Choose from 10 Cyber Security Courses at SANS Chicago 2018. Save $400 thru 6/27.

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,790 original computer security white papers in 106 different categories.

Latest 25 Papers Added to the Reading Room

  • Cloud Security: Are You Ready? Analyst Paper
    by Dave Shackleford - June 18, 2018 in Application and Database Security, Best Practices

    As more midsize organizations move into the cloud, security professionals may wonder why cloud security seems difficult. More than likely, the real security challenge is the perceived loss of control. Numerous security best practices plus improved security products and services now exist. This short paper takes a look at some of the key elements and best practices for midsize enterprises looking to ensure security in their cloud implementations.


  • Windows 10 as a Forensic Platform STI Graduate Student Research
    by Ferenc Kovacs - June 15, 2018 in Forensics

    Microsoft Windows is widely used by forensic professionals. Windows 10 is the latest version available today. Many popular forensic packages such as FTK, Encase, and Redline are only running on Windows. Other packages such as Python, Volatility, The Sleuth Kit and Autopsy have Windows versions. This paper will detail the process of configuring a Windows 10 computer as a forensics investigation platform. It will show the necessary steps to set up the operating system, install Windows Subsystem for Linux, Python, VMware, and VirtualBox. The research will examine the setup of dd.exe, FTK Imager, Encase Forensic Imager, Redline, The Sleuth Kit, Autopsy, the SANS SIFT workstation, Volatility and Log2Timeline. This research will also highlight the external devices that will be used such as write blockers and external drives. Metrics will be collected to show the effectiveness of the software tools and hardware devices. By following the described steps, the reader will have a configured Windows 10 workstation that provides a useful platform for conducting forensic investigations.


  • Stopping IoT-based Attacks on Enterprise Networks Analyst Paper
    by G. W. Ray Davidson - June 14, 2018 

    The increased use of IoT devices on business networks presents an growing challenge to security, and printers are an especially overlooked device from a security perspective. This paper examines specific attack areas for IoT devices, particularly printers, including data, management, monitoring and reporting, and make recommendations for protecting against various attacks.


  • Endpoint Protection and Response: A SANS Survey Analyst Paper
    by Lee Neely - June 12, 2018 in Clients and Endpoints

    Respondents have a vested interest in improving visibility, detection and response through more automated, integrated endpoint protection, detection and response technologies. In this survey, 84% of endpoint breaches included more than one endpoint. Desktops, laptops, server endpoints, endpoints in the cloud, SCADA and other IIoT devices are being caught in the dragnet of multi-endpoint breaches. Read on for more detail, best practices and advice.


  • Back to Basics: Building a Foundation for Cyber Integrity Analyst Paper
    by Barbara Filkins - June 6, 2018 in Security Awareness

    File integrity is at the heart of maintaining a secure cyber profile. But cyber security must also protect system integrity--the state of the infrastructure (encompassing applications, endpoints and networks) where intended functions must not be degraded or impaired by other changes or disruptions to its environments. This SANS Spotlight explores how cyber integrity weaves people, processes and technology together into a holistic framework that guards the modern enterprise against changes, whether authorized or unauthorized, that weaken security and destabilize operations.


  • Passive Analysis of Process Control Networks by Jennifer Janesko - June 1, 2018 in Intrusion Detection, Industrial Control Systems / SCADA, Tools

    In recent years there has been an increased push to secure critical ICS infrastructures by introducing information security management systems. One of the first steps in the ISMS lifecycle is to identify which assets are present in the infrastructure and to determine which ones are critical for operations. This is a challenge because, for various reasons, the documentation of the current state of ICS networks is often not up-to-date. Classic inventorying techniques such as active network scanning cannot be used to remedy this because ICS devices tend to be sensitive to unexpected network traffic. Active scanning of these systems can lead to physical damage and even injury. This paper introduces a passive network analysis approach to starting, verifying and/or supplementing an ICS asset inventory. Additionally, this type of analysis can also provide some insight into the ICS network’s current security posture.


  • Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules by Hirokazu Murakami - May 27, 2018 in Malicious Code

    Today, a lot of malware is being created and utilized. To solve this problem, many researchers study technologies that can quickly respond automatically to detected malware. Using artificial intelligence (AI) is such an example. However, modern AI has difficulty responding to new attack methods. On the other hand, malware consists of variants, and the root (core) part often uses the same technology. Therefore, I think that if we can identify that core part of malware through analysis, we can identify many variants as well. Consider the possibility of reverse engineering to identify countermeasures from malware analysis results.


  • Hunting Threats Inside Packet Captures by Muhammad Alharmeel - May 23, 2018 in Threat Hunting

    Inspection of packet captures -PCAP- for signs of intrusions, is a typical everyday task for security analysts and an essential skill analysts should develop. Malwares have many ways to hide their activities on the system level (i.e. Rootkits), but at the end, they must leave a visible trace on the network level, regardless if it's obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace, dissect it using Bro Network Security Monitor (Bro) to facilitate active threat hunting in an efficient time to detect possible intrusions.


  • Extracting Timely Sign-in Data from Office 365 Logs by Mark Lucas - May 22, 2018 in Logging Technology and Techniques

    Office 365 is quickly becoming a repository of valuable organizational information, including data that falls under multiple privacy laws. Timely detection of a compromised account and stopping the bad guy before data is exfiltrated, destroyed, or the account used for nefarious purposes is the difference between an incident and a compromise. Microsoft provides audit logging and alerting tools that can assist system administrators find these incidents. An examination of the efficacy and efficiency of these tools and the shortcomings and advantages provides insight into how to best use the tools to protect individual accounts and the organization as a whole.


  • Methods for the Controlled Deployment and Operation of a Virtual Patching Program STI Graduate Student Research
    by William Vink - May 20, 2018 in Threats/Vulnerabilities

    In today’s rapidly changing IT environments, new vulnerabilities are identified at an increasing pace and attackers are becoming more sophisticated in their ability to exploit these vulnerabilities. At the same time, systems have become more complex and are still used in conjunction with older technologies which results in challenges in testing and deploying traditional patches.


  • Automated Detection and Analysis using Mathematical Calculations by Lionel Teo - May 17, 2018 in Intrusion Detection

    A compromised system usually shows some form of anomalous behaviour. Examples include new processes, services, or outbound traffic. In an ideal environment, rules are configured to alert on such anomalies, where an analyst would perform further analysis to determine a possible compromise. However, the real-world situation is less than ideal; new processes, outbound traffic, or other anomalies often blend into legitimate activities. A large network can generate terabytes of data daily, causing the task of developing efficient detection capabilities a bit challenging. Mathematical calculations can enhance detection capability by emulating the human confidence level on assessment and analysis. Mathematical analysis can help understand the context of the event, establishing fidelity of the initial investigation automatically. By incorporating automated analysis to handle false positives, human errors and false negative can be avoided, resulting in a greater detection and monitoring capability.


  • Automate Threat Detection and Incident Response: SANS Review of RSA NetWitness Platform Analyst Paper
    by Ahmed Tantawy - May 10, 2018 in Intrusion Detection

    In a recent SANS survey, approximately 35 percent of respondents said their greatest impediment is a skills gap in their IT environments. With that in mind, we reviewed RSA NetWitness Platform, a solution that aims to bridge the human skills gap via machine learning and analytics. This review focuses on RSA NetWitness Platform and examines different views, from responding to an incident to performing an investigation and drilling down to see an activity in real time.


  • 10 Endpoint Security Problems Solved by the Cloud Analyst Paper
    by Deb Radcliff - May 4, 2018 in Best Practices, Threats/Vulnerabilities

    SANS surveys and testimonials from IT and security professionals indicate that endpoint security is a challenge. There is too much complexity and cost, defenses aren't keeping up, and security staff is stretched thin. This infographic explores how cloud can help address these issues.


  • Agile Security Patching by Michael Hoehl - May 3, 2018 in Best Practices, Project Management

    Security Patch Management is one of the biggest security and compliance challenges for organizations to sustain. History reveals that many of the large data breaches were successful because of a missing critical security update. Further, the frequency an d scope of patching continue to grow. This paper presents a new approach to security patching following Agile and NIST methodology.


  • Do Random IP Lookups Mean Anything? by Jay Yaneza - May 2, 2018 in Intrusion Detection, Malicious Code

    Being able to identify the external IP address of a network is usually a benign activity. Applications may opt to use online services via an HTTP request or API call. Currently, there are some web-based applications that provide this kind of service openly, and some with possibly malicious uses. In fact, malware threats have been using these services to map out and identify their targets for quite some time to already – an acknowledged fact hidden in technical write-ups but which hold little recognition for an active defender. The goal of looking into these web services is to isolate threats that had abused the network service and identify this kind of network activity. If we can associate an external IP lookup to a suspicious activity, then we would be able to assume that an endpoint requires some form of investigation. Endpoint identification through IP addresses may pose a challenge, but the correct placement of the identification methods proposed in this paper may be considered. This paper will also look into the associated malicious activity that had used online services, the use of such services over time, differentiate the threats that use them, and finally how to detect them using open source tools, if applicable.


  • Tailoring Intelligence for Automated Response Analyst Paper
    by Sonny Sarai - May 2, 2018 in Application and Database Security, Tools

    Overworked and understaffed IT security teams are trying to integrate threat intelligence into their detection, response, and protection processes -- but not very successfully. IT teams need fewer intelligence alerts and more visibility into external threats that matter to their enterprises. SANS Analyst Sonny Sarai discusses his experience reviewing IntSights' Enterprise Threat Intelligence and Mitigation Platform under simulated attack, detection, and remediation scenarios.


  • Back to Basics: Focus on the First Six CIS Critical Security Controls Analyst Paper
    by John Pescatore - May 1, 2018 in Security Trends

    Post-breach investigations reveal that the majority of security incidents occur because well-known security controls and practices were not implemented or were not working as organizations had assumed. This paper explores how Version 7.0 of the Center for Internet Security (CIS) Critical Security Controls addresses the current threat landscape, emerging technologies and tools, and changing mission and business requirements around security.


  • Security Testing and Vendor Selection with BreakingPoint Analyst Paper
    by Serge Borso - April 30, 2018 in Security Modeling

    In this product review conducted by SANS instructor Serge Borso, we learned that BreakingPoint is more than just a network testing tool. BreakingPoint provides a unique solution that enables security assessment, vendor selection and change management. It integrates well and is easy to use. We believe the tool has great value to the security community and specifically larger enterprises in the midst of infrastructure updates and those optimizing information security programs.


  • Understanding Mobile Device Wi-Fi Traffic Analysis by Erik Choron - April 24, 2018 in Intrusion Detection, Mobile Security

    Mobile devices have become more than just a portable vehicle to place phone calls in locations previously deprived of traditional phone service. In addition to versatile phone service, mobile devices include the capability of utilizing the internet through the Mobile Internet Protocol (IP). This can cause a problem whenever a device is roaming through different points of the cellular network. The IP handoff that takes place during the transfer between cellular towers can result in a degraded performance which can possibly impede traffic analysis. A thorough understanding of Wi-Fi traffic and Mobile IP technology could benefit network and system administrators and defenders by heightening awareness in a field that is surpassing more commonly understood technology.


  • Learning CBC Bit-flipping Through Gamification by Jeremy Druin - April 24, 2018 in Penetration Testing, Encryption & VPNs

    Cryptanalysis concepts like CBC Bit-flipping can be difficult to grasp through study alone. Working through "hands-on" exercises is a common teaching technique intended to assist, but freely available training tools may not be readily available for advanced web application penetration testing practice. To this end, this paper will describe CBC bit-flipping and offer instruction on trying this cryptanalysis technique. Also, a CBC bit-flipping game will be provided within the OWASP Mutillidae II web application. Mutillidae is a large collection of deliberately vulnerable web application challenges designed to teach web security in a stand-alone, local environment.


  • Securing the Corporate WLAN in a Healthcare Regulated Organization STI Graduate Student Research
    by Jim Pomeroy - April 6, 2018 in Compliance

    Wireless networks are a crucial component in the technology infrastructures of modern medical practices and have become an enabler of patient services in the healthcare industry. Healthcare organizations deploy wireless diagnostic devices to provide critical information at the point of care. These devices provide data to medical decision-makers in real time to improve patient outcomes. One of the challenges of integrating these new devices and services into the wireless networks of medical practices is wireless network security. Wireless networks have inherent risks, ranging from data leakage to availability issues in the event of a DoS (Denial of Service) attack or outage. It is critical to secure a patient’s personal information termed electronic protected healthcare information (ePHI) at all times. Protecting ePHI is a primary goal in designing wireless networks for a healthcare-focused organization. Wireless implementations must be designed to protect patient health information from breach or theft, while at the same time providing needed services to patients and clients. The primary goal of this research project was to provide a healthcare-focused consulting organization with a secure and compliant wireless network. The network is to enable employee collaboration, facilitate client engagement, and accomplish the primary security goal of protecting the company’s ePHI.


  • Securing the Hybrid Cloud: Traditional vs. New Tools and Strategies A SANS Whitepaper Analyst Paper
    by Dave Shackleford - April 2, 2018 in Cloud Computing, Security Trends

    This paper takes a look at the current state of cloud security and offers specific recommendations for security best practices, including how to use some traditional security tools and emerging solutions, while taking into account typical staffing, technology and other resource issues.


  • Evaluation of Comprehensive Taxonomies for Information Technology Threats STI Graduate Student Research
    by Steven Launius - March 26, 2018 in Threat Intelligence

    Categorization of all information technology threats can improve communication of risk for an organization’s decision-makers who must determine the investment strategy of security controls. While there are several comprehensive taxonomies for grouping threats, there is an opportunity to establish the foundational terminology and perspective for communicating threats across the organization. This is important because confusion about information technology threats pose a direct risk of damaging an organization’s operational longevity. In order for leadership to allocate security resources to counteract prevalent threats in a timely manner, they must understand those threats quickly. A study that investigates categorization techniques of information technology threats to nontechnical decision-makers through a qualitative review of grouping methods for published threat taxonomies could remedy the situation.


  • An Evaluator’s Guide to Cloud-Based NGAV: The SANS Guide to Evaluating Next-Generation Antivirus Analyst Paper
    by Barbara Filkins - March 26, 2018 in Clients and Endpoints, Cloud Computing

    The coupling between NGAV and cloud-based analytics is here. The dynamics of cloud-based analytics, which allow for near-real-time operations, bring an essential dimension to NGAV, disrupting the traditional attack model by processing endpoint activity as it happens, algorithmically looking for any kind of bad or threatening behavior, not just for malicious files. This paper covers how cloud support for NGAVs is changing the game and how to evaluate such solutions.


  • Stopping Advanced Malware, Pre- and Post-Execution: A SANS Review of enSilo's Comprehensive Endpoint Security Platform Analyst Paper
    by Dave Shackleford - March 20, 2018 in Intrusion Detection, Threat Hunting

    Sophisticated malware is the new weapon of choice for criminals and nation states. A multilayered self-defending security solution--agnostic to operating systems, mitigating malware in real-time, enabling pre- and post-execution--is needed to defend against cyber attacks. In this review, SANS Instructor and Analyst Dave Shackleford tests enSilo's response against advanced malware and ransomware threats and explores how enSilo's features can alleviate burden on security staff.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.