use of OpenVPN on a network. While not commonly seen by adversaries (yet?), there are demonstrated examples of encrypted C2 (see MITRE ATT&CK Technique T1573 Encrypted Channel). Thinking past malicious outsiders, enterprise defenders should be aware of when hosts on their network are making outbound VPN connections that might indicate data exfiltration or other bad behavior. This blog and plugin also motivated me to deploy Zeek on my home lab once again. |
Related Articles
About Splunk
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
