Reward Yourself! Get a $400 Amazon Gift Card with Qualifying OnDemand Course Purchase - Register Today!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 3,110 original computer security white papers in 111 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Preventing Windows 10 SMHNR DNS Leakage SANS.edu Graduate Student Research
    by Robert Upchurch - March 3, 2021 in DNS Issues

    Microsoft enables Smart Multi-Homed Name Resolution (SMHNR) by default, sending name lookups out of all the connected interfaces for all configured name resolution protocols: DNS, LLMNR, and NetBIOS over TCP/IP (NetBT). Research on the effect that SMHNR has on DNS behavior showed that several users were concerned with DNS leakage ("DNS Leaks," 2017). DNS leakage is where unauthorized parties can observe, intercept, and possibly tamper with the name lookups or the lookup responses. Users were also frustrated by operational issues, such as attempting to resolve a private network hostname and receiving no response, a slow response, or an incorrect response while connected to a VPN ("Windows 10", 2015). This frustration led to users attempting to disable SMHNR ("Turn Off," 2021), but it did not always resolve the issue. The process to disable SMHNR varied based on the edition of Windows used, so the goal was to investigate the effect of SMHNR on DNS behavior and pursue an edition agnostic, native operating system method to mitigate that effect. Testing revealed that Name Resolution Policy Table (NRPT) rules provided a simple, scalable, and agile mechanism for controlling DNS client behavior that was effective across the multiple editions of Windows and worked irrespective of whether SMHNR was on or off.


  • A Forensic Analysis of the Encrypting File System by Ramprasad Ramshankar - February 24, 2021 in Forensics

    EFS or the Encrypting File System is a feature of the New Technology File System (NTFS). EFS provides the technology for a user to transparently encrypt and decrypt files. Since its introduction in Windows 2000, EFS has evolved over the years. Today, EFS is one of the building blocks of Windows Information Protection (WIP) - a feature that protects against data leakage in an enterprise environment (DulceMontemayor et al., 2019). From the attacker's perspective, since EFS provides out-of-the-box encryption capabilities, it can also be leveraged by ransomware. In January 2020, SafeBreach labs demonstrated that EFS could be successfully used by ransomware to encrypt files and avoid endpoint detection software (Klein A., 2020). The purpose of this paper is to provide security professionals with a better understanding of artifacts generated by EFS and recovery considerations for EFS encrypted files.


  • Unpacking the Hype: What You Can (and Can't) Do to Prevent/Detect Software Supply Chain Attacks Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - February 24, 2021 in Breaches, Intrusion Detection, Intrusion Prevention

    This paper focuses on the SolarWinds compromise and what it can teach us about detecting software supply chain compromises.


  • The Strategic Value of Passive DNS to Cyber Defenses and Risk Management Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 22, 2021 in Intrusion Detection, DNS Issues, Incident Handling, Intrusion Prevention, Security Trends

    Passive DNS has come to play a significant role in the realm of information security—and not just due to its mission-critical status for domain name resolution. This paper explores how passive DNS may help detect and prevent many attacks that other security tools cannot.


  • Achieving NIST 800-53v5 Compliance with FortiGate: An Implementation Guide Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - February 22, 2021 in Network Security, Risk Management, Standards

    Designed as a companion paper to “Architecting For Compliance: A Case Study in Mapping Controls to Security Frameworks,” this implementation guide seeks to show those considering deploying a FortiGate appliance in their networks whether a NIST 800-53v5 control family (or individual control) can be supported through the proposed deployment. For those who have already deployed a FortiGate appliance, this implementation guide can be used as a tool to validate that the organization is getting the best value possible from the deployment.


  • Architecting for Compliance: A Case Study in Mapping Controls to Security Frameworks Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - February 22, 2021 in Network Security, Risk Management, Standards

    SANS reviewed Fortinet’s FortiGate product to test and highlight features and to identify how those features align with NIST 800-53v5 controls. This paper is intended to assist those considering the FortiGate product family—as well as those who may be unfamiliar with FortiGate—to understand its capabilities and how it will help them achieve their NIST 800-53v5 compliance goals. This is a companion paper to “Achieving NIST 800-53v5 Compliance with FortiGate: An Implementation Guide”.


  • Improving Incident Response Through Simplified Lessons Learned Data Capture SANS.edu Graduate Student Research
    by Andrew Baze - February 17, 2021 in Incident Handling

    The Lessons Learned portion of the cybersecurity incident response process is often neglected, resulting in unfortunate missed opportunities that could help teams mature, identify important trends, and improve their security. Common incident handling frameworks and compliance regimes describe time-consuming and relatively complex processes designed to capture these valuable lessons. While an extensive and resource-heavy process may be necessary in some cases, it is often difficult for incident response teams to dedicate sufficient time to capture this lesson data at the end of an incident. Dedicating time is even more difficult when the team is simultaneously handling other incidents. This paper addresses the planning and implementation of a simplified approach to capturing Lessons Learned data at any time, as opposed to at the conclusion of an incident. This approach includes a tagging schema and demonstrates how identification of lesson type, sub-type, and associated work items can provide valuable data to further an organization's original Lessons Learned goals.


  • Build and Automate an Effective Zero Trust Network with Secure Workload by Cisco Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 16, 2021 in Network Security, Security Trends

    This paper reviews the most recent update to Cisco's Secure Workload (formerly Tetration), a hybrid workload protection platform that can help implement zero trust segmentation and access control. Our review noted a shift from a pure micro-segmentation and zero trust discovery and access control platform to a more multifaceted security operations system.


  • Collection and Analysis of Serial-Based Traffic in Critical Infrastructure Control Systems SANS.edu Graduate Student Research
    by Jonathan Baeckel - February 11, 2021 in Industrial Control Systems / SCADA

    There is a blind spot the size of a 27-ton, 2.25-megawatt maritime diesel generator in the world's critical infrastructure control system (CICS) landscape. Compared to typical IT systems, CICSs are composed of a much larger ratio of non-routable traffic, such as serial-based Fieldbus communications, than their IT-based brethren, which almost exclusively rely on TCP/IP-based traffic. This traffic tells field devices to take actions and reports back process status to operators, engineers, and automated portions of the process. As vital as it is to the process, this specialized traffic is routinely ignored by Operational Technology (OT) architects and analysts charged with defending this type of system. They tend to favor a TCP/IP only approach to traffic collection and analysis that is more geared toward an IT-only environment. This paper analyzes Stuxnet to determine the effect that serial communication monitoring and analysis may have on the situational awareness of such an event. It will pose several questions. Could the attack have been detected without the availability of known Indicators of Compromise (IoC)? Would the attack have been detected sooner? Would there have been no effect at all? This information may help organizations pursue a risk-based approach to architecting a CICS traffic collection and analysis system.


  • Cloud Security Monitoring on AWS by Sherif Talaat - February 8, 2021 in Cloud Security, Secure Monitoring

    Cloud services adoption is growing massively year over year. In most cases, moving to the cloud decision is driven by cost optimization goals. Organizations usually start the cloud journey with the lift-and-shift approach, migrating the datacenter as-is, including the security services and controls, even the physical appliances, to the equivalent virtual appliances from the respective vendor. In some cases, the security controls used on- premises are not as effective with cloud services. Moreover, in some other cases, it can be expensive as well. This paper illustrates Amazon Web Services (AWS) security services a security professional can use to aid the cloud service's continuous security monitoring operations.


  • How to Build an Effective Cloud Threat Intelligence Program in the AWS Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 1, 2021 in Cloud Security, Threat Intelligence

    Threat intelligence can play a major role in improving the state of security incident-handling operations, either through proactive threat hunting activities or during active investigations based on detection scenarios. But threat intelligence can mean different things to different organizations. In this whitepaper, SANS analyst Dave Shackleford shows you how to customize your CTI program to your organization's processes and workflows as well as how to invest in security solutions that reduce risk and accelerate the resolution of security events with actionable context and minimal noise.


  • Using Deep Instinct for Cyberthreat Prevention Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - January 29, 2021 in Clients and Endpoints, Intrusion Detection

    Although not an endpoint detection and response (EDR) tool, Deep Instinct does provide some features that stray into the EDR space and takes a fundamentally different approach to detection than traditional EPP. This paper reviews this platform and highlights use cases as applicable.


  • How Sweet It Is: A Comparative Analysis of Remote Desktop Protocol Honeypots SANS.edu Graduate Student Research
    by Lauri Marc Ahlman - January 28, 2021 in Active Defense

    Remote Desktop Protocol (RDP) and other remote administrative services are consistently targeted by attackers seeking to gain access to protected systems. Honeypots are a valuable tool for network defenders to learn about attacker tools and techniques. This paper proposes an architecture for an RDP honeypot running on a Linux host. The proposed solution includes a capability to replay RDP sessions and observe attacker activity and keystrokes. Further, this paper presents a comparative analysis between this proposed solution and an RDP honeypot using the open-source project PyRDP (Gonzalez, 2020) which is represented as a Windows environment.


  • Detect and Track Security Attacks with NetWitness by RSA Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - January 22, 2021 in Secure Monitoring, Security Analytics and Intelligence

    In this product review, SANS explores the RSA NetWitness platform. The platform includes many advanced features focused on reducing detection and response time for security operations and investigations, and processing large quantities of data from numerous sources in real time.


  • The State of Cloud Security: Results of the SANS 2020 Cloud Security Survey Analyst Paper (requires membership in SANS.org community)
    by Thomas (TJ) Banasik - January 21, 2021 in Cloud Security, Security Trends

    This paper is an in-depth look at how the definition of cloud security is evolving with new capabilities, such as network detection response (NDR). It explores digital transformation motivations as organizations move into various hybrid, cloud, and multi-cloud environments. It also looks at how cloud security architects use cybersecurity tools to build security operations architectures and the considerations respondents evaluate when making cybersecurity tooling decisions. As the COVID-19 pandemic pushes humankind toward a fifth industrial revolution (5IR)--with greater reliance on security to enable remote workforce productivity--we will explore how protection is evolving from traditional perimeter-based networks to zero trust architectures. The paper's primary goal is to better understand if customers feel cloud-native security tooling is equivalent to industry-leading security tools and what drives decisions behind customer adoption.


  • Network Segmentation of Users on Multi-User Servers and Networks SANS.edu Graduate Student Research
    by Ryan Cox - January 20, 2021 in Linux Issues

    In High Performance Computing (HPC) environments, hundreds of users can be logged in and running batch jobs simultaneously on clusters of servers in a multi-user environment. Security controls may be in place for much of the overall HPC environment, but user network communication is rarely included in those controls. Some users run software that must listen on arbitrary network ports, exposing user software to attacks by others. This creates the possibility of account compromise by fellow users who have access to those same servers and networks. A solution was developed to transparently segregate users from each other both locally and over the network. The result is easy to install and administer.


  • Continuous Security Validation Against an Ever-Changing Landscape Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - January 20, 2021 in Commercial Software, Threats/Vulnerabilities

    Waiting for an attack to test your security controls is not acceptable In this SANS product review, Matt Bromiley examines Cymulate Continuous Security Validation, a highly integrated, customizable platform built around testing the security controls of your organization. Bromiley puts this platform to the test in terms of its ability to identify security risks, craft purple team assessments, pivot from intelligence reports to control testing, gain executive-level insight into assessments, and more.


  • 2021 SANS Cyber Threat Intelligence (CTI) Survey Analyst Paper (requires membership in SANS.org community)
    by Rebekah Brown and Robert M. Lee - January 18, 2021 in Security Analytics and Intelligence, Security Trends

    The 2021 SANS CTI Survey analyzes the latest trends in CTI and provides guidance on how organizations are expanding their use of CTI. Also, this year brings a unique perspective, given the global changes and challenges associated with the coronavirus. Download this paper to learn:
    - How consumers and generators of CTI leverage, create, and measure intelligence
    - What progress has been made on automation of intelligence collection and processing
    - What improvements organizations have realized as a result of using CTI
    - Which best practices are in use across respondents' organizations


  • Tactical Linguistics: Language Analysis in Cyber Threat Intelligence by Jason Spataro - January 15, 2021 in Threat Intelligence

    The capability to effectively collect and analyze data in strategic foreign languages when intelligence requirements are supported by it is a defining characteristic in a mature Cyber Threat Intelligence (CTI) program. Far beyond its use in attribution, language analysis can be leveraged to approach collection sources from a new perspective. This research seeks to provide a blueprint of those perspectives, as well as a set of critical considerations for those seeking to add or advance language analysis capabilities within their own CTI environments.


  • CTI, CTI, CTI: Applying better terminology to threat intelligence objects SANS.edu Graduate Student Research
    by Adam Greer - January 13, 2021 in Threat Intelligence

    Increased awareness of the need for actionable cyber-threat intelligence (CTI) has created a boom in marketing that has flooded industry publications, news, blogs, and marketing material with the singular term applied to an increasingly diverse set of technologies and practices. In 2015, Dave Shackleford and Stephen Northcutt published findings of a survey sponsored by some of the largest names in cyber-threat intelligence at the time in order to address the widespread confusion around what precisely cyber-threat intelligence is and how it is generated, delivered, and consumed. In this research, they note that "... a shortage of standards and interoperability around feeds, context, and detection may become more problematic as more organizations add more sources of CTI..." (Shackleford, 2015). However, IT security teams have matured drastically since then, and most research has been applied to automation and standards for specific sub-domains, such as dissemination. This paper analyzes the current CTI environment and uses a defined methodology to develop a taxonomy for the domain that clarifies the application of CTI to security programs and serves as a foundation to further domain research.


  • Tracing the Tracer: Analysis of a Mobile Contact Tracing Application SANS.edu Graduate Student Research
    by Anthony Wallace - January 4, 2021 in Mobile Security

    The pandemic has led to the rapid development of applications designed to take advantage of our hyper-connected world. The Ehteraz application was developed, deployed, and mandated in the nation of Qatar. Government regulation required citizens to register with the app to enter businesses such as malls and grocery stores which forced rapid adoption among the populace. Many citizens are concerned about the range of permissions the app requires to function. Unpacking the application and finding a method of dissecting network traffic was complicated by measures developers took to prevent miscreant-in-the-middle attacks and analysis. Sharing the journey of decrypting the traffic in this application may prove useful to future engineers reversing and bypassing protections to perform analysis on mobile app traffic. Initial analysis has confirmed the application sends only location and Bluetooth data to centralized servers owned by the Ministry of Interior of the State of Qatar.


  • Evaluating Open-Source HIDS with Persistence Tactic of MITRE Att&ck SANS.edu Graduate Student Research
    by Jon Chandler - January 4, 2021 in Intrusion Detection

    Small companies with limited budgets need to understand if open-source tools can provide adequate security coverage. The MITRE ATT&CK framework provides an excellent source to evaluate endpoint security tool effectiveness. A MITRE research paper provides the following insight into the value of ATT&CK, “The techniques in the ATT&CK model describe the actions adversaries take to achieve their tactical objectives” (Strom, et al., 2019). This paper examines two open-source endpoint tools, OSSEC and WAZUH, against the MITRE ATT&CK framework. This analysis will determine each endpoint tool’s ability to detect a select number of the MITRE ATT&CK framework persistence techniques. Out of the techniques reviewed, this paper will analyze the degree to which the ATT&CK technique can be accurately identified by the evaluated tools. MITRE also conducts evaluations but on proprietary tools. The results of the open-source endpoint tools analyzed here can be compared to the MITRE ATT&CK Evaluations conducted on the proprietary endpoint toolsets. The MITRE ATT&CK framework is a valuable methodology that allows a company to compare endpoint tools from a security risk and product evaluation perspective.


  • Developing a JavaScript Deobfuscator in .NET SANS.edu Graduate Student Research
    by Roberto Nardella - January 4, 2021 in Reverse Engineering Malware

    JavaScript, a core technology of the World Wide Web, is a recently born scripting language and, starting from its early years, became notorious within the cyber security community not only for well-known security problems like Cross Site Scripting (XSS) or Cross Site Request Forgery (CSRF), but also for its flexibility in offering a valid vehicle for the implementation of the first stage of a malware attack.


  • Analyzing Malicious Behavior Effectively with ExtraHop Reveal(x) Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - January 4, 2021 in Data Protection, Intrusion Detection

    In the past decade, the information security industry has learned a lot about what attackers do during campaigns against targets. Once a compromise has occurred, attackers attempt to maintain a persistent presence within the victims network, escalate privileges, and move laterally within the victims network to extract sensitive information to locations under the attackers control.

    ExtraHops Reveal(x) security analytics product, provides security analysts with a platform that can rapidly analyze huge quantities of data without acquiring full network packets. In this paper, Dave Shackleford reviews ExtraHops Reveal (x) and shares his insights on the many enhancements and new features that help intrusion analysis and investigation teams analyze malicious behavior in their environments more rapidly and effectively.


  • Practical Process Analysis – Automating Process Log Analysis with PowerShell by Matthew Moore - December 29, 2020 in Forensics, Tools

    Windows event log analysis is an important and often time-consuming part of endpoint forensics. Deep diving into user logins, process analysis, and PowerShell/WMI activity can take significant time, even with current tools. Additionally, while utilities exist to automatically parse out various Windows Logs, most of them do not include any native analytical functionality outside of the ability to manually filter on certain strings or event IDs. Window’s native scripting solution, PowerShell, combined with Microsoft’s Log Parser utility allowed for several scripts to be created with a focus on Process Creation and analysis. These scripts can detect processes spawning from unusual locations, processes that exist outside of a baseline ‘Allow List’, or processes that might otherwise appear to be normal, but are actually anomalous. These scripts complement other current tools such as Kape or Kansa, allowing for automated analysis of the data gathered.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.