New In-Person Event locations added! Choose your event, and join us for practical cyber security training.

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 3,140 original computer security white papers in 111 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Machine Learning Techniques for Intrusion Detection by Yih Han Tan - June 9, 2021 in Intrusion Detection

    This paper aims to equip intrusion analysts with the basic techniques needed to apply machine learning to intrusion detection. It will first review and describe the different approaches to machine learning-based classification (e.g., logistic regression, support vector machines) before explaining the challenges of applying it to network intrusion detection. It will also review methods of data preprocessing, model training, and testing. This paper then describes experiments carried out on a dataset (NSL-KDD) that is widely used to test intrusion detection algorithms. Two sets of experiments demonstrating the application of commonly used machine learning-based classification and methods extensively used to improve model performance (e.g., boosting, bagging, stacking, label smoothing, and embedding) are performed. With a knowledge of the underlying algorithms and the provided source code, network operators can experiment with and eventually apply machine learning-based intrusion detection to their network.


  • How to Fuel Your DevSecOps in AWS Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - June 2, 2021 in Application and Database Security, Cloud Security

    To build an effective and successful security automation strategy for the DevOps pipeline, organizations need to consider all parts of the pipeline. This includes securing code and repositories, monitoring and controlling privilege allocation, scanning all checked-in and modified code for vulnerabilities, and scanning all builds and images for package and component vulnerabilities. And by monitoring all running assets through cloud fabric logging, they can use event-driven automation to remediate or alert on issues. In this whitepaper, SANS Analyst Dave Shackleford describes how to bring security teams into all phases of development and during cloud operations to increase visibility and improve security posture.


  • CIS CSC Controls vs. Ransomware: An Evaluation by Dylan Malloy - May 19, 2021 in Critical Controls

    Cybercriminals continue to develop and enhance both new and existing ransomware variants, exploiting vulnerabilities to compromise computer systems and wreak havoc on individuals and organizations. Ransomware, while everchanging, typically relies heavily on a lack of controls in place for it to be promptly stopped or eradicated; however, many controls set out to reduce the overall impact of ransomware, if not stop it entirely. Organizations often try to protect themselves from ransomware by investing money into their security stack, Anti-virus, Endpoint Detection and Response, and Host Intrusion Prevention System. However, these tools will not be nearly as effective without the proper controls to align their functions. Implementing CIS Critical Security Controls can significantly reduce the impact of ransomware, or even potentially stop it in its tracks, meaning minimal disruptions to operations.


  • Avoiding or Minimizing Ransomware Impact to the Bottom Line Analyst Paper (requires membership in SANS.org community)
    by John Pescatore and Benjamin Wright - May 19, 2021 in Breaches, Legal Issues

    In this report, John Pescatore, SANS Director of Emerging Security Trends, and Benjamin Wright, lawyer and SANS Senior Instructor, explore key ransomware issues, including: - Key security processes to avoid ransomware attacks - Issues around ransomware payoffs if an attack succeeds - How cyber insurance can play a role in reducing the financial impact of an attack


  • Keeping Control Over the Cloud Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - May 18, 2021 in Cloud Security, Risk Management

    Are your operations, employees, and data are spread across multiple platforms? This product review examines the benefits offered within the Bitglass platform to manage cloud security. Get a handle on your cloud exposure and gain control over it with a unified platform that allows for consistency in monitoring, detection, and policy implementation across various technologies.


  • SANS 2021 Password Management and Two-Factor Authentication Methods Survey Analyst Paper (requires membership in SANS.org community)
    by Chris Dale - May 18, 2021 in Authentication, Security Trends

    Passwords are a hassle, and they're expensive to manage. They're also inherently insecure. Are organizations still required forced resets and enforcing complex passwords and other inconveniences that users tend to resist? This whitepaper explores the results of the SANS 2021 Password Survey, including how many passwords users and admins have to perform their work tasks, and how organizations are managing their passwords across users, apps, and devices.


  • Packets or It Didn't Happen: Network-Driven Incident Investigations Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - May 18, 2021 in Clients and Endpoints, Incident Handling, Network Security, Threat Hunting

    This paper examines use cases for network monitoring (including in cloud environments) and how organizations can use it to drive incident investigations. Discover what an intelligent packet capture system can do for your security program.


  • How to Build a Security Observability Strategy in AWS Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - May 17, 2021 in Best Practices, Cloud Security

    By leveraging cloud-native events and services, as well as cloud-integrated third-party services that can aid in correlating and automating security response, public sector organizations can build a robust cloud security architecture that is sustainable and effective at increasing security posture. This whitepaper, which includes four use cases, describes approaches to security event detection and response, event collection and guardrail services, and how to integrate automation capabilities.


  • Cyber Risk Profile of a Merger or Acquisition SANS.edu Graduate Student Research
    by Tyler Whittington - May 13, 2021 in Risk Management

    Companies often use mergers and acquisitions to expand their market share and increase profitability. To appropriately assess a potential target, acquiring companies regularly dedicate time and resources to identify risks and quantify the target company’s value.A company’s cyber risk is not commonly considered a factor in pre-acquisition assessments, nor does an organization’s Information Security team frequently play an active role in this process. Due to these gaps, acquiring companies have identified incidents both during and after an acquisition deal has closed. These late discoveries resulted in millions of dollars in lost revenue and or breaches affecting millions of customers. Advancements within the Information Security industry have enabled the collection of open-source information through tools and standardized reconnaissance methodologies. Based on these accomplishments, research must be conducted to determine how this information can be used to calculate a company’s cyber risk without the benefits of internal visibility.


  • Six Steps To Successful Mobile Validation by Heather Mahalik, John Bair, Alexis, Brignoni, Stephen Coates, Mike Dickinson, Mattia Epifani, Jessica Hyde, Vladimir Katalov, Scott Koenig, Paul Lorentz, Christophe Poirier, Lee Reiber, Martin Westman, Mike Williamson, Ian Whiffin, and Oleg Skulkin - May 7, 2021 in Mobile Security

    Digital forensics is a complex and ever-changing field that requires a lot of testing, tools and validation. This paper is written by experts in smartphone forensics who have many years' experience in research, tool development, validation, testimony and who care about educating the community on the recommended steps to ensure mobile data is extracted, examined and reported in a manner that is trusted.


  • Staying Invisible: Analyzing Private Browsing and Anti-forensics on Mac OS X SANS.edu Graduate Student Research
    by Rick Schroeder - May 6, 2021 in Forensics

    The increasing desire to protect personal information has resulted in enhanced privacy features in web browsers. Private browsing modes combined with the growing popularity of disk cleaning tools present a problem for forensic analysts. The increase in privacy features results in a reduction of forensic evidence on the suspect system. This added complexity makes it difficult for an investigator to determine which websites were browsed by the suspect. When the primary sources of forensic evidence are tampered with, it is necessary to identify secondary sources. In Windows-based investigations, secondary evidence is often discovered within hibernation files, operating system artifacts, or error logs. Digital forensic analysts require similar files in macOS. They need to understand how and when logs are written. Identifying and understanding secondary sources of evidence is essential for an analyst to support the details of their case.


  • ExcavationPack: A Framework for Processing Data Dumps SANS.edu Graduate Student Research
    by TJ Nicholls - May 6, 2021 in Free and Open Source Software

    Data dumped online from breaches is rich with information but can be challenging to process. The data is often unstructured and littered with different data types. This research presents a framework using Docker containers to process unstructured data. The container-focused approach enables flexible data processing strategies, horizontal scaling of resources, the efficacy of processing strategies, and future growth. Security professionals utilizing this framework will be able to identify points of interest in data dumps.


  • GPS for Authentication: Is the Juice Worth the Squeeze? SANS.edu Graduate Student Research
    by Adam Baker - May 6, 2021 in Authentication

    For decades, location has been used as a validating factor in authentication. However, this has almost exclusively reflected IP address-based geolocation, a far less precise data point than a GPS coordinate. This paper will compare the precision of IP address location data to that of GPS coordinates, to determine if the increased available precision of GPS coordinates provides sufficient enhancement in value to justify expanding the use of GPS coordinates for authentication.


  • Identifying the Android Operating System Version thru UsageStats by Alexis Brignoni - April 28, 2021 in Forensics

    Locating the Android operating system version within a digital forensic extraction is necessary to properly apply operating system specific domain knowledge when parsing the data for forensic artifacts. Most automated tools that parse Android full file system extractions depend on the /system/build.prop file to determine the Android version among other device identifiers. Due to how variable Android implementations are regarding access to the data source a build.prop file might not be available in a particular forensic extraction. Is there a way to determine the Android version of an extraction by only looking at the userdata directory? The answer is yes. This was useful to me since some of my digital forensics tooling for Android extractions would benefit from programmatically identifying the Android version when a build.props file is not available.


  • How to Build a Security Posture Strategy for the Control Plane and Assets in the AWS Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 28, 2021 in Best Practices, Cloud Security

    Security operations teams need to adjust their strategies as the surface area of the cloud grows. This means stronger configuration practices, including identity policies and authentication, storage configuration, workload configuration, and tuning. Based on the shared responsibility model, these are all control requirements for which cloud tenants are responsible. Improving cloud security posture requires increased visibility and centralized control over cloud configuration and workload management. This whitepaper is designed to help you build an effective and timely strategy for securing your control plane.


  • Contextualizing the MITRE ATT&CK Framework Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - April 27, 2021 in Forensics, Threats/Vulnerabilities

    Getting the right data to test security controls effectively is easier said than done. Too often, organizations are testing attacker techniques without the context necessary to build effective security control tests. While the MITRE ATT&CK framework provides useful information, when used in conjunction with threat intel reports it can provide a deeper understanding of how, why, and when attackers may abuse a technique. Using real-world examples, this paper shows you how to build efficient, life cycle-appropriate tests that identify visibility gaps and more in order to improve your defenses.


  • Scoping an Intrusion Using Identity, Host, and Network Indicators Analyst Paper (requires membership in SANS.org community)
    by Christopher Crowley - April 22, 2021 in Intrusion Detection, Intrusion Prevention

    Second half of a two-part series, this paper covers post identification activities. The techniques covered here could also be used for initial identification, but they're discussed here as though there is already an initial identification which can be used. The effort discussed herein, is to effectively determine the scope of an intrusion. Defenders fail to discover the full extent of adversary infrastructure. Defenders claim "containment" without thoroughly searching for adversary. Defenders limit the scope of searching for adversary capability and infrastructure for only known items...instead of accepting that the adversary isn't limited to using the tactics and techniques we've discovered. In fact, it's in the adversary's interest to have heterogeneous capability to persist through discovery of one tactic or technique. Adversaries reuse infrastructure because there is a cost of resources and complexity to maintain multiple parallel infrastructures. A single infrastructure is frequently good enough since defenders aren't consistently thorough in intrusion scope discovery or eradication. This paper highlights techniques for scoping an incident once discovered, and the sources available on the network endpoints for identification of adversary infrastructure.


  • Understanding Your Attack Surface Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - April 21, 2021 in Intrusion Detection, Intrusion Prevention

    What does it mean to evaluate your attack surface? For many organizations, it may simply mean running a vulnerability scanner against their perimeter and hoping an attacker does not do the same. This legacy thinking leaves out all the nooks and crannies that attackers have become adept at finding. Your attack service should also include your system and network configurations, brand exposure, and knowledge of how your data is secured amongst numerous cloud providers. In this paper, we will provide our review of Netenrich's Attack Surface Intelligence (ASI) application. Offering unique insight into the aforementioned data points - and then some - Netenrich presents a novel way to examine enterprise exposure and evaluate potential risks. ASI provides the best of both worlds - a convenient, high-level point of view on organizational risk, while still providing the granular context that analysts need to analyze and remediate potential risks.


  • How to Use Historical Passive DNS for Defense Investigations and Risk Assessments Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 20, 2021 in Threat Hunting, Threats/Vulnerabilities

    Passive DNS offers a wealth of historical DNS records analysts can use to gain valuable insight into changes over time, changes that can provide them with valuable context in their threat hunting investigations. In this paper, SANS Analyst Dave Shackleford explores Farsight Security's Passive DNS Database (DNSDB) as a tool for identifying threats, reducing risk, and resolving incidents. In addition to sharing his experiences of what it's like to work with DNSDB database, Shackleford walks through five real-world use cases that demonstrate how to conduct searches, limit query results, and use the context of those results to reduce risks and resolve incidents.


  • A SANS 2021 Report: Top Skills Analysts Need to Master Analyst Paper (requires membership in SANS.org community)
    by Ismael Valenzuela - April 20, 2021 in Security Awareness, Security Basics

    As one of the highest-paid jobs in the field, security analysts must become "all-around defenders," highly competent in threat detection, while maintaining excellent analytical and communication skills. But what are the technical and nontechnical skills required to acquire mastery in this role? In this whitepaper, SANS author, instructor, and analyst Ismael Valenzuela answers these questions and examines the top skills that security analysts need.


  • Vulnerability Management Blueprint for the Clinical Environment SANS.edu Graduate Student Research
    by Adi Sitnica - April 14, 2021 in HIPAA

    The industry-standard vulnerability management process is largely inapplicable within clinical settings. Unique medical industry-specific devices and other complexities and limitations, such as vendor-owned and managed systems and regulated and other non-standard hardware, limit the general effectiveness of the process. This document explores a standard clinical footprint and provides guidance (or a 'blueprint') to further developing and maturing the vulnerability management operational model for clinical settings, with the primary goal of risk reduction within the confines of a clinical environment.


  • SANS 2021 Cloud Security Survey Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 13, 2021 in Security Awareness, Security Trends

    This SANS survey explored the types of services organizations are using, what types of controls and tools provide the most value, and how effective cloud security brokering is for a range of use cases.


  • A Multi-leveled Approach for Detection of Coercive Malicious Documents Employing Optical Character Recognition SANS.edu Graduate Student Research
    by Josiah Smith - April 8, 2021 in Intrusion Detection

    Authors of malicious documents often include a graphical asset used to lure the potential victim to "enable editing" and to "enable content" to activate the macro's embedded logic. While these graphical lures vary in theme, language, and content, they commonly have similar coercive text. Using Optical Character Recognition to produce text files of the images provides the ability to anchor the images' contents. While attackers have been known to intentionally manipulate images to bypass OCR-based detection, some additional techniques can surface the textual contents. Optical Character Recognition can be utilized to track, pivot, and cluster malicious campaigns, identify new TTPs, and possibly provide attribution against adversaries.


  • How to Architect a Security-Driven Networking Strategy in the AWS Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 5, 2021 in Network Access Control, Cloud Security

    As organizations shift more resources to the cloud, defenses have grown organically along with the increase in size and complexity of networks. Today, a new model of security-driven networking, known as security-driven layered defense, is helping organizations create a strong set of proactive layered network defenses. In this whitepaper, SANS analyst Dave Shackleford explains how security teams are using this model to strengthen their network defenses and describes the capabilities and features they should consider when designing a robust, cloud-centered network security strategy.


  • Network Security: Protecting Your Organization Against Supply Chain Attacks Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 31, 2021 in Threat Hunting, Threats/Vulnerabilities

    Recent supply chain attacks have proven that third parties are an unexpected, yet trusted, entry vector into an organization. By utilizing legitimate methods to breach an organization, threat actors can hide under the radar with escalated privileges. Furthermore, attackers have shown that they are security-savvy, knowledgeable of enterprise defenses and their workarounds. Enterprise defense should be structured around BOTH system and network data; without, you will never see the full picture. With this webcast, we will outline NDR capabilities and how bringing endpoint and network together will prove to be a one-two punch to bring down even advanced attackers. We will specifically outline how to mitigate common third-party attack surfaces, what could have been done differently in the wake of the attack, and have the recent attacks provided enough reason to consider changes in implementation.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.