Howdy, folks!
A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.
For more reading, check out our monthly staff security picks and our all-time best picks for security books and articles! I hope you enjoy.
Splunk's global user conference was at the end of October, and there was one talk that I was super excited to see. As much as I love talking and working with statistics and machine learning, there are few SOCs that are mature enough to not only USE math to find bad guys but operationalize it and perfect it. Lockheed Martin CERT is a benchmark of SOC success IMO, so I'm not surprised a talk like this emerges from their group. Jason and Bryan do a great job of walking through their use cases, risk models, and ML models with lots of example searches. I especially love the peer group analysis model for emails via LAIKABoss. Where was that eight years ago when I did real work for a living! Make sure you review the appendix where they give some extra goodness!
There's an Actor In My Pocket! by Daniel Garcia and Jennifer Chavarria Reindl
The SANS Threat Hunting and Incident Response Summit straddled September and October, and in addition to being able to speak at the summit, I was fortunate to hear some fantastic speakers discussing threat hunting, including this talk. Daniel and Jennifer discussed building hypotheses as the gateway to starting their hunt, something we talk about frequently, but what I thought was fantastic was how they broke this down, almost to the point of what I would think of as a Mad Lib (yes, I am probably showing my age a bit) around the adversary, act, method, time, location, victim and motive. Being able to keep these critical elements in mind during hypothesis development can help keep your hunt focused! They then applied this to a set of hunts and wrapped up with the collaboration of findings with incident response and threat intelligence. It is a well thought out process and an excellent talk, and I think everyone can come away with some great ideas from it, whether that is around hypothesis development or even leveraging the hunts they highlighted!
Great Deep Dive on Detection Engineering by Matt Graeber
While I'm sad that this was the last DerbyCon in Louisville, I'm glad that there is hope for "DerbyCon Communities" in the future. Until they get going, we still have the recordings from @irongeek_adc that we can watch over and over again with popcorn, late into the wee hours of the night to our hearts' content. One of my favorite talks that I had the privilege of attending this year was Matt Graeber's (@mattifestation) talk on detecting lateral movement using WMI. Matt goes deep into using Event Tracing for Windows (ETW) and does so in a very systematic way that is easy to follow, even for the ETW-uninitiated like myself. Since Matt's talk, @vector_sec posted an ETW TA for Splunk on Github here. Talk about great timing! This is bleeding edge stuff right here, folks. Check it out to explore how you can take your detection engineering to the next level!
I chose this article this month not necessarily because of its wide-scale impact (although it does have the capability to be), but because of its applicability. It demonstrates how a simple misconfiguration or specific sequence of events can surface holes in software that has been a 'mainstay' for a long time! In some ways, it mirrors the Heartbleed vulnerability found back in 2014. All versions of sudo before 1.8.28 (released in October 2019) are vulnerable to privilege escalation using a user id of -1 or 4294967295 (unsigned -1) due to the way the code converts a numeric id to a user name. The vulnerability only exists with a particular configuration in the sudoers file, and therefore the expected impact is low. However, sudo is a file that exists in every major Linux distro. What I think is essential here is the critical message of
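The sudo condition described above, as an added defender-side check (example code written for this post, not from the article or the sudo project). It does three things: flags sudoers rules whose Runas spec grants ALL target users while excluding root by name or by uid 0 (the configuration shape the issue depends on, which is an assumption drawn from the sudo advisory rather than stated on this page), scans sudo syslog lines for a requested target user of #-1 or #4294967295, and compares a `sudo --version` string against 1.8.28. The sudoers rules and log lines are constructed samples, and the exact way sudo records a numeric target user in its log is assumed.

```python
import re

# Constructed sample sudoers content (not from the page). The alice and carol
# rules carry the risky Runas spec: any target user is allowed except root.
SAMPLE_SUDOERS = """\
# comments and Defaults lines are ignored by the checker
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vim
bob     ALL=(ALL:ALL) ALL
carol   ALL=(ALL, !#0) /usr/bin/less
"""

# Constructed sudo syslog lines (assumed format: sudo logs the requested
# target as USER=... ; a numeric target is assumed to appear as USER=#<uid>).
SAMPLE_LOG = [
    "Oct 15 10:23:45 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim",
    "Oct 15 10:24:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=#-1 ; COMMAND=/usr/bin/vim",
    "Oct 15 10:25:11 host1 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=#4294967295 ; COMMAND=/usr/bin/less",
    "Oct 15 10:26:00 host1 sudo:    bob : TTY=pts/2 ; PWD=/tmp ; USER=www-data ; COMMAND=/bin/ls",
]

# The Runas spec is the parenthesised part after '=' in a user specification.
RUNAS_RE = re.compile(r"=\(([^)]*)\)")

# -1 and its unsigned form 4294967295, the two ids the article names.
LOG_TARGET_RE = re.compile(r"USER=#?(-1|4294967295)\b")


def risky_runas_rules(sudoers_text):
    """Return (user, runas_spec) for every rule whose Runas user list
    contains ALL together with an exclusion of root ('!root' or '!#0').
    On sudo older than 1.8.28 that exclusion is what a -1 uid could bypass."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = RUNAS_RE.search(line)
        if not match:
            continue
        spec = match.group(1)
        # "(users:groups)" - only the user half matters for this check
        users_part = spec.split(":", 1)[0]
        entries = [e.strip() for e in users_part.split(",")]
        if "ALL" in entries and any(e in ("!root", "!#0") for e in entries):
            findings.append((line.split()[0], spec))
    return findings


def suspicious_uid_requests(log_lines):
    """Return the log lines in which the requested target user is the
    numeric id -1 or 4294967295, regardless of the sudo version in use."""
    return [ln for ln in log_lines if LOG_TARGET_RE.search(ln)]


def sudo_is_patched(version_string):
    """True when the version in a 'sudo --version' banner is >= 1.8.28."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        raise ValueError("no version number found in: %r" % version_string)
    return tuple(int(x) for x in match.groups()) >= (1, 8, 28)


if __name__ == "__main__":
    for user, spec in risky_runas_rules(SAMPLE_SUDOERS):
        print("risky Runas spec for %s: (%s)" % (user, spec))
    for line in suspicious_uid_requests(SAMPLE_LOG):
        print("numeric target uid requested: " + line)
    print("1.8.27 patched:", sudo_is_patched("Sudo version 1.8.27"))
```

Feeding the real `/etc/sudoers` (and the files under `/etc/sudoers.d`) into `risky_runas_rules` and the host's auth log into `suspicious_uid_requests` gives a quick inventory of where the configuration the article mentions exists and whether anyone has ever asked sudo for those two ids; the version check tells you whether the inventory is urgent or just housekeeping.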
Soldering spy chips inside firewalls is now a cheap hack, shows researcher by John E Dunn
From a security researcher showing that it is no longer just nation-states that can implant hardware into your devices, to the China-linked APT group Winnti attacking a major mobile hardware and software manufacturer based in Asia, our supply chains are more at risk than many organizations are prepared to deal with. How do you trust that the hardware or software you are using has not been compromised on its way to your door or desktop? Some suggestions are regular audits of your third-party service providers, baselining what is normal in your organization to detect outliers as they appear, and adequately vetting new organizations you work with.
Ms. Trainor almost had it right. It's all about the base64 and other BOLD and italicized things
ATT&CK CON 2.0 by Mitre ATT&CK team
ATT&CKCon 2.0 proved itself to be one of the best conventions of the year, both with how well it was run and how excellent the content was. Many talks covered ATT&CK from a fresh perspective: Tell Tall Tales with ATT&CK!, Lessons in Successful Purple Teaming, Toni Gidwani's keynote presentation about intelligence, operations, and how to bridge the two, and Climbing the ATT&CK Ladder were all worth the price of admission alone. Wait. You didn't make it? No problem, as full videos of the conference are online now, with slide/video links soon to come.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.