Dear PenTest Readers,
The main topic of this month's edition is the use of Splunk in cybersecurity. This world-leading SIEM software is a great help in tracking down issues in your log data. Even though companies mostly use paid versions of Splunk, a Splunk Free version is also available, offering a great opportunity to explore its options and advantages before you decide to buy a license. As data volumes keep growing, knowledge of Splunk is a great asset for every potential SOC employee.
Our contributors provide you with four great introductory reads on the use of Splunk in the security context. To start with, Jill Kamperides prepared a brilliantly written introductory piece on Splunk and its benefits for the organization. Alberto Aceves shares his practical insight into Splunk’s monitoring abilities. Staford Titus publishes another article with us, in which he walks through a tutorial on several security operations performed with this software. Ensar Seker demonstrates Splunk’s features and its advantages in the context of enterprise security.
As usual, we do not limit ourselves to the main topic, as our contributors eagerly share their cybersecurity knowledge on other parts of the landscape. If you liked one of our recent editions about the MITRE ATT&CK framework, you will be delighted to read two more articles about it, provided by prof. Fabrizio Baiardi, Emilio Panti, and Harpreet Singh.
Also, we would like to draw your attention to the article on SATCOM hacking by Jhansi Jonnakuti. The topic is worth a deeper analysis and we’re really happy that Jhansi focused on it in her first article published with us.
The rest of the articles in this edition bring you a wide range of cybersecurity practice and theory, with pieces on mutual certificate authentication and connecting with Burp, cybersecurity for healthcare start-ups, and secure IT/OT convergence in the Industry 4.0 era.
Without further ado,
Let’s dive into the reading!
PenTest Magazine’s Editorial Team
Table of Contents
A Crash Course in Splunk and Security
by Jill Kamperides
Built to prevent you from having to scroll through log files until the end of time, Splunk makes data management actually kind of easy. Admittedly, Splunk comes with a learning curve, but that is because it is an absolute powerhouse of a tool. To even call it a tool is an understatement. This article will delve into what Splunk is, why you should care, and how it can make your organization that much more secure.
by Alberto Aceves
Speaking as a Security Analyst, the best way you can investigate is when you centralize all your data into Splunk for the analysis; otherwise, you need many browser windows for every system that you have. Please make a SOC Analyst happy and give them all data in a single system, Splunk. The other very important part of this success is that the guy monitoring or using Splunk needs to be curious about what kinds of data he is viewing and why.
A Dive Into Security with Splunk
by Staford Titus
Splunk-related jobs have skyrocketed in the past few years, owing to the wealth of data that can be retrieved and manipulated for profit. Over 93% of the world’s data is unstructured, originating from everything from customized mobile data to app logs and server logs. Splunk provides the means to make sense of all that unstructured data and make it useful. It does not stop there, but brings the same “wealth of data” to bear on better security monitoring and attack detection. Historic data is analyzed to help stop threats and even predict future threats, thereby neutralizing them before they take place. Splunk also provides the platform to bring in data from myriad sources, accumulate it over time, analyze it, and build a strong cyber defense network. The article examines the process of analyzing historic data to identify brute-force attacks on a system’s login operation and create an Alert for them.
Splunk Cybersecurity Solutions
by Ensar Seker
By converting machine-generated data into operational intelligence, Splunk users can gain a deeper understanding of what is going on in IT systems and infrastructure in real time. The platform analyzes digital emissions from applications, programs and interfaces logged on files, servers, websites and mobile devices. Using a combination of machine learning, artificial intelligence, and data mining, Splunk customers automate what they can, as fast as they can. We use advanced analytics to identify new attacks and then distribute warnings to connected customers.
Caldera: A Platform for Adversary Emulation
by prof. Fabrizio Baiardi and Emilio Panti
The paper introduces the main characteristics of CALDERA, an adversary emulation platform to evaluate the robustness of an IT system. We describe the plug-in architecture, the basic mechanisms of the platform as well as the various versions produced during the project. Some of the main plug-ins currently available are described.
Adversary Reconnaissance - Taking a Step Back
by Harpreet Singh
This article will talk about the adversary TTPs before an attack, starting from target selection and information gathering and moving on to preparing for the actual game. This all takes time and, hence, the recon phase is considered important and time-consuming. Abraham Lincoln was quoted as saying “Give me six hours to chop down a tree and I will spend the first four sharpening the axe”. We will see how hackers abide by this and why it is required. Everyone likes the final act of getting into the system and doing stuff, but we will discuss what it takes to get there. Stay tuned.
Mid-air Hacks Are Real. Stay Connected and Avoid Being Hacked
by Jhansi Jonnakuti
This article talks a little about how this communication works and dives into some facts that I came across in my research about how in-flight networks are hacked via tools like WiFi Pineapple, Reaver, etc., and how Ruben Santamarta performed reverse engineering to hack SATCOM terminals from the ground. Also, I’ll explain how we can keep ourselves from falling victim to these notorious hacks by taking some measures in advance when we connect to an open WiFi network.
Mutual certificate authentication and connecting with Burp
by Mohit Verma
SSL certificates have become a required implementation when you host a domain, and nearly every developer knows the importance of encrypting information while sending it over the network. SSL is not limited to encrypting information over a channel; it also works as an authentication mechanism between the user and the server. The general term for such communication is mutual TLS, where the client presents certain certificates to the server, and only if they are valid will the server respond to the request. Let’s dive into some basics of SSL certificates and how we can use client certificates as an authentication mechanism.
Could Blockchain Technology Be The Future Of Healthcare Startup Security? [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Noah Rue
One in four of all data breaches that occur happen in the healthcare industry. And with numbers like these and the value of electronic health records (EHRs) on the black market, the prospect of a healthcare startup is, understandably, especially risky. After all, if a single data breach runs the risk of costing your startup up to millions in damages while putting patients at risk, how can you navigate a new healthcare venture safely?
Industry 4.0: Secure IT/OT Convergence
by Joshua Rebelo
While convergence unlocks business value in terms of operational efficiency, performance, and quality of services in digital technologies, it can also be detrimental, because threats that target OT environments now have a pathway into both IT and OT environments. The result is a greater attack surface and more vectors for potential cyber-attacks, as well as a greater risk of exposure to such attacks. With work from home, digital transformation, and increasing demand for remote connectivity during Covid-19 times, solutions that involve IT/OT convergence must undergo security assessment and security due diligence to ensure a “Security by Design” approach.