Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
Staff Picks for Splunk Security Reading November 2020
By
Ryan Kovar
|
Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.
Check out our monthly staff security picks and our all-time best picks for security books and articles. I hope you enjoy!
|
aHR0cHM6Ly9vcGVuLnN |
Easily Identify Malicious Servers on the Internet with JARM by John Althouse Damn you, John Althouse. I already had a huge nerd crush on you for JA3, and now you break out JARM? For those not familiar with it, JARM is a way to actively scan the internet and create server fingerprints. Why do you care? Because by doing so, you can proactively determine malicious servers. Maybe you scan the whole internet and make a giant list (please note, IANAL). Possibly you do a SOAR action of doing a JARM scan against suspicious domains or IPs? Perhaps you are a malware researcher, and you want to find every instance listening for Cobalt Strike callbacks? It's all possible using JARM. I'm not sure what internet scanning repositories like censys.io or zetalytics.com have collected this data yet, but you can already find it getting added to Zmap/Zgrab, so you know it's getting big. |
|
aHR0cHM6Ly9zb3Vu |
Testing adversary technique variations with AtomicTestHarnesses by Michael Haag, Matt Graeber This month I call your attention to the Atomic TestHarnesses project, the latest project brought to the community by the talented folks at Red Canary. This blog post explains how the new project helps blue-ish teamers answer such questions as "How resilient are my detection hypotheses to evasion?" and "How do we define sufficient coverage?" Designed to complement existing frameworks like MITRE ATT&CK, Atomic Red Team, and Invoke-Atomic, Atomic TestHarnesses looks like it will become essential tooling for adversary simulation and detection engineering. |
|
aHR0cHM6Ly93d |
From humble banking trojan, to big time malware by Dan Goodin When Emotet first came on the malware scene, it was only a trojan built to steal banking credentials. Today though, it is "one of the most prevalent ongoing threats" in cybersecurity. As Emotet has evolved, it has moved from stealing banking credentials, to being used to attack government systems in Canada, France, and many nations. The success of Emotet comes from the breadth of tactics it uses to infect, and spread, including using powershell for fileless infections, being able to spread via wireless networks, as well as stealing credentials and using those to spread. Recognizing which tactics and techniques adversaries, and malware, use when trying to land and expand in your environment is key in defending against them. |
|
b399744b58226d |
Microsoft's Kubernetes Threat Matrix: Here's What's Missing by Gadi Naor I've been watching the threat landscape around Kubernetes really evolve quite a bit this year. Because the technology and its usage is evolving and growing rapidly, a wider variety of attacker TTPs are emerging. In the absence of a MITRE ATT&CK matrix specifically for Kubernetes, Microsoft proposed one via a blog in April which was a great start to getting some of the terminology straight. Barely six months later, @GadiNaor has made a great contribution to improving Microsoft's initial effort via this DarkReading article where he fills in some gaps in light of new attacker TTPs. |
|
Li4uIC4uLi4gLS0tIC4uLS |
The CostaRicto Campaign: Cyber-Espionage Outsourced by The BlackBerry Research and Intelligence Team During the course of a month, a number of things hit the always growing inbox. As I was trying to stay current, the weekly intelligence summary from Digital Shadows caught my eye with the headline "APT cyber-mercenaries doing dirty work for paying clients." The newsletter is quite good, but it does require you to register with an email address to receive it, so I didn't want to provide a required registration item as my pick. That said, the report referenced work that the BlackBerry team had recently posted to their ThreatVector blog around the associated campaign and this article is the one I would like to highlight for you this month! When you stop and think about it, this idea of outsourcing your APT is a natural extension when there is a specific talent set available in an ever expanding market. The ability to have a "trusted" entity perform the dirty work of an organization or even nation-state while maintaining plausible deniability can be desirable. Blackberry's analysis found targets across the world and distributed across many vertical markets, though many were financials. Blackberry provides a set of indicators and a technical breakdown of their findings in their blog to round it out. If you want to learn more about the emergence of these for hire groups, the Digital Shadows intelligence summary mentions three additional groups discovered in 2020, so if you want to learn more, you may want to consider signing up for their weekly summary! |
Related Articles
About Splunk
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
