3 Days Left to Save $400 on SANS Baltimore Spring 2017

Reading Room

SANS eNewsletters

Receive the latest security threats, vulnerabilities, and news with expert commentary

How are you responding to incidents and attacks? What solutions work best? Share your experiences in our 2017 SANS Incident Response Survey and enter to win a $400 gift card.https://www.surveymonkey.com/r/2017SANSIRSurvey

SANS 2017 SOC Survey is NOW OPEN - It takes a village to protect today's networks from cyber threats. Tell us how your organization is accomplishing these tasks and enter to win a $400 Amazon gift card! https://www.surveymonkey.com/r/2017SANSSOCSurvey

ICS security: SANS needs your input on attacks and threats and how you're preventing and mitigating them in the industrial control systems environments. Share your experiences and enter to win a $400 Amazon gift card! https://www.surveymonkey.com/r/2017SANSICSSurvey

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,640 original computer security white papers in 101 different categories.

Latest 25 Papers Added to the Reading Room

  • Tor Browser Artifacts in Windows 10 STI Graduate Student Research
    by Aron Warren - February 24, 2017 in Forensics

    The Tor network is a popular, encrypted, worldwide, anonymizing virtual network in existence since 2002 and is used by all facets of society such as privacy advocates, journalists, governments, and criminals. This paper will provide a forensic analysis of the Tor Browser version 5 client on a Windows 10 host for an individual or group interested in remnants left by the software. This paper will utilize various free and commercial tools to provide a detailed analysis of filesystem artifacts as well as a comparison between pre- and post- connection to the Tor network using memory analysis.


  • OS X as a Forensic Platform STI Graduate Student Research
    by David M. Martin - February 22, 2017 in Mac/Apple Issues, Forensics

    The Apple Macintosh and its OS X operating system have seen increasing adoption by technical professionals, including digital forensic analysts. Forensic software support for OS X remains less mature than that of Windows or Linux. While many Linux forensic tools will work on OS X, instructions for how to configure the tool in OS X are often missing or confusing. OS X also lacks an integrated package management system for command line tools. Python, which serves as the basis for many open-source forensic tools, can be difficult to maintain and easy to misconfigure on OS X. Due to these challenges, many OS X users choose to run their forensic tools from Windows or Linux virtual machines. While this can be an effective and expedient solution, those users miss out on the much of the power of the Macintosh platform. This research will examine the process of configuring a native OS X forensic environment that includes many open-source forensic tools, including Bulk Extractor, Plaso, Rekall, Sleuthkit, Volatility, and Yara. This process includes choosing the correct hardware and software, configuring it properly, and overcoming some of the unique challenges of the OS X environment. A series of performance tests will help determine the optimal hardware and software configuration and examine the performance impact of virtualization options.


  • DevSecOps Transformation: The New DNA of Agile Business Analyst Paper
    by Dave Shackleford - February 21, 2017 in Security Trends, Threats/Vulnerabilities

    This is an additional resource that accompanies the analyst paper, "The DevSecOps Approach to Securing Your Code and Your Cloud". To view the paper please click this link.


  • Indicators of Compromise TeslaCrypt Malware STI Graduate Student Research
    by Kevin Kelly - February 16, 2017 in Security Awareness, Best Practices

    Malware has become a growing concern in a society of interconnected devices and realtime communications. This paper will show how to analyze live ransomware malware samples, how malware processes locally, over time and within the network. Analyzing live ransomware gives a unique three-dimensional perspective, visually locating crucial signatures and behaviors efficiently. In lieu of reverse engineering or parsing the malware executable’s infrastructure, live analysis provides a simpler method to root out indicators. Ransomware touches just about every file and many of the registry keys. Analysis can be done, but it needs to be focused. The analysis of malware capabilities from different datasets, including process monitoring, flow data, registry key changes, and network traffic will yield indicators of compromise. These indicators will be collected using various open source tools such as Sysinternals suite, Fiddler, Wireshark, and Snort, to name a few. Malware indicators of compromise will be collected to produce defensive countermeasures against unwanted advanced adversary activity on a network. A virtual appliance platform with simulated production Windows 8 O/S will be created, infected and processed to collect indicators to be used to secure enterprise systems. Different tools will leverage datasets to gather indicators, view malware on multiple layers, contain compromised hosts and prevent future infections.


  • PLC Device Security - Tailoring needs by Wen Chinn Yew - February 15, 2017 in Threats/Vulnerabilities

    Programmable Logic Controller (PLC) is widely used in many industries. With increasing concern and interest in the security of these controllers and their impact to the industries, there is a growing trend to integrate security directly into them. It is not realistic or wise to have a one size fit all solution. This paper presents focus areas and requirements suited for various classes of PLCs in the market. It looks at the threats and vulnerabilities faced by them and current security solutions adopted. The paper then recommends how PLC vendors should have different but extensible security solutions applied across various classes of controllers in their product portfolio.


  • Impediments to Adoption of Two-factor Authentication by Home End-Users STI Graduate Student Research
    by Preston Ackerman - February 10, 2017 in Authentication

    Cyber criminals have proven to be both capable and motivated to profit from compromised personal information. The FBI has reported that victims have suffered over $3 billion in losses through compromise of email accounts alone (IC3 2016). One security measure which has been demonstrated to be effective against many of these attacks is two-factor authentication (2FA). The FBI, the Department of Homeland Security US Computer Emergency Readiness Team (US-CERT), and the internationally recognized security training and awareness organization, the SANS Institute, all strongly recommend the use of two-factor authentication. Nevertheless, adoption rates of 2FA are low.


  • Obfuscation and Polymorphism in Interpreted Code by Kristopher L. Russo - February 10, 2017 in Active Defense, Forensics, Malicious Code

    Malware research has operated primarily in a reactive state to date but will need to become more proactive to bring malware time to detection rates down to acceptable levels. Challenging researchers to begin creating their own code that defeats traditional malware detection will help bring about this change. This paper demonstrates a sample code framework that is easily and dynamically expanded on. It shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems. The code sample documented within demonstrates that modern malware mitigation systems are not robust enough to prevent even the most basic of threats. A significant amount of difficult to detect malware that is in circulation today is evidence of this deficiency. This paper is designed to demonstrate how malware researchers can approach this problem in a way that partners researchers with vendors in a way that follows code development from ideation through design to implementation and ultimately on to identification and mitigation.


  • The DevSecOps Approach to Securing Your Code and Your Cloud Analyst Paper
    by Dave Shackleford - February 7, 2017 in Security Trends, Threats/Vulnerabilities

    DevSecOps, at heart, is about collaboration. More specifically, it is continual collaboration between information security, application development and IT operations teams. Having all three teams immersed in all development and deployment activities makes it easier for information security teams to integrate controls into the deployment pipeline without causing delays or creating issues by implementing security controls after systems are already running. Despite the potential benefits, getting started with DevSecOps will likely require some cultural changes and considerable planning, especially when automating the configuration and security of assets in the cloud. To help the shift toward a more collaborative culture, security teams need to integrate with the developers who are promoting code to cloud-based applications to show they can bring quality conditions to bear on any production code push without slowing the process. Security teams should also work with QA and development to define the key qualifiers and parameters that need to be met before any code can be promoted. This paper also has an additional resource titled, "DevSecOps Transformation: The New DNA of Agile Business". The resource can be accessed by clicking this link.


  • Moving Toward Better Security Testing of Software for Financial Services Analyst Paper
    by Steve Kosten - February 7, 2017 in Application and Database Security

    The financial services industry (FSI) maintains high-value assets and typically operates in a very complex environment. Applications of all types--web applications, mobile applications, internal web services and so forth--are being developed quickly in response to market pressures by developers with limited security training and with relatively immature processes to support secure application development. This combination presents a juicy target for attackers, and data shows that the FSI continues to be a top target. Attempts to introduce security into the application life cycle frequently face challenges such as a lack of available application security expertise, concerns about costs for tooling, and a fear among product owners that security processes might impede the development cycle and slow their response to market conditions. This paper explores why the applications are being targeted, what is motivating the attackers and what some inhibitors of application security are. Most important, this paper specifies some best practices for developing a secure development life cycle to safeguard applications in the FSI.


  • Dissect the Phish to Hunt Infections STI Graduate Student Research
    by Seth Polley - February 3, 2017 in Security Awareness

    Internal defense is a perilous problem facing many organizations today. The sole reliance on external defenses is all too common, leaving the internal organization largely unprotected. The times when internal defense is actually considered, how many think beyond the fallible antivirus (AV) or immature data loss prevention (DLP) solutions? Considering the rise of phishing emails and other social engineering campaigns, there is a significantly increased risk that an organization’s current external and internal defenses will fail to prevent compromises. How would a cyber security team detect an attacker establishing a foothold within the center of the organization or undetectable malware being downloaded internally if a user were to fall for a phishing attempt?


  • Forensication Education: Towards a Digital Forensics Instructional Framework STI Graduate Student Research
    by J. Richard “Rick” Kiper - February 3, 2017 in Best Practices, Forensics, Training

    The field of digital forensics is a diverse and fast-paced branch of cyber investigations. Unfortunately, common efforts to train individuals in this area have been inconsistent and ineffective, as curriculum managers attempt to plug in off-the-shelf courses without an overall educational strategy. The aim of this study is to identify the most effective instructional design features for a future entry-level digital forensics course. To achieve this goal, an expert panel of digital forensics professionals was assembled to identify and prioritize the features, which included general learning outcomes, specific learning goals, instructional delivery formats, instructor characteristics, and assessment strategies. Data was collected from participants using validated group consensus methods such as Delphi and cumulative voting. The product of this effort was the Digital Forensics Framework for Instruction Design (DFFID), a comprehensive digital forensics instructional framework meant to guide the development of future digital forensics curricula.


  • From Security Perspective, the Quickest Way to Assess Your Web Application by Mohammed Alduhaymi - February 3, 2017 in Web Application Security

    The aim of this paper is to explain how to assess web applications with a fast, easy and effective method. A framework has been created as a Chrome Extension to solve two problems. 1. The first problem is when the IT team wants to know the security posture of their web application, but they did not have the budget/time to hire a penetration tester. Therefore, they can use this framework "WPSecAnalyzer Chrome Extension" to check their web application scores from a security perspective without having a deep knowledge of penetration testing. 2. The second problem is when the penetration tester wants to do the reconnaissance phase, he will use many tools, which will consume his time/effort. Consequently, to reduce the time/effort consumed he can use "WPSecAnalyzer Extension" to check many issues/vulnerabilities from one place with an efficient and effective method. The Chrome Extension which is called "WPSecAnalyzer" checks and verifies eleven issues/vulnerabilities on any website the end user visits, and provides him with a report based on the findings. The report will have the score of the website, as well as a list of the findings based on eleven issues/vulnerabilities.


  • Cyber Insurance Conundrum: Using CIS Critical Security Controls for Underwriting Cyber Risk STI Graduate Student Research
    by Oleg Bogomolniy - February 1, 2017 in Legal Issues

    There has been a number of insurance industry- related research done to define new cyber security frameworks to help insurers underwrite cyber risk. This research includes copula-based actuarial models for pricing cyber insurance based on the number of computers; using peaks-over-threshold method (from extreme value theory) to identifying "cyber risks of daily life"; using Principal-Agent model (from microeconomic theory); creating methodology for common cyber risk categorization; modeling cyber risk based on operational risk, and more. However, there has been little to no input or research into cyber insurance related topics from cyber security experts. The purpose of this exploratory study is to propose the integration of a risk framework for underwriting cyber risk. This paper will analyze how CIS Critical Security Controls, along with its accompanying quantified metrics, benchmarking, and auditing tools can be used as a rating mechanism for determining the cybersecurity posture of insured organizations. Furthermore, such mechanism can be perpetually used for either self-assessments by insured organizations, or by independent qualified security assessors.


  • Digital Ghost: Turning the Tables Analyst Paper
    by Michael J. Assante - February 1, 2017 in Industrial Control Systems / SCADA

    The complex weave of digital technology relies heavily on hyperconnected systems to move data and unlock value through analytics. The benefits are real, but the stakes involved require a serious look at the potential downsides, including the risk of cyber attacks. Organizations embracing technology innovation should not focus solely on efficiency and productivity, for innovation done correctly can also reduce the risks that come with expanding digital touchpoints.


  • Attack and Defend: Linux Privilege Escalation Techniques of 2016 STI Graduate Student Research
    by Michael Long II - January 30, 2017 in Linux Issues, Privilege Management, Penetration Testing

    Recent kernel exploits such as Dirty COW show that despite continuous improvements in Linux security, privilege escalation vectors are still in widespread use and remain a problem for the Linux community. Linux system administrators are generally cognizant of the importance of hardening their Linux systems against privilege escalation attacks; however, they often lack the knowledge, skill, and resources to effectively safeguard their systems against such threats. This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them. Additionally, this paper will offer remediation procedures in order to inform system administrators on methods to mitigate the impact of Linux privilege escalation attacks.


  • Using COIN Doctrine to Improve Cyber Security Policies STI Graduate Student Research
    by Sebastien Godin - January 27, 2017 in Security Policy Issues

    In today’s ever-evolving Cyber environment, the “bad guys” seem to prosper, and the “good guys” cannot seem to find a solution to create a proper defensive posture. As the Cyber environment becomes an integral part of society, it is imperative to find a way to increase the global defensive posture in the most efficient way possible. This paper will focus on possible security policies that are easy to implement, are proven, and have a significant impact on an enterprise's security practices and posture. The argument will use field data and firsthand combat experience. Working within the framework of the Cyber environment as an insurgency, applying proven Counterinsurgency policies, there can be a great increase in security and a more efficient Cyber defender. The application of this solution gives the potential for the Cyber defender to have a new set of tools for the Cyber domain that are proven to be useful in the physical domain of a counterinsurgency.


  • Building and Maintaining a Denial of Service Defense for Businesses STI Graduate Student Research
    by Matt Freeman - January 25, 2017 in Critical Controls, Getting Started/InfoSec, Security Trends

    Distributed Denial of Service (DDoS) attacks have been around for decades but still cause problems for most businesses. While easy to launch, DDoS attacks can be difficult to sustain and even more difficult to monetize for attackers. From the business perspective, a DDoS attack might result in lost revenue but is unlikely to have the same long term impact that a data breach may have. Recent changes in the IT landscape have made DDoS a more attractive attack vector for hackers. The industry trend to connect more and more devices to the Internet (often with minimal to no security), dubbed the "Internet of Things" has created a new marketplace for bad actors to sell their resource exhaustion services. Businesses need to consider all options when planning and implementing a defensive posture against denial of service attacks. As security vendors continue to offer new (and expensive) options to defend against these attacks, how does an InfoSec manager know which is best for their business. Using an "Offense informs the Defense" approach, this paper will analyze the methods used during DDoS attacks in order to determine the most appropriate defensive postures.


  • Implementing the Critical Security Controls Analyst Paper
    by Jim D. Hietala - January 24, 2017 in Critical Controls

    This paper serves as a how-to for organizations in various stages of implementing the controls and offers two real-world examples of CIS Control adoption. The case studies are based on real-time interviews with the people behind the efforts and includes the security environments before the implementation, the challenges experienced in adopting the controls and the benefits they’ve experienced.


  • Countering Impersonation, Spearphishing and Other Email-Borne Threats: A Review of Mimecast Targeted Threat Protection Analyst Paper
    by Jerry Shenk - January 24, 2017 in Data Loss Prevention, Social Engineering

    The FBI estimates that between October 2013 and August 2015, more than 7,000 U.S.-based organizations lost a total of $748 million to business email scams. Such scams rely on the same tricks as confidence artists in the real world: the appearance of legitimacy and the tendency of victims to go along with requests that appear to be on the up-and-up, without checking to be sure. In this whitepaper, SANS senior analyst Jerry Shenk evaluates Targeted Threat Protect, an email-security service from Mimecast that is focused on stopping sophisticated phishing attacks. Among its most difficult targets: “whaling” attacks that spoof high-level executives asking for sensitive data, access or the transfer of money to accounts owned by scammers.


  • Back to Basics: Focus on the First Six CIS Critical Security Controls Analyst Paper
    by John Pescatore - January 24, 2017 in Best Practices, Data Protection

    Rather than a lack of choices in security solutions, a major problem in cyber security is an inability to implement mature processes - many organizations lack a defined and repeatable process for selecting, implementing and monitoring the security controls that are most effective against real-world threats. This paper explores how the Center for Internet Security (CIS) Critical Security Controls has proven to be an effective framework for addressing that problem.


  • Superfish and TLS: A Case Study of Betrayed Trust and Legal Liability STI Graduate Student Research
    by Sandra Dunn - January 24, 2017 in Digital Certificates

    Superfish, the bloat adware included in Lenovo consumer laptops from 2014-2015 which intentionally broke TLS, exposed user's personal data to compromise and theft, and altered search result ads in user's browsers severely impacted Lenovo brand reputation. There have been other high profile cases of intentionally modifying and breaking TLS that used questionable and deceptive practices but few that generated as much attention and provide such a clear example of a chain of missteps between Lenovo, Superfish, and their customers. A case study of the Superfish mishap exposes the danger, risk, legal liability, and potential government investigation for organization deploying TLS certificates and keys that breaks or weakens the security design and puts private data or people at risk. The Superfish case further demonstrates the importance of a company's disclosure transparency to avoid accusations of deceptive practices if breaking TLS is required to protect users or an organization's data.


  • Intrusion Detection Evasion Techniques and Case Studies STI Graduate Student Research
    by Pierce Gibbs - January 23, 2017 in Intrusion Detection

    The number of security breaches is increasing significantly each year. Global Internet traffic is expected to be on the order of zettabytes for 2016 and then doubling by 2020. In addition to increased traffic, the percentage of attack traffic is also increasing. The sophistication of attacks is also increasing. Attacks range in complexity from simple protocol, insertion, or desynchronization attacks that exploit the vagueness and incompleteness of the RFCs to polymorphic blending attacks that camouflage attack and exfiltration traffic to match normal traffic for that particular network. Various evasion techniques have been described in articles within this field of study, but there has not been a collective discussion on the variety of evasion techniques. A comprehensive compilation of the most common evasion techniques is needed to aid Intrusion Detection System providers and to assist various decision makers as they determine how best to apply limited resources to protect assets. This paper is a case study analysis designed to detail the most common intrusion evasion techniques that exist in the wild today.


  • Minimizing Legal Risk When Using Cybersecurity Scanning Tools STI Graduate Student Research
    by John Dittmer - January 19, 2017 in Legal Issues

    When cybersecurity professionals use scanning tools on the networks and devices of organizations, there can be legal risks that need to be managed by individuals and enterprises. Often, scanning tools are used to measure compliance with cybersecurity policies and laws, so they must be used with due care. There are protocols that should be followed to ensure proper use of the scanning tools to prevent interference with normal network or system operations and to ensure the accuracy of the scanning results. Several challenges will be examined in depth, such as, measuring for scanner accuracy, proper methods of obtaining written consent for scanning, and how to set up a scanning session for optimum examination of systems or networks. This paper will provide cybersecurity professionals and managers with a better understanding of how and when to use the scanning tools while minimizing the legal risk to themselves and their enterprises.


  • Packets Don't Lie: LogRythm NetMon Freemium Review Analyst Paper
    by Dave Shackleford - January 18, 2017 in Intrusion Detection, Data Loss Prevention

    With more traffic than ever passing through our environments, and adversaries who know how to blend in, network security analysts need all the help they can get. At the same time, data is leaking out of our environments right under our noses. This paper investigates how LogRhythm’s Network Monitor Freemium (NetMon Freemium) Version 3.2.3 provides intelligent monitoring, and helps organizations to identify sensitive data leaving the network and to respond when loss occurs.


  • Leveraging the Asset Inventory Database STI Graduate Student Research
    by Timothy Straightiff - January 4, 2017 in Critical Controls

    A well maintained Asset Inventory Database can aid in building a more comprehensive security program based on the CIS Critical Security Controls (CSC). Adding inputs and outputs to the database workflow will help the organization with several of the Critical Security Controls. The Critical Security Controls define a list of prioritized controls that, when followed, can improve the security foundation of an organization. The controls are most effective when implemented in order. Keeping an integrated and well maintained Asset Inventory Database with the proper inputs and outputs can serve as a foundational element in any comprehensive security program.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.