Staff Picks for Splunk Security Reading September 2022

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy. 

Ryan Fetterman

@iknowuhack

On Detection: Tactical to Function Part 6: What is a Procedure? by Jared Atkinson at SpecterOps

"In this post, Jared Atkinson (Chief Strategist @ SpecterOps) continues his series on in-depth detection engineering ("On Detection: Tactical to Function") — this time exploring the "P" (Procedural) level of "TTP" (Tactics, Techniques, & Procedures). Jared defines procedures as 'the most detailed implementation steps of how an adversary carries out an attack.' Understanding the art of the possible at the procedural level is critical for understanding the quality and potential limitations of your detection approach and specific search logic. Jared has a great writing style that often connects metaphorically to concepts outside the realm of cybersecurity, making the content technical, but also accessible. This series of posts directly contributes to disambiguating a current "grey area" in defensive cybersecurity — the way we measure and communicate about the concept of "coverage" with regard to ATT&CK® technique detection."

Haylee Mills

@7thdrxn

Making Risk Based Alerting Magick, an On Demand Lunch and Learn with Splunk

"Okay, I know. It's my *own* Lunch and Learn webinar but it's about the cybersecurity thing I'm most excited about; especially for burnt out SOC teams who aren't crafting detections this way! Lots of people have been talking about behavior aggregation detection methodologies for years but I still don't see it put in plain language or an ability to do so in most products. In this talk I cover the basics of what RBA is, but also about how to plan out your implementation for success. The crowd also asks a bunch of great questions!"

Sydney Howard

@letswastetime

Developing an Intelligence-Driven Threat Hunting Methodology by Joe Slowik at Gigamon

"Everyone talks about threat hunting, but few organizations have people dedicated to the function. This white paper provides a thorough overview into requirements to establish a successful threat hunting program at your organization. I particularly like the call out that the threat hunting process is iterative rather than linear. This can be key for growth as you build upon previous work to truly mature your threat hunting program."

Mick Baccio

@nohackme

The Los Alamos Club by Strider

"I have read more incident reports in the past few weeks than I care to, and I know I'm not alone in that feeling. While distraction doomscrolling, I came across an amazing read from the team at Strider, detailing a connection between Los Alamos Labs, China’s ‘Thousand Talents Program’ and the Southern University of Science and Technology, SUSTech. Going back to the late 80’s, “at least 162 scientists who had worked at Los Alamos returned to the PRC to support a variety of domestic research and development (R&D) programs.” Fortuitous coincidence? Long term intelligence goals? Let me know what you think."

Audra Streetman

@audrastreetman

Exmatter: Clues to the future of data extortion by Daniel Mayer, Threat Researcher at Stairwell and Shelby Kaba, Director of Special Operations at Cyderes

"In this blog, security researchers explore a new tactic in data exfiltration that was recently employed by a BlackCat ransomware affiliate (aka ALPHV or Noberus). BlackCat is believed to be the successor to Darkside and BlackMatter ransomware and has gained attention for its use of Rust, a cross-platform programming language. 

The researchers examined a sample that appears to be an updated version of the Exmatter data exfiltration tool. Exmatter steals specific file types before the ransomware is deployed. The tool now comes with an Eraser feature to corrupt files on the victim machine by overwriting portions of each file with data from other files (see this diagram).

Threat Researcher Daniel Mayer points out that corrupting data on a victim's machine could eliminate the need for an encryptor, which ransomware operators often develop for affiliates in exchange for a cut of the profit under the RaaS model. BlackMatter affiliates may have grown frustrated with encryptors after a flaw in 2021 allowed the cybersecurity firm Emsisoft to create a decryptor for victims. Corrupting data in lieu of encryption would allow affiliates to retain 100% of the ransom payment, creating an incentive to, 'strike it out on their own, replacing development-heavy ransomware with data destruction.'"