Staff Picks for Splunk Security Reading October 2018

Ryan Kovar

BOTS, SEC1355, SEC1359
@meansec

Detailed properties in the Office 365 audit log by Microsoft Doc writers Mark Johnson and Denise Vangel

TL;DR: OFFICE365 AWESOMESAUCE!!!!! I'm not gonna lie. I have Office 365 on the brain. Steve Brant and I just gave a presentation at .conf18 hunting in Office 365 logs, "Hunting the Known Unknown: Microsoft Cloud." I've submitted multiple CFPs to conferences on Office 365 hunting. I even have a very expensive test lab of real Office 365 data coming in to test and play with! Despite my presentations and lengthy diatribes, to be perfectly honest, this is the best bit of documentation I can find from Microsoft on their Office 365 log field values. They not only discuss what the names are, but also all the different values that might be contained within. It's the only document I've found like this and it took me hours to find! I'm sure it will be out-of-date soon (#agiledevelopment), but hopefully, they update it. Until then, enjoy learning about Workloads, Operations, and Paths!

John Stoner

BOTS, SEC1310, SEC1359, SEC1674
@stonerpsu

GreyEnergy: Updated arsenal of one of the most dangerous threat actors by Anton Cherepanov and Robert Lipovsky

This month, I decided to pivot towards a very interesting threat intelligence blog and report by the folks at ESET. Anton Cherepanov and Robert Lipovsky wrote a great blog on GreyEnergy, a framework that is believed to be derived from the BlackEnergy toolset that was responsible for the 2015 blackout in Ukraine. This blackout was identified as the first ever caused by a cyberattack. GreyEnergy also has some linkages to TeleBots, as it was used to roll out an early NotPetya worm, prior to the infamous NotPetya that leveraged EternalBlue. The accompanying whitepaper, "GreyEnergy: A Successor to BlackEnergy" provides a deeper dive than the blog post and provides some pretty rich detail into tactics and techniques used to deliver and execute the malware. One other important point is that GreyEnergy does not have capabilities that target ICS, but the tool seems to be focused at workstations that interface with ICS systems. While you may not have seen or experienced this specific attack, there are always lessons to be learned and the whitepaper does a great job of providing this insight. I would check it out!

Matt Valites

BOTS, SEC2106, SEC1359, SEC1843
@Matthewvalites

Netflix Cloud Security: Detecting Credential Compromise in AWS by Will Bengtson

Enterprise identity and access management in AWS is difficult, as is evidenced by the continuous stream of news-worthy compromises. Classic security best practices apply to static AWS accounts, but how do you understand and protect temporary credential usage, especially when that usage originates from other AWS services such as a running EC2 instance? In this post, Will Bengtson from Netflix's Security Tools and Operations team describes a clever approach to identifying malicious use of temporary credentials.

Dave Herrald

BOTS, DEV1545, SEC1359, SEC1244
@daveherrald

Cyber Balance Sheet for 2018 by Cyentia Institute

I'm a big fan of quantitative risk assessment in information security. In fact, I'm so passionate about risk analysis that—along with John Deere tractors and the Driftless Region—it's a topic that my teammates usually avoid bringing up when I'm around. But I digress... Suffice to say that I was very excited to see that the Cyentia Institute published a new version of their Cyber Balance Sheet for 2018 (free report, registration required). The research team at Cyentia is known for their influential work on the Verizon Data Breach Investigation Report and their continued contributions in applying quantitative analysis techniques to problems in information security. The report is insightful overall, but I particularly enjoyed "Balance Point 2: Putting Cyber Risk in Perspective." Overall this report is a great way to gain some perspective on how CISOs and corporate directors think about cyber-security risk.

David Veuve

BOTS, DEV1545, SEC1538, SEC1547, ZUMBA1337
@davidveuve

Say Goodbye to Your Big Alert Pipeline, and Say Hello to Your New Risk-Based Approach by Jim Apger (Splunk) and Stuart McIntosh (American Family Insurance)

In Splunk Security Land, there has been a whisper in the wind the last year: riiiiiiissk. Specifically, the Splunk ES Risk Framework and the usage of it described as "Risk-Based Analytics." Now, before you get too excited (or move on to the next article), we're not talking about real risk here—no annualized loss expectancies, no complicated financial models. We're talking about "risky" activities like users logging in from countries they've not been to before, and generally speaking a new paradigm for writing SIEM rules in the world of Splunk. The clearest, most exciting, and actually-in-production example of this came at .conf18 a month ago in the form of a joint talk between Jim Apger from Splunk and Stuart McIntosh from American Family Insurance. AmFam has removed the traditional SIEM pipeline that we've all known for years and moved all of their alerts to an RBA model. Anyone running their SIEM on Splunk should take a look at this.