More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,670 original computer security white papers in 103 different categories.
Latest 25 Papers Added to the Reading Room
Network Security Infrastructure and Best Practices: A SANS Survey Analyst Paper
by Barbara Filkins - May 23, 2017 in Network Devices, Network Security
- Associated Webcasts: Network Security Infrastructure and Best Practices: A SANS Survey
- Sponsored By: NETSCOUT Systems, Inc.
Network infrastructure is the key business asset for organizations that depend on geographically dispersed data centers and cloud computing for their critical line-of-business applications. Consistent performance across links and between locations must be maintained to ensure timely access to data, enabling real-time results for decision making. The following pages provide guidance on how to approach common challenges faced by both the network and security operational teams in managing interrelated security and performance problems.
Beats & Bytes: Striking the Right Chord in Digital Forensics (OR: Fiddling with Your Evidence)
by Ryan D. Pittman, Cindy Murphy, and Matt Linton - May 22, 2017 in Forensics
- Associated Webcasts: Prelude to Beats & Bytes: Striking the Right Chord in Digital Forensics
This paper will present results from a recent survey of DF/IR professionals and seek to provide relevant observations (together with published psychological, sociological, and neurological research) to discuss the similarities and intersections of DF/IR and music, as well as identify potential correlations between being a successful DF/IR professional and playing music. It will also discuss numerous challenges facing DF/IR professionals today and how learning to play and enjoy music can help DF/IR personnel both overcome some of those challenges and be more effective in their chosen field.
Future SOC: SANS 2017 Security Operations Center Survey Analyst Paper
by Christopher Crowley - May 16, 2017 in Incident Handling, Security Policy Issues
- Associated Webcasts: SOCs Grow Up to Protect, Defend, Respond: Results of the 2017 SANS Survey on Security Operations Centers, Part 1; Future SOCs: Results of the 2017 SANS Survey on Security Operations Centers, Part 2
- Sponsored By: Tripwire, Inc.; LogRhythm; NETSCOUT Systems, Inc.; Carbon Black; ThreatConnect; Endgame
The primary strengths of security operations centers (SOCs) are flexibility and adaptability, while their biggest weakness is lack of visibility. Survey results indicate a need for more automation across the prevention, detection and response functions. There are opportunities to improve security operations, starting with coordination with IT operations. SOCs can improve their understanding of how to serve the organization more effectively and their use of metrics.
How to Conquer Targeted Email Threats: SANS Review of Agari Enterprise Protect Analyst Paper
by Dave Shackleford - May 9, 2017 in Email Issues
- Associated Webcasts: How to Conquer Targeted Email Threats: SANS Review of Agari Enterprise Protect
- Sponsored By: AGARI
Why are our traditional email and endpoint security tools failing us? First, most email deployments lack any authentication of outside senders. Given this vulnerability, it’s trivial to execute spoofing and falsified email content that purports to come from a trusted entity the recipient knows and trusts. Second, attackers are using cloud-based email and “detection-busting” techniques such as fake identities, deceptive sender names and phony domains to beat defenses. Clearly, given the prevalence of email-borne threats, protecting email infrastructure and end users needs to be a high priority for all security teams today. To this end, SANS had the opportunity to review Agari Enterprise Protect and the Agari Email Trust Platform.
Deception Matters: Slowing Down the Adversary with illusive networks® Analyst Paper
by Eric Cole, PhD - May 1, 2017 in Intrusion Detection, Intrusion Prevention
- Associated Webcasts: Deception Matters: Slowing the Adversary with illusive networks
- Sponsored By: Illusive Networks
Deception is an effective defense against targeted attacks that leverages a false map of cyber assets to boost the odds of finding an adversary early and mitigate overall damage. The adversary is tricked into a cyber rabbit hole of fake systems with fake libraries and DNS servers, counteracting the attacker's every move. In this review, SANS Fellow Eric Cole recounts his review of illusive networks' deception and protection capabilities to show cyber deception in action.
A New Era in Endpoint Protection Analyst Paper
by Dave Shackleford - April 26, 2017 in Clients and Endpoints
- Associated Webcasts: A New Era in Endpoint Protection: A SANS Product Review of CrowdStrike Falcon Endpoint Protection
- Sponsored By: CrowdStrike
Conventional antivirus solutions aren’t keeping pace with today's threats. There's a lot of fear, uncertainty and doubt around replacing antivirus with next-generation antivirus solutions, particularly in legacy environments. Learn what NGAV actually is; where it fits into the IT infrastructure; and how to easily utilize CrowdStrike's Falcon cloud-based services against a variety of threats first-generation AV normally wouldn't catch. SANS analyst Dave Shackleford explains and presents his findings.
Hunting Threats Inside Packet Captures
by Muhammad Elharmeel - April 25, 2017 in Threat Hunting
Inspection of packet captures (PCAP) for signs of intrusions is a typical everyday task for security analysts and an essential skill analysts should develop. Malware has many ways to hide its activities at the system level (e.g., rootkits), but in the end it must leave a visible trace at the network level, whether or not that trace is obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace and dissect it using the Bro Network Security Monitor (Bro) to facilitate active threat hunting in an efficient time frame and detect possible intrusions.
The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey Analyst Paper
by Rob Lee and Robert M. Lee - April 25, 2017 in Threat Hunting
- Associated Webcasts: Threat Hunting-Modernizing Detection Operations: The SANS 2017 Threat Hunting Survey Results | Part 1; Reducing Attacks and Improving Resiliency: The SANS 2017 Threat Hunting Survey Results | Part 2
- Sponsored By: Rapid7 Inc.; Anomali; DomainTools; ThreatConnect; Sqrrl Data, Inc.; Malwarebytes
Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender’s networks. Results just in from our new SANS 2017 Threat Hunting Survey show that, for many organizations, hunting is still new and poorly defined from a process and organizational viewpoint.
Show Me the Money! From Finding to Fixed to Funded STI Graduate Student Research
by Robert J. Mavretich - April 24, 2017 in Management & Leadership
Corporations both large and small, whether public or private, can always benefit from an information security audit to improve their security posture. This security audit will highlight vulnerabilities and provide prescriptive guidance on how to fix them within a formal report. The ability to motivate organizational teams to complete the necessary work has historically been a challenge. While tracking these findings using a workflow management tool has its value, most organizations stop at simply tracking the deficiencies rather than taking the necessary steps to remediate them in a timely manner. Thus, vulnerabilities from a decade ago are still causing disruption in our present-day hyper-connected world. By applying an economic incentive system to the resolution of those findings, much like a sales division incentive program, a company can create a remediation bounty program. This will assist in motivating non-managerial staff to conceive of innovative ways to apply necessary fixes quickly, and to manage systems that are less susceptible to nefarious actors and their less than honorable intentions.
No Safe Harbor: Collecting and Storing European Personal Information in the U.S. STI Graduate Student Research
by Alyssa Robinson - April 24, 2017 in Management & Leadership
When the European Court of Justice nullified the Safe Harbor Framework in October of 2015, it left more than 4,000 companies in legal limbo regarding their transfer of personal data for millions of European customers (Nakashima, 2015). The acceptance of the Privacy Shield Framework in July of 2016 expands the options for U.S. companies that need to transfer EU personal data to the U.S. but does little to ameliorate the upheaval caused by the Safe Harbor annulment. This paper covers the history of data privacy negotiations between Europe and the United States, providing an understanding of how the current compromises were reached and what threats they may face. It outlines the available mechanisms for data transfer, including Binding Corporate Rules, Standard Contractual Clauses, and the Privacy Shield Framework, and compares their requirements, advantages, and risks. With this information, U.S. organizations considering storing or processing European personal data can choose the transfer mechanism best suited to their situation.
Hunting through Log Data with Excel
by Greg Lalla - April 24, 2017 in Intrusion Detection
Gathering and analyzing data during an incident can be a long and tedious process. The vast amounts of data involved in even a single system intrusion can be overwhelming. Larger and well-funded incident response teams typically have a Security Information and Event Management (SIEM) product at their disposal to help the responder sift through this data to find artifacts relevant to the intrusion. This paper will demonstrate to the reader how to use Microsoft Excel and some of its more advanced features during an intrusion if a SIEM or similar product is not available to the incident responder.
The Importance of Business Information in Cyber Threat Intelligence (CTI), the Information Required and How to Collect It
by Deepak Bellani - April 20, 2017 in Forensics, Threat Hunting
Today most threat feeds are comprised of IOCs, with each feed providing 1-10M IOCs per year. As the CTI platform adds more feeds, the ability to filter and prioritize threat information becomes a necessity. It is well known that the SOC, Incident Response, Risk and Compliance groups are the primary consumers of CTI. Generating CTI prioritized in order of relevance and importance is useful to help focus the efforts of these high-performance groups. Relevance and importance can be determined using business and technical context. Business context is organizational knowledge, i.e., its processes, roles and responsibilities, underlying infrastructure and controls. Technical context is the footprint of malicious activity within the organization's networks, such as phishing activity, malware, and internal IOCs. In this paper, we will examine how business and technical information is used to filter and prioritize threat information.
Snort and SSL/TLS Inspection
by Yousef Bakhdlaghi - April 20, 2017 in Intrusion Detection, Encryption & VPNs
An intrusion detection system (IDS) can analyze and alert on what it can see, but if the traffic is tunneled through an encrypted connection, the IDS cannot perform its analysis on that traffic. The difficulty of looking into the packet payload makes encrypted traffic one of the most challenging issues for an IDS. In Snort, the encrypted traffic inspector is optional and can only inspect connection handshakes, with no further inspection of the payload after the connection has been established. Encrypted traffic can be entirely decrypted using the private key (decryption key), but there are some issues associated with SSL/TLS key exchanges that could increase the difficulty of decrypting traffic even when the private key is provided.
Integrating Prevention, Detection and Response Work Flows: SANS Survey on Security Optimization Analyst Paper
by G.W. Ray Davidson, PhD - April 19, 2017 in Best Practices
- Associated Webcasts: Impact of Isolated Cyber Security Functions: A SANS Survey
- Sponsored By: ThreatConnect
Are the prevention, detection, response and prediction functional groups operating in unison with shared data and workflow, or are they remaining true to the tradition of operational silos in most technology groups? In this survey, we analyze satisfaction with staffing levels, tools and management-support architectures to help provide best practices and guidance for IT security practitioners.
Speed and Scalability Matter: Review of LogRhythm 7 SIEM and Analytics Platform Analyst Paper
by Dave Shackleford - April 13, 2017 in Security Trends, Threats/Vulnerabilities
- Associated Webcasts: Speed and Scalability Matter: SANS Review of LogRhythm 7 SIEM and Analytics Platform
Just how scalable, fast and accurate are SIEM tools when under load? To find out, we put the LogRhythm 7.2 Threat Lifecycle Management Platform to the test. We found that its clustered Elasticsearch indexing layer supported large log volumes of security and event data during simulated events that would require investigation and remediation.
Identifying Vulnerable Network Protocols with PowerShell STI Graduate Student Research
by David Fletcher - April 6, 2017 in Network Access Control
Microsoft Windows PowerShell has led to several exploit frameworks such as PowerSploit, PowerView, and PowerShell Empire. However, few of these frameworks investigate network traffic for exploitative potential. Analyzing a small amount of network traffic can lead to the discovery of possible network-based attack vectors such as Virtual Router Redundancy Protocol (VRRP), Dynamic Trunking Protocol (DTP), Link-Local Multicast Name Resolution (LLMNR) and PXE boot attacks, to name a few. How does one gather and analyze this traffic when Windows does not include an integrated packet analysis tool? Microsoft Windows PowerShell includes several network analysis and network traffic related capabilities. This paper will explore the use of these capabilities with the goal of building a PowerShell reconnaissance module which will capture, analyze, and identify commonly misconfigured protocols without the need to install a third-party tool within a Microsoft Windows environment.
Securing the Home IoT Network STI Graduate Student Research
by Manuel Leos Rivas - April 5, 2017 in Network Access Control, Home & Small Office, Internet of Things
The Internet of Things (IoT) has proven its ability to cause massive service disruption because of the lack of security in many devices. The vulnerabilities that allow those denial of service attacks are often caused by poor or no security practices when developing or installing the products. The common home network is not designed to protect against the design errors in IoT devices that expose the privacy of the users. The affordable price of single board computers (SBCs), their small power requirements and their customization capabilities can help improve the protection of the home IoT network. SBCs can also add powerful features such as auditing, inspection, authentication, and authorization to improve controls pertaining to who and what can have access. A properly configured home-control gateway reduces some common risks associated with IoT such as vendor-embedded backdoors and default credentials. Having an open source trusted device with a configuration shared and audited by many experts can reduce many of the bugs and misconfigurations introduced by vendor security program deficiencies.
Detecting Attacks Against The 'Internet of Things'
by Adam Kliarsky - March 30, 2017 in Intrusion Detection, Internet of Things
The need to detect attacks against our networks has exploded with the rapid adoption of connected devices affectionately dubbed the "Internet of Things" (or IoT). Manufacturers are rapidly producing devices to meet consumer and market demand which creates a shortened time-to-market in manufacturing. The level of security in the product development lifecycle becomes questionable, as well as production standards. Vulnerabilities have been showing up targeting the physical interfaces of IoT devices, wireless protocols, and user interfaces. It is imperative that intrusion analysts understand how to assess the attack surface, analyze threats, and develop the capability to detect attacks in IoT environments. This paper will review threats, vulnerabilities, attacks, and intrusion detection as it applies to the IoT.
SOC-as-a-Service: All the Benefits of a Security Operations Center Without the High Costs of a DIY Solution Analyst Paper
by Sonny Sarai - March 28, 2017 in Intrusion Detection, Intrusion Prevention
- Associated Webcasts: SOC in the Cloud: A review of Arctic Wolf SOC Services
- Sponsored By: Arctic Wolf Networks
Security Operations Centers are increasingly important in today's enterprises - they protect against intrusions, damaging DDoS attacks and data security breaches, as well as help with investigation and remediation. But how can midsize enterprises get the same SOC advantages as their large enterprise peers?
This paper explores how Arctic Wolf Networks' CyberSOC can help midsize organizations roll out a SOC-as-a-Service, thereby leveraging the benefits of a SOC without the high costs of a DIY solution.
Cyber Security Trends: Aiming Ahead of the Target to Increase Security in 2017 Analyst Paper
by John Pescatore - March 20, 2017 in Cloud Computing, Data Protection
- Associated Webcasts: 2017 Cybersecurity Trends: Aiming Ahead of the Target to Increase Security
Attackers are always changing their methods, but some cybersecurity trends are clear, and identifying these trends will help security professionals plan for addressing these issues in the coming year. Attacks will continue, and many will be successful. While security professionals should try to prevent a breach, it's far more critical to uncover breaches quickly and mitigate damage. Another significant trend for 2017: expanding current security measures to better protect data in the cloud and to address the security shortcomings of the Internet of Things. Even while fighting daily security fires, security managers can expect boards of directors to show more interest in their efforts. Board members are keenly aware that breaches can be high-profile catastrophes for companies, and they are also concerned that the organizations they oversee are in compliance with new and more stringent regulations. This whitepaper covers the latest and best security hygiene and common success patterns that will best keep your organization off the "Worst Breaches of 2017" lists.
Tracking Online Counterfeiters
by Emilio Casbas - March 16, 2017 in Intrusion Detection
The counterfeiting market makes up a vast global business where the impact of fraudulent activity is hard to quantify. Counterfeiting is a global issue which has become more complex as black market activities moved to the internet. Online counterfeiters create thousands of websites with different approaches as part of their strategy to lure unsuspecting shoppers. This paper presents their most common tactics and their relation to the "black market commoditization". It will show their resilience against takedown efforts and provide some guidance about how to detect them. With the knowledge acquired, a new kind of threat intelligence feed could be generated. This information might be integrated into existing security technologies such as proxies, Intrusion Detection Systems (IDSs) or Security Information and Event Management systems (SIEMs). The ultimate goal is to shed light on this increasing fraud vector so new detection capabilities can be deployed into existing services, thus protecting users from unsafe sites.
Securing DNS Against Emerging Threats: A Hybrid Approach Analyst Paper
by John Pescatore - March 16, 2017 in DNS Issues
- Associated Webcasts: Protecting Business Mobility Against Emerging Threats
- Sponsored By: InfoBlox
This paper looks at the impact of mobility and new attack vectors on DNS-related risk and outlines use cases for securing DNS services more effectively. It also examines the use of a hybrid model of on-premises and cloud-based services to improve the security posture of organizations.
Auto-Nuke It from Orbit: A Framework for Critical Security Control Automation STI Graduate Student Research
by Jeremiah Hainly - March 15, 2017 in Automation, Incident Handling, Free and Open Source Software
Over 83% of security teams report that the use of automation in security needs to increase within the next three years (Algosec, 2016). With automation becoming a reality for a growing number of companies, there will also be an increased demand for open-sourced scripts to get started. This paper will provide a framework for prioritizing and developing security automation and will demonstrate this process by creating a script to automate a common information security response procedure - the reimaging of an infected endpoint. The primary function of the script will be to access the application program interface (API) of various enterprise software solutions to speed up the manual tasks involved in performing a reimage.
Detection of Backdating the System Clock in Windows
by Xiaoxi Fan - March 15, 2017 in Forensics
In the digital forensic industry, evidence concerning date and time is a fundamental part of many investigations. As one of the most commonly used anti-forensic approaches, system backdating has appeared in more and more investigations. Since the system clock can be set back manually, it is important for investigators to establish the reliability of date and time so as to make further decisions. However, there is no simple way to tell whether the system clock has been backdated or tampered with, especially when it was subsequently reset to the correct time. There are a variety of artifacts that can reveal backdating of the system clock. If the investigator needs to prove the hypothesis that "the system clock has not been backdated," he or she must examine multiple artifacts for corroboration.
Cyber Threat Intelligence Uses, Successes and Failures: The SANS 2017 CTI Survey Analyst Paper
by Dave Shackleford - March 14, 2017 in Threats/Vulnerabilities
- Associated Webcasts: Cyber Threat Intelligence in Action-Skills and Implementations: Results of the 2017 Cyber Threat Intelligence Survey, Part 1; Cyber Threat Intelligence in Action-Effectiveness of CTI Programs and Wish Lists for the Future: Results of the 2017 Cyber Threat Intelligence Survey, Part 2
- Sponsored By: Arbor Networks; Rapid7 Inc.; Lookingglass Cyber Solutions, Inc.; Anomali; DomainTools; ThreatConnect
Respondents' biggest challenges to effective implementation of cyber threat intelligence (CTI) are lack of trained staff, funding, time to implement new processes, and technical capability to integrate CTI, as well as limited management support. Those challenges indicate a need for more training and easier, more intuitive tools and processes to support the use of CTI in today's networks. These and other trends and best practices are covered in this report.
All papers are copyrighted. No re-posting or distribution of papers is permitted.