Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.
Check out our monthly staff security picks and our all-time best picks for security books and articles. We hope you enjoy.
Wizard Spider In-Depth Analysis by PRODAFT
"When I was a kid, I was enamored with card magicians and just HAD to know how they performed the impossible. I was warned by my family that knowing how it's done ruins the wonder of the trick. Well, I sit here knowing how to perform many card tricks and I'm still entertained. Likewise, while I'm disgusted by ransomware practitioners, I want to know how they perform their evil, in order to protect companies and people against it. Thankfully, PRODAFT released a report on the inner workings of Wizard Spider. Yes, the IOCs are in there, but also how the criminal group is going about their business, from cold calling all the way to encrypting and extorting."
Risk and Vulnerability Assessments for Fiscal Year 2021 from CISA
"I am always on the hunt for approachable and accessible material to share with customers, colleagues, and the community. This month CISA released their latest Risk and Vulnerability Assessment report along with an infographic full of stats. Think of this as the .gov version of the Verizon DBIR with fewer funny footnotes. If you're looking for a simple document to walk through an attack for a tabletop exercise or something to explain to your IT-but-not-cyber-savvy friends about how attacks work, I'd definitely start here."
A Twitter thread on Ukraine's "unique 21st century fighting style" by Trent Telenko
"Ryan Kovar shared this thread but I'm stealing it for the Staff Security Pick before he can submit it. CUZ HOLY MOLY! This is wildness. It starts with a deconstruction of how Ukraine's artillery guidance system works kinda like Lyft, assigning missile/mortar to the nearest "driver" in a manner that reduces decision lag by an order of magnitude (call to trigger pull in 30 seconds, compared to 20 minutes for the U.S.). In addition, it allows for a targeted strike from multiple directions if multiple firing batteries are in range. They can then displace very quickly or contribute to multiple targets. Once Russia developed an exploit to knock out those SATCOM links (and many stationed throughout Europe) Ukraine turned to Starlink for encrypted communications. 'Starlink gave Ukraine the military space telecommunications bandwidth of the United States with zero investment in satellite infrastructure before the war,' the thread states. This is even before Starlink deploys their next version of satellites with high bandwidth, which will be free of nation state interception. Curiouser and curiouser..."
Where to begin? Prioritizing ATT&CK Techniques by Mike Cunningham, Alexia Crumpton, Jon Baker, and Ingrid Skoog
"Techniques are created equal in the ATT&CK Framework with no prioritization built in. The lack of prioritization has left users to figure this out for themselves by using frequency or threat group popularity as a single variable to rank which Techniques to focus on. Now MITRE has developed the Top ATT&CK Techniques methodology, which takes into account Prevalence, Choke Point, and Actionability to rank which Techniques will give you the most impact for the effort. This is a great read on how this new methodology works."
Hackers can steal your Tesla Model 3, Y using new Bluetooth attack by Bill Toulas at Bleeping Computer
"Relay attacks have been around for a while now. Adversaries used to intercept signals for garage door openers to gain entry into homes. This article written by Bill Toulas at Bleeping Computer dives into research from the NCC Group about Bluetooth Low Energy relay attacks targeting a 2020 Tesla Model 3 and the 2021 Model Y. The short but fun read dives into the findings and includes a video of security researchers testing the exploit on the Model Y."
Cyber Insurers Raise Rates Amid a Surge in Costly Hacks by James Rundle and David Uberti at the Wall Street Journal
"Direct-written premiums among the largest U.S. cybersecurity insurers jumped significantly in 2021 to $3.15 billion compared to $1.64 billion in 2020. That's a 92% increase year-over-year, according to a WSJ report that cites data from the National Association of Insurance Commissioners. According to analysts, the increase primarily reflects higher rates, which will help the cyber insurance industry lower the percentage of its income that it pays out to claimants. After a year of high-profile ransomware attacks targeting Colonial Pipeline and JBS, insurers are realigning to cyber risk with stricter coverage criteria and new wording to clarify act-of-war exclusions amid the war in Ukraine."
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.