
Reading Room


More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,910 original computer security white papers in 110 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Are Your Security Controls Yesterday’s News? Analyst Paper (requires membership in community)
    by Matt Bromiley - July 18, 2019 in Security Awareness, Threats/Vulnerabilities

    This spotlight paper, one of a two-part series, looks at just how successful an organization can expect to be if it's using old news, limited scope or "cookie-cutter" vulnerability scans as a way to assess its environment. SANS believes security control testing needs to improve significantly to emulate actual--not hypothetical--threats to an organization.
    The second spotlight (coming in October 2019) will focus on the input SANS receives from this poll that gathers opinions from the SANS community on this topic.

  • Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey Analyst Paper (requires membership in community)
    by Chris Crowley and John Pescatore - July 9, 2019 in Security Trends, SOC

    In this survey, senior SANS instructor and course author Christopher Crowley, along with advisor and SANS director of emerging technologies John Pescatore, provide objective data to security leaders who are looking to establish a SOC or optimize an existing one. This report captures common and best practices, provides defendable metrics that can be used to justify SOC resources to management, and highlights the key areas that SOC managers should prioritize to increase the effectiveness and efficiency of security operations.

  • Attackers Inside the Walls: Detecting Malicious Activity STI Graduate Student Research
    by Sean Goodwin - July 2, 2019 in Intrusion Detection

    Small and medium-sized businesses (SMBs) do not always have the budget for an advanced intrusion detection system (IDS) technology. Open-source software can fill this gap, but these free solutions may not provide full coverage for known attacks, especially once the attacker is inside the perimeter. This paper investigates the IDS capabilities of a stand-alone Security Onion device when combined with built-in event logging in a small Windows environment to detect malicious actors on the internal network.

  • Building Cloud-Based Automated Response Systems STI Graduate Student Research
    by Mishka McCowan - July 2, 2019 in Cloud Computing

    When moving to public cloud infrastructure such as Amazon Web Services (AWS), organizations gain access to tools and services that enable automated responses to specific threats. This paper explores the advantages and disadvantages of using native AWS services to build an automated response system, and examines the elements organizations should consider, including developing the skills and supporting systems required for the long-term viability of such a system.

  • Leveraging the PE Rich Header for Static Malware Detection and Linking
    by Maksim Dubyk - July 1, 2019 in Reverse Engineering Malware

    An ever-increasing number of malware samples are identified and assessed daily, and malware researchers face the difficult task of classifying and grouping them. Defenders must judge not only whether a file is malicious or benign, but also how it relates to known groupings of samples. Static comparison of file and file-format properties is often used to do this at scale. This paper builds on previously identified static comparison techniques for the Windows Portable Executable (PE) format by exploring the undocumented PE Rich header, a structure embedded in the DOS stub area of a PE file (between the MS-DOS header and the PE signature) that serves as a fingerprint of the executable's build environment: which compiler and linker components produced it and how many objects each contributed. This under-utilized source of information can help defenders classify and associate PE-based malware. The paper explores how to extract the details hidden in the Rich header and how they can be used to link and classify samples, and evaluates how static linking based on Rich header data compares with traditional static PE linking techniques.
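    The following Python is an added example, not code from the paper: it locates the Rich header in a PE image, recovers the XOR key from the trailing "Rich" marker, decodes the (product id, build, count) entries, recomputes the checksum that the linker stores as the key, and derives an MD5 over the decoded bytes for linking samples (that hash convention is an assumption; tools differ in exactly which bytes they hash). The sample image is constructed inline rather than taken from a real binary, and the entry values in it are arbitrary. A key that does not recompute is worth flagging: the Rich header is easy to copy from one binary into another, and a mismatched checksum indicates it was pasted or forged rather than emitted by the linker.

```python
"""Parse and validate the undocumented PE Rich header (added example, not the paper's code)."""
import hashlib
import struct

DOS_HEADER_SIZE = 0x40   # IMAGE_DOS_HEADER occupies bytes 0x00-0x3F
E_LFANEW_OFFSET = 0x3C   # 4-byte pointer to the PE signature, excluded from the checksum
DANS_MAGIC = struct.unpack("<I", b"DanS")[0]


def _rol32(value, count):
    """Rotate a 32-bit value left by count bits (count taken mod 32)."""
    count &= 31
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(data, dans_offset, entries):
    """Recompute the Rich checksum, which the linker also uses as the XOR key.

    Seed with the offset of "DanS", add every DOS header/stub byte before it rotated
    by its position (skipping e_lfanew), then add each compid rotated by its count.
    """
    csum = dans_offset
    for i in range(dans_offset):
        if E_LFANEW_OFFSET <= i < E_LFANEW_OFFSET + 4:
            continue
        csum = (csum + _rol32(data[i], i)) & 0xFFFFFFFF
    for compid, count in entries:
        csum = (csum + _rol32(compid, count)) & 0xFFFFFFFF
    return csum


def parse_rich_header(data):
    """Locate, decode and validate the Rich header; return None if there is none."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew > len(data):
        return None
    # The header sits between the DOS stub and the PE signature and ends with the
    # plaintext marker "Rich" followed by the 32-bit key; everything before is XOR-masked.
    rich_off = data.rfind(b"Rich", DOS_HEADER_SIZE, e_lfanew)
    if rich_off < 0 or rich_off + 8 > e_lfanew:
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dans_off = rich_off - 4
    while dans_off >= DOS_HEADER_SIZE:          # walk back dword by dword to masked "DanS"
        if struct.unpack_from("<I", data, dans_off)[0] ^ key == DANS_MAGIC:
            break
        dans_off -= 4
    else:
        return None
    body = data[dans_off + 16:rich_off]          # skip "DanS" and three padding dwords
    if len(body) % 8:
        return None
    entries = []
    for pos in range(0, len(body), 8):
        compid, count = (v ^ key for v in struct.unpack_from("<II", body, pos))
        entries.append((compid, count))
    key_bytes = struct.pack("<I", key)
    clear = bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data[dans_off:rich_off]))
    return {
        "dans_offset": dans_off,
        "rich_offset": rich_off,
        "key": key,
        "entries": entries,
        "products": [(c >> 16, c & 0xFFFF, n) for c, n in entries],  # (prodid, build, count)
        "checksum_valid": rich_checksum(data, dans_off, entries) == key,
        "clear_hash": hashlib.md5(clear).hexdigest(),  # assumed linking convention
    }


SAMPLE_ENTRIES = [          # constructed (prodid << 16 | build, count) pairs, arbitrary values
    (0x0001 << 16 | 0x0000, 1),
    (0x0105 << 16 | 27395, 12),
    (0x00FF << 16 | 27395, 1),
]


def build_sample_pe_stub(entries=SAMPLE_ENTRIES):
    """Construct a minimal MZ header + stub + Rich header + PE signature (test input only)."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    header[DOS_HEADER_SIZE:0x80] = bytes(range(DOS_HEADER_SIZE, 0x80))  # filler stub bytes
    dans_off = len(header)
    key = rich_checksum(header, dans_off, entries)
    block = struct.pack("<IIII", DANS_MAGIC ^ key, key, key, key)  # masked "DanS" + 3 zero pads
    for compid, count in entries:
        block += struct.pack("<II", compid ^ key, count ^ key)
    block += b"Rich" + struct.pack("<I", key)
    header += block
    struct.pack_into("<I", header, E_LFANEW_OFFSET, len(header))
    header += b"PE\0\0"
    return bytes(header)


if __name__ == "__main__":
    info = parse_rich_header(build_sample_pe_stub())
    for prodid, build, count in info["products"]:
        print(f"prodid=0x{prodid:04x} build={build} count={count}")
    print("checksum valid:", info["checksum_valid"], "hash:", info["clear_hash"])
```

Run it against a real file with parse_rich_header(open(path, "rb").read()). Product ids and build numbers map to specific compiler and linker releases only through externally maintained tables, so the example reports the raw values rather than names; the entry list and the clear-text hash are what you would compare across samples.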

  • How to Build an Endpoint Security Strategy in AWS Analyst Paper (requires membership in community)
    by Thomas J. Banasik - June 27, 2019 in Clients and Endpoints, Cloud Computing

    Endpoint security is the cornerstone of any successful cloud migration. This paper details how to build an endpoint security strategy that uses a defense-in-depth architecture to protect cloud assets, as well as implement key endpoint security capabilities such as EDR, UEBA and DLP solutions. It also explains synchronization with AWS services for a comprehensive view that increases visibility when combatting threats.

  • Why Traditional EDR Is Not Working - and What to Do About It Analyst Paper (requires membership in community)
    by Jake Williams - June 27, 2019 in Clients and Endpoints

    EDR, or endpoint detection and response, promises to revolutionize the way security analysts neutralize attacks. Unfortunately, EDR has not always lived up to the promised hype. This paper examines the challenges of traditional EDR platforms, and suggests what you can do to overcome them for effective EDR implementation. Paper includes a checklist of considerations for selecting and deploying an EDR platform.

  • Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths STI Graduate Student Research
    by Brianne Fahey - June 26, 2019 in Logging Technology and Techniques, Tools

    Preparations made during the Identify Function of the NIST Cybersecurity Framework can often pay dividends once an event response is warranted. Knowing what log data is available improves incident response readiness and providing a visual layout of those sources enables responders to pivot rapidly across relevant elements. Thinking in graphs is a multi-dimensional approach that improves upon defense that relies on one-dimensional lists and two-dimensional link analyses. This paper proposes a methodology to survey available data element relationships and apply a graph database schema to create a visual map. This graph data map can be used by analysts to query relationships and determine paths through the available data sources. A graph data map also allows for the consideration of log sources typically found in a SIEM alongside other data sources like an asset management database, application whitelist, or HR information which may be particularly useful for event context and to review potential Insider Threats. The templates and techniques described in this paper are available in GitHub for immediate use and further testing.

  • Building and Maturing Your Threat Hunting Program Analyst Paper (requires membership in community)
    by David Szili - June 24, 2019 in Threat Hunting

    Building an effective threat hunting program can be daunting. This paper addresses how to get started and covers building a team, what a typical hunt might look like and constructing a knowledge base for later use. It also covers how to create a test lab and use effective metrics.

  • JumpStart Guide for Endpoint Security in AWS Analyst Paper (requires membership in community)
    by David Hazar - June 19, 2019 in Clients and Endpoints, Cloud Computing

    Endpoint security is a key component of any cybersecurity program, but some organizations struggle with extending this program component to cloud workloads. This paper provides guidance on the key issues to consider when choosing an endpoint security solution for integration on the AWS platform and suggests a process for making that important decision.

  • Analysis of a Multi-Architecture SSH Linux Backdoor
    by Angel Alonso-Parrizas - June 17, 2019 in Reverse Engineering Malware, Threat Intelligence

    A key aspect of any intrusion is the attempt to gain persistence on the compromised system. Threat actors and criminals ensure persistence through different mechanisms, including backdoors. Backdoors are nothing new; over the years, very popular backdoors targeting most operating systems and many applications have been developed. This paper focuses on the code analysis of an SSH Linux backdoor used in the wild by a criminal group from 2016 until at least October 2018. The backdoor is built for multiple architectures; the research focuses on the ARM version, analyzed with the recently released reversing tool Ghidra, developed by the NSA.

  • How to Build a Data Security Strategy in AWS Analyst Paper (requires membership in community)
    by Dave Shackleford - June 13, 2019 in Cloud Computing, Data Protection

    When organizations move sensitive data to the cloud, they absolutely must choose a provider that can ensure compliance with privacy regulations on a global stage. Data security strategies in the cloud must include encryption and key management, data loss prevention and the capability to classify and track data. By using the AWS Cloud, organizations can protect sensitive data at rest, in transit and in use.

  • Authentication: It Is All About the User Experience Analyst Paper (requires membership in community)
    by Matt Bromiley - June 12, 2019 in Authentication

    In a world where compromised user credentials can cost an enterprise millions of dollars, the importance of being able to validate user accounts is a crucial enterprise requirement. Yet implementation of modern authentication techniques is lagging, even though it provides better user experiences as well as stronger authentication. This paper examines how these techniques can be applied within your organization for your employees--the other custodians of your data. It also explores the benefits of the new WebAuthn specification.

  • Automating Response to Phish Reporting STI Graduate Student Research
    by Geoffrey Parker - June 12, 2019 in Email Issues

    Phish Reporting buttons have become easy buttons. They are used universally for reporting spam, real phishing attacks when detected, and legitimate emails. Phish Reporting buttons automate the reporting process for users; however, they have become a catch-all to dispose of unwanted messages and are now overwhelming Response Teams and overflowing Help Desk ticket queues. The excessive reporting leads to a problem of managing timely responses to real phishing attacks. Response times to false positives, spam, and legitimate messages incorrectly reported are also significant factors. Vendors sold phish alert buttons with phishing simulation systems which then became part of more in-depth training systems and later threat management systems. Because of this organic growth, many companies implemented a phish reporting system but did not know that they needed an automation system to manage the resulting influx of tickets. Triage systems can automate a high percentage of these phish alerts, freeing the incident response teams to deal with the genuine threats to the enterprise on a prioritized basis.

  • SANS 2019 State of OT/ICS Cybersecurity Survey Analyst Paper (requires membership in community)
    by Barbara Filkins and Doug Wylie - June 11, 2019 in Industrial Control Systems / SCADA, Security Trends

    In this survey, SANS experts Doug Wylie and Barb Filkins, with advisor and SANS instructor Jason Dely, examine the current state of known and perceived cybersecurity risks, threats and potential impacts to industrial and automation control systems applied within the Operational Technology (OT) domain. The survey explores how adeptly we are safeguarding operations and protecting human and company capital from a range of technical and non-technical cybersecurity risks stemming from threats that include malicious and unintentional insiders and outsiders.

  • Mobile A/V: Is it worth it? STI Graduate Student Research
    by Nicholas Dorris - June 5, 2019 in Mobile Security

    Since the mid-2010s, mobile devices such as smartphones and tablets have become ubiquitous, with users employing them for a wide range of applications. While this pervasive adoption offers numerous advantages, attackers have exploited owners' lax attitude toward securing their devices. The diversity of mobile devices exposes them to a variety of security threats, and the industry lacks a comprehensive solution to protect them. In a bid to secure their assets and information resources, individuals and corporations have turned to commercial mobile antivirus software. Most security providers offer mobile versions of their PC antivirus applications, which are primarily based on conventional signature-based detection. Although a signature-based strategy can be valuable in identifying and mitigating profiled malware, it is less effective against unknown, new or evolving threats, for which it lacks adequate information and signatures. Mobile attackers have stayed ahead by using obfuscation and transformation methods to bypass detection. This paper seeks to ascertain whether current mobile antivirus solutions are effective, and which default Android settings assist in preventing or mitigating various malware and their consequences.

  • Finding Secrets in Source Code the DevOps Way STI Graduate Student Research
    by Phillip Marlow - June 5, 2019 in Securing Code

    Secrets, such as private keys or API tokens, are regularly leaked by developers in source code repositories. In 2016, researchers found over 1500 Slack API tokens in public GitHub repositories belonging to major companies (Detectify Labs, 2016). Moreover, a single leak can lead to widespread effects in dependent projects (JS Foundation, 2018) or direct monetary costs (Mogull, 2014). Existing tools for detecting these leaks are designed for either prevention or detection during full penetration-test-style scans. This paper presents a way to reduce detection time by integrating incremental secrets scanning into a continuous integration pipeline.
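    The incremental approach the paper describes can be sketched with a scanner that looks only at the lines a diff adds. The following Python is an added example, not the paper's tool: it parses a unified diff (constructed inline for the example), tracks new-side line numbers from the hunk headers, applies a few illustrative token patterns, and falls back to a Shannon-entropy check, with an assumed threshold of 4.0 bits per character, for anything that looks like a long random string.

```python
"""Incremental secrets scan over a unified diff (added example, not the paper's tool)."""
import math
import re
from collections import Counter

# Illustrative detectors; production scanners carry hundreds of such patterns.
PATTERNS = {
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")   # candidates for the entropy check
ENTROPY_THRESHOLD = 4.0                          # bits per character; assumed tuning value
HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every line a unified diff adds."""
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = HUNK_RE.match(raw)
            lineno = int(m.group(1)) if m else 0
        elif raw.startswith("+") and path:
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue   # removals and "\ No newline at end of file" do not advance the new side
        elif raw.startswith(" "):
            lineno += 1   # unchanged context line


def scan_diff(diff_text):
    """Return findings only for lines the diff adds, so an incremental CI run stays cheap."""
    findings = []
    for path, lineno, text in added_lines(diff_text):
        hits = [(name, m.group(0)) for name, pat in PATTERNS.items() for m in pat.finditer(text)]
        for name, match in hits:
            findings.append({"path": path, "line": lineno, "kind": name, "match": match})
        for tok in TOKEN_RE.findall(text):
            if any(match in tok for _, match in hits):
                continue   # already reported by a specific pattern
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "kind": "high_entropy",
                                 "match": tok})
    return findings


# Constructed diff for the example; the token values are invented, not real credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 DATABASES = {}
-SLACK_TOKEN = os.environ["SLACK_TOKEN"]
+SLACK_TOKEN = "xoxb-123456789012-ABCDEFGHIJKLMNOPQRSTUVWX"
+API_SECRET = "k8Zq3vP9xL2mN7rT4wY6bC1dF5gH0jA8"
+GREETING = "hello world, this is just a long ordinary string"
 LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['path']}:{f['line']} {f['kind']}: {f['match']}")
```

In CI, feed it the output of `git diff <base>...HEAD` for the change under test and fail the build on any finding. Entropy checks also flag hashes, long identifiers and encoded test fixtures, so pair them with an allow-list of reviewed false positives, and treat any true hit as a credential to revoke, not merely a line to remove from history.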

  • DICE and MUD Protocols for Securing IoT Devices STI Graduate Student Research
    by Muhammed Ayar - June 5, 2019 in Internet of Things

    The exponential growth of Internet of Things (IoT) devices on communication networks is creating an increasing security challenge that threatens the entire Internet community. Attackers operating networks of compromised IoT devices can target any site on the Internet and bring it down with denial-of-service attacks. As exemplified by the DDoS attacks that took down portions of the Internet in the past few years, such as the attacks on Dyn and KrebsOnSecurity (Hallman, Bryan, Palavicini Jr, Divita, Romero-Mariona, 2017), IoT users need to take drastic steps to secure these devices. This research discusses the steps involved in attempting to secure IoT devices using DICE and MUD.

  • Digging for Gold: Examining DNS Logs on Windows Clients STI Graduate Student Research
    by Amanda Draeger - May 22, 2019 in DNS Issues

    Investigators can examine Domain Name System (DNS) queries to find potentially compromised hosts by searching for queries that are unusual or that resolve known malicious domains. Once the investigator identifies the compromised host, they must then locate the process that is generating the DNS queries. The problem is that Windows hosts do not log DNS client transactions by default, and there is little documentation on the structure of those logs. This paper examines how to configure several modern versions of Windows to log DNS client transactions so that the originating process can be determined for any given DNS query. These configurations allow investigators to more quickly determine not only which host is compromised, but also which process is malicious.

  • Overcoming the Compliance Challenges of Biometrics STI Graduate Student Research
    by David Todd - May 22, 2019 in Legal Issues

    Due to increased regulations designed to protect sensitive data such as personally identifiable information (PII) and protected health information (PHI), hospitals and other industries requiring improved data protections are starting to adopt biometrics. However, adoption has been slow within many of the industries that have suffered most of the breaches over the last several years. One reason adoption has been slow is that companies hesitate to implement biometrics across their organization without first understanding the vast complexities of the various state-by-state privacy regulations. By adopting a common biometrics compliance framework, this research will show how organizations can implement biometric solutions that comply with the overall spirit of the different state privacy and biometric regulations, enabling those companies to improve global data protections.

  • Passive Isn't Good Enough: Moving into Active EDR Analyst Paper (requires membership in community)
    by Justin Henderson - May 17, 2019 in Clients and Endpoints, Intrusion Prevention

    Endpoint detection and response (EDR) technologies focus on identifying anomalous activity at scale, but are often constrained by delayed analysis. Endpoint protection platforms (EPP) can manage aspects of endpoint security, but often lack enterprise-class detection and reporting capabilities. This leads to the most recent addition to the endpoint protection arsenal: active endpoint detection and response, which offers real-time analysis compared with traditional passive EDR.

  • Hunting for Ghosts in Fileless Attacks
    by Buddy Tancio - May 13, 2019 in Malicious Code

    Hunting for a fileless threat can be a tedious and labor-intensive task for any analyst. More often than not, it is extremely time-consuming and requires a significant amount of data gathering. On top of that, traditional tools, methods and defenses seem to be less effective when dealing with these almost invisible threats. Threat actors frequently use attack techniques that work directly from memory, or that use legitimate tools or services pre-installed on the system, to achieve their goals (Trend Micro, 2017). This is a popular technique among targeted attacks and advanced persistent threats (APT), and it has now been adopted by conventional malware such as trojans, ransomware and, most recently, cryptocurrency miners. In some incidents, searching for a malicious file on disk is insufficient. This study explores the different variations of fileless attacks that have targeted the Windows operating system and what kinds of artifacts or tools can provide clues for forensic investigation.

  • How to Protect a Modern Web Application in AWS Analyst Paper (requires membership in community)
    by Shaun McCullough - May 9, 2019 in Cloud Computing, Threats/Vulnerabilities

    In moving assets to the cloud, organizations need to prioritize their security plans based on the risks to which they are exposed. With threat modeling, organizations can identify and prioritize the risks to infrastructure, applications and the services they provide, as well as evaluate how to manage those risks over time. This paper includes use cases for threat modeling web apps and the DevSecOps platform, using a process that is both repeatable and improvable.

  • Runtime Application Self-Protection (RASP), Investigation of the Effectiveness of a RASP Solution in Protecting Known Vulnerable Target Applications STI Graduate Student Research
    by Alexander Fry - April 30, 2019 in Application and Database Security

    Year after year, attackers target application-level vulnerabilities. To address these vulnerabilities, application security teams have increasingly focused on shifting left - identifying and fixing vulnerabilities earlier in the software development life cycle. However, at the same time, development and operations teams have been accelerating the pace of software release, moving towards continuous delivery. As software is released more frequently, gaps remain in test coverage leading to the introduction of vulnerabilities in production. To prevent these vulnerabilities from being exploited, it is necessary that applications become self-defending. RASP is a means to quickly make both new and legacy applications self-defending. However, because most applications are custom-coded and therefore unique, RASP is not one-size-fits-all - it must be trialed to ensure that it meets performance and attack protection goals. In addition, RASP integrates with critical applications, whose stakeholders typically span the entire organization. To convince these varied stakeholders, it is necessary to both prove the benefits and show that RASP does not adversely affect application performance or stability. This paper helps organizations that may be evaluating a RASP solution by outlining activities that measure the effectiveness and performance of a RASP solution against a given application portfolio.

  • Security Considerations for Voice over Wi-Fi (VoWiFi) Systems STI Graduate Student Research
    by Joel Chapman - April 30, 2019 in Telephone Issues, VOIP Issues

    As the world pivots from Public Switched Telephony Networks (PSTN) to Voice over Internet Protocol (VoIP)-based telephony architectures, users are employing VoIP-based solutions in more situations. Mobile devices have become a ubiquitous part of a person's identity in the developed world. In the United States in 2017, there were an estimated 224.3 million smartphone users, representing about 68% of the total population. The ability to route telephone call traffic over Wi-Fi networks will continue to expand the coverage area of mobile devices, especially into urban areas where high-density construction has previously caused high signal attenuation. Estimates show that by 2020, Wi-Fi-based calling will make up 53% of mobile IP voice service usage (roughly 9 trillion minutes per year) (Xie, 2018). In contrast to the more traditional VoIP solutions, however, the standards for carrier-based Voice over Wi-Fi (VoWiFi) are often proprietary and have not been well-publicized or vetted. This paper examines the vulnerabilities of VoWiFi calling, assesses what common and less well-known attacks are able to exploit those vulnerabilities, and then proposes technological or procedural security protocols to harden telephony systems against adversary exploitation.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.