
Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,960 original computer security white papers in 110 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the on-demand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Building an Audit Engine to Detect, Record, and Validate Internal Employees' Need for Accessing Customer Data STI Graduate Student Research
    by Jekeon Jack Cha - December 11, 2019 in Digital Privacy

    When using Software-as-a-Service (SaaS) products, customers are asked to store and entrust a large volume of personal data to SaaS companies. Unfortunately, consumers are living in a world of numerous data breaches and significant public privacy violations. As a result, customers are rightfully skeptical of the privacy policies that businesses provide and are looking for service providers who can distinguish their commitment to customer data privacy. This paper examines the viability of building an accurate audit engine to detect, record, and validate internal employees’ reasons for accessing a particular customer’s data. In doing so, businesses can gain clear visibility into their current processes and access patterns to meet the rising privacy demand of their customers.


  • Looking for Linux: WSL Key Evidence STI Graduate Student Research
    by Amanda Draeger - December 11, 2019 in Secure Monitoring

    Microsoft released Windows Subsystem for Linux (WSL) in 2016 to much fanfare, but little research into the security implications of installing this feature followed. This lack of research, and lack of documentation, is a problem for the administrators who want to take advantage of its feature set while monitoring their systems for unusual behavior. Native Windows logging can provide visibility into WSL’s behavior, but there has been no research on which logs can provide this visibility, and what exact information they can provide. This paper examines how to monitor a Windows 10 system with WSL installed for common indicators of malicious activity.


  • Detecting Malicious Authentication Events in SaaS Applications Using Anomaly Detection STI Graduate Student Research
    by Gavin Grisamore - December 11, 2019 in Intrusion Detection

    SaaS applications have been exploding in popularity due to their ease of deployment, use, and maintenance. Security teams are struggling to keep pace with the growing list of applications used in their environment as well as with the process of tracking the data these applications hold. Attackers have been taking advantage of these visibility gaps and have targeted SaaS applications regularly. By using log data from the applications themselves, security teams can use anomaly detection techniques to find and respond to such attacks. Anomaly detection allows security teams to more quickly identify and remedy a data breach by condensing large amounts of data into a shortened list of events that are outliers. The detection techniques used can help security teams respond to or prevent the next data breach.


  • Protecting the User: A Review of Mimecast's Web Security Service Analyst Paper (requires membership in SANS.org community)
    by David Szili - December 11, 2019 in Email Issues, Threats/Vulnerabilities

    The web remains a primary vector for cyberattacks, as either the initiation point or the way to complete the adversaries' mission. In this review, SANS instructor David Szili shares his perspectives on best practices for securing the web in general and his experience using the Mimecast Web Security cloud service in particular.


  • Threat Hunting with Consistency Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - December 8, 2019 in Best Practices, Threat Hunting

  • Threat Hunting and Incident Response in a post-compromised environment
    by Rukhsar Khan - December 3, 2019 in Forensics

    If you give an attacker 100 days to move freely in your compromised environment, the evidence is reasonably strong that your organization is pretty bad at Security Operations (The future of Security Operations). However, repeatedly sending false-positive breach escalations to the forensic team is also problematic. It happens in a lot of large organizations, banks, and government institutions across the globe. This paper starts with an overview of current significant problems identified in Security Operations and Digital Forensics and Incident Response (DFIR) teams and the reasons behind them. Then, we will discuss the solution that encompasses the MITRE ATT&CK framework (MITRE ATT&CK) along with robust Cyber Threat Intelligence (CTI). Appropriate data collection sources for data enrichment, including all Cyber Security threat information expressed in the STIX language, will also be covered. Although the solution includes specific commercial and non-commercial products and tools from various vendors and organizations, we are not necessarily in favor of any. The core implementation of the MITRE ATT&CK framework, however, is performed in the IBM Resilient Security Orchestration, Automation, and Response (SOAR) product.


  • Assisted Security Investigations Using Cognitive Computing
    by Lori Stroud - December 3, 2019 in SOC

    The purpose of this research is to illustrate the application of cognitive computing and machine learning concepts through the building and training of a chatbot that simulates human conversation for cybersecurity investigation scenarios. The SOC chatbot will offer best-practice advisory dialogue to security analysts as they proceed through security incident investigations, thus simulating technical mentorship. As a security analyst progresses through various investigations, they will become more practiced in the recommended and appropriate workflows, gain investigative tool proficiency, and become more confident in handling standalone investigations. The SOC chatbot will serve as a training tool for less experienced analysts and afford more time to upper-tier analysts to respond to escalated security incidents, as they will no longer need to walk through incidents alongside junior analysts. Security analysts serving in a tier 1 SOC role are ideal end-users of the SOC chatbot. As the first line of defense, their primary function is to address SIEM events. They are familiar with basic security concepts, incident ticketing systems, and hold the appropriate level of access for data gathering and external research.


  • How to Build a Threat Hunting Capability in AWS Analyst Paper (requires membership in SANS.org community)
    by Shaun McCullough - December 3, 2019 in Cloud Computing, Threat Hunting

    Threat hunting is more of an art than a science, in that its approach and implementation can differ substantially among enterprises and still be successful. In cloud environments, where the threat landscape is always changing, security teams must know what data to collect and how to analyze it in order to tease out suspicious anomalies. In addition to these topics, this whitepaper walks you through the threat hunting process, describing tools and techniques you can use to find and neutralize threats.


  • 2019 SANS Survey on Next-Generation Endpoint Risks and Protections Analyst Paper (requires membership in SANS.org community)
    by Justin Henderson and John Hubbard - December 2, 2019 in Best Practices, Security Trends

    Past SANS surveys show that endpoints of all types are being breached and used to dig deeper into organizations' networks. Our 2019 Next-Generation Endpoint Survey explores how attack methods and payloads are changing, whether organizations are containing breaches effectively, and more, including recommendations and guidance in addressing these concerns.


  • Catch Me If You Can: Detecting Server-Side Request Forgery Attacks on Amazon Web Services STI Graduate Student Research
    by Sean McElroy - November 27, 2019 in Cloud Computing, Intrusion Detection

    Cloud infrastructure offers significant benefits to organizations capable of leveraging rich application programming interfaces (APIs) to automate environments at scale. However, unauthorized access to management APIs can enable threat actors to compromise the security of large amounts of sensitive data very quickly. Practitioners have documented techniques for gaining access through Server-Side Request Forgery (SSRF) vulnerabilities that exploit management APIs within cloud providers. However, mature organizations have failed to detect some of the most significant breaches, sometimes for months after a security incident. Cloud services adoption is increasing, and firms need effective methods of detecting SSRF attempts to identify threats and mitigate vulnerabilities. This paper examines a variety of tools and techniques to detect SSRF activity within an Amazon Web Services (AWS) environment that can be used to monitor for real-time SSRF exploit attempts against the AWS API. The research findings outline the efficacy of four different strategies to answer the question of whether security professionals can leverage additional vendor-provided and open-source tools to detect SSRF attacks.


  • Automated Detection and Disinfection of Ransomware Attacks using Roadblock Software
    by Hemant Kumar - November 26, 2019 in Reverse Engineering Malware

    We often hear about ransomware locking data and demanding a ransom. Ransomware is a kind of malware that prohibits users from accessing their system or files and mostly requires a ransom payment to regain access. This results in data loss, downtime, and lost productivity, including reputational harm. Financial losses from ransomware attacks are predicted to exceed 11.5 billion dollars in 2019, with ransomware attacks on businesses every 14 seconds. The extent and complexity of ransomware are advancing at a high rate. Malware authors utilize several sophisticated techniques to evade current security defenses, and all the encryption happens in less than a minute. So, there is a need to develop automated software that performs detection of various kinds of ransomware without depending on the signature of the malware, and that can also disinfect the live system against various kinds of ransomware attacks in under a minute, thus containing the infection and preventing it from spreading to other systems. The software should also notify the incident response team of the detected ransomware attacks and their IOCs so that they can further protect the organization from a similar type of attack. Roadblock software solves this problem by detecting various kinds of ransomware attacks and disinfecting the system without any need for a reboot in less than a minute. It leads to no data loss, no downtime, no lost productivity, and no reputational harm. The disinfection process is not dependent on malware signatures or malware coding, and it works by performing fast and deep forensics of the system that is pre-installed with Roadblock, so that it can detect new ransomware variants.


  • Exploring the Human Fingerprints on Malware
    by Tobias Johansson and Robert M. Lee - November 22, 2019 in Threats/Vulnerabilities

    Much of the focus of cyber threat intelligence is countering adversaries and the tools and capabilities they leverage to do target organizations harm. Malware is a popular choice by many adversaries to fulfill their goals such as access development or destructive purposes. Malware contains a wealth of information to analyze for the purpose of cyber threat intelligence. The development, operationalizing, and utilization of malware is performed by humans and these human interactions leave traces of how the malware is leveraged, its configuration data, or even the choice of the malware itself. Malware is often not unique to specific adversaries but these traces, identified in the paper simply as human fingerprints, can be useful in clustering intrusions into sets for structured analysis and satisfying intelligence requirements. This is not a new concept and there are many researchers who take advantage of these practices today. The purpose of this paper is to introduce this concept to a wider audience and also structure it around the Diamond Model as a useful tool for analysis.


  • Taming the Wild West: Finding Security in Linux Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - November 22, 2019 in Cloud Computing, Linux Issues

    Although Linux has historically been less prone to attacks, increased enterprise use on-premises and in the cloud means it has become as common a target as Windows environments. This paper looks at the deficiencies of Linux from a security perspective and how to lock Linux down more effectively.


  • Israel's Attack on Hamas' Cyber Headquarters Under Customary International Humanitarian Law
    by Jonathan Matkowsky - November 21, 2019 in Active Defense

    During intense military fighting in May 2019, Israel stopped the Hamas organized-armed-group from harming Israeli sites as part of establishing offensive cyber capabilities in the Gaza Strip tied to its war effort. Israel attacked the headquarters from which Hamas’ cyber unit operated, including any information systems and related cyber-infrastructure in the facility. Under customary international humanitarian law, the attack on Hamas’ headquarters appears to be a cyber-specific example of a lawful military objective due to its inherent nature, as suggested by Prof. R. Chesney (2019). This paper discusses the principles of international humanitarian law—military necessity, humanity, distinction, and proportionality—applicable from an Israeli law perspective to the targeted strike on the Hamas’ cyber headquarters, including support that the principles have achieved the status of customary international humanitarian law. Israel did not disclose whether Hamas only used the facility for intelligence gathering tied to the war effort alone, or if that intelligence was also being used to develop cyber weapons. Both are inherently lawful military objectives under customary international humanitarian law, according to Prof. Dinstein (2016). A key takeaway is that applying the principles of customary international humanitarian law may sometimes favor using traditional military force, and other times favor using cyber activity.


  • Someone to Watch Over You: A Review of CrowdStrike’s Falcon OverWatch Analyst Paper (requires membership in SANS.org community)
    by Joe Sullivan - November 19, 2019 in Intrusion Detection, Threat Hunting

    Technology alone cannot stop 100% of threats against endpoints. Ensuring security requires that people and processes be an integral part of threat hunting. That’s where CrowdStrike’s Falcon OverWatch comes in, with a team of live, trained threat hunting analysts whose job it is to alert you to advanced attack techniques that can go undetected by automated tools. In this review, SANS puts OverWatch through its paces to detect and alert on sophisticated attacks like credential theft, defense evasion and lateral movement, making it possible for on-premises security teams to respond to threats immediately.


  • JumpStart Guide to Investigations and Cloud Security Posture Management in AWS Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - November 8, 2019 in Cloud Computing, Risk Management, Secure Monitoring

    Cloud security posture management (CSPM) has gained popularity as organizations move to a cloud-first mentality. CSPM enables efficient investigations because it centralizes data sources that provide operational and security insight. When an organization moves to the cloud, the security team needs visibility into its AWS accounts, which can be a complex undertaking. This paper focuses on the tactics that can aid in an investigation.


  • Securing the Supply Chain - A Hybrid Approach to Effective SCRM Policies and Procedures STI Graduate Student Research
    by Daniel Carbonaro - November 7, 2019 in Standards

    Organizations’ supply chains are growing increasingly interdependent and complex, the result of which is an ever-increasing attack surface that must be defended. Current supply chain security frameworks offer effective guidance to organizations to help mitigate their supply chains from attack. However, they are limited in their scope and impact and can be extremely complex for organizations to adopt effectively. To further complicate issues, the ability of an organization to identify the scope of their supply chains may be a complicated endeavor. This paper seeks to give context not only to the challenges facing security within the ICT Supply Chain, but attempts to give a hybrid framework for any business regardless of size or function to follow when attempting to mitigate threats both to and from within their supply chain.


  • Guarding the Modern Castle: Providing Visibility into the BACnet Protocol STI Graduate Student Research
    by Aaron Heller - October 30, 2019 in Industrial Control Systems / SCADA

    Building automation devices are used to monitor and control HVAC, security, fire, lighting, and other similar functions in a building or across a campus. Over 60% of the global market for building automation relies on the BACnet protocol to enable communication between field devices (BSRIA, 2018). There are few open-source network intrusion detection or prevention systems (NIDS/NIPS) capable of interpreting and monitoring the BACnet protocol (Hurd & McCarty, 2017). This blind spot presents a significant security risk. The maloperation of building automation systems can cause physical damage and financial losses, and can allow an attacker to pivot from a building automation network into other networks (Balent & Gordy, 2013). A BACnet/IP protocol analyzer was created for an open-source NIDS/NIPS called Zeek to help minimize this network security blind spot. The analyzer was tested with publicly available BACnet capture files, including some with protocol anomalies. The new analyzer and test cases provide network defenders with a tool to implement a BACnet/IP capable NIDS/NIPS as well as insight into how to defend the modern-day “castles” that rely on the Building Automation and Control network protocol.


  • An AWS Network Monitoring Comparison STI Graduate Student Research
    by Nichole Dugan - October 30, 2019 in Cloud Computing

    AWS recently released network traffic mirroring in their environment. As this is a relatively new feature, users of the service in the past have used tools such as Security Onion to monitor traffic using a hosted base model of forwarding network traffic to analyze the data. It may not be apparent to an organization which option works best for them, so an analysis should be done of both the traffic mirroring and host based options to determine the benefits and drawbacks of each method. This paper seeks to compare the two types of network monitoring available in the AWS environment, traffic mirroring and host based, and determine which method is more cost-effective, and, through testing, determine which method generates more alerts.


  • How to Perform a Security Investigation in AWS: A SANS Whitepaper Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - October 30, 2019 in Cloud Computing, Forensics

    Because the technologies that enable investigations in the cloud differ from those on premises, as do the levels of responsibility, organizations need to put in place a cloud-specific incident response plan. By planning out how they will perform investigations using solutions such as AWS, organizations can validate that any obligations they may have as a security organization can be met as effectively in cloud environments as they did in-house.


  • Investigating Like Sherlock: A SANS Review of QRadar Advisor with Watson Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - October 26, 2019 in Automation, Threat Intelligence
    Sponsored By: IBM

    This paper reviews QRadar Advisor with Watson, a platform that combines IBM’s famous Watson with QRadar.


  • SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters Analyst Paper (requires membership in SANS.org community)
    by Mathias Fuchs and Joshua Lemon - October 25, 2019 in Best Practices, Security Trends

    Organizations just starting their threat hunting journey have different needs than those who are honing their skills and programs. The SANS 2019 Threat Hunting Survey looks at those differences and how they impact the priorities set by both types of organizations. The authors provide actionable advice to assist organizations as they grow their programs and improve their threat hunting abilities, whether they are new to threat hunting or are simply honing their processes.


  • Challenges in Effective DNS Query Monitoring STI Graduate Student Research
    by Caleb Baker - October 23, 2019 in DNS Issues

    Domain Name System (DNS) queries are fundamental functions of modern computer networks. Capturing the contents of DNS queries and analyzing the logged data is a recommended practice for gaining insight into activity on a network and monitoring for unusual behavior. Multiple solutions and approaches are available for monitoring DNS queries. Some methods add the capability to redirect queries identified as malicious, stopping an attack. This paper investigates the effectiveness of solutions that utilize the monitoring of DNS queries to detect and block DNS queries identified as potential indicators of compromise. The performance of each tool will be evaluated against a sample of real-world threats that utilize DNS queries. As the prevalence of DNS query monitoring increases, attackers will need to take steps to bypass monitoring by obfuscating DNS queries. Accordingly, this paper will also assess the capabilities of each tool to detect techniques for DNS query obfuscation.


  • What Security Practitioners Really Do When It Comes to Security Testing Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - October 18, 2019 in Security Awareness, Threats/Vulnerabilities

    Given the number, criticality and potential damage of attacks, how can you better protect your organization against the latest threats? And with so many solutions in your arsenal, how can you ensure that security controls are integrated seamlessly to defend you in the moment of truth against attacks? This paper, which is a follow-up to "Are Your Security Controls Yesterday’s News?," addresses issues with security effectiveness testing and how to improve control validation to shorten testing cycles, accelerate remediation and improve your organization's security posture faster. It presents the results of a recent SANS poll to provide insight into how organizations are testing for security effectiveness and how performance is actually being measured. The paper also provides specific steps to help you optimize security in a more proactive, continuous way.


  • How to Secure App Pipelines in AWS Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - October 16, 2019 in Application and Database Security, Cloud Computing

    We are seeing nothing less than an evolutionary shift as security infrastructure moves to software-defined models that improve speed and scale, and afford enterprise IT more agility and capabilities than ever before. Application development and deployment are driving this shift, and as the pace of development increases, organizations have a real need to ensure application security is embedded in all phases of the development and deployment life cycle, as well as in the cloud during operations.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.