Don't Miss: MacBook Air, Surface Pro 7, or $350 Off with SANS Online Training - Register Now!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 3,080 original computer security white papers in 111 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Reverse Engineering Virtual Machine File System 6 (VMFS 6) SANS.edu Graduate Student Research
    by Michael Smith - November 19, 2020 in Forensics

    Virtual Machine File System (VMFS) 6 is a proprietary file system. The file system’s proprietary nature means that many forensic applications are unable to parse the file system. There is a lack of support because proprietary file systems do not have to follow an accepted standard and can make modifications that break forensic tools with any release. This instability means that maintaining parsers for these file systems can become costly very quickly. This vacuum of support for proprietary file systems has created an opportunity for open-source utilities to grow in ways that support parsing these file systems. Skilled forensic examiners scour the open-source community and publicly available research for parsers and digital artifacts analyses when they encounter file systems or files unsupported by large forensic applications. The goal of this research is two-fold. First, to increase the understanding of VMFS 6 with its myriad digital artifacts. Second, to conclusively determine the recoverability of a deleted file.


  • Continuous Monitoring Effectiveness Against Detecting Insider Threat SANS.edu Graduate Student Research
    by Steven Austin - November 19, 2020 in Intrusion Detection

    More organizations are implementing some form of Continuous Monitoring, yet there is an increase in insider threat incidents. The number of insider threat incidents has increased by 47% in two years, from 3,200 in 2018 to 4,716 in 2020 (Epstein, 2020). This data shows insider threat is an on-going problem for organizations despite efforts to implement Continuous Monitoring. The results of this research provide organizations with evidence of Continuous Monitoring effectiveness against detecting malicious insider attack techniques.


  • 20/20 Vision for Implementing a Security Operations Center Analyst Paper (requires membership in SANS.org community)
    by Christopher Crowley - November 18, 2020 in SOC, Threats/Vulnerabilities

    Organizations want to transform the Security Operations Center (SOC) with automation and orchestration. Threat intelligence needs to be ingested, defense expenditures need to be optimized based on attacker tactics and techniques, new technology needs to be implemented, cloud resources and other external resources are taking the place of traditional on-premises systems, and skilled staff are scarce. To accomplish this modernization in stream with existing operations, a clear strategy for the capabilities and implementation is needed. How will you develop this strategic vision? Most organizations will look to the industry standards and reference implementations to determine a strategy before proceeding. This paper and webcast will help you explore what those models are. It will identify and discuss several models of what a SOC is. The relative merits and shortcomings will be identified, and value propositions will be offered. Your strategic outlook and your implementation will be substantially improved as a result.


  • Ransomware Prevention Special Report: How to Address a Pervasive and Unrelenting Threat Analyst Paper (requires membership in SANS.org community)
    by Justin Henderson - November 17, 2020 in Security Trends, Threats/Vulnerabilities

    Ransomware is a fast-growing threat affecting thousands of government agencies and municipalities, and now it is even targeting itself toward halting critical ICS/SCADA operations. This paper explains why and how ransomware is spreading, introduces standards and provide guidance for detecting and recovering from ransomware, based on US-CERT and NIST resources.


  • Effective ICS Cybersecurity Using the IEC 62443 Standard Analyst Paper (requires membership in SANS.org community)
    by Jason Dely - November 17, 2020 in Industrial Control Systems / SCADA, Network Security, Risk Management, Standards

    IEC 62443 is the global standard for the security of ICS networks, designed to help organizations reduce the risk of failure and exposure of ICS networks to cyberthreats. This paper explores how that standard can provide guidance to enterprises looking to choose and implement technical security capabilities. It also addresses how Fortinet's layered solutions may help asset owners and system integrators reach IEC 62443 compliance.


  • Supercharge Incident Response with DDI Visibility Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - November 16, 2020 in Cloud Security, Incident Handling

    A simple and efficient way to gain an advantage over attackers—and control of your environment’s security—is to utilize the data you already generate and own. This paper explores how organizations should rely on and incorporate key data points (DNS, DHCP, and IPAM) into nearly every aspect of their security approach.


  • Defeat the Dread of Adopting DMARC: Protect Domains from Unauthorized Email SANS.edu Graduate Student Research
    by Tim Lansing - November 11, 2020 in Email Issues

    Many large organizations do not implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) (Frenkel, 2017), and system administrators at small to medium businesses struggle to understand DMARC and how to use it to protect domains that send and do not send emails. When fully implemented, DMARC is a barrier discouraging criminals from conducting spoofing attacks against a domain (Kerner, 2018). DMARC reports on what servers are sending the domain’s email. This research examines how to simplify the process of configuring and monitoring the Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and DMARC to save individuals and businesses time, and allow them to better protect themselves and their domains.


  • Learning from Learning: Detecting Account Takeovers by Identifying Forgetful Users SANS.edu Graduate Student Research
    by Sean McElroy - November 11, 2020 in Security Analytics and Intelligence

    By measuring a user’s increasingly familiarity with a web application over time, outliers in use may indicate account takeover fraud. Credential stuffing attacks are increasing in frequency, allowing threat actors to use data breaches from one source to perpetuate another. While multi-factor authentication remains a crucial preventative measure to protect against credential stuffing, the availability of credential data sets with contact information and the correlation with demographic data can allow threat actors to overcome it through interactive social engineering. Concurrently, alternative defense mechanisms such as network source profiling and device fingerprinting lose effectiveness as privacy-protecting technologies reduce the observable variability between legitimate and fraudulent user sessions. This paper explores the potential of clickstream data containing logs of users’ navigation through a web application as an alternative defense to detecting account takeover activity for digital banking platforms. By identifying when users are exhibiting learning behaviors, the detection of such behaviors for established users may provide an indicator of compromise.


  • Architecture and Configuration for Hardened SSH Keys SANS.edu Graduate Student Research
    by Scott Ross - November 11, 2020 in Authentication

    The Secure Shell (SSH) protocol is a tool often-used to administer Unix-like computers, transfer files, and forward ports securely and remotely. Security can be quite robust for SSH when implemented correctly, and yet it is also user-friendly for developers familiar with Unix. Asymmetric SSH keys used by the protocol have allowed operations engineers and developers to authenticate to remote machines – supporting increased automation and orchestration across DevOps environments. While the private keys should be password protected, they are often not. The fast pace of DevOps and the focus on delivery has led to many companies not controlling their authentication credentials or understanding the risk they create. Private key files can become scattered around the environment, presenting a tempting target for threat actor exploitation to pivot across a network or access cloud services. This paper will evaluate a simple solution for protecting private keys by storing them on an external cryptographic device (Yubikey) and automating key management/SSH configuration (Ansible). This potential solution will be compared to local key storage and prevalent ad-hoc key management against conventional SSH attack techniques in the MITRE ATT&CK matrix.


  • Leveraging the OWASP API Security top 10 to build secure web services by Enrique Cabezas - November 11, 2020 in Application and Database Security

    Imagine you decide to build an application using web services. What are the main aspects to consider when it comes to security? With the first version of the OWASP API Security top 10 being released, exploring the defensive aspect of each entry in the top 10 will allow us to revisit them and reflect on what could be some good practices to follow. While reviewing a web service on all best-practice security measures might not be in line with an organization’s risk appetite, this approach offers the reader the benefit of mitigating the most critical types of vulnerabilities as a starting point. We will showcase the architecture of a straightforward banking application using SOAP, REST and GraphQL respectively. This will allow us to demonstrate diverse attention points specific to these technologies when it comes to finding solutions for each unique OWASP API security API top 10 vulnerability class.


  • SANS Vulnerability Management Survey 2020 Analyst Paper (requires membership in SANS.org community)
    by David Hazar - November 9, 2020 in Security Trends, Threats/Vulnerabilities

    The 2020 Vulnerability Management Survey focused on how organizations vulnerability programs are evolving and maturing in response to changing technology, architecture and design. It also explored how organizations are identifying vulnerabilities in their applications and non-traditional infrastructure. Download this paper to learn who is responsible for treating or remediating discovered vulnerabilities, and how mature survey respondents feel they are at managing different types of vulnerabilities within different technology components, services and even third-parties or partners.


  • Threat Intelligence Solutions: A SANS Review of Anomali ThreatStream Analyst Paper (requires membership in SANS.org community)
    by TJ Banasik - November 2, 2020 in Intrusion Detection, Threats/Vulnerabilities

    Cyber threat data from multiple sources overwhelm todays Security Operations Centers (SOCs) without a centralized method to aggregate it. Many organizations have immature threat intelligence programs that rely on select external threat feeds, which users struggle to analyze. A cyber threat intelligence program requires people, processes, and technology to process, exploit, and disseminate threat data. In this product review, SANS had the opportunity to review the Anomali ThreatStream® product, a threat intelligence platform providing a unified solution for collecting, curating, and disseminating threat intelligence. ThreatStream rationalizes multiple threat data sources into a single high-fidelity repository by automatically normalizing, de-duplicating, removing false positives, and enriching the threat data, then associating all related threat indicators. ThreatStream applies a highly accurate machine learning algorithm for scoring indicators of compromise (IOCs).


  • How to Create a Scalable and Automated Edge Strategy in the AWS Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - October 30, 2020 in Best Practices, Cloud Security

    As core data center services shift to cloud, cloud edge architecture and deployment models offer the advantage of convergence and unification of disparate network services into a single brokering fabric. In this whitepaper, SANS instructor Dave Shackleford describes how to improve security at the perimeter, by reducing the complexity and increasing interoperability of traditional approaches. This timely approach to defense includes developing a layered control approach to perimeter security, implementing a scalable security solution at the network's edge and improving efficiency through automation.


  • Fear of the Unknown: A Metanalysis of Insecure Object Deserialization Vulnerabilities by Karim Lalji - October 28, 2020 in Penetration Testing

    Deserialization vulnerabilities have gained significant traction in the past few years, resulting in this category of weakness taking eighth place on the OWASP Top 10. Despite the severity, deserialization vulnerabilities tend to be among the less popular application exploits discussed (Bekerman, 2020) and frequently misunderstood by security consultants and penetration testers without a development background. This knowledge discrepancy leaves adversaries with an advantage and security professionals with a disadvantage. This research will aim to demonstrate exploitation techniques using insecure deserialization on multiple platforms, including Java, .NET, PHP, and Android, to obtain a metanalysis of exploitation techniques and defensive strategies.


  • Verifying Universal Windows Platform (UWP) Signatures at Scale SANS.edu Graduate Student Research
    by Joal Mendonsa - October 28, 2020 in Intrusion Detection, Incident Handling, Microsoft Windows, Threat Hunting

    Enterprise security teams often use native Windows tools, like PowerShell, to check signatures and quickly establish where a binary is a known-good or is unknown and worthy of further investigation. Unfortunately, a new and growing class of applications – Universal Windows Platform (UWP) applications – incorrectly appear to be unsigned when checked using traditional methods. This paper will demonstrate a way to efficiently validate UWP applications in a networked environment, strictly using Microsoft tools, and without placing additional binaries on remote systems.


  • Extending DevSecOps Security Controls into the Cloud: A SANS Survey Analyst Paper (requires membership in SANS.org community)
    by Jim Bird and Eric Johnson - October 27, 2020 in Cloud Security, Security Trends

    In the 2020 SANS DevSecOps Survey, authors Jim Bird and Eric Johnson explore how organizations are extending their DevSecOps security controls beyond their on-premises environments into the public cloud to secure their cloud networks, services and applications. Download this paper to learn how to leverage best practices in DevSecOps in your cloud-based environment and how to use the most effective tools and technologies.


  • The SANS Guide to Evaluating Attack Surface Management Analyst Paper (requires membership in SANS.org community)
    by Pierre Lidome - October 26, 2020 in Cloud Security, Risk Management

    This guide provides an overview of the benefits and limitations of attack surface management and actionable guidance for organizations looking to evaluate an ASM solution.


  • Open-Source Endpoint Detection and Response with CIS Benchmarks, Osquery, Elastic Stack, and TheHive SANS.edu Graduate Student Research
    by Christopher Hurless - October 23, 2020 in Incident Handling

    There is a wealth of open-source tools available for information security. A characterization of the various open-source products will provide a means of fortifying endpoints and auditing those fortifications with an Endpoint Detection and Response (EDR) solution. High-quality security practices do not have to be expensive products, but they do need to hit several automation requirements to be effective. With this in mind, building robust, automated, EDR capability using open-source, community-driven tools that automate and standardize security responses is not only possible but practical. Having a set of predefined control settings on an endpoint goes beyond malware detection. It sets the stage to ensure that an organization’s endpoints are fortified from an attack before it happens. By implementing the Center for Internet Security (CIS) Desktop Benchmarks, organizations have a means of strengthening endpoints from attack. Adding Osquery allows them to have a tool for knowing when a machine has fallen out of a fortified state. Following the loss of fortification is the need to investigate the cause and return the device to its intended state which can be done using Elastic Stack and TheHive.


  • Prescriptive Model for Software Supply Chain Assurance in Private Cloud Environments SANS.edu Graduate Student Research
    by Robert Wood - October 14, 2020 in Cloud Security

    As companies embrace Continuous Integration/Continuous Deployment (CI/CD) environments, automated controls are critical for safeguarding the Software Development Life Cycle (SDLC). The ability to vet and whitelist container images before installation is vitally important to ensuring the security of corporate networks. Google Cloud offers the Container Registry in combination with Binary Authorization to understand the container footprint in the environment and provide a mechanism for enforcing policies. Grafeas and Kritis are open-source alternatives. This paper evaluates Grafeas and Kritis and provides specific recommendations for using these tools or equivalents in private cloud environments.


  • The All-Seeing Eye of Sauron: A PowerShell tool for data collection and threat hunting SANS.edu Graduate Student Research
    by Timothy Hoffman - October 14, 2020 in Threat Hunting

    The cost of a data breach directly relates to the time it takes to detect, contain, and eradicate it. According to a study by the Ponemon Institute, the average time to identify a breach in 2019 was 206 days (Ponemon Institute, 2019). Reducing this timeframe is paramount to reducing the overall timeline of removing a breach, and the costs associated with it. With ever-evolving adversaries creating new ways of compromising organizations, preventive security measures are essential, but not enough. Organizations should not assume they will be compromised, but instead that they already have been. Finding and removing these already existing breaches can be difficult. To find existing breaches, organizations need to conduct threat hunting, which seeks to uncover the presence of an attacker in an environment not previously discovered by existing detection technologies (Gunter & Seitz, 2018). This paper looks at the PowerShell tool, Eye of Sauron, which can be used for threat hunting by identifying indicators of compromise (IOCs), as well as anomaly detection using data stacking in a Windows environment. Its' capability to detect the presence of IOCs is tested in two scenarios, first in a simulated attack, and second after the introduction of malware.


  • Firebase: Google Cloud's Evil Twin by Brandon Evans - October 8, 2020 in Cloud Security

    Firebase allows a frontend application to connect directly to a backend database. Security wonks might think the previous sentence describes a vulnerability, but this is by design. Released in 2012, Firebase was a revolutionary cloud product that set out to "Make Servers Optional". This should raise countless red flags for all security professionals as the application server traditionally serves as the intermediary between the frontend and backend, handling authentication and authorization. Without it, all users could obtain full access to the database. Firebase attempts to solve this by moving authentication and authorization into the database engine itself. Unfortunately, this approach has several flaws.


  • A Startups Guide to Implementing a Security Program by Vanessa Pegueros - October 8, 2020 in Management & Leadership

    Startups struggle to balance survival with the practical implementation of a security program. There are numerous obstacles facing founders who want to generate a solid security foundation, including limited cash, lack of support from investors or the board, and conflicting priorities such as generating revenue. Despite these obstacles, customers and potential customers continue to demand a base level of security controls. This drive from customers, especially enterprise customers, for solid security programs has forced startups to develop a practical approach to security that works within the boundaries of their constraints. Implementation of key controls and processes can establish a solid security foundation and meet the needs of customers.


  • Enhancing the security capabilities of the Ubiquiti UniFi Security Gateway (USG) by Tim Coakley - October 8, 2020 in Firewalls & Perimeter Protection

    The UniFi Security Gateway (USG) is a popular security device manufactured by Ubiquiti; it is relatively unique within the marketplace for its affordability and adoption of use within both Enterprise and SOHO environments. The USG, at its core, provides a firewall, routing, and advanced security features for network protection, traffic management, and ease of integration. A balanced set of features come pre-packaged. However, advanced users and security practitioners seeking more granular detail may be disappointed with some of the box security reporting options.


  • No Strings on Me: Linux and Ransomware SANS.edu Graduate Student Research
    by Richard Horne - October 7, 2020 in Tools

    Ransomware poses an ever-increasing threat to businesses and organizations as it continues to evolve and change. Many organizations are forced to pay for solutions to this growing problem with expensive and out-of-date signature-based solutions. As the possibility looms for ransomware to impact all operating systems and businesses alike, organizations will need to focus on early detections and warnings to stay ahead of its spread. This paper aims to examine the probability of detecting ransomware throughout its lifecycle within Linux environments. In conjunction with detections, the ultimate goal of the ideas presented is to provide security teams with a more reliable and cost-effective method to detect, react, and neutralize Linux ransomware variants.


  • Shall We Play a Game?: Analyzing the Security of Cloud Gaming Services SANS.edu Graduate Student Research
    by Adam Knepprath - October 7, 2020 in Cloud Security

    The adoption of cloud gaming services is quickly growing. Like many services that are eager to go to market, cloud gaming services lack strong security measures. This paper provides an analysis of three cloud gaming service providers’ privacy policies, out of the box security, and mitigations end-users should consider.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.