35+ Cyber Security Courses at SANS Cyber Defense Initiative® in Washington, DC! Save up to $300 thru 10/16.
Register by Tomorrow to Save $300 on 4-6 Day Courses at SANS Cyber Defense Initiative® in Washington, DC!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,930 original computer security white papers in 110 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • BITS Forensics STI Graduate Student Research
    by Roberto Nardella - October 14, 2019 in Forensics

    The “Background Intelligent Transfer Service” (BITS) is a technology developed by Microsoft in order to manage file uploads and downloads, to and from HTTP servers and SMB shares, in a more controlled and load balanced way. If the user starting the download were to log out the computer, or if a network connection is lost, BITS will resume the download automatically; the capability to survive reboots makes it an ideal tool for attackers to drop malicious files into an impacted Windows workstation, especially considering that Microsoft boxes do not have tools like “wget” or “curl” installed by default, and that web browsers (especially those in Corporate environments) may have filters and plugins preventing the download of bad files. In recent years, BITS has been increasingly used not only as a means to place malicious files into targets but also to exfiltrate data from compromised computers. This paper shows how BITS can be used for malicious purposes and examines the traces left by its usage in network traffic, hard disk and RAM. The purpose of this research is also to compare the eventual findings that can surface from each type of examination (network traffic examination, hard disk examination and RAM examination) and highlight the limitation of each analysis type.



  • The Value of Contemporaneous Notes and Why They Are a Requirement for Security Professionals by Seth Enoka - September 30, 2019 in Forensics

    Contemporaneous notes, or notes taken as soon as practicable after an event or action takes place, are invaluable to analysts in security roles performing activities such as digital forensics and incident response. There are various situations where contemporaneous notes provide a disproportionate return on time invested. However, there is no standard which defines the minimum information to record or indicates why every analyst should create some form of contemporaneous notes, whether in the civil or criminal domain. Timestamping, “write-once” versus write-many modalities, and how to edit or amend contemporaneous notes are important considerations. Additionally, including enough information such that the analyst, or any analyst, can follow the notes after time has elapsed and still achieve the same results and conclusions is essential when taking contemporaneous notes. The evidentiary value of contemporaneous notes should be defined and understood by every security professional.


  • ExtraHop Reveal(x) Expands Attack Investigations to Cover All Vectors Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - September 30, 2019 in Intrusion Detection, Threats/Vulnerabilities

  • JumpStart Guide to Application Security in Amazon Web Services Analyst Paper (requires membership in SANS.org community)
    by Nathan Getty - September 27, 2019 in Application and Database Security

    This paper seeks to give you a better idea of what your organization needs to successfully plan and execute a secure application transition to, or deployment in, an AWS environment. Learn how security teams can best support application development teams, what options you have as a security professional for this support, and how best to guide your development teams as they transition workflows to AWS.


  • Pass-the-Hash in Windows 10 STI Graduate Student Research
    by Lukasz Cyra - September 27, 2019 in Penetration Testing

    Attackers have used the Pass-the-Hash (PtH) attack for over two decades. Its effectiveness has led to several changes to the design of Windows. Those changes influenced the feasibility of the attack and the effectiveness of the tools used to execute it. At the same time, novel PtH attack strategies appeared. All this has led to confusion about what is still feasible and what configurations of Windows are vulnerable. This paper examines various methods of hash extraction and execution of the PtH attack. It identifies the prerequisites for the attack and suggests hardening options. Testing in Windows 10 v1903 supports the findings. Ultimately, this paper shows the level of risk posed by PtH to environments using the latest version of Windows 10.


  • Exploring Osquery, Fleet, and Elastic Stack as an Open-source solution to Endpoint Detection and Response STI Graduate Student Research
    by Christopher Hurless - September 10, 2019 in Intrusion Detection

    Endpoint Detection and Response (EDR) capabilities are rapidly evolving as a method of identifying threats to an organization's computing environment. Global research and advisory company, Gartner defines EDR as: "Solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems" (Gartner, 2019). This paper explores the feasibility and difficulty of using open-source tools as a practical alternative to commercial EDR solutions. A business with sufficiently mature Incident Response (IR) processes might find that building an EDR solution “in house” with open-source tools provides both the knowledge and the technical capability to detect and investigate security incidents. The required skill level to begin using and gaining value from these tools is relatively low and can be acquired during the build process through problem deconstruction and solution engineering.


  • A New Needle and Haystack: Detecting DNS over HTTPS Usage STI Graduate Student Research
    by Drew Hjelm - September 10, 2019 in DNS Issues

    Encrypted DNS technologies such as DNS over HTTPS (DoH) give users new means to protect privacy while using the Internet. Organizations will face new obstacles for monitoring network traffic on their networks as users attempt to use encrypted DNS. First, the paper presents several tests to perform to detect encrypted DNS using endpoint tools and network traffic monitoring. The goal of this research is to present several controls that organizations can implement to prevent the use of encrypted DNS on enterprise networks.


  • How to Build a Threat Detection Strategy in Amazon Web Services (AWS) Analyst Paper (requires membership in SANS.org community)
    by David Szili - September 10, 2019 in Cloud Computing, Threat Hunting

    Threat detection and continuous security monitoring in the cloud must integrate traditional on-premises system monitoring with the cloud network infrastructure and cloud management plane. A successful, cloud-based threat detection strategy will collect data from systems, networks and the cloud environment in a central platform for analysis and alerting. This paper describes how to build a threat detection strategy that automates common tasks like data collection and analysis.


  • Success Patterns for Supply Chain Security Analyst Paper (requires membership in SANS.org community)
    by John Pescatore - September 9, 2019 in Best Practices, Security Trends

    Many CISOs report that supply chain security is one of their top challenges. Supply chain attacks are on the rise, and the high financial impact of these attacks has increased CEO, board of director, and regulatory/auditor attention to supply chain security. In this whitepaper, John Pescatore, SANS Director of Emerging Security Trends, provides recommendations and guidance in addressing these concerns.


  • Elevating Enterprise Security with Fidelis Cybersecurity: Network and Deception Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - September 5, 2019 in Intrusion Prevention, Threat Hunting

    Security teams cannot defend complex networks without holistic, correlative insight into the environment. In this first part of a two-part review, Matt Bromiley reviews the Fidelis Elevate platform, with respect to its ability to provide insight into network traffic, threats and deception. Not only does the Fidelis platform allow for holistic visibility, but it also makes it easy for organizations to move toward threat hunting, shortening their time to detect and uncover intrusions.


  • Elevating Enterprise Security with Fidelis Cybersecurity: Endpoint Security Capabilities Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - September 5, 2019 in Intrusion Detection, Threat Hunting

    In this final part of a two-part review, Matt Bromiley continues his review of the Fidelis Elevate platform, shifting focus to endpoint security. He examines how Fidelis Endpoint provides endpoint insight and response, highlighting capabilities such as behavioral monitoring and detections, enterprisewide threat hunting, and response automation, as well as ease of integration with Fidelis Elevate to bring networks and endpoints together. With this kind of holistic visibility, the job of securing modern enterprises becomes significantly easier and more achievable.


  • Changing the DevOps Culture One Security Scan at a Time STI Graduate Student Research
    by Jon-Michael Lacek - August 28, 2019 in Securing Code

    Information Security has always been considered a roadblock when it comes to project management and execution. This mentality is even further solidified when discussing Information Security from a DevOps perspective. A fundamental principle of a DevOps lifecycle is a development and operations approach to delivering a product that supports automation and continuous delivery. When an Information Technology (IT) Security team has to manually obtain the application code and scan it for vulnerabilities each time a DevOps team wants to perform a release, the goals of DevOps can be significantly impacted. This frequently leads to IT Security teams and their tools being left out of the release management lifecycle. The research presented in this paper will demonstrate that available pipeline plugins do not introduce significant delays into the release process and are able to identify all of the vulnerabilities detected by traditional application scanning tools. The art of DevOps is driving organizations to produce and release code at speeds faster than ever before, which means that IT Security teams need to figure out a way to insert themselves into this practice.


  • Container-Based Networks: Lowering the TCO of the Modern Cyber Range STI Graduate Student Research
    by Bryan Scarbrough - August 26, 2019 in Penetration Testing

    The rapid pace and ever-changing environment of cybersecurity make it difficult for companies to find qualified individuals, and for those same individuals to receive the training and experience they need to succeed. Some are fortunate enough to use cyber ranges for training and proficiency testing, but access is often limited to company employees. Limited access to cyber ranges precludes outsiders or newcomers from learning the skills necessary to meet the ever-growing demand for cybersecurity professionals. There have been several open-sourced initiatives such as Japan's Cybersecurity Training and Operation Network Environment (CyTrONE), and the University of Rhode Island's Open Cyber Challenge Platform (OCCP), but they require significant hardware to support. The average security professional needs a cyber range environment that replicates real-world Internet topologies, networks, and services, but operates on affordable equipment.


  • Cyber Protectionism: Global Policies are Adversely Impacting Cybersecurity STI Graduate Student Research
    by Erik Avery - August 21, 2019 in Risk Management

    Cyber Protectionist policies are adversely impacting global cybersecurity despite their intent to mitigate threats to national security. These policies threaten the information security community by generating effects which increase the risk to the networks they are intended to protect. International product bans, data-flow restrictions, and increased internet-enabled crime are notable results of protectionist policies – all of which may be countered through identifying protectionist climates and subsequent threat. Analyzed historical evidence facilitates a metrics-based comparison between protectionist climate and cybersecurity threats to comprise the Cyber Protectionist Risk Matrix - a risk framework that establishes a new cybersecurity industry standard.


  • JumpStart Guide for SIEM in AWS Analyst Paper (requires membership in SANS.org community)
    by J. Michael Butler - August 20, 2019 in Cloud Computing

    This paper explores the needs, implementation options, capabilities, and various considerations for organizations looking to implement SIEM/SOAR capabilities in Amazon Web Services (AWS). The paper compares the integration of SIEM and SOAR in the cloud environment to on-premises use. Suggestions for planning SIEM and SOAR integration into an AWS cloud environment also included.


  • Effectively Addressing Advanced Threats Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 19, 2019 in Security Trends, Threats/Vulnerabilities

    As security professionals well know, the wave of advanced threats never stops, and organizations are increasingly challenged in dealing with the onslaught. But not all threats are created equal. How do you identify the most critical and deal with those? In this survey, we asked the security community to share what advanced threats their organizations are facing and how they're allocating resources and technology.

    Register now for the associated webcast at 1 p.m. Eastern on Wednesday September 25, 2019: https://register.gotowebinar.com/register/6150616769136423937


  • Better Security Using the People You Have Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 13, 2019 in Security Awareness, Security Trends

    Is your organization making optimal use of technology and processes to support the people you currently have? Because, if not, there is more work to do-and it doesn't involve hiring more people. This paper looks at the people, process and technology trifecta to identify weak points in your security. Compensate for deficiencies, maximize the resources you have, and prepare for future security threats. Get tips on how to empower your employees and help them grow their skills relative to the sophistication of today's security challenges.


  • Device Visibility and Control: Streamlining IT and OT Security with Forescout Analyst Paper (requires membership in SANS.org community)
    by Don Murdoch - August 12, 2019 in Network Access Control, Clients and Endpoints

    Forescout's latest iteration of its eponymous platform builds on the product's long-standing reputation for handling network admission controls, and adds multifaceted IT/OT network device visibility and control. In this review, SANS analyst and instructor Don Murdoch delves deep into how Forescout can help organizations gain greater visibility into the devices on the network, through device discovery, auto classification, risk assessment and automating security controls.


  • SANS 2019 Incident Response (IR) Survey: It's Time for a Change Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 31, 2019 in Incident Handling, Security Trends

    The 2019 SANS Incident Response (IR) survey provides insight into the integration of IR capabilities to identify weak spots and best practices for improving IR functions and capabilities. In this survey paper, senior SANS instructor and IR expert Matt Bromiley explores what types of data, tools and information are key to investigations of an incident; the state of budget and staffing for IR; maturity of IR processes; impediments to IR implementations and plans for improvement; and more. The report also includes actionable advice for improving organizational IR practices.


  • ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis STI Graduate Student Research
    by Andy Piazza - July 29, 2019 in Threat Intelligence

    Risk management is a principal focus for most information security programs. Executives rely on their IT security staff to provide timely and accurate information regarding the threats and vulnerabilities within the enterprise so that they can effectively manage the risks facing their organizations. Threat intelligence teams provide analysis that supports executive decision-makers at the strategic and operational levels. This analysis aids decision makers in their commission to balance risk management with resource management. By leveraging the MITRE Adversarial Tactics Techniques & Common Knowledge (ATT&CK) framework as a quantitative data model, analysts can bridge the gap between strategic, operational, and tactical intelligence while advising their leadership on how to prioritize computer network defense, incident response, and threat hunting efforts to maximize resources while addressing priority threats.


  • How to Protect Enterprise Systems with Cloud-Based Firewalls Analyst Paper (requires membership in SANS.org community)
    by Kevin Garvey - July 26, 2019 in Cloud Computing, Firewalls & Perimeter Protection

    Deploying WAFs and firewalls in the cloud saves security teams valuable time as they rely on the cloud to automate many tasks. This paper identifies key considerations in using cloud-based firewalls to protect your enterprise, including network logging, IDS/IPS, authentication and inspection. This paper also covers advanced firewalls features like behavioral threat detection, next-gen analytics and customized rules. A comprehensive use case serves as an essential how-to for making it all work.


  • JumpStart Guide for Cloud-Based Firewalls in AWS Analyst Paper (requires membership in SANS.org community)
    by Brian Russell - July 24, 2019 in Cloud Computing, Firewalls & Perimeter Protection

    This guide examines options for implementing firewalls within the Amazon Web Services (AWS) Cloud. It examines the needs and capabilities associated with today’s firewall and threat prevention services and details general, technical and operational considerations when choosing these products. The guide concludes by examining AWS-specific considerations and recommending a plan of action for organizations considering the purchase of cloud-based firewalls.


  • Bye Bye Passwords: New Ways to Authenticate Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 23, 2019 in Authentication, Security Trends

    The "passwordless movement" is upon us! This paper addresses ways to change password handling and implement more secure authentication It examines the problem of passwords and password mismanagement, and provides tips and suggestions for increasing your organization's account security using modern industry standards.


  • Are Your Security Controls Yesterday’s News? Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 18, 2019 in Security Awareness, Threats/Vulnerabilities

    This spotlight paper, one of a two-part series, looks at just how successful an organization can expect to be if it's using old news, limited scope or "cookie-cutter" vulnerability scans as a way to assess its environment. SANS believes security control testing needs to improve significantly to emulate actual--not hypothetical--threats to an organization.
    The second spotlight (coming in October 2019) will focus on the input SANS received from a recent poll that gathered opinions from the SANS community on this topic.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.