Featuring 88 Papers as of April 9, 2014
Enhancing incident response through forensic, memory analysis and malware sandboxing techniques
Wylie Shanks - April 9, 2014
Almost daily, there are reports of successful data breaches and new threat vectors including compromised systems or vulnerable software.
Active Security Or: How I learned to stop worrying and use IPS with Incident handling
Doug Brown - January 14, 2014
Beyond the obvious nomenclature for viruses and worms, several lessons can also be gleaned from the world of epidemiology and applied to information security.
Scott Christie - December 16, 2013
Wardriving requires a computer system with the proper tools installed and a Wi-Fi receiver. Locating Wi-Fi access points has evolved from lugging large computers around in cars, to wardriving apps on smartphones such as WiGLE Wi-Fi Service for Android devices (WiGLE, 2013).
A Practical Social Media Incident Runbook Masters
Trenton Bond - June 20, 2013
In the course of a few short years, social media has clearly become a valuable marketing and communication tool in business strategies.
Corporate vs. Product Security
Philip Watson - June 3, 2013
When people hear "I deal with security" from any employee, the typical thought is that they are defending the enterprise, the web servers, the corporate email, and corporate secrets.
Event Monitoring and Incident Response
Ryan Boyle - May 15, 2013
System security policies can still have security holes after implementation and may even introduce unintended consequences.
Using IOC (Indicators of Compromise) in Malware Forensics
Hun-Ya Lock - April 22, 2013
In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.
Track 3 - Intrusion Detection In-Depth GIAC Certified Intrusion Analyst (GCIA) Practical Assignment Version 4.0
Jan Stodola - October 19, 2012
Atrix Network Consulting (ANC) is a privately held network security company, mandated with security audit of ABC University network logs.
InfiniBand Fabric and Userland Attacks Masters
Aron Warren - October 18, 2012
InfiniBand™ is not a word used much in the hacking community. It is much like the phrase "Apple exploits" was to "Windows exploits" about 5 years ago or so.
Incident Handling in the Healthcare Cloud: Liquid Data and the Need for Adaptive Patient Consent Management Masters
Barbara Filkins - October 18, 2012
The increasing use of electronic health record (EHR) systems, health information exchange (HIE) networks, and cloud computing significantly increases the exposure of sensitive medical information to loss of confidentiality, integrity, and availability due to data-related attacks, such as medical identity theft or insider threats (Ponemon Institute, 2011).
Shedding Light on Security Incidents Using Network Flows
Kevin Gennuso - May 16, 2012
Incident handlers, and information security teams in general, face significant challenges when dealing with incidents in modern networks.
Incident Handler's Handbook
Patrick Kral - February 21, 2012
An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.
Quick and Effective Windows System Baselining and Comparative Analysis for Troubleshooting and Incident Response Masters
Kevin Fuller - February 14, 2012
What is a baseline? The primary definition of baseline is that it is a line that is a basis of measurement (Farlex Inc, 2011).
Computer Forensic Timeline Analysis with Tapestry
Derek Edwards - November 29, 2011
One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.
Identifying Malicious Code Infections Out of Network
Ken Dunham - August 29, 2011
Forensics is a complex subject, where details matter greatly. Even more complicated are investigations where forensic methods are used to further understand, identify, capture, and mature and understanding of a malicious attack that may have taken place on a computer.
Responding to Zero Day Threats
Adam Kliarsky - July 20, 2011
The internet has become a pervasive threat vector to organizations of all sizes. As new technologies are adopted to keep pace with business trends, surreptitious sources lurk in the shadows to exploit the weaknesses exposed. Sophisticated, targeted attacks such as Aurora, APT, Stuxnet, and Night Dragon have been making headlines, with goals of monetary gain and intellectual property theft.
Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools
Jonny Sweeny - June 28, 2011
When an information security analyst is investigating incidents, he or she needs to have an organized set of tools.
Wireless Networks and the Windows Registry - Just where has your computer been? Masters
Jonathan Risto - May 6, 2011
The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.
Following Incidents into the Cloud
Jeff Reed - March 1, 2011
The availability and use of cloud computing continues to grow. Discussions of and references to its benefits and issues grow at a similar pace. As it continues to move from a sort of SOA of the Wild West into the mainstream, more companies will face the myriad questions arising from its use. When, why, where and how should integration with the cloud occur? How can one be certain that a cloud provider will survive through an organizations technology integration lifecycle?
Wireless Mobile Security
Erik Couture - December 3, 2010
Mobile Security: Current threats and emerging protective measures
Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis Masters
T.J. OConnor - September 13, 2010
Forensics tools exist in abundance on the Web. Want to find a tool to dump the Windows SAM database out of volatile memory? Google and you will quickly find out that it exists. Want to mount and examine the contents of an iPhone backup? A tool exists to solve that problem as well. But what happens when a tool does not already exist? Anyone who has recently performed a forensic investigation knows that you are often left with a sense of frustration, knowing data existed only you had a tool that could access it.
Integrating Forensic Investigation Methodology into eDiscovery
Colin Chisholm - September 8, 2010
The intent of this paper is twofold; to provide a primer on the eDiscovery process for forensic analysts and to provide guidance on the application of forensic investigative methodology to said process. Even though security practitioners such as forensic analysts operate in the legal vertical, they necessarily view and approach eDiscovery from a different perspective than legal professionals. This paper proposes that both parties can benefit when they integrate their processes; forensic tools and techniques have been used in the collection, analysis and presentation of evidence in the legal system for years. The history, and precedent, of applying forensic science to the legal process can be leveraged into the eDiscovery process. This paper will also detail how the scope and work for a forensic investigator during the eDiscovery process differs from a typical forensic investigation.
Orion Incident Response Live CD Masters
John Jarocki - May 7, 2010
There are many frameworks for incident handling, including the Security Incident Handling Guide from the National Institute of Standards and Technology (NIST) (Scarefone, Grance, & Masone, 2008), (Mandia, Prosise, & Pepe, 2003), and the SANS six-step handling process (Skoudis, 2009). Carnegie-Mellons Software Engineering Institute even provided a study of these and more along with a framework for creating an incident management process tuned for a specific organization (Albert, Dorofee, Killcrece, & Zajicek, 2004). Tools for incident handling and response also exist, but responder tool kits are often built by collecting important tools one at a time until the expert incident handler has a custom set. This makes it difficult to bring in less-experienced incident response team members, and it creates challenges for collaboration during the incident as well as consistent collection and storage of evidence. Some Incident Response environments do exist, but they primarily focus on the analysis process, and do not provide a communication and collaboration framework. Nor do they usually provide a workflow based environment.
Scareware Traversing the World via a Web App Exploit
Mark Hillick - April 19, 2010
This paper will discuss the reasons behind this attack but more importantly, through following the six phases of Incident Handling in the SANS GCIH 504 course, it will provide direction on how such an incident should be handled from both the web-application side and the desktop perspective. This description will highlight how the attack was constructed with great precision and with greater control, resiliency and reliability than many top legitimate companies when they implement their IT solutions.
Incident Handling as a Service
Michel Lundell - March 1, 2010
This paper is about providing an incident handling service to companies that focus on their primary business and have limited resources to have an in-house IT security organization.
Winquisitor: Windows Information Gathering Tool
Michael Cardosa - January 19, 2010
Winquisitor is a tool that facilitates the timely retrieval of information from multiple Windows systems enabling the administrator to respond in an appropriate amount of time. Unlike other command line tools, Winquisitor allows multiple types of queries in a single command with several output formats.
Preventing Incidents with a Hardened Web Browser
Chris Crowley - December 15, 2009
There is substantial industry documentation on web browser security because the web browser is currently a frequently used vector of attack. This paper investigates current literature discussing the threats present in today's environment.
Cisco Security Agent and Incident Handling Masters
Greg Farnham - October 1, 2009
An implementation of Cisco Security Agent (CSA) is analyzed and impacts to the incident handling process are identified. In addition, guidance is provided to configure CSA to support the incident handling process.
Simple Windows Batch Scripting for Intrusion Discovery Masters
Tim Proffitt - September 29, 2009
Common free tools and automatic batch scripting that can be used to identify an intrusion on a Windows operating system.
Mitigating Insider Sabotage
Joseph Garcia - September 28, 2009
How failing to create an effective termination policy and deploy correct user access controls to deter insider threats can be costly.
Security Incident Handling in High Availability Environments Masters
Algis Kibirkstis - September 15, 2009
SANS Whitepaper discussing a security incident handling process for high-availability systems.
Investigative Tree Models Masters
Rodney Caudle - September 15, 2009
Investigative tree models provide a structured approach to incident handling during incident response. This SANS whitepaper explores definable, reproducible structures to be created facilitating controlled cost exposure during an incident response cycle.
Protecting Against Insider Attacks Masters
Brad Ruppert - August 10, 2009
Key factors in enhancing internal security controls and protecting a company from internal attacks. Often the greatest damage can be done by someone already inside these defenses. It is imperative that companies implement internal controls to monitor, detect, and prevent access to sensitive resources to only those individuals that require it to perform their specific job function. The goal of this paper will be to identify high risk areas commonly neglected and to provide some best practice tips to enhance internal security controls.
Incident Handlers Guide to SQL Injection Worms
Justin Folkerts - June 18, 2009
This paper seeks to demystify an innovative type of attack known as a SQL Injection Worm.
Virtual Rapid Response Systems
Chris Mohan - June 11, 2009
This paper aims to provide organizations with a quick and effective response to IT security breaches at remote locations with a virtual response platform.
The SirEG Toolkit
François Bégin - April 23, 2009
This paper provides the reader an overview of the SirEG Toolkit, then discusses the type of data it captures on a suspicious host and more importantly, how that data is captured.
A Guide to Encrypted Storage Incident Handling Masters
Wylie Shanks - April 9, 2009
Encrypted storage solutions provide confidentiality of data; however, they have also created a need for effective incident response. Privacy legislation and regulatory compliance mandates are increasingly driving encrypted storage solution deployments. This document provides incident handlers with a few tools and processes in order to respond effectively to incidents involving encrypted storage solutions.
Security Incident Handling in Small Organizations
Glenn Kennedy - December 16, 2008
Considerable research has been accomplished, with a focus on the steps necessary to create and organize an Incident Handling Team in large organizations, but the resources required for such a project do not scale down to anything usable by the Small Business community. This paper reviews current best practices in the security community, and proposes a compromise that scales these steps into something workable and acceptable to the SB community. The paper also references SANS checklists to assist the SB owner step through the processes before, during, and after a security incident, along with literature, vendor, and tool resources.
Intrusion Detection Likelihood: A Risk-Based Approach
Blake Hartstein - November 5, 2008
The goal of this paper is to highlight the useful aspects of Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS).
Tips for Making Security Intelligence More Useful Masters
Mason Pokladnik - October 9, 2008
Trends and incidents show us when security is working. When security is failing to meet the organizations intended goal of reducing risk, we have to reevaluate our controls with the benefit of new security intelligence information. Just imagine what improvements could be made if we spent anywhere near the effort investigating the security implications of IT projects as we do the compliance issues.
Expanding Response: Deeper Analysis for Incident Handlers Masters
Russ McRee - October 9, 2008
Most incident handlers likely have a toolkit theyre fond of that, in all probability, contains tools most handlers are familiar with. It is the intent of this paper to expand common horizons and discuss tools that may not readily appear in a typical toolkit.
An approach to the ultimate in-depth security event management framework
Nicolas Pachis - June 23, 2008
"SANS 504: Hacker Techniques, Exploits and Incident Handling" illustrates the six steps to the incident handling process: preparation, identification, containment, eradication, recovery and lessons learned. This incident response system is derived from the SANS booklet, "Computer Security Incident Handling Step by Step: A Survival Guide for Computer Security Incident Handling". The two phases we want to take a look at in this paper are preparation and identification. While the other steps are important for the continuation of the business processes for your group, paying close attention during the preparation and identification phases can speed up your response time to an incident.
Mining gold... A primer on incident handling and response Masters
Stacy Jordan - June 23, 2008
Incident handling and response is a key area in the IT security arena. As a part of the GIAC GOLD program, several outstanding papers on the subject have been generated. This paper has collected information from those papers to serve as basic for future research. Topical areas in the paper include: defining what a incident is, incident handling process, how to create a computer incident response team and tools/resources for supporting incident handlers.
- Creating and Maintaining Policies for Working with Law Enforcement Masters Tim Proffitt - May 21, 2008
- Incident Handling for SMEs (Small to Medium Enterprises) Terry Morreale - May 20, 2008
Breach Notification in Incident Handling
Jeffery Buffington - March 4, 2008
This document will provide the IT professional with a general understanding of what "breach notification" is, and demonstrate some of the variety found among the legal requirements for actually conducting notification. In addition, this document will identify some of the tools currently available that may assist an incident handler with determining what data may have actually been exposed, and offer suggested means of conducting the actual notification.
Espionage - Utilizing Web 2.0, SSH Tunneling and a Trusted Insider
Ahmed Abdel-Aziz - February 11, 2008
Since the threat trend is moving from large number and unfocused attacks to fewer, highly targeted and financially motivated attacks [Kinghorn 2007], Espionage security incidents are naturally expected to be on the rise. Through the technical report, I hope to demonstrate to the readers an example of how social networking sites that are becoming evermore popular can aid an attacker [Walls 2007], especially in the reconnaissance and exploit stages of the attack. Also highlighting the danger of the improper use of the SSH reverse tunneling technique, and how important it is to have security policy that users are aware of and follow.
Baselines and Incident Handling
Chris Christianson - January 29, 2008
Preparation is an important part of the incident handling process (SANS, n.d.); it is the only part of the process that an incident handler can do ahead of time. Preparing well can help an incident handler to identify and respond to an incident more quickly. It can also help him or her to be more efficient throughout the entire incident handling process.
Documentation is to Incident Response as an Air Tank is to Scuba Diving
Chet Langin - December 11, 2007
That IP address you just traced may result in a search warrant, an arrest, and court action. Can your documentation justify these actions, and is it ready for scrutiny? Even routine vulnerability scans and bot incidents can have unexpected results. Getting it done right the first time saves effort in the long run, preserves requisite credibility, and can save face, possibly even your job.
Multi-Tool DVD Sets: An important addition to the Incident Handler/ Pen Tester's toolkit
Jamal Bandukwala - November 20, 2007
This paper will aid the incident handling and security community by explaining and demonstrating forensically sound processes to create a powerful multi session DVD. This can be customized to contain several of the most popular Linux live CDs and a second DVD/CD that contains other tools that may not be contained on the live multi session DVD.
Creating and Managing an Incident Response Team for a Large Company Masters
Timothy Proffitt - July 18, 2007
Using good communication skills, clear policies, professional team members and utilizing training opportunities, a company can run a successful incident response team.
An Incident Handling Process for Small and Medium Businesses Masters
Mason Pokladnik - June 18, 2007
This paper's intention is to assist you in getting an incident response capability off the ground in a SMB environment by analyzing some of the constraints of a smaller corporate environment.
International Cybercrime Treaty: Looking Beyond Ratification
Daniel Robel - March 28, 2007
For the purposes of this paper, a global incident can be defined as an incident involving the computers, network, or assets of more than one nation-state. An incident implies harm or the attempt to harm. The term incident refers to an adverse event in an information system and/or network or the threat of the occurrence of such an event.
Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics Masters
Ricky Smith - February 9, 2007
One of the first things that an incident handler takes for a potential computer incident is verifying that an incident has actually occurred. As part of the verification process, the incident handler will need to examine the system looking for the evidence of the incident.
Secure File Deletion: Fact or Fiction?
John Mallery - January 18, 2007
This paper will deal with how and where some of these files are created and how to securely remove them from a system.
Malware 101 - Viruses
Aman Hardikar - June 15, 2006
This paper provides new insights into establishing Incident Handling procedures for dealing with various types of malware. It also aims to give a detailed perspective into the various types of malware or malicious software and their propagation mechanisms.
Incident Management 101 Preparation & Initial Response (aka Identification)
Robin Dickerson - January 17, 2005
According to SANS, there are six steps involved in properly handling a computer incident: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Incident Management 101 provides guidelines, procedures, and tools designed to assist security specialists with the first two phases of Incident Management Preparation and Initial Response (aka Identification phase).
Reporting Incidents to an ISP with BlackICE ClearICE Report Utility and the Importance of Submitting Firewall Logs to the Dshield.org Project
Victor Arnaud - March 9, 2004
This practical has two objectives: guide users of BlackICE to report incidents to their ISPs (using ClearICE Report Utility) and show users the importance of submitting firewall logs to the dshield.org project.
Implementing a Computer Incident Response Team in a Smaller, Limited Resource Organizational Setting
Mary Hall - October 31, 2003
Development and implementation of a Computer Incident Response Team is a major undertaking in any organization.
Windows Responders Guide
Koon Tan - October 31, 2003
This paper provides the first responder guide to handle incident occur on a Windows platform system.
Building an Incident Response Program To Suit Your Business
Tia Osborne - October 31, 2003
The purpose of this paper is to outline the key concepts of an Incident Response Program (IRP).
Developing a Computer Forensics Team
Christine Vecchio-Flaim - October 31, 2003
Efforts to establish sound information assurance programs are rapidly evolving due to increased connectivity, enhanced technology, and the continuous introduction of operating and application systems software.
Proposed Conceptual Tools for Managing Cost and Complexity When Securing Networks
Kathleen Howard - October 31, 2003
This paper will describe the cost and complexity issues facing security professionals, outline the desired outcome in facing these issues, and finally will suggest initial proposals for reaching those goals.
Identify Intrusions with Microsoft Proxy Server, Web Proxy Service and WinSock Proxy Service Log Fil
Saundra Coward - October 31, 2003
This paper provides a guide on how to identify intrusions using Microsoft's Proxy Server log files.
Nailing the Intruder
Vinay Disley - October 31, 2003
This paper is an attempt to link the various aspects of evidence relating to computer crime, the sources of such evidence and some tips on how to identify systems compromised and cull out evidence from the same.
Reporting Unauthorized Intrusions: A "How To" Guide
Melton Roland - October 31, 2003
This paper provides a "how to" guide for reporting unauthorized intrusions.
The Enemy Within: The Role of the Security Administrator in Apprehending and Terminating the Malicio
Robin Stuart - October 31, 2003
The following information is set forth to generally describe the tools available to security administrators to facilitate the apprehension and participate in the resolution of internal threats to your organization's sensitive or restricted resources.
Successful Partnerships for Fighting Computer Crime
Beth Binde - October 31, 2003
Given the wide range of possible criminal activities in the high technology arena, computer security officers need to be prepared to respond to computing incidents that are not only against the local acceptable use policy for computers and networks, but also violate federal, state or local statutes.
Information Security: Handling Compromises
Craig Bowser - October 31, 2003
While the corporate sector may not be guarding national secrets, they are protecting valuable information such as trade secrets, financial documents and personal information.
Collection and Dissemination of Computer and Internet Security Related Information
Scott Fox - October 31, 2003
Ongoing advances in technology and the growth of the Internet are introducing not only an increase in the number of vulnerabilities being found, but also an increase in the complexity of system administration, incident handling and forensic analysis work.
Adventures in Computer Forensics
Diana Michaud - October 31, 2003
Computer forensics is one piece to the investigative puzzle.
CodeRed II: Incident Handling Process and Procedures
Michael Goodwin - October 31, 2003
This paper uses the CodeRed II virus as a template to generate questions to help you better prepare for the next virus outbreak.
Building a Low Cost Forensics Workstation
Matthew McMillon - October 31, 2003
This paper will outline the fundamentals of computer forensic investigation and then, based on these essentials, create requirements for a low cost forensics workstation for use in electronic investigations.
Investigating an Internal Case of Internet Abuse
Mal Wright - October 31, 2003
I was recently required to investigate an incident of Internet abuse and this essay describes the detection, investigation and various tools used to collect the evidence.
Computer Incident Response Team
Michelle Borodkin - October 31, 2003
This paper is designed to answer the big questions about Computer Incident Response Teams including: What is a CIRT? Who should be on a CIRT and what function will they serve? And, What steps need to be taken to implement a CIRT?
Incident Response and Creating the CSIRT in Corporate America
Chris Thompson - October 31, 2003
The purpose of this document is to discuss implementing a formal incident response organization.
An Overview of Disk Imaging Tool in Computer Forensics
Madihah Saudi - October 31, 2003
The objective of this paper is to educate users on disk imaging tool, issues that arise in using disk imaging, offer recommended solutions to these issues and examples of disk imaging tool.
Combating Computer Crime
Jason Upchurch - October 31, 2003
Computer crime and computer related crimes are growing areas of concern for both law enforcement and businesses alike.
Corporate Incident Handling Guidelines
David Theunissen - October 31, 2003
If you are a large multinational corporation without a large security function, this paper will help you approach some of the common problems in preparing incident handling procedures.
From Events to Incidents
Charles Pham - October 31, 2003
This paper is an attempt at clarifying "events" and "incidents" for training purposes so that effective filtering can be apply when it come to reporting an incident.
Computer Forensics: Introduction to Incident Response and Investigation of Windows NT/2000
Norman Haase - October 31, 2003
The purpose of this paper is to be an introduction to computer forensics.
Computer Forensic Legal Standards and Equipment
Damian Tsoutsouris - October 31, 2003
Computer Incident Response Teams (CIRTs), network security, and intellectual property (IP) security are growing in importance and are becoming many companies' top priority in this age of increased security conscious commerce
One Incident Of Remediating The CRC 32 sshd1 Vulnerability
Rebecca Sander - October 31, 2003
The purpose of this paper is to document the process I used to respond to the CRC32 sshd1 vulnerability.
Deterring Cyber Attacks
Christy Bilardo - October 31, 2003
This paper provides a Strengths, Weaknesses, Opportunities and Threats [SWOT] Analysis to help you analyze three alternatives and recommend the best one to upper management.
The Coroners Toolkit - In depth
Clarke Jeffris - October 31, 2003
In this paper describes evidence gathering on a Unix system using 'The Coroners Toolkit' version 1.09 hereafter referred to as TCT.
Computer Forensics - We've Had an Incident, Who Do We Get to Investigate?
Karen Ryder - October 31, 2003
So how does a manager (IT or not) decide how to investigate an incident? This paper's aim is to provide Australian managers with a basis to make this decision by providing an insight into computer forensics and evidence handling, and giving advantages and disadvantages for each option.
What You Don't See On Your Hard Drive
Brian Kuepper - October 31, 2003
This paper will address the issue of retrieving data that has been deleted and hidden access and control of your computer, looking at the recent development of rootkits designed for Microsoft Windows operating systems.
Forgetting to Lock the Back Door: A Break-in Analysis on a Red Hat Linux 6.2 Machine
Gary Belshaw - October 31, 2003
This document is intended to highlight the steps taken in ascertaining the level of damage done in a network break-in (or hack attack) on our system, and the steps taken in rectifying the damage.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.