Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.
Check out our previous staff security picks, and we hope you enjoy.
Don’t Let Zombie Zoom Links Drag You Down by Brian Krebs
"This is a great article to get you in the spirit of Halloween. Companies are exposing links that let anyone start a Zoom meeting in an employee's name and invite others. Think of how this could be abused, particularly in social engineering scams. The article breaks down the misuse of PMI links, particularly those with passcodes embedded, which can give unauthorized individuals access to meetings. The convenient links are not subject to expiration and can be exploited by attackers. Be sure to follow the tips in the article for using Zoom links more safely."
What API hackers need to know about the Exploit Prediction Scoring System by Dana Epp
"Has the Common Vulnerability Scoring System (CVSS) got you scratching your head as to which vulnerabilities you should prioritize? Ever wish you had a Magic 8 Ball that could predict which vulnerabilities would be exploited? The Exploit Prediction Scoring System (EPSS) can help! The EPSS is a metric that I love to reference to help guide organizations in making decisions as to how to respond to CVEs. It uses machine learning to look at historical data of exploits and identify patterns and trends that can predict future exploits. On the flip side, it can also be used to shape internal security testing programs so that organizations can be one step ahead of any risks."
Hacktivists in Palestine and Israel after SCADA and other industrial control systems by Jurgita Lapienytė
"This article states, 'Some Israeli organizations are exposing their Modbus, a SCADA communications protocol. In fact, researchers found 400 such occurrences.' This is remarkable, especially considering that Israel is widely acknowledged as a leader in the field of cybersecurity on the global stage."
“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts by Guardio
"This blog is about a drive-by download technique leading to execution of malicious JavaScript, using smart contracts on the Binance Smart Chain for second-stage payload delivery."
Microsoft Graph Activity Log is Now Available in Public Preview by Kristopher Bash
"Corporate announcements follow a predictable format, so the blog announcing that Graph Activity Logs are in public preview isn't a captivating read in and of itself, but I'm excited by the new capability and expanded visibility into MS Graph API calls. From the initial public response, it seems like there is a lot of potential for high-value detections, and this may offer a great data source for threat hunting. These logs can be ingested into Splunk today using the Microsoft Cloud Services Add-On via Azure Event Hubs, which I'm looking forward to trying out."
New 'HTTP/2 Rapid Reset' zero-day attack breaks DDoS records by Bill Toulas for Bleeping Computer
"The article talks about a new zero-day DDoS attack technique called HTTP/2 Rapid Reset. It discusses what the attack is and how it works. It also goes into how the attack has been mitigated by major cloud providers."
Addressing the People Problem in Cybersecurity by Marc Solomon for SecurityWeek
"You’ve heard it before: People, Process and Technology! Those are the parts in the Venn Diagram of any IT system. This article drills down on the people part of that Venn Diagram. As part of IT systems, people are the initial point of attack. Bad actors get initial access by hacking the human being with phishing attacks, social engineering, vishing, and more.
So how do we address this? This article points out the importance of cybersecurity awareness and education. These steps are absolutely necessary - but not enough! In any medium to large scale organization, there are going to be users who, despite education, will not act with safety in mind. That’s why using models such as Zero Trust to protect the network are important. They don’t depend on users behaving well.
The shortage of cybersecurity professionals is also a big problem, as this article points out. That’s why automation products, like Splunk SOAR, are so valuable!"
FBI says North Korea deployed thousands of IT workers to get remote jobs in US with fake IDs by Thibault Spirlet and Associated Press
"Nation-state actor tactics continue to evolve and target industry changes such as a revolving remote IT workforce to steal intellectual property, exploit organizations, and fund ballistic missile programs. This is a fascinating attempt to organize at scale by placing bad actors inside an organization that has not been identified previously. The article talks about the importance of employee verification through video or other methods, but ultimately, in a virtual environment, this may still be exploited through a myriad of camera trickery. This is where your Pyramid of Pain framework or other security best practices like least privilege access play an important role in mitigating the impact on your organization. As the window for remote IT work significantly dwindles along with the opportunity to exploit remote IT workers, I wonder what tricks they have next in store."
@audrastreetman / @audrastreetman@infosec.exchange
The evolution of Windows authentication by Matthew Palko
"Microsoft is moving closer to its goal of killing NT LAN Manager (NTLM) authentication in order to improve security for Windows users. This month, the company announced two new Kerberos features in Windows 11 to reduce fallback to NTLM.
Microsoft plans to eventually disable NTLM authentication by default in Windows 11, while keeping the option to re-enable NTLM for compatibility purposes."