Splunk : Staff Picks for Splunk Security Reading May 2021

Share:

By Ryan Kovar May 26, 2021

Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the 'Staff Picks' series! I hope you enjoy.

Ryan Kovar @meansec	2021 Data Breach Investigations Report by VZ DBIR team Every year I sit down with the Verizon DBIR report, grab a cup of coffee, a notebook, and get educated on real data science. Or breaches. Maybe it's just visualization techniques. Either way, I walk away with lots of education. This year was no different... well, except that I did my review via live-tweeting. One thing I found fascinating was the reduction in card skimming. Not surprising was the use of Ransomware. I loved their data on DDoS. You could take this part to the bank and write yourself a purchase order for a DDoS mitigation service. Take a peek. You won't be disappointed.
Jose Hernandez @d1vious	Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives by Sergiu Sechel Most cyber criminals and even state actors are defaulting to Cobalt Strike as their go to C2 (gasp latest trend), it is imperative to start mapping and hunting open Cobalt Strike team servers. Not only to study them, map out attack campaigns but also understand our enemy, and to build better detections. Sergiu does a great job and describing some common techniques for hunting open Cobalt Strike team servers in the internet as well as how to rip down their configs to further dissect what they are configured to accomplish. As part of his write up he also provides a up to date list of Cobalt Strike team server he discovered and some novel ways to detect them via JARM fingerprints.
John Stoner @stonerpsu thaaatttss all folks	The Full Story of the Stunning RSA Hack Can Finally Be Told by Andy Greenberg This story dropped a week or so ago, but in case you didn't see it, I wanted to bring it to your attention. Andy Greenberg has a great piece in Wired on the RSA hack from 10 years ago and with the NDAs lifted, participants in that attack share more detail and depth of the attack than had been publically been shared before. This was a fairly famous attack, mainly due to the fact that it targeted the seeds for the tokens that RSA produced for numerous companies. I am old enough that I have had many of these hard tokens during my career as I am sure many of you have as well. Having the platform that had the seed values compromised had to have been RSA's worst nightmare. The article goes into how close they were to the adversary as data was being exfiltrated, the communication effort required post-breach, additional attacks on other companies that involved data stolen from this breach, as well as the level of paranoia that RSA and likely any company that has been breached feels. It's a great article and highly recommend you check it out!