Staff Picks for Splunk Security Reading September 2019

Ryan Kovar

@meansec

Evolving the Hunt: A Case Study in Improving a Mature Hunt Program by David J. Bianco and Cat Self

Usually, I don't wait for QUITE this late in the month, but I'm sitting at the SANS Threat Hunting Summit and just saw a phenomenal talk by David J. Bianco and Cat Self about how they built out an advanced Hunting program at Target. I have seen many presentations around building threat hunting programs that do what I classify as "drawing the owl" presentations: Step 1: Need a hunting program. Step 2: So now that we have a global hunting team here is what we found! That is not this talk. Step by step, David and Cat break down why and how they built their world-class hunting team at target with useful diagrams. So far only the slides are released, but look out for the video in 2-3 months!

John Stoner

@stonerpsu

Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks by Symantec's Security Response Attack Investigation Team

As I started contemplating what to write about this month, I came across Symantec's Tortoiseshell blog on the targeting of IT providers in Saudi Arabia to pivot to their customers. Symantec also mentioned that a provider saw Poison Frog tools, associated with APT34/OilRig, a month or so before Tortoiseshell tools were seen. As Symantec's blog correctly points out, due to the timing of the APT34 tool leak, that does not mean that APT34 is associated with this attack, but it is an exciting connection to look into. Then, as I continued my reading, I found this blog from Cisco Talos on Tortoiseshell tools being used to host malware on a site that is similar in name to an authentic veteran's hiring site. Talos walks through the installation and the depth of recon the malware goes to collect information about the victim system. It uses hardcoded email addresses as a feedback loop, but if you aren't looking for it, you might not notice, as this attack is targeted at individuals. At that point, the RAT that is installed has the same capabilities that were identified by Symantec in the IT provider attacks. These are two very different targets, and it is somewhat early on, but it will be interesting to see additional research and information that is uncovered on Tortoiseshell and if there turns out to be a linkage to APT34/OilRig. It isn't unrealistic to expect that with that diverse spread of victims, that others won't be targeted in the future.

Henry Canivel

@Bazinga73

Four tools to consider if you're adopting ATT&CK by Casey Smith

Coming from #securitysummercamp, among the most common takeaways is the industry has readily moved to the MITRE ATT&CK model, and rightfully so! It's a model that helps provide more actionable context for security incident response and general security practitioners, too, to identify and prioritize risk to your business. But where and how do you start? As a security practitioner within Splunk, one of my roles is to identify and streamline processes for other teams effectively. As our company is actively adopting the ATT&CK model as part of our shared language, I wanted to identify tools others in the field have identified as useful for this adoption. Red Canary provides quality consulting and analysis, as I've had the pleasure of taking a SANS course with one of their consultants for networking security. The tools in this blog enable the IT or security practitioner a good thrust into engaging with the model and how you can start leveraging them. Watching enough sessions from BSides and DefCon, it seems Olaf Hartong's work is a most worthy start. Michael Haag recommends this Hartong's Splunk app as it leverages not only the ATT&CK model but also Splunk as a platform and the data sources to fulfill it. Focusing on Windows security event data and sysmon, a trending data source this year for security, it's a great start to kick off your security monitoring posture. The app already exists in Splunkbase, which makes it convenient for folks ready to plug and play but also in Github for the latest updates, which includes a link to a tactical deployment implementation! Next steps: playing with what data we have, tinkering with the UI and UX, and expanding coverage to other data domains of ours.

Matt Toth

@willhackforfood

ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group by ESET research

As Information Security professionals, our jobs are to keep our organization's data safe, so knowing how bad actors are going to try and sneak it out is a must. In a write up by the ESET Research team on the Stealth Falcon group, it seems they are using Windows BITS (Background Intelligent Transfer Service) to communicate with their C&C servers. Using parts of an OS that was intended for bandwidth optimization for large file transfers is pretty smart, and will get past many detection technologies. The malware then encrypts the files before they are automatically sent out, and once the transfer is complete, it removes the encrypted data from the host system and the logs to help cover their tracks. The ESET Research team included IoC's, and the MITRE ATT&CK techniques used, so make sure to read up and make sure your organization is protected.

Damien Weiss

@damienweiss

ZEEKURITY ZEN ZERIES by Eric Ooi

Have you ever struggled to install Zeek and get it to work with Splunk? How about getting it to work in a way that's optimized, so your NICs aren't melting under the load? Have you then struggled to have Splunk recognize precisely what it's looking at? Perhaps you're not a Zeek expert, and you're looking for ways to wring intelligence out of your networking data beyond what you have today. If so, the good news is that Eric Ooi has just written a series of blog entries that steps you through the process of installing, configuring, and tuning Zeek, then sending that data to Splunk in a way will make you say, "Hey, I never noticed that before."

Joel Ebrahimi

@antimatt3r

Critical Exim Flaw Opens Millions of Servers to Takeover by Lindsey O'Donnell

Do you ever think about why some vulnerabilities get more attention than others? Over the summer there was a lot of attention brought to BlueKeep. Granted this is a remote exploit that affects Windows systems, and it should be taken seriously, but it does require access to the Remote Desktop port which typically would not be exposed directly on the internet. Security researchers has estimated it would affect 1 million systems. But what about something that would affect 5 million systems! Or a service that requires an open port exposed to the internet to run! Well, this is the case with Exim, a mail transfer agent (MTA). Exim is the most widely deployed MTA in the world, and the recently announced vulnerability places any system running the software susceptible to compromise with remote code execution at root-level privileges. The exploit takes advantage of how Exim handles TLS data and ultimately results in a buffer overflow in the software. If you are a security researcher, you may have heard about this vulnerability, but for the potential severity of this vulnerability, it seems