20+ years in IT, including network engineering. I still don’t know what the routers will prove unless they’re intact with their configurations which might include what they’re connecting to like China, Germany, etc.
And as another poster said, it’s Splunk, not spunk.
This makes a shitton more sense than the PDW post.
They wanted the routers to find out where the netflow and syslogs were being sent so they could grab the SIEM, which would have had records of the through-the-box dataflows and admin access logs.
Since they got the Splunk (SIEM) data, then IDGAF about the routers.
Now this here makes tons of sense provided they haven’t fucked with the configs.
Splunk's logs are not enough for one very simple reason: authenticity. Anyone can say that a very compromised Splunk log is fake.
If the white hats are really in control and know what they are doing, they were using syslog with mutual TLS.
This way, with routers in hand, you can prove that that log actually came from that router.
Mutual TLS is only going to protect the syslog data in flight, not at rest in the Splunk DB.
I contend that going after the netflow is the way: if the syslog were tampered with, the netflow would prove or refute those admin connections noted by syslog. Flows coming from the machines can be uniquely fingerprinted, router or not, to prove their origin.
If the netflow were tampered with, there would either be obvious gaps, or anomalies pointed out by what they already know from the machines.
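The cross-check argued for above (use flow records to corroborate or refute the admin sessions that syslog claims, and look for gaps in the flow record stream), as an added example that is not from this thread or from any audit; the syslog lines, the NetFlow-style records, the router management IP and the sequence-number field are all constructed and simplified for illustration:

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines (not real data): SSH admin logins reported by a router.
SYSLOG = [
    "2020-11-03T10:15:02Z rtr1 login: user admin logged in from 203.0.113.7 via ssh",
    "2020-11-03T11:40:30Z rtr1 login: user admin logged in from 198.51.100.9 via ssh",
]
# Constructed, simplified flow records: (start, end, src, dst, dport, flow_seq).
# flow_seq stands in for the exporter's per-packet sequence counter.
NETFLOW = [
    ("2020-11-03T10:14:58Z", "2020-11-03T10:31:10Z", "203.0.113.7", "192.0.2.1", 22, 1001),
    ("2020-11-03T10:20:00Z", "2020-11-03T10:20:05Z", "192.0.2.50", "192.0.2.1", 443, 1002),
    ("2020-11-03T12:00:00Z", "2020-11-03T12:00:09Z", "192.0.2.50", "192.0.2.1", 443, 1005),
]
ROUTER_MGMT_IP = "192.0.2.1"  # assumed management address of rtr1
LOGIN_RE = re.compile(r"^(\S+) (\S+) login: user (\S+) logged in from (\S+) via ssh$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def corroborate(syslog, netflow, slack=timedelta(seconds=30)):
    """For each syslog admin login, look for a flow from the same source to the
    router's SSH port that started within `slack` of the logged time.
    Returns {syslog line: matching flow_seq, or None if no flow backs it up}."""
    results = {}
    for line in syslog:
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a login event; ignore
        ts, _host, _user, src = m.groups()
        t = parse_ts(ts)
        match = None
        for start, _end, fsrc, fdst, dport, seq in netflow:
            if (fsrc == src and fdst == ROUTER_MGMT_IP and dport == 22
                    and abs(parse_ts(start) - t) <= slack):
                match = seq
                break
        results[line] = match
    return results


def sequence_gaps(netflow):
    """Sequence numbers missing from the flow stream: a gap means records were
    dropped in transit or removed afterwards, and needs explaining either way."""
    seqs = sorted(seq for *_, seq in netflow)
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1]) if n not in present]
```

With the constructed data the first login is backed by flow 1001, the second login has no flow at all, and sequence numbers 1003 and 1004 are missing from the flow stream.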
Agreed, routers don't have enough storage to retain enough useful information dating back to the elections. If the routers retained the full security logs and configuration changes dating back, they could show configuration changes to open ACLs to IP ranges that may include source IPs in other countries. That doesn't really mean much as a hacker could run everything in VMs hosted in AWS and source IPs from US-West.
I have some experience with Splunk and it's a very powerful tool, tracks everything with rules and such. Basically a software version of a router but with logs.
My experience is somewhat limited but I know it's really powerful and if Cyber Ninjas have the logs that can prove wrongdoings, then yeah we've won.
No. Splunk is not a router. It is a logger. With Splunk Enterprise Security or writing your own rules it can be a SIEM. We have two implementations of Splunk. I manage our security engineering team.
I know that. Guess I probably said it wrong but when I was doing Splunk, it felt like I was configuring a router. I'm not saying it's a router of any kind, I'm just saying it felt like the same as setting up a router like Cisco with IOS, because of rules, exceptions and more.
Like I said, my experience with Splunk is limited because I make do with what I can at home and obviously not at the enterprise level. Been trying to find a job but apparently no one is interested in hiring a deaf person like myself with experience working with computers, has an I.T. degree with a couple of certs, concentrating in Sys admin, networking and cyber security.
Router MAC addresses to coincide with the traffic data? Just throwing it out there.
Trying to understand this one. MAC addresses are only locally significant, although they are unique. Re-framing packets is how a router moves packets from one router interface to another router interface in order to forward packets. (The MAC address is in the frames.)
Still, the MAC addresses act as a “fingerprint” of sorts as they are unique and if they can be correlated with other traffic data as you say they might mean something. I’m still scratching my head.