SANS Rocky Mountain Fall is Live Online! Join us Nov 2-7 MT for 17 interactive courses + NetWars. Save $300 thru 10/7.

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 3,050 original computer security white papers in 111 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Security Network Auditing: Can Zero-Trust Be Achieved? SANS.edu Graduate Student Research
    by Carl Garrett - September 23, 2020 in Auditing & Assessment

    Since 2010, government and business organizations have begun to adopt the Zero-Trust framework. Although the concept is a decade old, organizations are still in the infant stages of its implementation. Given that tablets and mobile phones have become an intricate part of business aids, all organizations will eventually integrate Zero-Trust into their environments. Many third-party vendors market Zero-Trust tools; though, they only provide one or two pieces to achieve "true" Zero-Trust. Designing a security auditing Zero-Trust framework, professionals must use a layered approach to defense-in-depth. They must also understand the principle of Least Common Mechanism because complicated information technology systems are challenging to control. In traditional perimeter networks, users must authenticate to an entire organizational network, where perimeter-less Zero-Trust networks are segmented; thus, users can log on a Zero-Trust network by accessing a single-segment at a time. This technology eliminates the need for virtual private networks (VPN), thus, providing faster access. Additionally, most organizations state they audit their systems. However, this project focuses on auditing Zero-Trust devices, applications, data, and network traffic, not continuous logging. When implementing the Zero-Trust framework, organizations will learn how to plan and audit for adequate security.


  • Replacing WINS in an Open Environment with Policy Managed DNS Servers SANS.edu Graduate Student Research
    by Mark Lucas - September 21, 2020 in DNS Issues

    In some environments, Windows workstations require placement on the open internet. In order to protect the read-write domain controllers, administrators locate them in a protected enclave behind a firewall, and read-only domain controllers authenticate workstations during day-to-day operations. While this is strong protection for the read-write domain controllers, the configuration breaks the standard dynamic DNS registration of Windows workstations with the read-write domain controller. In our environment, we have maintained WINS servers linked to Windows DNS via the WINS lookup function to continue finding workstations by name. The TechNet page on WINS (Davies, 2011) was last updated almost nine years ago, and Microsoft has been actively encouraging the abandonment of WINS (Ross & Mcillece, 2020). This paper explores Windows DNS Policies to replacing WINS with Dynamic DNS and policy-controlled responses to queries. Utilizing source IP addresses, DNS policies can regulate the provided answers. The operability of DNS Policies and the applicability to this solution is evaluated in depth.


  • Zeek Log Reconnaissance with Network Graphs Using Maltego Casefile SANS.edu Graduate Student Research
    by Ricky Tan - September 21, 2020 in Security Analytics and Intelligence

    Cyber defenders face a relentless barrage of network telemetry, in terms of volume, velocity, and variety. One of the most prolific types of telemetry are Zeek (formerly known as Bro) logs. Many “needle-in-a-haystack” approaches to threat discovery that rely on log examination are resource-intensive and unsuitable for time-sensitive engagements. This reality creates unique difficulties for teams with few personnel, skills, and tools. Such challenges can make it difficult for analysts to conduct effective incident response, threat hunting, and continuous monitoring of a network. This paper showcases an alternative to traditional investigative methods by using network graphs. Leveraging a freely available, commercial-off-the-shelf tool called Maltego Casefile, analysts can visualize key relationships between various Zeek log fields to quickly gain insight into network traffic. This research will explore variations of the network graph technique on multiple packet capture (PCAP) datasets containing known-malicious activity.


  • Industrial Traffic Collection: Understanding the implications of Deploying visibility without impacting production SANS.edu Graduate Student Research
    by Daniel Behrens - September 21, 2020 in Industrial Control Systems / SCADA

    Due to the critical nature of industrial environments and the lifetime of deployed assets, many organizations do not have complete knowledge of what assets are operating in the environment and what communications are involved. With the continuous move to IP based communications for controls equipment, Cybersecurity continues to increase in importance and is a priority for many executives. Industrial controls are unique because they are interfacing with the real world, which has implications on human safety and the ability of an organization to maintain operations. Unfortunately, the criticality of these devices and the lack of robust network functions on many often requires the use of passive solutions to gather information. This paper will focus on outlining the potential impact of collecting network traffic, discussing the functions available on networking equipment to enable it, identifying possible deployment architectures and the pros and cons of each, and explaining a methodology to calculate the potential impacts.


  • 2020 SANS Enterprise Cloud Incident Response Survey Analyst Paper (requires membership in SANS.org community)
    by Chris Dale - September 14, 2020 in Cloud Security, Security Trends

    Our 2020 Enterprise Cloud Incident Response Survey investigated the data sources and services that organizations are leveraging to detect, respond to and remediate incidents in the multi-cloud world. This report on the survey focuses less on which cloud service organizations are using, and more on what data sources they are taking advantage of, what services they find useful, and what methods are working in their programs.


  • Fashion Industry (Securely) 4.0ward SANS.edu Graduate Student Research
    by Shawna Turner - September 9, 2020 in Industrial Control Systems / SCADA

    The fashion market segment is going through a significant technological upgrade. The need to meet modern consumer expectations and desires requires wholesale changes in the way the fashion ecosystem has historically shared information and manufactured products. Fashion cannot use existing security guidance due to the consumer expectations that a fashion product provides a unified physical experience. The addition of significant new technology increases the risk of intellectual property loss. The fashion industry requires a list of minimum-security controls that address the entire ecosystem of fashion from the fashion houses to the supply chain to the factory floor to address information security concerns. This paper begins the process of developing a minimum viable list of controls by combining controls from the Purdue model with recommended controls from the Verizon 2019 Data Breach Investigation Report (DBIR). The paper focuses on proposed controls for the fashion sector; however, they apply to any manufacturing pivoting to Industry 4.0.


  • Detecting Malicious Activity in Large Enterprises Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - September 8, 2020 in Security Awareness, Security Trends, Threats/Vulnerabilities

    As they grow, organizations need to detect threats amid an alarming assortment of unexpected and complex conditions, often with a blend of legacy and current technologies. This paper explores options for advanced threat detections at enterprise scale.


  • How to Create a Comprehensive Zero Trust Strategy Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - September 2, 2020 in Security Modeling, Privilege Management

    To implement zero trust effectively, organizations must consider critical controls, such as network access and inspection controls, as well as the roles that visibility, vulnerability and discovery play in their least privilege strategies. SANS analyst Dave Shackleford explains how to build a microsegmentation access control model that addresses common business drivers, implements capabilities critical to microsegmentation, and applies microsegmentation and zero trust initiatives in ways that positively impact industry compliance requirements.


  • Enabling NIS Directive Compliance with Fortinet for Operational Technology Analyst Paper (requires membership in SANS.org community)
    by Jason D. Christopher - September 1, 2020 in Country-specific Issues, Network Security, Risk Management

    The NIS Directive, adopted by the European Parliament in 2016, addresses the security of network and information systems within the EU. It also sets forth best practices to encourage better cyberrisk mitigation and incident identification and notification. This whitepaper examines how Fortinet solutions can help comply with the NIS Directive.


  • Firewalls in the Modern Enterprise: A New SANS Survey Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 31, 2020 in Firewalls & Perimeter Protection, Security Trends

    From cloud computing to the growing use of containers and virtualized systems, the modern IT enterprise offers constant security challenges. This evolution in enterprise infrastructure has changed the way security professionals think about their security appliances, often finding solace in traditional devices like the firewall or proxy. SANS recently surveyed practitioners about their use and perceptions of firewalls within modern enterprises. This paper explores survey results, and provides insight into how firewalls can help.


  • How to Improve Threat Detection and Hunting in the AWS Cloud Using the MITRE ATT&CK Matrix Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - August 31, 2020 in Best Practices, Cloud Security

    To build threat detection and hunting capabilities that are more effective, understanding adversary tactics and techniques based on real-world observations is critical. SANS senior instructor and cloud security expert Dave Shackleford discusses how to apply the MITRE ATT&CK Matrix to the AWS Cloud to classify and understand cloud-based techniques and leverage threat intel in order to maintain a strong security posture.


  • Detection of Malicious Documents Utilizing XMP Identifiers SANS.edu Graduate Student Research
    by Josiah Smith - August 27, 2020 in Security Analytics and Intelligence

    Modern digital documents are often composed of multiple other documents and images. Malware authors often produce malicious documents while reutilizing graphical assets or other components that can be uniquely identified with the Adobe Extensible Metadata Platform (XMP). XMP IDs define a standard for mapping asset relationships and can be utilized to track, pivot, and cluster malicious campaigns, identify new TTPs, and possibly provide attribution against adversaries.


  • Risk Management with Automated Feature Analysis of Software Components SANS.edu Graduate Student Research
    by Steven Launius - August 27, 2020 in Securing Code

    Organizations developing software need pragmatic risk management practices to prevent malicious code from contaminating their software. Traditional security tools for Static Code Analysis identify vulnerabilities, not the presence of backdoors exhibiting unintended actions. Application Inspector is a Microsoft tool released to the open source community that identifies risky features and characteristics of source code libraries. This research will evaluate the accuracy of feature detection in the Application Inspector tool and construct a risk model for automating decisions based on feature analysis of source code.


  • You've Had the Power All Along: Process Forensics With Native Tools SANS.edu Graduate Student Research
    by Trevor McAfee - August 27, 2020 in Incident Handling

    Many organizations are interested in standing up threat response teams but are unable, or unwilling, to provide funding or approval for third-party tools. This lack of support requires threat response teams to utilize built-in, OS-specific tools, to investigate suspicious processes and files. These tools can provide a significant amount of useful information when scrutinizing a suspicious process or file. However, these tools and their output are often unwieldy. A lack of cohesiveness requires running multiple similar commands to gather all the data for an investigation, and then manually combining and correlating that data. This paper examines the data of interest during an incident response and the native Microsoft Windows tools used to obtain it. This paper also discusses how to use PowerShell to automate the collection and compilation of this important data.


  • Incident Response in a Security Operation Center by Josh Higgason - August 27, 2020 in Incident Handling

    Cybercrime dates back to the late 1700s and remains a threat today. By observing current threats, such as phishing and data compromise, a better understanding may be gained regarding cyber campaigns and threat actors. Consequently, efforts must be made to prevent the continuous siphoning of millions of dollars from the economic system caused by cybercrime. Because the highly skilled personnel working with Incident Response in a Security Operation Center face many challenges, teamwork is essential to overcome the threats associated with cybercrime. Additional factors, such as working across multiple time zones with varying time shifts, personality differences, and unique technical skill levels and abilities, affect the ability to work as a team. Working through these differences brings cohesion and strength to the team. The security operations center learns to accomplish more with the time and resources at their disposal. To thwart cybercrime, the personnel in the Security Operations Center must address current issues, devise innovative plans, and adopt a new perspective to overcome the complicated problems they encounter.


  • All for One, One for All: Bringing Data Together with Devo Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 19, 2020 in Incident Handling, Threat Hunting

    Many organizations have an assortment of security tools that have been cobbled together over the years. In this review, SANS instructor Matt Bromiley examines a solution to the problem of bringing multiple tools together: Devo Security Operations. He puts Security Operations through its paces as a tool that provides enterprisewide insight, seamless investigation and hunting, automated data correlation and enrichment, and more so that analysts can get back to business of responding to threats.


  • Intuitive Endpoint Security: A SANS Review of Morphisec Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 18, 2020 in Intrusion Detection, Threats/Vulnerabilities

    Endpoint security can be a tricky topic for organizations. In many cases, security teams utilize endpoint security products that are bulky and cumbersome, barely effective and only make their jobs more difficult. Furthermore, many security products rely so heavily on detecting an incident after the fact that they hardly seem effective in preventing cyber incidents. This leaves the security team constantly chasing alerts through the network, rather than implementing preventative techniques. In this paper SANS instructor Matt Bromiley reviews the Morphisec platform, which reverses much of this approach. Morphisec is geared toward the prevention of malicious activity through the careful morphing of process memory.


  • Aligning Your Security Program with the NIS Directive Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 16, 2020 in Country-specific Issues, Network Security, Risk Management, Standards

    The NIS Directive, adopted by the European Parliament in 2016, addresses the security of network and information systems within the EU. It also sets forth best practices to encourage better cyberrisk mitigation and incident identification and notification. This whitepaper explores various measures of the NIS Directive and how to align your organization’s security posture with those measures.


  • 60870-5-104 protocol snort rule customization by Adrian Aron - August 10, 2020 in Industrial Control Systems / SCADA

    OT Security emerges as a necessity due to its flat network implementation and criticality of systems operated over the network. Supervisory Control And Data Acquisition (SCADA) 60870-5-104 is widely used in Europe by most Utility operators, making it a target for attackers. While IDS signatures for SCADA IEC104 have been developed, most of its signatures are generic and bind to the standard protocol itself, not to the specific implementation of each customer. For example, an interrogation command telegram in a customer environment might be harmless, while others might be critical information. This paper explains the underlying construct of an IEC104 telegram and how to customize standard snort rules for that specific telegram. In this way, each SCADA command can be interpreted, evaluated for permit/monitor/deny to any controlled device, for each particular SCADA implementation.


  • Chaining Vulnerability Scans inTenable IO Using Python by Jeff Holland - August 10, 2020 in Tools

    Enterprise vulnerability scanning traditionally makes use of multiple scanners, runs scans against targets in a parallel manner for maximum efficiency, and uses substantial amountsof bandwidth. However, a particular scanning use case exists that involves scanning targets in a sequential, or "chained", manner so as to conserve bandwidth. Tenable IO and the Tenable-supported PyTenable library do not currently support chained scanning. Using Tenable IO and a collection of Python scripts, an application by which to scan targets in a chained manner will be presented. Additional features such as the automation of scan creation, deletion and execution will be demonstrated, as well as the use of configuration files to define scans and logging parameters. The culmination of these application features will address and satisfy the use case of deploying chained scans in Tenable IO using Python and the Tenable IO REST API.


  • Show Business Benefit by Moving to Risk-Based Vulnerability Management Analyst Paper (requires membership in SANS.org community)
    by John Pescatore - August 10, 2020 in Risk Management

    This paper provides SANS advice for actionable steps to enable security managers to reduce risk and demonstrate business value by increasing the maturity and effectiveness of their vulnerability management processes and controls. It also suggests key questions to ask of product and service providers to select the best approach for an organization.


  • Improving the Bottom Line with Effective Security Metrics: A SANS Survey Analyst Paper (requires membership in SANS.org community)
    by Barbara Filkins - August 10, 2020 in Metrics and Visualization, Security Trends

    In SANS surveys, CISOs consistently report their major obstacle is the inability to obtain management commitment to increase cybersecurity resources and investment. This paper explores the results of the 2020 SANS Security Metrics Survey with both quantitative results about the overall state of metrics across cybersecurity operations, as well as interview-based qualitative results detailing success stories and best practices of security teams who have been collecting and presenting business-relevant security metrics.


  • Benefits and Adoption Rate of TLS 1.3 SANS.edu Graduate Student Research
    by Ben Weber - July 28, 2020 in Encryption & VPNs

    The cybersecurity industry is often reluctant to adopt new technologies due to perceived complications, assumed dependencies, and unclear information about the benefits. Digital communication protections are not exempt from this phenomenon and are often overlooked when maintaining a secure environment. Adopting new technologies is essential to utilize recent advancements in speed, security, and other newly available features. RFC 8446, better known as TLS 1.3, was released in August of 2018 and included enhancements to the speed and security of a TLS session. Older versions of TLS that still exist, however, fall short when compared to TLS 1.3. This paper provides data testing the speed and security of TLS 1.3 compared to TLS 1.2 across major TLS libraries and a point-in-time measurement of TLS 1.3 adoption across the top 500 websites in the business, retail, technology, and news sectors.


  • Browser Isolation: A SANS Review of Cyberinc's Isla Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 28, 2020 in Intrusion Detection, Threats/Vulnerabilities

    The browser is an integral part of users' day-to-day activities, providing access to internal resources, sensitive data and third-party services. Via the use of webmail and malicious links, it is also an integral piece of the entry vector for attackers. In this product review, Matt Bromiley reviews Cyberinc's Isla, a browser isolation platform that addresses this common incident entry vector by getting in front of browser-borne threats and effectively rendering them harmless.


  • How to Protect All Surfaces and Services in the AWS Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - July 28, 2020 in Best Practices, Cloud Security

    Multiple layers of defense are required to protect your AWS environment, and it's essential to use advanced controls and develop more dynamic and continuous processes to evaluate security conditions. Learn how to reduce your overall attack surface to reduce exposure; apply configuration management, real-time assessment and access control mechanisms; and implement automation for monitoring and continuous protection.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.