Staff Picks for Splunk Security Reading November 2019

Ryan Kovar

@meansec

T'was the night before Christmas,
Analysts were bored, and it wasn't a fluke

MITRE ATT&CK: The play at home edition by Katie Nickels and Ryan Kovar

WARNING: SHAMELESS SELF PROMOTION AHEAD. OK, is this month's staff picks later than usual? Yes. Is it because of personal nepotism? Yes. I had an inkling that a very special Black Hat talk that I gave with my friend Katie Nickels was going to post soon, and my ego may have been trying to satisfy my id just a little bit. Regardless of Freudian meanderings, here is a talk that I am hugely proud of. Katie and I discuss the familiar stages that organizations fail at using MITRE ATT&CK and where we think that companies can pick themselves back up and get even more value out of the tool than they thought. It's done with colorful board games, a small singing solo, and the friendly cast of characters from Frothly of BOTS fame. We hope you enjoy it!

John Stoner

@stonerpsu

Not an adversary was stirring,
Not even one of the many Dukes

Operation Glowing Symphony by Jack Rhysider (darknetdiaries podcast)

This month, I decided to move away from the written word (ok, not really as you will see) and go with a specific episode of a podcast I have followed for the past year. Darknet Diaries, from Jack Rhysider, has many great episodes, but I wanted to highlight this one. This episode goes into Operation Glowing Symphony and provides one of the first looks into offensive cyber operations by US Cyber Command (USCC). The specific operation focused on taking down ISIS infrastructure in a tightly coordinated set of attacks. What makes this even more interesting is that Jack interviews the mission commander from the operation who shares his team's experiences throughout the planning, initial exploitation, and the anxious anticipation leading up to the actual takedown. If that isn't enough for you, I wanted to call out two articles that are part of the source list for the episode; I told you we weren't totally departing from the written word ;-) The first is a Motherboard article from August 2018 around documents received as part of an FOIA request that demonstrate how USCC goes through their planning, action, and analysis of cyber operations. The second is an NPR article from September 2019 that provides a really good, in-depth description of the operation as well and served as Jack's impetus for this episode. There are more sources to check out as well, but take the time to read these two articles as well, it's all great stuff and super inciteful!

Megan Parsons

@mparsons_Spl

When out in incident review
There arouse such a clatter

Rogue Trend Micro Employee Sold Customer Data for 68K Accounts by Lindsey O'Donnell

According to the Verizon Data Breach Investigations Report from this year, "privilege misuse and error by insiders" account for 30 percent of breaches. We continue to see examples of unexpected insider access resulting in a significant loss, and the value of the data only increases. Even security-focused companies are not immune. Trend Micro's response to this latest breach? "We have increased our internal security features and processes with regards to accessing the consumer database, including continuous monitoring and alerting of suspicious activities." Basics, basics, basics. Proactive identification of and alerting on suspicious access may not be within reach of all SOCs or NOCs, but monitoring access can and should be. Adopting a user-centric view of the data (such as with UBA) then focuses the monitoring effort on behavior. It can help spot trends so an analyst can cut through the cacophony of individual actions to identify the actual threats.

Henry Canivel

@Bazinga73

The signatures were updated
in the SIEM with care

Policy Sentry by Kinnaird McQuade

As a security or IT practitioner, often, you inherit the ownership of a running solution and its management, less likely to create from scratch with your design input. Managing AWS accounts are a typical example of potentially abandoned management yet still supporting critical services. From corralling all user accounts and access keys floating around, undoubtedly, one wouldn't have as much time to assess the access posture across all AWS services, even if one were comfortable doing so! Hat tip to my security brethren to sharing this with me, Kinnaird McQuade from Salesforce has done yeoman's work in building and open-sourcing an excellent tool that generates IAM policies based on ARNs and various access levels for your AWS account which can provide you an easier lense to audit your deployment. I live in a world that data informs our decisions. Tell me what happened but also what may happen. Inventory-like data dumps, time-based RBAC snapshots, and the like make me happy. Tools that can help crystallize least privilege policies as well as enable security posture assessments directly? Happier still. Enjoy!

Drew Church

@drewchurch

With hopes that an APT
they would surely snare

110 Nursing Homes Cut Off from Health Records in Ransomware Attack by Brian Krebs

My recommended reading this month lands under the theme of "risk management." Security practitioners are familiar with the "C-I-A triad" and are frequently accused of focusing exclusively on the Confidentiality or Integrity of an information system without considering its Availability requirements. We frequently transfer risk by hiring service providers for some or all our IT systems, but if that service provider is affected by a breach, how will your business suffer? Krebs' quote from the VCPI CEO, "...And if they don't get their billing into Medicaid by December 5, they close their doors..." shows how many businesses can't afford much if any, downtime regardless of the source. If your business is literally a matter of life and death, as it is in the case of these 110 facilities, have you (and your service providers!) implemented the basics outlined by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA)? We are no longer living in a world where we can count on international standards and protections when criminal enterprises are involved.

Damien Weiss

@damienweiss

Then sadly, Ryan ran out of room
to finish this poorly written natter

AWS Traffic Mirroring by Colman Kane

If you know anything about me, one thing you should know is that nothing makes me happier than capturing all network data and mining it for the gems that are there. Not only the treasures that are obvious like beaconing but also gems showing devices sending out data to strange locations. Cell phones can be fascinating, for instance. I have struggled, however, to grab data from my AWS instances without going through a Sisyphean feat of standing up more instances and more networking, and even then, it's never been a complete success. Enter AWS Traffic Monitoring and Coleman Kane with his instructions on how to make it all work. These instructions are exactly what we all want: Easy to understand, step by step, and successful.