
Staff Picks for Splunk Security Reading May 2020

A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series! I hope you enjoy.


Ryan Kovar


We didn't start the fire

I love the "idea" of machine learning, but I often find it is a bit pie-in-the-sky. A recent blog post by my colleague Greg Ainslie-Malik gives some nice step-by-step guidance of how to use the Deep Learning Toolkit developed by Philipp Drieger to analyze a generated dataset from . The ability to visualize the network traffic and apply models is really cool. Once I have time, I want to take old BOTS data and try it all out. Nice to see some actual ML that is useful and clearly laid out. Kudos, Greg and Philipp!

Drew Church


It was always burning

This joint Cybersecurity Advisory from the US National Security Agency (NSA) and Australian Signals Directorate (ASD) is a great technical resource for understanding what web shell malware is as well as explaining detection and prevention methodologies. What takes this whitepaper from good to great is the inclusion of nine appendices with scripts, rules, and yes, even Splunk SPL, to help defenders with the problem. I wish more people and organizations gave this kind of practical advice in their advisories. I also want to point out that the NSA publishes a wealth of knowledge on their and the ASD publishes their .

Andrew Morris

Since the world's been turning

This

We didn't start the fire

If you liked what was introduced last summer in Microsoft Sysmon v10.0, then you should be very excited about the brand new v11.0 release. This major update to Sysmon includes file delete and archive monitoring to help responders capture attacker tools and quickly identify malicious or anomalous activity. But wait, there's more... there are plenty of other new features that can also be very valuable when threat hunting with Splunk. Don't believe me? Check it out yourself!
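As an added example (not code from the Sysmon release or from this post), here is a small Python triage routine over Sysmon FileDelete telemetry: Sysmon 11 writes file deletions as Event ID 23 with IsExecutable and Archived flags, and this flags executables removed from user-writable staging directories, the cleanup a responder most wants the archived copy for. The staging-directory list, the make_event helper and the sample events are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# User-writable dirs where short-lived tooling is often staged (assumed; tune to your estate).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                "\\programdata\\", "\\windows\\temp\\")

def make_event(event_id, **fields):
    """Build a constructed Windows-Event-XML string in the layout Sysmon uses."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample telemetry. Sysmon 11 logs FileDelete as Event ID 23 with IsExecutable/Archived.
SAMPLE_EVENTS = [
    make_event(23, UtcTime="2020-05-04 10:15:02.117", User="CORP\\alice",
               Image="C:\\Windows\\System32\\cmd.exe",
               TargetFilename="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
               Hashes="SHA256=" + "ab" * 32, IsExecutable="true", Archived="true"),
    make_event(23, UtcTime="2020-05-04 10:16:40.002", User="NT AUTHORITY\\SYSTEM",
               Image="C:\\Windows\\System32\\msiexec.exe",
               TargetFilename="C:\\Windows\\Temp\\setup.log",
               Hashes="SHA256=" + "cd" * 32, IsExecutable="false", Archived="false"),
    make_event(23, UtcTime="2020-05-04 10:20:11.560", User="CORP\\alice",
               Image="C:\\Program Files\\Vendor\\updater.exe",
               TargetFilename="C:\\Program Files\\Vendor\\old.exe",
               Hashes="SHA256=" + "ef" * 32, IsExecutable="true", Archived="true"),
]

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def triage_deletes(xml_events):
    """Flag executables deleted from staging dirs; report whether Sysmon archived a copy."""
    hits = []
    for xml_text in xml_events:
        event_id, d = parse_event(xml_text)
        if event_id != 23 or d.get("IsExecutable") != "true":
            continue  # only FileDelete events for executable content
        if not any(s in d.get("TargetFilename", "").lower() for s in STAGING_DIRS):
            continue  # deletions elsewhere are routine update/cleanup noise
        # Sysmon's Hashes field is "ALG=hex,ALG=hex"; keep SHA256 to find the archived copy.
        hashes = dict(p.split("=", 1) for p in d.get("Hashes", "").split(",") if "=" in p)
        hits.append({"file": d["TargetFilename"], "deleted_by": d.get("Image"),
                     "user": d.get("User"), "archived": d.get("Archived") == "true",
                     "sha256": hashes.get("SHA256")})
    return hits
```

The sha256 in each hit is the file name Sysmon uses in its archive directory, so an analyst can pull the deleted binary back for analysis instead of only seeing that it existed.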


No we didn't light it

A GRU hacker, Dmitry Badin, who is on the FBI's wanted list for his alleged involvement in hacking attempts against the USADA and WADA, has now been indicted by Germany for the Bundestag Hack. This hack occurred back in April 2015, and ended with over 16GB of data being exfiltrated, which presumably included a lot of sensitive information. The hacker did not always practice good OPSEC though and his credentials were leaked, exposing a rather simple password. Even hackers get lazy when they don't feel that there are real consequences to their actions.

John Stoner


But we tried to fight it

It should not come as a surprise to anyone that reads this blog regularly that COVID-19 lures are being used for all sorts of nefarious purposes. Recently, the research team at TrendMicro found that Gamaredon, an , and suspected to be the same group as , was actively conducting operations earlier this year. In March, TrendMicro identified tactics associated with email attachments that Gamaredon had previously used, but this time some of the emails leveraged the ongoing pandemic as part of its lure. This specific campaign is also extending beyond Ukraine to other European countries. TrendMicro's blog goes on to highlight their findings with mapping to MITRE techniques and provides a nice set of findings to work with. As a bonus, and to muddy the waters a bit more, Recorded Future reported seeing Gamaredon having overlapping infrastructure with Iranian nation-state actors. So, I've just ended up giving you three articles to read on this, but the underlying message remains constant: current events are highly effective lures for phishing.

Tim Frazier


But when we are gone

Finding and responding to security incidents that happen in cloud environments like AWS, GCP, or Azure is a nascent topic that is evolving daily. Check out this blog post from Expel for a great write-up of a real-world example of detecting and responding to some "badness" in AWS, including what specifically they detected on, how they gathered context about it, and what they recommended to their customer as an appropriate response. If you have been struggling to think of what sort of things you should detect with your AWS CloudTrail logs or what kind of process you should follow when finding something interesting, I highly recommend this blog post from Expel.


Will it still burn on, and on, and on, and on

With every new security layer comes a unique opportunity for attackers to peel it back, reverse engineer it, and manipulate it to their needs. How does this apply to logging into devices with your fingerprint? Biometric authentication has gained traction over the last five years, so I'm sure this topic is relevant to you or someone you know (Mom and Dad, I'm talking to you!). This blog post from the Talos research team details their quest to bypass fingerprint authentication in phones, laptops, and USB drives. In using different collection methods, they are successful in replicating fingerprints to gain access to these devices. And while this may sound like a worthwhile garage project, this research makes it clear the initiative was tedious and spanned over months of work. The article's conclusion emphasizes you should only worry if you're a high-profile target or store intellectual property on your devices. However, because I'm paranoid, I will ignore biometrics altogether and happily stick with my fossilized iPhone passcode.

Mick Baccio


Nevermind, Mick lit it.

I'm not sure how, but I managed to finish all five seasons of The Wire in a month - hooray, completely jacked up circadian rhythm. While trying to search for ways that will make my brain stop holding my sleep hostage, I came across many ransomware articles - I think my Google-fu may need some tuning. Ransomware is the constant evil we hear about...constantly; maybe we know someone or know a company that fell victim to a ransomware attack. In 2019, the financial impact of ransomware attacks almost tripled to $36k per incident - average estimates showed over 11 BILLION dollars in damages globally in 2019. There are incredible resources out there that will provide information about different ransomware strains, potential vectors for infection, and bad actors utilizing these exploit kits to rip people off.

One of the more high-profile variants is . First spotted around 2014, Shade has been one of the most prolific strains and approximated to be responsible for over 50% of the malicious code spotted 'in the wild' in the first half of last year. Inexplicably, the operators behind the Shade malware shut down operations in late 2019. We're all pretty aware of the wonkiness that is 2020, so of course, this gets weirder. In addition to shutting down operations, the group released 750,000 decryption keys to allow victims to recover their data. A note published to GitHub reads, "We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data." To help victims, developed and published tools to decrypt files on victim machines.

I am thankful there is one less active ransomware variant - only eleventy billion to go. Stay frosty out there.


First in but last out

Far too many times, we have people placing devices on our networks with little to no security. And far worse, they're using default usernames and passwords. Faithful reader, I wish I knew why people did this, but I do not. I do, however, know how to detect these devices and feed the information into Splunk so you can leverage our notifications and correlation goodness. Go to the link and download the Default HTTP Login Hunter. Run it against your network, perhaps a subnet at a time, and place the results in a monitored location. Voilà, you have a default killer.


Posted by Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.