Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.
Check out our previous staff security picks, and we hope you enjoy.
FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684) by James Horseman at Horizon3.ai
"If you are running or own any Fortinet equipment please, please update. This is a nasty vulnerability that gets attackers unauthenticated RCE on a FortiOS device. It has even caught off guard some of us at #STRT who run Fortinet in our house. The attack only requires an actor to send a specially crafted HTTP request with a 'Report Runner' User-Agent string and an X-Forwarded-For header — super easy to execute and is being actively exploited in the wild."
Hunting for Cobalt Strike: Mining and plotting for fun and profit by the Microsoft Security Response Center
"Last year the Splunk Threat Research Team released Melting-Cobalt as a way to help defenders identify Cobalt Strike Teamservers in the wild. The Microsoft Security Response Center team released a blog on their additions to Melting-Cobalt. MSRC added a new source – RiskIQ – and showcased their usage of Melting-Cobalt within Azure Functions (a serverless solution), then took the data to Microsoft Sentinel and Azure Data Explorer. This blog is a great publication for defenders to see how dynamic Melting-Cobalt may be with integrations, along with the ability to ingest the data into any platform. With the addition of RiskIQ, Melting-Cobalt has the ability to hunt for Teamservers across four services."
Better know a data source: Process creation by Brian Donohue, Principal Information Security Specialist at Red Canary
"Process creation is a crucial data source for monitoring endpoint behavior. This article explains where to find it and how to use it."
Threat Hunting Series: Using Threat Emulation for Threat Hunting by Kostas
"What better way to understand a threat than by emulating it yourself? Threat emulation is an immensely beneficial tool we can use when threat hunting. This post walks through the steps to a successful emulation including creating an environment to test, such as the Splunk Attack Range. Emulating the attack will generate endpoint and network telemetry you can later analyze to better understand your environment and create more efficient threat hunting queries."
A bias bounty for AI will help to catch unfair algorithms faster by Melissa Heikkilä at MIT Technology Review
"Bias in AI algorithms is a challenging problem that can have severe, real-world consequences – previously found in systems affecting healthcare, criminal justice, and hiring decisions. This article in the MIT Technology Review outlines details on an ambitious new project, announced at the Conference for Machine Learning in Security (CAMLIS) 2022 by Dr. Rumman Chowdhury and Dr. Subho Majumdar – a 'Bias Bounty' program for identifying and mitigating algorithmic biases, using a crowd-sourcing, competitive approach. Anyone interested can check out the first challenge – open now – at bugbounty.ai!"
America’s Throwaway Spies: How the CIA failed Iranian informants in its secret war with Tehran by Joel Schectman and Bozorgmehr Sharafedin at Reuters
"I always love articles like these for the fascinating breakdown of events, but it breaks my heart that these informants were caught thanks to sloppy operational security practices by the CIA. Opsec is quite difficult to do well, but knowing the sort of manipulation we use to recruit valuable informants and that their lives are potentially on the line, this sort of thing shouldn't happen."
Linux Rootkits Part 1: Introduction and Workflow by Harvey Phillips
"Have you ever found yourself wanting a deeper understanding of how Linux rootkits work? If so, then this is the post (it's actually a series of nine posts) for you. This series walks through Linux rootkits from head to toe. It starts out simple, explaining what a kernel object is. Each additional post adds more and more capabilities to the code until you have all of the components required for a fully functional rootkit. The best part of the series is that there are tons of examples and explanations that make it all very hands-on if you want it to be."
Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms by Nate Nelson at ThreatPost
"While multi-factor authentication is a recommended practice, it is not the magic button for security. All too often we hear about MFA phishing and MFA exhaustion attacks. As a case in point, the 0ktapus campaign has been incredibly successful using these techniques, catching companies such as Cloudflare, Twilio, and perhaps Doordash in their tentacles."
Making Cybersecurity Accessible for Women by Rachel Bishop at Huntress
"In this survey of women who work in cybersecurity, more than 71% said that they had been made to feel uncomfortable during an interaction in the field because of their gender. This is a problem and I am glad Huntress is asking women about their experiences. It is also clear from this survey that mentorship, passion, and supportive co-workers play a large role in encouraging women to pursue and stick with careers in cybersecurity."