Staff Picks for Splunk Security Reading July 2021

Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.

Check out our monthly staff security picks and our all-time best picks for security books and articles. I hope you enjoy.

Ryan Kovar

@meansec

Really looking forward to BH/DC2039

Kubernetes Hardening Guidance by NSA, CISA

If there is one new technology I have not wrapped my head around, it is Kubernetes. Or K8. Or Katie? Still not clear. Splunk has been doing some great work on it (BOTSV anyone?), but I need to get more knowledge! My favorite bit of recently acquired information is that many cloud security professionals believe that Kubernetes is not inherently insecure; it is just not installed correctly :-). So the answer to that? Hardening guides. Great job by the NSA/CISA, once again, putting out some valuable and approachable information. Read through their 50+ guide for some great examples of securing, architecture, and configuration guides.

John Stoner

@stonerpsu

But this year, it was cancelled for us

Chinese State-Sponsored Cyber Operations: Observed TTPs by NSA, CISA and FBI

July... just, wow. So many choices this month, between ransomware attacks, new research, vendor best practices, there was a lot out there, but I wanted to highlight the joint advisory that NSA, CISA and FBI published on Chinese State-Sponsored Cyber Operations. The actual advisory itself is fairly brief but contains some good high-level themes around state-sponsored activities that have taken place and some of the recent focus areas that have been observed, including the use of public vulnerabilities and multi-hop proxies. If you would like to dig deeper, the appendix provides a robust listing of TTPs, which can be extremely helpful to contextualize actions being observed. Additionally, the detection and mitigation recommendations section is a nice punch list of actions that defenders can use to help button up their organizations. It is also worth noting that this is the first document that I have seen that uses the D3FEND framework that MITRE developed with funding from the Cybersecurity Directorate of NSA. Concepts like platform hardening and executable allowlisting are techniques identified that can have wide-ranging benefits and definitely should serve as food for thought. Even if you don't believe that your organization is targeted with this advisory, it is still a worthwhile document to review to better understand how adversaries utilize techniques and how detections can be employed to mitigate them, no matter who the adversary may be.
