
Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,360 original computer security white papers in 89 different categories.

Latest 25 Papers Added to the Reading Room

  • Protecting Third Party Applications with RASP Infographic Analyst Paper
    by - August 27, 2015 
  • Deployment of a Flexible Malware Sandbox Environment Using Open Source Software by Jose Ortiz - August 24, 2015 in Incident Handling

    The identification and analysis of malware is one of the many tasks performed by incident handlers. Only a small number of commercial entities provide the technology capable of automating this. Most times these offerings are beyond the reach of small organizations due to the high costs associated with licensing and maintenance. One open source alternative is Cuckoo Sandbox. It is a free software project licensed under GNU GPLv3. It allows the user to analyze and collect data against suspected pieces of malware. The framework installation requires careful configuration by an experienced Linux administrator. The accepted method of deployment is to follow the prescribed steps and test the application until it works. Attempting to scale the sandbox environment beyond a few virtual machines becomes a complicated process due to the maintenance required for multiple Windows configurations. By using techniques borrowed from the DevOps methods, a small team of incident handlers can create a sandbox environment that is not only repeatable and consistent, but also scalable. The user can create multiple template profiles, which allow for flexible testing.

  • Preventing data leakage: A risk based approach for controlled use of administrative and access privileges Masters
    by Christoph Eckstein - August 24, 2015 in Data Loss Prevention

    Organizations invest resources to protect their confidential information and intellectual property by trying to prevent data leakage or data loss. They adopt policies and implement technical controls to stop the loss and disclosure of sensitive information by outside attackers as well as inadvertent and malicious insiders. They follow best practices like the Critical Security Controls, specifically Control 12 (Controlled Use of Administrative Privileges) and Control 17 (Data Protection), to prevent the unauthorized leakage and disclosure of sensitive information. One type of data loss or data leakage prevention control includes endpoint protection solutions to stop file transfers to USB storage devices or file uploads to public websites. However, the larger and more complex the business and organization, the more users may be granted exceptions to these policies and controls in order for them to be able to fulfill their job related tasks. The approval of these exceptions is often solely based on the business need for the individual user. This raises the question of how an approval for an exception influences the risk of data leakage for an organization. What is the specific data leakage risk for granting an individual user a certain exception? This paper presents a new approach to risk based exception management, which will allow organizations to grant exceptions based on inherent data leakage risk. First, this paper introduces a concept for evaluating and categorizing users based on their access to sensitive information. Then, in the second step, a ruleset is defined for granting exceptions based on the categorization of users, which enables individual approvers to make informed decisions regarding exception requests. The overall objective is to lower the data leakage risk for organizations by controlling and limiting exceptions where the access, and thereby the potential loss of information, is the highest.

  • What Companies need to consider for e-Discovery by Thomas Vines - August 24, 2015 in Legal Issues

    Within the legal environment, Discovery is the process of identifying, locating, preserving, securing, collecting, preparing, reviewing, and producing facts, information, and materials for the purpose of producing/obtaining evidence for utilization in the legal process. Electronic Discovery (e-Discovery) is an extension of these processes into the digital environment and Electronically Stored Information (ESI). Legal departments are ill-prepared to deal with the digital environment of a business. Increasingly they are turning to the company's Information Technology (IT) department in order to identify, locate, preserve, and collect ESI. This is not the break/fix work that is typical in IT operations. This is a new area of Data Governance and Records Information Management. This paper explores the relationships between Executive Management, Legal, Risk Management, IT, and Security in fulfilling the demands and obligations for defensible e-Discovery. This analysis includes a discussion of the Electronic Discovery Reference Model (EDRM) and its integration with the Information Governance Reference Model (IGRM).

  • Paying Attention to Critical Controls Masters
    by Edward Zamora - August 21, 2015 in Critical Controls

    International organizations such as the Australian DSD, the European Commission and the US NSA have developed their lists of top mitigations and actions they consider necessary for organizations and governments to implement. It has been further established by the international information security community that the twenty critical security controls are the top relevant guidelines for implementing and achieving greater security. Many of the controls require the deployment and installation of security software. But is installing software all there is to it? Will an organization be better defended by buying lots of security products? In one particular use case, attackers were able to break through the network defenses of an organization that implemented many of the security controls but did not do so properly. Under a false sense of security, the senior leadership woke up to some bad news when they learned that gigabytes of data were stolen from the organization's network after controls were in place. The implementation of security controls should be done with careful planning and attention to detail. This paper covers what the attackers did to circumvent the controls in place in the organization, how the organization could have implemented the critical controls properly to prevent this compromise, and what an organization needs to do to avoid this pitfall.

  • Detect, Contain and Control Cyberthreats Analyst Paper
    by Eric Cole, PhD - August 20, 2015 in Security Awareness

    An Analyst Program whitepaper by Dr. Eric Cole. It discusses the value of prioritizing mitigation efforts based on known risks and high-value targets, and how doing so can reinforce network defenses.

  • The Race to Detection: A Look at Rapidly Changing IR Practices Analyst Paper
    by Alissa Torres - August 19, 2015 

    With the rapidly changing risk environment, those assigned to protect their organizations must be agile in adapting technology to meet the challenges presented to them. Read this paper to learn what leading incident response practices are doing, and what they plan for the future.

  • Insider-Focused Investigation Made Easier Analyst Paper
    by Dave Shackleford - August 18, 2015 in Security Awareness

    A review by SANS analyst and instructor Dave Shackleford of Raytheon|Websense SureView Insider Threat. It discusses the product's ability to assist security teams in their efforts to mitigate the threats posed by trusted insiders.

  • DevOps Rescuing White Lodging from Breaches Masters
    by Tobias Mccurry - August 18, 2015 in Case Studies

    For the second time in fourteen months, multiple financial institutions lodged complaints of fraud on customer credit and debit cards recently used at White Lodging Services locations (Krebs, Hotel Franchise Firm White Lodging Investigates Breach, 2014). White Lodging, along with others, was attacked to gain access to the highly profitable credit card data in their financial systems. Companies are faced with the threat of many different kinds of malware specialized in Point of Sale systems. This paper will take a case study approach to examine the White Lodging breaches and show how adopting the Development Operations (DevOps) mindset could have worked to mitigate the breaches. This approach can provide an organization a systematic method to quickly implement the SANS Critical Controls.

  • Configuration Management with Windows PowerShell Desired State Configuration (DSC) Masters
    by Brian E. Quick - August 18, 2015 in Best Practices

    Keeping information system baselines consistent with a formal configuration management plan can be a very difficult task. Changes to server based systems and networking must be monitored in order to provide some measure of compliance. A new distributed configuration management platform by Microsoft® called Desired State Configuration (DSC) makes this task easier. The objective of this paper is to describe in depth how PowerShell 4.0 can help to solve this common problem. DSC uses a declarative syntax that any skilled administrator can utilize to deploy software, monitor configuration drift and even report conformance. DSC is cross-platform compatible with hundreds of useful resources freely available. DSC leverages PowerShell 4.0 and gives administrators a useful way to automate configuration management.

  • Maturing and Specializing: Incident Response Capabilities Needed Analyst Paper
    by Alissa Torres - August 17, 2015 

    Survey results reveal an increasingly complex response landscape and the need for automation of processes and services to provide both visibility across systems and best avenues of remediation. Read this paper for coverage of these issues, along with best practices and sage advice.

  • Following a Breach: Simulating and Detecting a Common Attack Masters
    by Dale Daugherty - August 14, 2015 in Case Studies

    Modern networks are designed with multiple layers of preventive and detective controls. Even with these controls, networks continue to be breached and these breaches can go unnoticed for months. While preventive measures cannot stop all attacks and exploits, detective measures should be able to identify intrusions and malicious activity in a timely manner. The ability to detect this activity depends on the kinds of intrusion monitoring systems in place and the analyst's ability to recognize and act on the alerts. This paper will outline the anatomy of a common attack, simulate the steps in an attack, including elements from the recent breach of Sally Beauty Supply, and determine how an attack can be detected.

  • Protecting Home Devices from Malicious or Blacklisted Websites Masters
    by Sumesh Shivdas - August 10, 2015 in Home & Small Office

    The majority of the devices on a home network have unrestricted outbound connectivity to the Internet (Barcena & Wueest, 2015). Other than the use of OpenDNS, which only provides some protection against phishing, fraud and limited blacklisting, a homeowner's options are limited. To provide protection from known malicious sites and produce DNS query logs for further detailed analysis, a simple virtual machine set up with DNS is proposed. When coupled with OpenDNS, unlimited blacklisting capability and automatic updates to block malicious sites from all devices are provided. The solution also provides the capability to analyze all the DNS logs using a log based Intrusion Detection System like OSSEC.

  • Using Network Based Security Systems to Search for STIX and TAXII Based Indicators of Compromise by Jason Mack - August 10, 2015 in Intrusion Detection

    As interest in collecting actionable cyber intelligence has grown substantially over the last several years in response to the growing sophistication of attackers, so has the need for organizations to more readily process indicators of compromise and act immediately upon them to determine if they are present in a given enterprise environment. While host-based tools have been designed for this very purpose, they can be challenging to deploy on an enterprise-wide basis and are dependent on frequent updates. This paper will propose several methodologies by which these indicators of compromise may be visible within network traffic. It will further study how key network security devices (e.g. Snort IDS, IPTables Firewall, Web Proxy, etc.) can be used to effectively identify and alert on indicators of compromise both on the way into the network and also via analysis of outbound traffic. In addition, STIX and TAXII will be thoroughly investigated as individual protocols, including how they can best be incorporated into the rapid generation of customized network monitoring rules.

  • Securing Linux Containers by Major Hayden - August 10, 2015 in Linux Issues

    The components that make Linux containers possible have been available for several years, but recent projects, such as LXC and Docker, have made the technology much more accessible to users. Containers allow for even more efficient utilization of server resources through greater density and faster provisioning. However, securing containers is much more challenging than traditional virtualization methods, including KVM. The isolation layer between the container and the kernel, as well as between each container, is extremely thin. Weaknesses in the kernel or the container configuration can lead to compromises of containers or the entire system. The responsibility of managing the operating system within the container can also become blurry with time, and that can also lead to compromises of the container. Fortunately, Linux security modules, such as SELinux and AppArmor, along with careful configuration and container operating system management, can strengthen the thin walls around each container. Organizations that use mature Dev/Ops practices can also improve security within each container by automating the creation and deployment of container images. This paper will discuss the best strategies for securing a system running containers and the trade-offs that come with each.

  • Forensic Timeline Analysis using Wireshark GIAC (GCFA) Gold Certification Masters
    by David Fletcher - August 10, 2015 in Forensics

    The objective of this paper is to demonstrate analysis of timeline evidence using the Wireshark protocol analyzer. To accomplish this, sample timelines will be generated using tools from The Sleuth Kit (TSK) as well as Log2Timeline. The sample timelines will then be converted into Packet Capture (PCAP) format. Once in this format, Wireshark's native analysis capabilities will be demonstrated in the context of forensic timeline analysis. The underlying hypothesis is that Wireshark can provide a suitable interface for enhancing an analyst's ability. This is accomplished through use of built-in features such as analysis profiles, filtering, colorization, marking, and annotation.

  • Data Loss Prevention and a Point of Sales Breach Masters
    by Nicholas Kollasch - August 10, 2015 in Case Studies

    Target could have used a data loss prevention solution to mitigate the success of its infamous data breach. However, organizations typically deploy data loss prevention with simple policies and rules that detect 15- or 16-digit number strings that might represent a credit card number; this strategy would not be effective in the case of the Target attack due to the attackers packaging the loot with Base64 encoding directly on the point of sales systems. Therefore, a security practitioner requires alternative detection measures to detect this type of anomalous activity. Data loss prevention can support an organization's ability to implement the Critical Security Controls, thereby providing the capability to detect such a sophisticated attack during the key stage of the Kill Chain model: Actions on Objective. Data loss prevention, when implemented with robust rules that reflect current attack tactics, techniques, and procedures, can reduce the likelihood of success by making it a bit more difficult to extract the valuable data.

  • Challenges for IDS/IPS Deployment in Industrial Control Systems Masters
    by Michael Horkan - August 7, 2015 in Industrial Control Systems

    Intrusion Detection and Prevention Systems (IDS/IPS) are a key component of defense-in-depth strategy for information systems. Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems need to incorporate this technology in order to properly defend against a growing threat landscape. This paper examines how to deploy this technology in a sample ICS/SCADA setting, identifies hurdles that both industrial control system vendors and asset owners must overcome in order to make IDS/IPS deployment successful, and provides recommendations for both vendors and owners in order to approach the use of these technologies. This paper is written with two audiences in mind. It is intended for the enterprise IT professional who is familiar with security technologies and best practices, but unfamiliar with ICS/SCADA, as well as ICS/SCADA engineers and managers who lack experience in enterprise security.

  • Observation and Response: An Intelligent Approach Analyst Paper
    by J. Michael Butler - August 7, 2015 in Threats/Vulnerabilities

    A SANS Analyst Program whitepaper by J. Michael Butler. It discusses how properly focused observation and tracking efforts provide intelligence from inside the enterprise by monitoring for indicators of compromise such as odd point-in-time activities on the network, unusual machine-to-machine communications, outbound transfers, connection requests and many other suspicious activities.

  • Tunneling, Pivoting, and Web Application Penetration Testing Masters
    by Gordon Fraser - August 3, 2015 in Penetration Testing

    When conducting a web application penetration test there are times when you want to be able to pivot through a system to which you have gained access to other systems in order to continue testing. There are many channels that can be used as avenues for pivoting. This paper examines five commonly used channels for pivoting: Netcat relays, SSH local port forwarding, SSH dynamic port forwarding (SOCKS proxy), Meterpreter sessions, and Ncat HTTP proxy, within the context of using them with key tools in the penetration tester's arsenal, including Nmap, the Burp Suite, w3af, Nikto, Iceweasel, and Metasploit.

  • PKI Trust Models: Whom do you trust? Masters
    by Blaine Hein - July 28, 2015 in Encryption & VPNs

    There has been a substantial amount of attention in the media recently regarding Public Key Infrastructures (PKI). Most often, secure web server exploits and signed malware have generated this attention and have led to the erosion of trust in PKI. Despite this negative media attention, there has been very little detailed discussion of the topic of PKI Trust proliferation and control. PKI is an integral part of our daily lives even though, for the most part, we never notice it. Europe is several years ahead of North America in the ubiquitous deployment of PKI to its citizens, but North America has begun to catch up. This paper covers four major areas including the definition of trust and trust models, implementation of trust, auditing of trust, and managing trust. The paper provides proof of concept tools to allow administrators to understand their current level of PKI trust and techniques to manage trust.

  • Coding For Incident Response: Solving the Language Dilemma Masters
    by Shelly Giesbrecht - July 28, 2015 in Forensics, Incident Handling, Scripting Tips, Tools

    Incident responders are frequently faced with the reality of "doing more with less" due to budget or manpower deficits. The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" is a necessary skill in a responder's personal toolkit. The question for IR practitioners is what language they should learn that will be the most useful in their work. In this paper, we will examine several coding languages used in writing tools and scripts for incident response, including Perl, Python, C#, PowerShell and Go. In addition, we will discuss why one language may be more helpful than another depending on the use-case, and look at examples of code for each language.

  • Beyond the Point of Sale: Six Steps to Stronger Retail Security Analyst Paper
    by Robert L. Scheier - July 28, 2015 in Security Awareness

    A whitepaper by Robert Scheier. It addresses the complex nature of IT in the retail environment and outlines a six-step process for enhancing security of small shopkeepers as well as big-box chains.

  • An Introduction to Linux-based malware Masters
    by Matthew Koch - July 23, 2015 in Malicious Code

    Although rarely making news headlines, Linux malware is a growing problem. As a result, Linux systems are left in an insecure state with minimal defenses against malware. This becomes increasingly problematic with the growth of networkable embedded devices, often referred to as the Internet of Things (IoT). This paper will discuss attack vectors for Linux malware, analyze several pieces of malware and describe defensive capabilities.

  • Incident Tracking In The Enterprise by Justin Hall - July 20, 2015 in Incident Handling

    Some organizations employ Computer Security Incident Response Teams (CSIRTs) to investigate and respond to security incidents. They often find these investigations to be poorly executed, time consuming, and ultimately ineffective at discovering the root cause of a breach. Unfortunately, this is not usually due to the skill of the investigators, but rather due to the tools and processes they use to manage the investigations. This paper describes the use of purpose built case management software, integrated into the incident response process, to track these investigations. CSIRTs that take an organized, formal tracking approach will collaborate better and find their investigations to be more complete and useful to risk managers.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.