Two weeks of training and 14 courses available in San Francisco - Mar. 16-27. Save $300 thru 1/22!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,960 original computer security white papers in 110 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Threat Hunting and Discovery: A SANS Review of Vectra Cognito Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - January 15, 2020 in Best Practices, Threat Hunting

  • Lateral traffic movement in Virtual Private Clouds STI Graduate Student Research
    by Andy Huang - January 3, 2020 in Cloud Computing

    Cloud vendors have introduced virtual private cloud (VPC) structures to bring the benefits of private cloud into the public cloud. These structures provide vertical segmentation and isolation for application projects implemented within them. However, the security context needs to be considered as applications communicate with one another between VPCs using technologies such as peering and privatelinks. Applications are usually highly dependent on each other for data and functionality, leading to cross-connections between VPC structures. The implications between different connection setups need to be vetted to ensure that access is not overly permissive, thus leading to possible lateral movement of traffic.


  • Defense in Depth: Can Geolocation Help Prevent Tax Fraud? STI Graduate Student Research
    by Jon Glas - January 3, 2020 in Logging Technology and Techniques

    Abstract: Accountants and tax filing businesses use complex software to automate the preparation and electronic filing of tax returns. Cybercriminals harvest identities, breach networks, and impersonate legitimate users to leverage tax software to defraud the government, the affected businesses, and citizens for over $1 billion annually (McTigue, 2018). The IRS and tax software companies have partnered to implement controls focused on authentication, authorization, and detection to identify fraudulent tax returns before they are processed. These controls successfully prevent upwards of $10 billion of fraudulent filing a year (McTigue, 2018), but those controls focus on an analysis of the ‘who’ and ‘what’ components of tax returns. This paper uses Geolocation tools to look at the ‘where’ component of tax returns by analyzing legitimate and fraudulent tax return electronic filing data to look for trends and patterns. The goal of this paper is to determine if Geolocation technologies can be used as an additional layer of controls to support a defense in depth approach of fraud prevention.


  • Defense in Depth for a Small Office/Home Office STI Graduate Student Research
    by Gregory Melton - December 18, 2019 in Home & Small Office

    Much attention is given to enterprise security with expensive solutions and teams of both IT and security personnel, but the home office may only ever be proactively defended by a single amateur or hobbyist. Large scale corporate solutions may deal with Advanced Persistent Threats (APTs) and corporate espionage, but there are far fewer solutions to home office threats. This paper focuses on best practices for a home network running minimal servers to protect from casual browsing and careless home users. This research intends to demonstrate meaningful defense of endpoints in a local network by drastically reducing potential communication to C2 nodes and data exfiltration with proper filtering and minimal extra hardware.


  • How to Leverage a CASB for Your AWS Environment Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - December 17, 2019 in Cloud Computing, Data Protection

    As organizations move applications and data to the cloud, the number of applications they can leverage grows constantly, as do the areas where data can reside. Cloud access security brokers (CASBs) provide the convenience and means to integrate with modern technologies and implement security controls. Discover how CASBs help you make sense of auditing data, provide data protection and storage security, take advantage of common CASB features to secure deployments.


  • Workforce Transformation: Challenges, Risks and Opportunities Analyst Paper (requires membership in SANS.org community)
    by David Hazar - December 17, 2019 in Risk Management, Security Trends

    Shifts in globalization, demographics, work styles and work sourcing are transforming the way companies manage their businesses. In this survey, SANS, in cooperation with RSA, examines the risk factors associated with workforce transformation, what organizations are most concerned about, and what organizations are doing to mitigate risks.


  • Building an Audit Engine to Detect, Record, and Validate Internal Employees' Need for Accessing Customer Data STI Graduate Student Research
    by Jekeon Jack Cha - December 11, 2019 in Digital Privacy

    When using Software-as-a-Service (SaaS) products, customers are asked to store and entrust a large volume of personal data to SaaS companies. Unfortunately, consumers are living in a world of numerous data breaches and significant public privacy violations. As a result, customers are rightfully skeptical of the privacy policies that businesses provide and are looking for service providers who can distinguish their commitment to customer data privacy. This paper examines the viability of building an accurate audit engine to detect, record, and validate internal employees’ reasons for accessing a particular customer’s data. In doing so, businesses can gain clear visibility into their current processes and access patterns to meet the rising privacy demand of their customers.


  • Looking for Linux: WSL Key Evidence STI Graduate Student Research
    by Amanda Draeger - December 11, 2019 in Secure Monitoring

    Microsoft released Windows Subsystem for Linux (WSL) in 2016 to much fanfare, but little research into the security implications of installing this feature followed. This lack of research, and lack of documentation, is a problem for the administrators who want to take advantage of its feature set while monitoring their systems for unusual behavior. Native Windows logging can provide visibility into WSL’s behavior, but there has been no research on which logs can provide this visibility, and what exact information they can provide. This paper examines how to monitor a Windows 10 system with WSL installed for common indicators of malicious activity.


  • Detecting Malicious Authentication Events in SaaS Applications Using Anomaly Detection STI Graduate Student Research
    by Gavin Grisamore - December 11, 2019 in Intrusion Detection

    SaaS applications have been exploding in popularity due to their ease of deployment, use, and maintenance. Security teams are struggling to keep pace with the growing list of applications used in their environment as well as with the process of tracking the data these applications hold. Attackers have been taking advantage of these visibility gaps and have targeted SaaS applications regularly. By using log data from the applications themselves, security teams can use anomaly detection techniques to find and respond to such attacks. Anomaly detection allows security teams to more quickly identify and remedy a data breach by condensing large amounts of data into a shortened list of events that are outliers. The detection techniques used can help security teams respond to or prevent the next data breach.


  • Protecting the User: A Review of Mimecast's Web Security Service Analyst Paper (requires membership in SANS.org community)
    by David Szili - December 11, 2019 in Email Issues, Threats/Vulnerabilities

    The web remains a primary vector for cyberattacks, as either the initiation point or the way to complete the adversaries' mission. In this review, SANS instructor David Szili shares his perspectives on best practices for securing the web in general and his experience using the Mimecast Web Security cloud service in particular.


  • Threat Hunting with Consistency Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - December 8, 2019 in Best Practices, Threat Hunting

  • Threat Hunting and Incident Response in a post-compromised environment by Rukhsar Khan - December 3, 2019 in Forensics

    If you give an attacker 100 days to move freely in your compromised environment, the evidence is reasonably strong that your organization is pretty bad at Security Operations (The future of Security Operations). However, repeatedly sending false positives breach escalation to the forensic team is also problematic. It happens in a lot of large organizations, banks and, government institutions across the globe. This paper starts with an overview of current significant problems identified in Security Operations and Digital Forensics and Incident Response (DFIR) teams and reasons behind them. Then, we will discuss on the solution that encompasses the MITRE ATT&CK framework (MITRE ATT&CK) along with a robust Cyber Threat Intelligence (CTI). Appropriate data collection sources for data enrichment, including all Cyber Security threat information expressed in the STIX language, will also be covered. Although the solution includes specific commercial and non-commercial products and tools from various vendors and organizations, we are not necessarily in favor of any. The core implementation of the MITRE ATT&CK framework, however, is performed in the IBM Resilient Security Orchestration, Automation, and Response (SOAR) product.


  • Assisted Security Investigations Using Cognitive Computing by Lori Stroud - December 3, 2019 in SOC

    The purpose of this research is to illustrate the application of cognitive computing and machine learning concepts through the building and training of a chatbot that simulates human conversation for cybersecurity investigation scenarios. The SOC chatbot will offer best-practice advisory dialogue to security analysts as they proceed through security incident investigations, thus simulating technical mentorship. As a security analyst progresses through various investigations, they will become more practiced in the recommended and appropriate workflows, gain investigative tool proficiency, and become more confident in handling standalone investigations. The SOC chatbot will serve as a training tool for less experienced analysts and afford more time to upper-tier analysts to respond to escalated security incidents, as they will no longer need to walk through incidents alongside junior analysts. Security analysts serving in a tier 1 SOC role are ideal end-users of the SOC chatbot. As the first line of defense, their primary function is to address SIEM events. They are familiar with basic security concepts, incident ticketing systems, and hold the appropriate level of access for data gathering and external research.


  • How to Build a Threat Hunting Capability in AWS Analyst Paper (requires membership in SANS.org community)
    by Shaun McCullough - December 3, 2019 in Cloud Computing, Threat Hunting

    Threat hunting is more of an art than a science, in that its approach and implementation can differ substantially among enterprises and still be successful. In cloud environments, where the threat landscape is always changing, security teams must know what data to collect and how to analyze it in order to tease out suspicious anomalies. In addition to these topics, this whitepaper walks you through the threat hunting process, describing tools and techniques you can use to find and neutralize threats.


  • 2019 SANS Survey on Next-Generation Endpoint Risks and Protections Analyst Paper (requires membership in SANS.org community)
    by Justin Henderson and John Hubbard - December 2, 2019 in Best Practices, Security Trends

    Past SANS surveys show that endpoints of all types are being breached and used to dig deeper into organizations' networks. Our 2019 Next-Generation Endpoint Survey explores how attack methods and payloads are changing, whether organizations are containing breaches effectively, and more--including recommendations and guidance in addressing these concerns.


  • Catch Me If You Can: Detecting Server-Side Request Forgery Attacks on Amazon Web Services STI Graduate Student Research
    by Sean McElroy - November 27, 2019 in Cloud Computing, Intrusion Detection

    Cloud infrastructure offers significant benefits to organizations capable of leveraging rich application programming interfaces (APIs) to automate environments at scale. However, unauthorized access to management APIs can enable threat actors to compromise the security of large amounts of sensitive data very quickly. Practitioners have documented techniques for gaining access through Server-Side Request Forgery (SSRF) vulnerabilities that exploit management APIs within cloud providers. However, mature organizations have failed to detect some of the most significant breaches, sometimes for months after a security incident. Cloud services adoption is increasing, and firms need effective methods of detecting SSRF attempts to identify threats and mitigate vulnerabilities. This paper examines a variety of tools and techniques to detect SSRF activity within an Amazon Web Services (AWS) environment that can be used to monitor for real-time SSRF exploit attempts against the AWS API. The research findings outline the efficacy of four different strategies to answer the question of whether security professionals can leverage additional vendor-provided and open-source tools to detect SSRF attacks.


  • Exploring the Human Fingerprints on Malware by Tobias Johansson and Robert M. Lee - November 22, 2019 in Threats/Vulnerabilities

    Much of the focus of cyber threat intelligence is countering adversaries and the tools and capabilities they leverage to do target organizations harm. Malware is a popular choice by many adversaries to fulfill their goals such as access development or destructive purposes. Malware contains a wealth of information to analyze for the purpose of cyber threat intelligence. The development, operationalizing, and utilization of malware is performed by humans and these human interactions leave traces of how the malware is leveraged, its configuration data, or even the choice of the malware itself. Malware is often not unique to specific adversaries but these traces, identified in the paper simply as human fingerprints, can be useful in clustering intrusions into sets for structured analysis and satisfying intelligence requirements. This is not a new concept and there are many researchers who take advantage of these practices today. The purpose of this paper is to introduce this concept to a wider audience and also structure it around the Diamond Model as a useful tool for analysis.


  • Taming the Wild West: Finding Security in Linux Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - November 22, 2019 in Cloud Computing, Linux Issues

    Although Linux has historically been less prone to attacks, increased enterprise use on-premises and in the cloud means it has become as common a target as Windows environments. This paper looks at the deficiencies of Linux from a security perspective and how to lock Linux down more effectively.


  • Israel's Attack on Hamas' Cyber Headquarters Under Customary International Humanitarian Law by Jonathan Matkowsky - November 21, 2019 in Active Defense

    During intense military fighting in May 2019, Israel stopped the Hamas organized-armed-group from harming Israeli sites as part of establishing offensive cyber capabilities in the Gaza Strip tied to its war effort. Israel attacked the headquarters from which Hamas’ cyber unit operated, including any information systems and related cyber-infrastructure in the facility. Under customary international humanitarian law, the attack on Hamas’ headquarters appears to be a cyber-specific example of a lawful military objective due to its inherent nature, as suggested by Prof. R. Chesney (2019). This paper discusses the principles of international humanitarian law—military necessity, humanity, distinction, and proportionality—applicable from an Israeli law perspective to the targeted strike on the Hamas’ cyber headquarters, including support that the principles have achieved the status of customary international humanitarian law. Israel did not disclose whether Hamas only used the facility for intelligence gathering tied to the war effort alone, or if that intelligence was also being used to develop cyber weapons. Both are inherently lawful military objectives under customary international humanitarian law, according to Prof. Dinstein (2016). A key takeaway is that applying the principles of customary international humanitarian law may sometimes favor using traditional military force, and other times favor using cyber activity.


  • Someone to Watch Over You: A Review of CrowdStrike’s Falcon OverWatch Analyst Paper (requires membership in SANS.org community)
    by Joe Sullivan - November 19, 2019 in Intrusion Detection, Threat Hunting

    Technology alone cannot stop 100% of threats against endpoints. Ensuring security requires that people and processes be an integral part of threat hunting. That’s where CrowdStrike’s Falcon OverWatch comes in--with a team of live, trained threat hunting analysts whose job it is to alert you to advanced attack techniques that can go undetected by automated tools. In this review, SANS puts OverWatch through its paces to detect and alert on sophisticated attacks like credential theft, defense evasion and lateral movement, making it possible for on-premises security teams to respond to threats immediately.


  • JumpStart Guide to Investigations and Cloud Security Posture Management in AWS Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - November 8, 2019 in Cloud Computing, Risk Management, Secure Monitoring

    Cloud security posture management ( CSPM) has gained popularity as organizations move to a cloud-first mentality. CSPM enables efficient investigations because it centralizes data sources that provide operational and security insight. When an organization moves to the cloud, the security team needs visibility into its AWS accounts, which can be a complex undertaking. This paper focuses on the tactics that can aid in an investigation.


  • Securing the Supply Chain - A Hybrid Approach to Effective SCRM Policies and Procedures STI Graduate Student Research
    by Daniel Carbonaro - November 7, 2019 in Standards

    Organizations’ supply chains are growing increasingly interdependent and complex, the result of which is an ever-increasing attack surface that must be defended. Current supply chain security frameworks offer effective guidance to organizations to help mitigate their supply chains from attack. However, they are limited in their scope and impact and can be extremely complex for organizations to adopt effectively. To further complicate issues, the ability of an organization to identify the scope of their supply chains may be a complicated endeavor. This paper seeks to give context not only to the challenges facing security within the ICT Supply Chain, but attempts to give a hybrid framework for any business regardless of size or function to follow when attempting to mitigate threats both to and from within their supply chain.


  • Guarding the Modern Castle: Providing Visibility into the BACnet Protocol STI Graduate Student Research
    by Aaron Heller - October 30, 2019 in Industrial Control Systems / SCADA

    Building automation devices are used to monitor and control HVAC, security, fire, lighting, and other similar functions in a building or across a campus. Over 60% of the global market for building automation relies on the BACnet protocol to enable communication between field devices (BSRIA, 2018). There are few open-source network intrusion detection or prevention systems (NIDS/NIPS) capable of interpreting and monitoring the BACnet protocol (Hurd & McCarty, 2017). This blind spot presents a significant security risk. The maloperation of building automation systems can cause physical damage and financial losses, and can allow an attacker to pivot from a building automation network into other networks (Balent & Gordy, 2013). A BACnet/IP protocol analyzer was created for an open-source NIDS/NIPS called Zeek to help minimize this network security blind spot. The analyzer was tested with publicly available BACnet capture files, including some with protocol anomalies. The new analyzer and test cases provide network defenders with a tool to implement a BACnet/IP capable NIDS/NIPS as well as insight into how to defend the modern-day “castles” that rely on the Building Automation and Control network protocol.


  • An AWS Network Monitoring Comparison STI Graduate Student Research
    by Nichole Dugan - October 30, 2019 in Cloud Computing

    AWS recently released network traffic mirroring in their environment. As this is a relatively new feature, users of the service in the past have used tools such as Security Onion to monitor traffic using a hosted base model of forwarding network traffic to analyze the data. It may not be apparent to an organization which option works best for them, so an analysis should be done of both the traffic mirroring and host based options to determine the benefits and drawbacks of each method. This paper seeks to compare the two types of network monitoring available in the AWS environment, traffic mirroring and host based, and determine which method is more cost-effective, and, through testing, determine which method generates more alerts.


  • How to Perform a Security Investigation in AWS A SANS Whitepaper Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - October 30, 2019 in Cloud Computing, Forensics

    Because the technologies that enable investigations in the cloud differ from those on premises, as do the levels of responsibility, organizations need to put in place a cloud-specific incident response plan. By planning out how they will perform investigations using solutions such as AWS, organizations can validate that any obligations they may have as a security organization can be met as effectively in cloud environments as they did in-house.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.