Two Days Left to Get an iPad Air with Smart Keyboard, or Surface Go, or $300 Off with OnDemand or vLive Training ends tomorrow!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,910 original computer security white papers in 110 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Better Security Using the People You Have Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 13, 2019 in Security Awareness, Security Trends

    Is your organization making optimal use of technology and processes to support the people you currently have? Because, if not, there is more work to do-and it doesn't involve hiring more people. This paper looks at the people, process and technology trifecta to identify weak points in your security. Compensate for deficiencies, maximize the resources you have, and prepare for future security threats. Get tips on how to empower your employees and help them grow their skills relative to the sophistication of today's security challenges.


  • Device Visibility and Control: Streamlining IT and OT Security with Forescout Analyst Paper (requires membership in SANS.org community)
    by Don Murdoch - August 12, 2019 in Network Access Control, Clients and Endpoints

    Forescout's latest iteration of its eponymous platform builds on the product's long-standing reputation for handling network admission controls, and adds multifaceted IT/OT network device visibility and control. In this review, SANS analyst and instructor Don Murdoch delves deep into how Forescout can help organizations gain greater visibility into the devices on the network, through device discovery, auto classification, risk assessment and automating security controls.


  • SANS 2019 Incident Response (IR) Survey: It's Time for a Change Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 31, 2019 in Incident Handling, Security Trends

    The 2019 SANS Incident Response (IR) survey provides insight into the integration of IR capabilities to identify weak spots and best practices for improving IR functions and capabilities. In this survey paper, senior SANS instructor and IR expert Matt Bromiley explores what types of data, tools and information are key to investigations of an incident; the state of budget and staffing for IR; maturity of IR processes; impediments to IR implementations and plans for improvement; and more. The report also includes actionable advice for improving organizational IR practices.


  • ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis STI Graduate Student Research
    by Andy Piazza - July 29, 2019 in Threat Intelligence

    Risk management is a principal focus for most information security programs. Executives rely on their IT security staff to provide timely and accurate information regarding the threats and vulnerabilities within the enterprise so that they can effectively manage the risks facing their organizations. Threat intelligence teams provide analysis that supports executive decision-makers at the strategic and operational levels. This analysis aids decision makers in their commission to balance risk management with resource management. By leveraging the MITRE Adversarial Tactics Techniques & Common Knowledge (ATT&CK) framework as a quantitative data model, analysts can bridge the gap between strategic, operational, and tactical intelligence while advising their leadership on how to prioritize computer network defense, incident response, and threat hunting efforts to maximize resources while addressing priority threats.


  • How to Protect Enterprise Systems with Cloud-Based Firewalls Analyst Paper (requires membership in SANS.org community)
    by Kevin Garvey - July 26, 2019 in Cloud Computing, Firewalls & Perimeter Protection

    Deploying WAFs and firewalls in the cloud saves security teams valuable time as they rely on the cloud to automate many tasks. This paper identifies key considerations in using cloud-based firewalls to protect your enterprise, including network logging, IDS/IPS, authentication and inspection. This paper also covers advanced firewalls features like behavioral threat detection, next-gen analytics and customized rules. A comprehensive use case serves as an essential how-to for making it all work.


  • JumpStart Guide for Cloud-Based Firewalls in AWS Analyst Paper (requires membership in SANS.org community)
    by Brian Russell - July 24, 2019 in Cloud Computing, Firewalls & Perimeter Protection

    This guide examines options for implementing firewalls within the Amazon Web Services (AWS) Cloud. It examines the needs and capabilities associated with today’s firewall and threat prevention services and details general, technical and operational considerations when choosing these products. The guide concludes by examining AWS-specific considerations and recommending a plan of action for organizations considering the purchase of cloud-based firewalls.


  • Bye Bye Passwords: New Ways to Authenticate Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 23, 2019 in Authentication, Security Trends

    The "passwordless movement" is upon us! This paper addresses ways to change password handling and implement more secure authentication It examines the problem of passwords and password mismanagement, and provides tips and suggestions for increasing your organization's account security using modern industry standards.


  • Are Your Security Controls Yesterday’s News? Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 18, 2019 in Security Awareness, Threats/Vulnerabilities

    This spotlight paper, one of a two-part series, looks at just how successful an organization can expect to be if it's using old news, limited scope or "cookie-cutter" vulnerability scans as a way to assess its environment. SANS believes security control testing needs to improve significantly to emulate actual--not hypothetical--threats to an organization.
    The second spotlight (coming in October 2019) will focus on the input SANS received from a recent poll that gathered opinions from the SANS community on this topic.


  • Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey Analyst Paper (requires membership in SANS.org community)
    by Chris Crowley and John Pescatore - July 9, 2019 in Security Trends, SOC

    In this survey, senior SANS instructor and course author Christopher Crowley, along with advisor and SANS director of emerging technologies John Pescatore, provide objective data to security leaders who are looking to establish a SOC or optimize an existing one. This report captures common and best practices, provides defendable metrics that can be used to justify SOC resources to management, and highlights the key areas that SOC managers should prioritize to increase the effectiveness and efficiency of security operations.


  • Attackers Inside the Walls: Detecting Malicious Activity STI Graduate Student Research
    by Sean Goodwin - July 2, 2019 in Intrusion Detection

    Small and medium-sized businesses (SMBs) do not always have the budget for an advanced intrusion detection system (IDS) technology. Open-source software can fill this gap, but these free solutions may not provide full coverage for known attacks, especially once the attacker is inside the perimeter. This paper investigates the IDS capabilities of a stand-alone Security Onion device when combined with built-in event logging in a small Windows environment to detect malicious actors on the internal network.


  • Building Cloud-Based Automated Response Systems STI Graduate Student Research
    by Mishka McCowan - July 2, 2019 in Cloud Computing

    When moving to public cloud infrastructures such as Amazon Web Services (AWS), organizations gain access to tools and services that enable automated responses to specific threats. This paper will explore the advantages and disadvantages of using native AWS services to build an automated response system. It will examine the elements that organizations should consider including developing the proper skills and systems that are required for the long-term viability of such a system.


  • Leveraging the PE Rich Header for Static Malware Detection and Linking by Maksim Dubyk - July 1, 2019 in Reverse Engineering Malware

    An ever-increasing number of malware samples are identified and assessed daily. Malware researchers have the difficult mission of classifying and grouping these malware specimens. Defenders must not only judge if a file is malicious or benign, but also determine how a file may relate to other groupings of known samples. The static comparison of file and file-format based properties are often utilized to execute this objective at scale. This paper builds upon previously identified Windows’ portable executable (PE) static comparison techniques through the exploration of the undocumented PE Rich header. The Rich header is a PE section that serves as a fingerprint of a Windows’ executable’s build environment. This under-utilized wealth of information can provide value to defenders in support of classifying and associating PE-based malware. This paper explores how to extract the details hidden in the Rich header and how they might be exploited to link and classify malware samples. In addition, this paper evaluates how the static linking of PE rich header sections compare to traditional static PE linking techniques.


  • How to Build an Endpoint Security Strategy in AWS Analyst Paper (requires membership in SANS.org community)
    by Thomas J. Banasik - June 27, 2019 in Clients and Endpoints, Cloud Computing

    Endpoint security is the cornerstone of any successful cloud migration. This paper details how to build an endpoint security strategy that uses a defense-in-depth architecture to protect cloud assets, as well as implement key endpoint security capabilities such as EDR, UEBA and DLP solutions. It also explains synchronization with AWS services for a comprehensive view that increases visibility when combatting threats.


  • Why Traditional EDR Is Not Working - and What to Do About It Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - June 27, 2019 in Clients and Endpoints

    EDR, or endpoint detection and response, promises to revolutionize the way security analysts neutralize attacks. Unfortunately, EDR has not always lived up to the promised hype. This paper examines the challenges of traditional EDR platforms, and suggests what you can do to overcome them for effective EDR implementation. Paper includes a checklist of considerations for selecting and deploying an EDR platform.


  • Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths STI Graduate Student Research
    by Brianne Fahey - June 26, 2019 in Logging Technology and Techniques, Tools

    Preparations made during the Identify Function of the NIST Cybersecurity Framework can often pay dividends once an event response is warranted. Knowing what log data is available improves incident response readiness and providing a visual layout of those sources enables responders to pivot rapidly across relevant elements. Thinking in graphs is a multi-dimensional approach that improves upon defense that relies on one-dimensional lists and two-dimensional link analyses. This paper proposes a methodology to survey available data element relationships and apply a graph database schema to create a visual map. This graph data map can be used by analysts to query relationships and determine paths through the available data sources. A graph data map also allows for the consideration of log sources typically found in a SIEM alongside other data sources like an asset management database, application whitelist, or HR information which may be particularly useful for event context and to review potential Insider Threats. The templates and techniques described in this paper are available in GitHub for immediate use and further testing.


  • Building and Maturing Your Threat Hunting Program Analyst Paper (requires membership in SANS.org community)
    by David Szili - June 24, 2019 in Threat Hunting

    Building an effective threat hunting program can be daunting. This paper addresses how to get started and covers building a team, what a typical hunt might look like and constructing a knowledge base for later use. It also covers how to create a test lab and use effective metrics.


  • JumpStart Guide for Endpoint Security in AWS Analyst Paper (requires membership in SANS.org community)
    by David Hazar - June 19, 2019 in Clients and Endpoints, Cloud Computing

    Endpoint security is a key component of any cybersecurity program, but some organizations struggle with extending this program component to cloud workloads. This paper provides guidance on the key issues to consider when choosing an endpoint security solution for integration on the AWS platform and suggests a process for making that important decision.


  • Analysis of a Multi-Architecture SSH Linux Backdoor by Angel Alonso-Parrizas - June 17, 2019 in Reverse Engineering Malware, Threat Intelligence

    A key aspect in any intrusion is to attempt to gain persistence on the compromised system. Threat actors and criminals assure persistence through different mechanisms including backdoors. The existence of backdoors is nothing new and over the years very popular backdoors targeting most Operating Systems and many application have been developed. This paper focuses on the code analysis of an SSH Linux backdoor used in the wild by a criminal group from 2016 to at least October 2018. The backdoor runs in multiple architectures; however, the research focuses on the ARM version of the backdoor using the recently released reversing tool Ghidra, which has been developed by the NSA.


  • How to Build a Data Security Strategy in AWS Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - June 13, 2019 in Cloud Computing, Data Protection

    When organizations move sensitive data to the cloud, they absolutely must choose a provider that can ensure compliance with privacy regulations on a global stage. Data security strategies in the cloud must include encryption and key management, data loss prevention and the capability to classify and track data. By using the AWS Cloud, organizations can protect sensitive data at rest, in transit and in use.


  • Authentication: It Is All About the User Experience Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - June 12, 2019 in Authentication

    In a world where compromised user credentials can cost an enterprise millions of dollars, the importance of being able to validate user accounts is a crucial enterprise requirement. Yet implementation of modern authentication techniques is lagging, even though it provides better user experiences as well as stronger authentication. This paper examines how these techniques can be applied within your organization for your employees--the other custodians of your data. It also explores the benefits of the new WebAuthn specification.


  • Automating Response to Phish Reporting STI Graduate Student Research
    by Geoffrey Parker - June 12, 2019 in Email Issues

    Phish Reporting buttons have become easy buttons. They are used universally for reporting spam, real phishing attacks when detected, and legitimate emails. Phish Reporting buttons automate the reporting process for users; however, they have become a catch-all to dispose of unwanted messages and are now overwhelming Response Teams and overflowing Help Desk ticket queues. The excessive reporting leads to a problem of managing timely responses to real phishing attacks. Response times to false positives, spam, and legitimate messages incorrectly reported are also significant factors. Vendors sold phish alert buttons with phishing simulation systems which then became part of more in-depth training systems and later threat management systems. Because of this organic growth, many companies implemented a phish reporting system but did not know that they needed an automation system to manage the resulting influx of tickets. Triage systems can automate a high percentage of these phish alerts, freeing the incident response teams to deal with the genuine threats to the enterprise on a prioritized basis.


  • SANS 2019 State of OT/ICS Cybersecurity Survey Analyst Paper (requires membership in SANS.org community)
    by Barbara Filkins and Doug Wylie - June 11, 2019 in Industrial Control Systems / SCADA, Security Trends

    In this survey, SANS experts Doug Wylie and Barb Filkins, with advisor and SANS instructor Jason Dely, examine the current state of known and perceived cybersecurity risks, threats and potential impacts to industrial and automation control systems that are applied within the Operational Technology (OT) domain. The survey explores how adeptly we are safeguarding operations and protecting human and company capital from a range of technical and non-technical cybersecurity risks that stem from threats that include malicious and unintentional insiders and outsiders. View the associated infographic here.


  • Mobile A/V: Is it worth it? STI Graduate Student Research
    by Nicholas Dorris - June 5, 2019 in Mobile Security

    In the mid 2010’s, mobile devices such as smartphones and tablets have become ubiquitous with users employing these gadgets for various applications. While this pervasive adoption of mobile devices offers numerous advantages, attackers have leveraged the languid attitude of device owners to secure the owner’s gadgets. The diversity of mobile devices exposes them to a variety of security threats, as the industry lacks a comprehensive solution to protect mobile devices. In a bid to secure their assets and informational resources, individuals and corporations have turned to commercial mobile antivirus software. Most security providers present mobile versions of their PC antivirus applications, which are primarily based on the conventional signature-based detection techniques. Although the signature-based strategy can be valuable in identifying and mitigating profiled malware, it is not as effective in detecting unknown, new, or evolving threats, as it lacks adequate information and signature regarding these infections. Mobile attackers have remained ahead via obfuscation and transformation methods to bypass detection techniques. This paper seeks to ascertain whether current mobile antivirus solutions are effective, in addition to which default Android settings assist in the prevention or mitigation of various malware and their consequences.


  • Finding Secrets in Source Code the DevOps Way STI Graduate Student Research
    by Phillip Marlow - June 5, 2019 in Securing Code

    Secrets, such as private keys or API tokens, are regularly leaked by developers in source code repositories. In 2016, researchers found over 1500 Slack API tokens in public GitHub repositories belonging to major companies (Detectify Labs, 2016). Moreover, a single leak can lead to widespread effects in dependent projects (JS Foundation, 2018) or direct monetary costs (Mogull, 2014). Existing tools for detecting these leaks are designed for either prevention or detection during full penetration-test-style scans. This paper presents a way to reduce detection time by integrating incremental secrets scanning into a continuous integration pipeline.


  • DICE and MUD Protocols for Securing IoT Devices STI Graduate Student Research
    by Muhammed Ayar - June 5, 2019 in Internet of Things

    An exponential growth of Internet of Things (IoT) devices on communication networks is creating an increasing security challenge that is threatening the entire Internet community. Attackers operating networks of IoT devices can target any site on the Internet and bring it down using denial of service attacks. As exemplified in various DDoS attacks that took down portions of the Internet in the past few years (such as the attacks on Dyn and KrebsOnSecurity (Hallman, Bryan, Palavicini Jr, Divita, Romero- Mariona, 2017)), IoT users need to take drastic steps in securing them. This research will discuss the steps in attempting to secure IoT devices using DICE and MUD.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.