Remote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, they allow attackers to execute arbitrary code on affected systems without authentication — and open the door to additional tactics and techniques that cause further harm.
To support defenders against these attacks, the Splunk Threat Research Team regularly creates new out-of-the-box security content for use in Splunk Enterprise Security. Join this Tech Talk to learn more from Michael Haag, Principal Threat Researcher, who will provide:
An overview of the latest security content the team has developed to defend against RCEs
Best practices for implementing and using this content
A walkthrough of the detection engineering process the Splunk Threat Research Team follows to create security content for defending against CVEs
Watch the full Tech Talk here:
Detecting Remote Code Executions with the Splunk Threat Research Team.mp4
Q: How can I stay up-to-date on content releases from the Threat Research Team?
A: The Community: Every month, we post a recap in the Product News & Announcements section with a list of all the new and updated security content we’ve released, plus links to learn more about each detection on research.splunk.com. You can find previous recaps here.
Q: Where can I find the latest research from the Threat Research Team?
A: The Splunk blog: We regularly post research and guidance related to the latest tactics, techniques, and procedures we see adversaries using in the wild. You can find all posts authored by the Splunk Threat Research Team here.
Q: Will the Threat Research Team be presenting at .conf this year?
A: Yes! Members of the Threat Research Team will be presenting a number of sessions. You can check out all of the security sessions that will be happening at .conf here.
Q: Please describe an efficient method to detect a ransomware attack. Personally, I like to analyze the entropy of files, but is that not too late?
A: We have a greater chance to prevent ransomware by reducing the attack surface using products like WDAC (Windows Defender Application Control), Microsoft Windows AppLocker, or ASR rules (Attack Surface Reduction rules). On the mail gateway side, restricting the allowed ingress file extensions (HTA, CHM, JS, VBS, and so on) will help reduce the amount of ransomware or malicious files reaching the mailbox. Using entropy to identify the files will be too late, unfortunately.
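As an added illustration of the two mechanisms discussed in this question and answer (example code written for this page, not Splunk content and not part of the Tech Talk): a Shannon entropy check of the kind the questioner describes, and a deny-list check on attachment extensions of the kind the answer recommends at the mail gateway. The extension list is the one named in the answer; the 7.5 bits-per-byte threshold, the function names and the sample data are assumptions. Running it shows why entropy is a lagging signal: the value only rises once a file has already been encrypted, whereas the extension check rejects the delivery vehicle before anything executes.

```python
import math
import os
from collections import Counter

# Extensions the answer above lists as worth blocking at the mail gateway
# (list taken from the text; stored lower-case with a leading dot).
BLOCKED_EXTENSIONS = {".hta", ".chm", ".js", ".vbs"}

# Assumed threshold: ciphertext and compressed data approach 8.0 bits/byte,
# plain text and most documents sit well below it.
ENCRYPTED_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Heuristic used by after-the-fact ransomware detection: high entropy
    means the content has already been encrypted (or compressed)."""
    return shannon_entropy(data) >= threshold


def is_blocked_attachment(filename: str) -> bool:
    """Mail-gateway style deny-list check on the final extension,
    case-insensitive, so 'Invoice.JS' is caught as well as 'invoice.js'."""
    _, ext = os.path.splitext(filename.lower())
    return ext in BLOCKED_EXTENSIONS


def triage_attachments(filenames: list[str]) -> dict[str, list[str]]:
    """Split a list of attachment names into blocked and allowed."""
    result: dict[str, list[str]] = {"blocked": [], "allowed": []}
    for name in filenames:
        result["blocked" if is_blocked_attachment(name) else "allowed"].append(name)
    return result


# Constructed samples: readable text versus a byte-uniform blob that stands
# in for an encrypted file (every byte value appears equally often).
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 40
ENCRYPTED_SAMPLE = bytes(range(256)) * 8


if __name__ == "__main__":
    for label, blob in (("text", TEXT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(f"{label:>9}: {shannon_entropy(blob):.3f} bits/byte, "
              f"looks_encrypted={looks_encrypted(blob)}")
    print(triage_attachments(["report.pdf", "Invoice.JS", "setup.hta", "notes.txt"]))
```

The entropy function is the same calculation whether it is run over file contents on an endpoint or over a field already indexed in a SIEM; the point of the answer stands either way, since a high reading is only available after the damage is done.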
Q: Will any of these vulnerabilities be exercised in Boss of the SOC?
A: Not that STRT is aware of, unsure.
Please feel free to post additional questions here for us to respond to as you rewatch the Tech Talk and demo.