Staff Picks for Splunk Security Reading: May 2018

Ryan Kovar

I wrote this for Pugs ;-)
@meansec

Using ATT&CK to Advance Cyber Threat Intelligence – Part 1 by Katie Nickels

At this point, ya'll must be sick of the love fest that Splunk has for Mitre's ATT&CK framework. We talk about how we use ATT&CK to organize our BOTS competitions, we talk about how Enterprise Security Content Updates maps its searches to the ATT&CK framework for better understanding of attacks, and we even select blog posts about ATT&CK for our staff reading picks! There is a reason: ATT&CK is awesome. But what I like about this article, written by Katie Nickels, is that it shows how you can map threat intelligence over the ATT&CK framework. I often get customers asking me "where do I start hunting" or "How do I focus my search for APT: Juggling Snail?" The techniques outlined by Katie in the first of a blog series shows how you can take known attributes of an adversary and overlay it on the ATT&CK navigator. This could give you places to brainstorm for hunting OR you could take those TTPs and use the mapped ATT&CK searches in ESCU or Splunk Security Essentials to find bad stuff. It is a great way when you are too lazy to think for yourself and just want the internet to tell you how to find baddies :-)

Derek King

SplunkCyberBaby

Verifying Success of Key Mitigations by James Ronayne

For my first staff picks, I’m choosing this talk from .conf2015 by James Ronayne, NSA. I think this is a great talk, not just for its “intelligence” (pardon the pun) but for everyone tasked with designing or operating a security monitoring operation. It has it all; from the anatomy of an attack, description of the kill chain, thought process around choke points, to even prevention techniques. Finally, the presentation teaches you to choose the right Splunk visualisations to monitor not just the ‘thing,’ but maybe just maybe the behaviour of the ‘thing’ when it’s the right approach to help mitigate or limit the damage of a compromise. Most of all, it's practical and gets the creative side flowing if you let it... And who doesn’t need a bit of that in their lives?

Rich Barger

"Bedazzling Bearded
Barn Owner"
@richbarger

Indicators and Network Defense by Joe

You know that feeling when you read something that someone else has written and it captures ideas you’ve had, but feared to share because you were sure people would think you were a little crazy? I will posit that Joe Slowik’s Indicators and Network Defense has the potential to smash new #ThreatIntel dogmas and bring reformation to our sect of security, similar to Luther's 95 Theses. If you see controversy in some of his statements, I urge you to meditate on the picture that Joe is really painting. He has gone to the edge of the IOC “flat-earth,” and returned with insights into a world of potential that could dramatically advance our craft. His message should encourage everyone because it gives #ThreatIntel consumers and producers wider widths, deeper depths, and higher heights. There is a dimension to the approaches by which we detect, investigate, contextualize, and respond to modern threats. It is time that our community has this difficult, but necessary, family discussion.

Dave Herrald

“Davogorgon returns!”
@daveherrald

Behind the Scenes with Red Canary’s Detection Engineering Team

Over the last several months we have had the great pleasure to get to know the team at Red Canary. Red Canary is a group who is passionate about helping find evil in their customers' environments, and they are equally passionate about sharing knowledge with the community. From contributions like the Sysmon App for Splunk to the Atomic Red Team Project to thoughtful conference presentations like this one from Red Canary Analyst Frank McClain, this is a team that is always looking to give back to the community. The blog I selected is particularly useful to anyone building security detection mechanisms on a data platform, and most Splunk customers we work with are doing just that. The blog provides some useful tips for effectively dealing with false positives and includes practical examples of how to use some popular industry resources like the Pyramid of Pain and Mitre's ATT&CK framework.

John Stoner

"Will work for
lighthouse shirts"
@stonerpsu

Detecting Password Spraying with Security Event Auditing by Sean Metcalf

As I was doing research for some upcoming work, I was drawn to this fantastic blog post that Sean Metcalf at Trimarc wrote about the technique of password spraying and how to detect it using Windows Event Logs. Password Spraying, for those unfamiliar with it, is a way to guess passwords but do it in such a manner that it spreads the guessing across the entire enterprise of users so that lockouts due to multiple failed attempts within a time threshold does not occur. Because the attack surface is so broad, I can try a few passwords against a system, and then move to the next system with the same passwords without encountering lockouts. What’s great about this post is that Sean addresses a number of different ways Windows Events that would expose this behavior including monitoring for 4625, 4648 and 4771 events depending on the attack vector the adversary is targeting. He also covers running PowerShell scripts to uncover this behavior. With this knowledge you can quickly write analytics to observe and act on password spraying in Windows!