FREE Purple Team Summit | May 24-25: Explore collaboration approaches that maximize value of red and blue teams. Register now!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 3,130 original computer security white papers in 111 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Vulnerability Management Blueprint for the Clinical Environment SANS.edu Graduate Student Research
    by Adi Sitnica - April 14, 2021 in HIPAA

    The industry-standard vulnerability management process is largely inapplicable within clinical settings. Unique medical industry-specific devices and other complexities and limitations, such as vendor-owned and managed systems and regulated and other non-standard hardware, limit the general effectiveness of the process. This document explores a standard clinical footprint and provides guidance (or a 'blueprint') to further developing and maturing the vulnerability management operational model for clinical settings, with the primary goal of risk reduction within the confines of a clinical environment.


  • SANS 2021 Cloud Security Survey Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 13, 2021 in Security Awareness, Security Trends

    This SANS survey explored the types of services organizations are using, what types of controls and tools provide the most value, and how effective cloud security brokering is for a range of use cases.


  • A Multi-leveled Approach for Detection of Coercive Malicious Documents Employing Optical Character Recognition SANS.edu Graduate Student Research
    by Josiah Smith - April 8, 2021 in Intrusion Detection

    Authors of malicious documents often include a graphical asset used to lure the potential victim to "enable editing" and to "enable content" to activate the macro's embedded logic. While these graphical lures vary in theme, language, and content, they commonly have similar coercive text. Using Optical Character Recognition to produce text files of the images provides the ability to anchor the images' contents. While attackers have been known to intentionally manipulate images to bypass OCR-based detection, some additional techniques can surface the textual contents. Optical Character Recognition can be utilized to track, pivot, and cluster malicious campaigns, identify new TTPs, and possibly provide attribution against adversaries.


  • How to Architect a Security-Driven Networking Strategy in the AWS Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 5, 2021 in Network Access Control, Cloud Security

    As organizations shift more resources to the cloud, defenses have grown organically along with the increase in size and complexity of networks. Today, a new model of security-driven networking, known as security-driven layered defense, is helping organizations create a strong set of proactive layered network defenses. In this whitepaper, SANS analyst Dave Shackleford explains how security teams are using this model to strengthen their network defenses and describes the capabilities and features they should consider when designing a robust, cloud-centered network security strategy.


  • Network Security: Protecting Your Organization Against Supply Chain Attacks Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 31, 2021 in Threat Hunting, Threats/Vulnerabilities

    Recent supply chain attacks have proven that third parties are an unexpected, yet trusted, entry vector into an organization. By utilizing legitimate methods to breach an organization, threat actors can hide under the radar with escalated privileges. Furthermore, attackers have shown that they are security-savvy, knowledgeable of enterprise defenses and their workarounds. Enterprise defense should be structured around BOTH system and network data; without, you will never see the full picture. With this webcast, we will outline NDR capabilities and how bringing endpoint and network together will prove to be a one-two punch to bring down even advanced attackers. We will specifically outline how to mitigate common third-party attack surfaces, what could have been done differently in the wake of the attack, and have the recent attacks provided enough reason to consider changes in implementation.


  • Pentest as a Service with Cobalt Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 16, 2021 in Penetration Testing, Threats/Vulnerabilities

    What if organizations could turn external penetration testing into an interactive experience they could use to regularly evaluate and increase their security posture? It is possible. SANS instructor Matt Bromiley reviews Cobalt's "pentest as a service" platform, an experience he describes as "an information security experience unlike many others"--but in a good way. In this paper, Bromiley examines using Cobalt to schedule, perform, interact with, and act upon penetration testing results. And more.


  • SANS 2021 Endpoint Monitoring in a Dispersed Workforce Survey Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 15, 2021 in Security Awareness, Security Trends

    Past SANS surveys show that endpoints serve as some of the most common points to launch an attack more deeply into a targeted organizations network. Our 2021 survey investigates how effectively organizations are (or are not) using solutions that offer auditing or advanced endpoint detection and response (EDR) capabilities.


  • Missing SQLite Records Analysis by Shafik G. Punja and Ian Whiffin - March 12, 2021 in Forensics

    This article will specifically discuss the identification of missing records, within the SQLite database in its use as an application file format. The various analysis tools that will be used to analyze missing records within SQLite databases will be noted throughout the article. The authors are working from the premise that recovery of deleted, partially recoverable, or wholly intact recoverable records, is no longer viable. What will not be covered is the explanation on the various methods to recover deleted records. For that we direct you to the only textbook on this subject authored in 2018 by Paul Sanderson, titled, SQLite Forensics.


  • Insider Threat The Theft of Intellectual Property in Windows 10 by Eduard Du Plessis - March 11, 2021 in Forensics

    The prevalence of the theft of intellectual property investigations has grown over the past years and when investigated it will most likely be on a Windows 10 machine. It is important to have a clear framework on how to approach and execute such an investigation accurately and timeously. In this paper we will identify and analyse important Windows 10 artefacts that will reveal the user, the file and folders opened, applications used and the location of the files and folders. These artefacts are LNK (Link) Files, Jump Lists, Shell Bags, Prefetch files, USB connections and Network Mappings. We will demonstrate how to acquire and analyse these artefacts using a set of lightweight and powerful digital forensic software tools that are also affordable. The reader will find that by systematically analysing and correlating artefact events a timeline can be build that tells a story.


  • Malware Detection in Encrypted TLS Traffic Through Machine Learning SANS.edu Graduate Student Research
    by Bryan Scarbrough - March 10, 2021 in Artificial Intelligence

    The proliferation of TLS across the Internet leads to a safer environment for the end user but a more obscure setting for the network defender. This research demonstrates what can be learned using Machine Learning analysis of TLS traffic without decryption. It applies a novel approach to TLS analysis by analyzing data available in the unencrypted portion of the handshake combined with Open-source Intelligence (OSINT) data about Internet Protocol (IP) addresses and domain names. The metadata is then analyzed using three different machine learning algorithms: Support Vector Machine (SVM), One-Class SVM (OC-SVM), and an Autoencoder Neural Network. This research also addresses the imbalanced data distribution between malicious and benign traffic with the OC-SVM and the Autoencoder Neural Network. Finally, this research demonstrates that when using the correct header data the SVM and OC-SVM classify malware with a more than 99% F2 score and the Autoencoder approximately 95% F2.


  • Remote Workforce Impact on Threat Defenses SANS.edu Graduate Student Research
    by Sean Goodwin - March 10, 2021 in Clients and Endpoints, Home & Small Office, Telecommuting

    As organizations embrace remote work, the defensive security posture needs to be re-examined to effectively address threats while facing new or different constraints and tools. This paper investigates the prevention and detection control effectiveness against the known adversary Tactics, Techniques, and Procedures (TTPs) documented within the MITRE ATT&CK (R) taxonomy in a remote working (work from home, WFH) environment.


  • Hunting in Network Telemetry Analyst Paper (requires membership in SANS.org community)
    by Christopher Crowley - March 5, 2021 in Threat Hunting, Threats/Vulnerabilities

    An extension of Chris Crowley's 2020 paper "20/20 Vision for Implementing a Security Operations Center" about technology deployment of the triad of host, network, and correlation capabilities; this webcast will outline how Vectra enables hunting within network telemetry data. Hunting is looking at data available throughout the environment with the assumption that previously developed detection engineering has failed, yet compromise relevant data is present. Hunting is different from investigation as it does not begin with an indicator, rather it starts with a hypothesis. Hunting presumes latent, undiscovered compromise. With this in mind, we'll discuss how Vectra can be used to identify problematic systems based on unexpected or unauthorized network activity. Specifically, this webcast will focus on using the Vectra tool for initial discovery. (The next webcast in the series will be held April 28th and will cover discovering the scope of the intrusion after the discovery of a compromise.)


  • Preventing Windows 10 SMHNR DNS Leakage SANS.edu Graduate Student Research
    by Robert Upchurch - March 3, 2021 in DNS Issues

    Microsoft enables Smart Multi-Homed Name Resolution (SMHNR) by default, sending name lookups out of all the connected interfaces for all configured name resolution protocols: DNS, LLMNR, and NetBIOS over TCP/IP (NetBT). Research on the effect that SMHNR has on DNS behavior showed that several users were concerned with DNS leakage ("DNS Leaks," 2017). DNS leakage is where unauthorized parties can observe, intercept, and possibly tamper with the name lookups or the lookup responses. Users were also frustrated by operational issues, such as attempting to resolve a private network hostname and receiving no response, a slow response, or an incorrect response while connected to a VPN ("Windows 10", 2015). This frustration led to users attempting to disable SMHNR ("Turn Off," 2021), but it did not always resolve the issue. The process to disable SMHNR varied based on the edition of Windows used, so the goal was to investigate the effect of SMHNR on DNS behavior and pursue an edition agnostic, native operating system method to mitigate that effect. Testing revealed that Name Resolution Policy Table (NRPT) rules provided a simple, scalable, and agile mechanism for controlling DNS client behavior that was effective across the multiple editions of Windows and worked irrespective of whether SMHNR was on or off.


  • A Forensic Analysis of the Encrypting File System by Ramprasad Ramshankar - February 24, 2021 in Forensics

    EFS or the Encrypting File System is a feature of the New Technology File System (NTFS). EFS provides the technology for a user to transparently encrypt and decrypt files. Since its introduction in Windows 2000, EFS has evolved over the years. Today, EFS is one of the building blocks of Windows Information Protection (WIP) - a feature that protects against data leakage in an enterprise environment (DulceMontemayor et al., 2019). From the attacker's perspective, since EFS provides out-of-the-box encryption capabilities, it can also be leveraged by ransomware. In January 2020, SafeBreach labs demonstrated that EFS could be successfully used by ransomware to encrypt files and avoid endpoint detection software (Klein A., 2020). The purpose of this paper is to provide security professionals with a better understanding of artifacts generated by EFS and recovery considerations for EFS encrypted files.


  • Unpacking the Hype: What You Can (and Can't) Do to Prevent/Detect Software Supply Chain Attacks Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - February 24, 2021 in Breaches, Intrusion Detection, Intrusion Prevention

    This paper focuses on the SolarWinds compromise and what it can teach us about detecting software supply chain compromises.


  • The Strategic Value of Passive DNS to Cyber Defenses and Risk Management Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 22, 2021 in Intrusion Detection, DNS Issues, Incident Handling, Intrusion Prevention, Security Trends

    Passive DNS has come to play a significant role in the realm of information security—and not just due to its mission-critical status for domain name resolution. This paper explores how passive DNS may help detect and prevent many attacks that other security tools cannot.


  • Achieving NIST 800-53v5 Compliance with FortiGate: An Implementation Guide Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - February 22, 2021 in Network Security, Risk Management, Standards

    Designed as a companion paper to “Architecting For Compliance: A Case Study in Mapping Controls to Security Frameworks,” this implementation guide seeks to show those considering deploying a FortiGate appliance in their networks whether a NIST 800-53v5 control family (or individual control) can be supported through the proposed deployment. For those who have already deployed a FortiGate appliance, this implementation guide can be used as a tool to validate that the organization is getting the best value possible from the deployment.


  • Architecting for Compliance: A Case Study in Mapping Controls to Security Frameworks Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - February 22, 2021 in Network Security, Risk Management, Standards

    SANS reviewed Fortinet’s FortiGate product to test and highlight features and to identify how those features align with NIST 800-53v5 controls. This paper is intended to assist those considering the FortiGate product family—as well as those who may be unfamiliar with FortiGate—to understand its capabilities and how it will help them achieve their NIST 800-53v5 compliance goals. This is a companion paper to “Achieving NIST 800-53v5 Compliance with FortiGate: An Implementation Guide”.


  • Improving Incident Response Through Simplified Lessons Learned Data Capture SANS.edu Graduate Student Research
    by Andrew Baze - February 17, 2021 in Incident Handling

    The Lessons Learned portion of the cybersecurity incident response process is often neglected, resulting in unfortunate missed opportunities that could help teams mature, identify important trends, and improve their security. Common incident handling frameworks and compliance regimes describe time-consuming and relatively complex processes designed to capture these valuable lessons. While an extensive and resource-heavy process may be necessary in some cases, it is often difficult for incident response teams to dedicate sufficient time to capture this lesson data at the end of an incident. Dedicating time is even more difficult when the team is simultaneously handling other incidents. This paper addresses the planning and implementation of a simplified approach to capturing Lessons Learned data at any time, as opposed to at the conclusion of an incident. This approach includes a tagging schema and demonstrates how identification of lesson type, sub-type, and associated work items can provide valuable data to further an organization's original Lessons Learned goals.


  • Build and Automate an Effective Zero Trust Network with Secure Workload by Cisco Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 16, 2021 in Network Security, Security Trends

    This paper reviews the most recent update to Cisco's Secure Workload (formerly Tetration), a hybrid workload protection platform that can help implement zero trust segmentation and access control. Our review noted a shift from a pure micro-segmentation and zero trust discovery and access control platform to a more multifaceted security operations system.


  • Collection and Analysis of Serial-Based Traffic in Critical Infrastructure Control Systems SANS.edu Graduate Student Research
    by Jonathan Baeckel - February 11, 2021 in Industrial Control Systems / SCADA

    There is a blind spot the size of a 27-ton, 2.25-megawatt maritime diesel generator in the world's critical infrastructure control system (CICS) landscape. Compared to typical IT systems, CICSs are composed of a much larger ratio of non-routable traffic, such as serial-based Fieldbus communications, than their IT-based brethren, which almost exclusively rely on TCP/IP-based traffic. This traffic tells field devices to take actions and reports back process status to operators, engineers, and automated portions of the process. As vital as it is to the process, this specialized traffic is routinely ignored by Operational Technology (OT) architects and analysts charged with defending this type of system. They tend to favor a TCP/IP only approach to traffic collection and analysis that is more geared toward an IT-only environment. This paper analyzes Stuxnet to determine the effect that serial communication monitoring and analysis may have on the situational awareness of such an event. It will pose several questions. Could the attack have been detected without the availability of known Indicators of Compromise (IoC)? Would the attack have been detected sooner? Would there have been no effect at all? This information may help organizations pursue a risk-based approach to architecting a CICS traffic collection and analysis system.


  • Cloud Security Monitoring on AWS by Sherif Talaat - February 8, 2021 in Cloud Security, Secure Monitoring

    Cloud services adoption is growing massively year over year. In most cases, moving to the cloud decision is driven by cost optimization goals. Organizations usually start the cloud journey with the lift-and-shift approach, migrating the datacenter as-is, including the security services and controls, even the physical appliances, to the equivalent virtual appliances from the respective vendor. In some cases, the security controls used on- premises are not as effective with cloud services. Moreover, in some other cases, it can be expensive as well. This paper illustrates Amazon Web Services (AWS) security services a security professional can use to aid the cloud service's continuous security monitoring operations.


  • How to Build an Effective Cloud Threat Intelligence Program in the AWS Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 1, 2021 in Cloud Security, Threat Intelligence

    Threat intelligence can play a major role in improving the state of security incident-handling operations, either through proactive threat hunting activities or during active investigations based on detection scenarios. But threat intelligence can mean different things to different organizations. In this whitepaper, SANS analyst Dave Shackleford shows you how to customize your CTI program to your organization's processes and workflows as well as how to invest in security solutions that reduce risk and accelerate the resolution of security events with actionable context and minimal noise.


  • Using Deep Instinct for Cyberthreat Prevention Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - January 29, 2021 in Clients and Endpoints, Intrusion Detection

    Although not an endpoint detection and response (EDR) tool, Deep Instinct does provide some features that stray into the EDR space and takes a fundamentally different approach to detection than traditional EPP. This paper reviews this platform and highlights use cases as applicable.


  • How Sweet It Is: A Comparative Analysis of Remote Desktop Protocol Honeypots SANS.edu Graduate Student Research
    by Lauri Marc Ahlman - January 28, 2021 in Active Defense

    Remote Desktop Protocol (RDP) and other remote administrative services are consistently targeted by attackers seeking to gain access to protected systems. Honeypots are a valuable tool for network defenders to learn about attacker tools and techniques. This paper proposes an architecture for an RDP honeypot running on a Linux host. The proposed solution includes a capability to replay RDP sessions and observe attacker activity and keystrokes. Further, this paper presents a comparative analysis between this proposed solution and an RDP honeypot using the open-source project PyRDP (Gonzalez, 2020) which is represented as a Windows environment.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.