Staff Picks for Splunk Security Reading May 2019

Ryan Kovar

@meansec

Sign up

Defenders, want a list of public attack techniques for O365? by John Lambert

Many of you know that for the last year or so, I've been fascinated with Office 365 and how to detect, mitigate, and resolve threats to Microsoft-hosted email environments. Recently, John Lambert—Distinguished Engineer at Microsoft and El Jefe of the Microsoft Threat Intelligence Center—posted this phenomenal tweet and slide deck going over the most common methods of attacking Office 365, spread over a kill chain matrix with linked documentation, and then follow up resources! Full disclosure: myself and Splunk were called out in the tweet and slide deck, but I can't express to you how excited I am to see such remarkable transparency from the Microsoft Security team. This makes a difference in the community and should be upheld as a great example for all orgs to follow as customers to attempt to protect themselves in the XaaS environments.

José Hernandez

@d1vious

For the North America

Someone is spoofing big bank IP addresses — possibly to embarrass security vendors by Sean Lyngaas

On April 22nd, Greynoise detected what looked like a scan of the internet (SYN packets), but with a kick—the sources of the scanned were spoofed to look like large financial institutions. Specifically, the source IPs were being spoofed to look like external hosts of Bank of America, JP Morgan, and Huntington. I share Andrew Morris' (CEO of Greynoise) suspicions that such a scan was an actor seems to "dust honeypot networks, next-generation firewall appliances, and threat feeds around the Internet with inaccurate information to disrupt/mislead organizations." This comes at the heels of an internet debate between some researches and blocklist vendor Spamhaus. Spamhaus has recently come under fire for including IPs in their block list who do similar SYN port scans across the internet. Spamhaus was even called out by Security Research firm Packet.tel and Dan Kaminsky for actively blocking masscan port sweeps. The silver lining here is this forces organizations to practice better hygiene with their block lists and has forced Spamhaus to improve their "spam" block list by accurately not including port sweeps that do not actually send spam.

John Stoner

@stonerpsu

Boss of 

Symantec, Wired, NoBus, oh mai!

As I thought about what I would choose to share this month, I didn't realize that I was going to give you a combination of news accounts, a threat report and a blog post—and that was just the really good stuff! The mystery of DoublePulsar being used by Buckeye (APT3) at least one year before the Equation Group tool release as documented in the Symantec threat report creates questions how APT3 was able to gain access to the tool. Wired provides a bit more color and depth to the story. With all of this coming out, a large number of teeth gnashing followed along with complaints relating to hoarding of exploits by government agencies. This brings us to Dave Aitel's fascinating blog post about where the tools were used (and not used) and considerations that need to be taken from an OpSec perspective if you want to keep your tools to yourself. It's not a simple list by any means, which makes you wonder against a determined defender if this was something bound to happen at some point.

Dave Herrald

@daveherrald

The SOC

Cyber Intelligence Tradecraft Report by CMU-SEI

The stated mission of this in-depth and lengthy report is to "understand how organizations across sectors conduct the work of cyber intelligence and share our findings." I think the authors succeeded in painting a picture of how 32 U.S.-based organizations fare against 33 assessment factors. The report is full of best practices, common challenges, pitfalls to avoid, and a snapshot of how well these companies are taking advantage of cyber threat intelligence to help protect their organizations. As always, there are biases to be aware of. To me, the most notable among these is the fact that the report was prepared for the U.S. Office of the Director of National Intelligence and it only looked at U.S. based organizations. That said, the report is invaluable to any leader or analyst who is seeking a better understanding of current Threat intel trends and practices.

Derek King

@network_slayer

10 Cities, 1000+ people

ZHENG Xiaoqing and ZHANG Zhaoxi vs UNITED STATES OF AMERICA

This month's selection is an exciting one for me and shows that sometimes some of the oldest threats are very much still alive. Steganography is a way to hide information 'in plain sight' and has been used for thousands of years before the digital era. The indictment of a GE Power employee demonstrates how a malicious insider accessed proprietary company information, encrypted it using non-corporate software and proceeded to exfiltrate it inside seemingly harmless photos, using the corporate email system to a private mail address potentially to profit in his own business in China. The investigation proceeds to implicate the Chinese state as providing funding to the employees' business in the form of a grant for the development of turbine technology. All in all, a great read but a reminder to defenders around the world not to ignore the insider threat and again, the importance of detailed process monitoring for endpoints!

Nick Roy

@superducktoes

June 19th

High-Benefit/Low-Regret Automated Actions as Common Practice by Johns Hopkins Applied Physics Laboratory

Another Integrated Cyber conference wrapped up earlier this month at Johns Hopkins. If you're not familiar with IACD it's hosted by the Johns Hopkins University Applied Physics Laboratory (JHU/APL), in collaboration with the National Security Agency (NSA) and the Department of Homeland Security (DHS) with the goal of dramatically changing the timeline and effectiveness of cyber defense via integration, automation, and information sharing. While they've published plenty of great material on security automation, one white paper, in particular, is excellent for getting started with automation. The white paper describes the process of applying a benefit vs. regret matrix for building automation workflows. This lets a user quickly build out use cases that they can fully automate and contrast that with use cases that may require an analyst to review data and decide which branch should the playbook carry out.

Tim Frazier

@timfrazier1

Register Here!

Detection Lab by Chris Long

While it's not technically new this month, Chris Long's @centurion detection lab project on GitHub is a hugely valuable project and worth checking out if you haven't seen (or if it's been a while since you've looked at it). For anyone like me who likes to get their hands dirty trying real attacker techniques and seeing how they can be detected (without compromising your production network), then DetectionLab is for you. With frequent updates and a whole suite of tools preinstalled on the endpoints, (including MS ATA, Splunk UFs, detailed Windows logging policies, PowerShell transcript logging, osquery, and sysmon) as well as Windows AD Domain setup and Splunk preconfigured, you cannot beat this for building and rebuilding fresh test labs. (Hey, we've all irreversibly broken at least one lab environment before and then rage smashed our keyboard thinking about how much time it will take to rebuild it because we didn't take snapshots, right? No? Just me? Ok, never mind...). In the latest version, you can even spin up all the boxes in AWS using Terraform so you don't have to tie up local resources if you'd rather use someone else's computer, er, the cloud. Give it a try and start honing your detections today!