Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,750 original computer security white papers in 106 different categories.

Latest 25 Papers Added to the Reading Room

• BYOD Security Implementation for Small Organizations STI Graduate Student Research
  by Raphael Simmons - December 15, 2017 in Mobile Security

  The exponential improvement of the mobile industry has caused a shift in the way organizations work across all industry sectors. Bring your own device (BYOD) is a current industry trend that allows employees to use their personal devices such as laptops, tablets, mobile phones and other devices, to connect to the internal network. The number of external devices that can now connect to a company that implements a BYOD policy has allowed for a proliferation of security risks. The National Institute of Standards and Technology lists these high-level threats and vulnerabilities of mobile devices: lack of physical security controls, use of untrusted mobile devices, use of untrusted networks, use of untrusted applications, interaction with other systems, use of untrusted content, and use of location services. A well implemented Mobile Device Management (MDM) tool combined with network access controls can be used to mitigate the risks associated with a BYOD policy.

  •  Overview
  •  Download

• ---

• SOC Automation-Deliverance or Disaster Analyst Paper
  by Eric Cole, PhD - December 11, 2017 in Best Practices, Incident Handling, Threats/Vulnerabilities

  • Sponsored By: DFLabs

  Learn how to strike a balance between security alerts that can be automated with minimal impact and the higher-risk alerts that need to be handled by analysts.

  •  Overview
  •  Download

• ---

• The Effectiveness of Tools in Detecting the 'Maleficent Seven' Privileges in the Windows Environment STI Graduate Student Research
  by Tobais McCurry - December 5, 2017 in System Administration, Threat Hunting

  Windows privileges add to the complexity of Windows user permissions. Each additional user added to a group could lead to a domain compromise if not evaluated. Privileges can override permission causing a gap of perceived effective permission. Currently, system administrators rely on tools such as Security Explorer, Permissions Analyzer for Active Directory, or Gold Finger help with this problem. An analysis of these three tools that are supposed to help with permissions is needed to provide administrators a window into these complex effective permissions. The results of this research discovered a gap in identifying users with privileges with the current tools available. This gap was filled by the author by using powershell.

  •  Overview
  •  Download

• ---

• Minerva Labs: Using Anti-Evasion to Block the Stealth Attacks Other Defenses Miss Analyst Paper
  by Eric Cole, PhD - December 4, 2017 in Attacking Attackers, Data Protection

  • Associated Webcasts: Using Anti-Evasion to Block Stealth Attacks with Minerva Labs
  • Sponsored By: Minerva Labs

  Attackers routinely use evasion to evade baseline anti-malware tools and ultimately compromise endpoints. How can enterprises prevent such intrusions without relying on after-the-fact detection? This paper explores a unique approach to preventing evasive malware from infecting endpoints, using Minerva's Anti-Evasion Platform to automatically block threats without ever scanning files or processes. SANS Reviewer Eric Cole, PhD, shares his findings regarding the ability of Minerva's Anti-Evasion Platform to block such evasive threats.

  •  Overview
  •  Download

• ---

• Security and Operations - An Overlooked But Necessary Partnership Analyst Paper
  by Sonny Sarai - December 4, 2017 in Best Practices, Incident Handling, Threats/Vulnerabilities

  • Associated Webcasts: Security and Ops Hacks
  • Sponsored By: Rapid7 Inc.

  This paper explores ways to foster cooperation between Security and Operations groups for better visibility into threats and threat pathways, while improving overall protection and network hygiene.

  •  Overview
  •  Download

• ---

• Who's in the Zone? A Qualitative Proof-of-Concept for Improving Remote Access Least-Privilege in ICS-SCADA Environments STI Graduate Student Research
  by Kevin Altman - December 4, 2017 in SCADA

  Remote access control in many ICS-SCADA environments is of limited effectiveness leading to excessive privilege for staff who have responsibilities bounded by region, site, or device. Inability to implement more restrictive least-privilege access controls may result in unacceptable residual risk from internal and external threats. Security vendors and ICS cybersecurity practitioners have recognized this issue and provide options to address these concerns, such as inline security appliances, network authentication, and user-network based access control. Each of these solutions reduces privileges but has tradeoffs. This paper evaluates network-based access control combined with security zones and its benefits for existing ICS-SCADA environments. A Proof-of-Concept (PoC) evaluates a promising option that is not widely known or deployed in ICS-SCADA.

  •  Overview
  •  Download

• ---

• Updated: Out with the Old, In with the New: Replacing Traditional Antivirus Analyst Paper
  by Barbara Filkins - December 1, 2017 in Firewalls & Perimeter Protection, Management & Leadership

  • Associated Webcasts: Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV
  • Sponsored By: CarbonBlack

  This updated version of the 2016 paper that included the SANS guide to evaluating next-generation antivirus provides the background information organizations need to assist them in their efforts to procure next-generation antivirus. Review this document to establish your overall road map and help resolve any questions you may have on the procurement process after reading the companion piece: "SANS Step-by-Step Guide for Procuring Next-Generation Antivirus".

  •  Overview
  •  Download

• ---

• NGAV RFP Evaluation Master Template Analyst Paper
  by Barbara Filkins - November 30, 2017 in Firewalls & Perimeter Protection, Management & Leadership

  • Associated Webcasts: Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV
  • Sponsored By: CarbonBlack

  Click on the link in this file to access the Excel spreadsheet designed to help you compare the vendors from whom you have collected RFP information.

  •  Overview
  •  Download

• ---

• NGAV RFP Analyst Paper
  by Barbara Filkins - November 30, 2017 in Firewalls & Perimeter Protection, Management & Leadership

  • Associated Webcasts: Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV
  • Sponsored By: CarbonBlack

  This document is a standalone RFP for selecting a next-generation antivirus (NGAV) solution. For more information on how to procure NGAV, be sure to access the Step by Step Guide for Procuring Next-Generation Antivirus.

  •  Overview
  •  Download

• ---

• Step by Step Guide for Procuring Next-Generation Antivirus Analyst Paper
  by Barbara Filkins - November 30, 2017 in Firewalls & Perimeter Protection, Management & Leadership

  • Associated Webcasts: Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV Next-Generation Antivirus (NGAV) Buyer\'s Guide: Successful Strategies for Choosing and Implementing NGAV
  • Sponsored By: CarbonBlack

  This document outlines a procurement process you can use and customize when upgrading to NGAV. The key steps to successful procurement do not change and should apply to any NGAV procurement project.

  •  Overview
  •  Download

• ---

• Hacking Humans: The Evolving Paradigm with Virtual Reality STI Graduate Student Research
  by Andrew Andrasik - November 22, 2017 in Penetration Testing

  Virtual reality (VR) systems are evolving from high-end gaming and military applications to being used in day-to-day business operations and daily life. Cyber security professionals must begin now to prepare proactive threat analysis and incident handling plans that cover information systems and users. Previous compromises illustrate the devastating effects malware can have on the confidentiality, integrity, and availability of information systems. These disastrous consequences may be transferred directly to the user given his or her perception of events. Even in the early stages, VR represents a new paradigm within the information age. Today, users view information systems through a monitor that acts as a window into a virtual environment. Within VR, a user may become completely immersed while absorbing information from all five senses. VR represents a dichotomy that adds a potential human component to an information system compromise. This research project examines offensive tactics, techniques, and procedures, then exploits and extrapolates them to a compromised VR system and the user to illustrate the hazards associated with VR.

  •  Overview
  •  Download

• ---

• Data Mining in the Dark: Darknet Intelligence Automation STI Graduate Student Research
  by Brian Nafziger - November 17, 2017 in Threat Intelligence

  Open-source intelligence offers value in information security decision making through knowledge of threats and malicious activities that potentially impact business. Open-source intelligence using the internet is common, however, using the darknet is less common for the typical cybersecurity analyst. The challenges to using the darknet for open-source intelligence includes using specialized collection, processing, and analysis tools. While researchers share techniques, there are few publicly shared tools; therefore, this paper explores an open-source intelligence automation toolset that scans across the darknet - connecting, collecting, processing, and analyzing. It describes and shares the tools and processes to build a secure darknet connection, and then how to collect, process, store, and analyze data. Providing tools and processes serves as an on-ramp for cybersecurity intelligence analysts to search for threats. Future studies may refine, expand, and deepen this paper's toolset framework.

  •  Overview
  •  Download

• ---

• Leverage Risk Focused Teams to Strengthen Resilience against Cyber Risks STI Graduate Student Research
  by Dave Bishop - November 17, 2017 in Disaster Recovery

  Information security, risk management, audit and business continuity teams must continue to evolve and mature to combat the growing cyber risks impacting business operations. Each team has standards and frameworks, but they often dont speak the same language or understand how each group intersects in protecting the organization. This research identifies opportunities to reduce resource duplication and integrate information security and risk-focused teams to strengthen the organizations resilience against cyber risks.

  •  Overview
  •  Download

• ---

• The State of Honeypots: Understanding the Use of Honey Technologies Today STI Graduate Student Research
  by Andrea Dominguez, - November 17, 2017 in Intrusion Detection

  The aim of this study is to fill in the gaps in data on the real-world use of honey technologies. The goal has also been to better understand information security professionals views and attitudes towards them. While there is a wealth of academic research in cutting-edge honey technologies, there is a dearth of data related to the practical use of these technologies outside of research laboratories. The data for this research was collected via a survey which was distributed to information security professionals. This research paper includes details on the design of the survey, its distribution, analysis of the results, insights, lessons learned and two appendices: the survey in its entirety and a summary of the data collected.

  •  Overview
  •  Download

• ---

• Cyber Defense Challenges from the Small and Medium-Sized Business Perspective STI Graduate Student Research
  by Aric Asti - November 17, 2017 in Home & Small Office

  With 5.7 million SMBs in the United States, it is essential that the risks involving cybersecurity events are identified. Small and medium-sized businesses (SMBs) face different challenges than large enterprises in regard to cybersecurity. The goal of this project was to survey SMBs and reveal organizational barriers that impact the cybersecurity posture of SMBs. An online survey was administered with a final sample size of 22 SMBs. Significant results showed that the top challenges were finances to pay talent, regulatory compliance and professionally available talent. As a result of inadequate information technology (IT) and cybersecurity staffing, 64% of respondents were unaware if a successful cyber-attack had taken place. The significant challenge SMBs face is their security posture and knowing if they have been or are being targeted against a cyber-attack. The main objective of this project was to show the security profile of the typical SMB. Educational, software and hardware tools should be promoted to increase the security posture of SMBs. Further research might focus more on the staffing and dedicated hours of IT and cybersecurity employees.

  •  Overview
  •  Download

• ---

• Exploring the Effectiveness of Approaches to Discovering and Acquiring Virtualized Servers on ESXi STI Graduate Student Research
  by Scott Perry - November 17, 2017 in Best Practices, Forensics, Incident Handling

  As businesses continue to move to virtualized environments, investigators need updated techniques to acquire virtualized servers. These virtualized servers contain a plethora of relevant data and may hold proprietary software and databases that are relatively impossible to recreate. Before an acquisition, investigators sometimes rely on the host administrators to provide them with network topologies and server information. This paper will demonstrate tools and techniques to conduct server and network discovery in a virtualized environment and how to leverage the software used by administrators to acquire virtual machines hosted on vSphere and ESXi.

  •  Overview
  •  Download

• ---

• Cyber Threat Intelligence Support to Incident Handling STI Graduate Student Research
  by Brian Kime - November 17, 2017 in Threat Intelligence

  Recent research has shown increased awareness of Cyber Threat Intelligence (CTI) capabilities. However, CTI teams continue to be underutilized and have had difficulty demonstrating the value they can add to digital forensics incident response (DFIR) teams. Meta-analysis of multiple surveys will identify where the gaps in knowledge exist. The paper will suggest how CTI can support DFIR at each level of intelligence and operations tactical, operational, and strategic and during each phase of the incident response lifecycle preparation; detection and analysis, containment, eradication, and recovery; and lessons learned. CTI teams should have priority intelligence requirements (PIRs) and a collection plan that supports answering those PIRs. In return, DFIR needs to share investigations and incident reports with the CTI team to reduce risk to the organization, decrease the time to detect an incident and decrease the time to remediate an incident. This paper builds on previous work by the author to develop CTI processes to support CTI planning.

  •  Overview
  •  Download

• ---

• Tackling the Unique Digital Forensic Challenges for Law Enforcement in the Jurisdiction of the Ninth U.S. Circuit Court STI Graduate Student Research
  by John Garris - November 17, 2017 in Forensics, Legal Issues

  The creation of a restrictive digital evidence search protocol by the U.S. Ninth Circuit Court of Appeals - the most stringent in the United States - triggered intense legal debate and caused significant turmoil regarding digital forensics procedures and practices in law enforcement operations. Understanding the Court's legal reasoning and the U.S. Department of Justice's counter-arguments regarding this protocol is critical in appreciating how the tension between privacy concerns and the challenges to law enforcement stand at the center of this unique Information Age issue. By focusing on the Court's core assumption that the seizure and search of electronically stored information are inherently overly intrusive, digital forensics practitioners have a worthy target to focus their efforts in the advancement of digital forensics processes, procedures, techniques, and tool-sets. This paper provides an overview of various proposals, developments, and possible approaches to help address the privacy concerns central to the Court's decision, while potentially improving the overall effectiveness and efficiency of digital forensic operations in law enforcement.

  •  Overview
  •  Download

• ---

• Supplementing Windows Audit, Alerting, and Remediation with PowerShell by Daniel Owen - November 16, 2017 in Information Assurance, Microsoft Windows, Scripting Tips

  This paper outlines the use of PowerShell to supplement audit, alerting, and remediation platform for Windows environments. This answers the question of why use PowerShell for these purposes. Several examples of using PowerShell are included to start the thought process on why PowerShell should be the security multi-tool of first resort. Coverage includes how to implement these checks in a secure, automatable way. To demonstrate the concepts discussed, small code segments are included. The intent of the included code segments is to inspire the reader's creativity and create a desire to use PowerShell to address challenges in their environment. Finally, a short section includes resources for code examples and learning tools. While some knowledge of PowerShell will aid the reader, the intended audience of this paper is the PowerShell novice.

  •  Overview
  •  Download

• ---

• Threat Rigidity in Cybersecurity STI Graduate Student Research
  by Mike Weeks - November 3, 2017 in Critical Controls

  Fear Uncertainty and Doubt (FUD) works as an influence strategy by amateur cybersecurity professionals over an organization, and as a result, FUD Fatigue develops causing a negative impact on their credibility (Anderson 2014). Is there a better way to effect change while maintaining credibility? A social science theory called Threat Rigidity (Staw et al.,1980) addresses organizational responses to threats by describing a constriction in control and a restriction in information processing. The theory of Threat Rigidity theory and its concepts describes FUD Fatigue in that FUD is utilized to spur the threat-rigidity response and will cause a decrement in performance when the level of response is inappropriate for the threat. Threat Rigidity leveraged by a competent cybersecurity professional allows for not only the management of a threat but also the ability to implement critical controls to safeguard the organization from future attacks and move the organization back into an innovative state.

  •  Overview
  •  Download

• ---

• Creating a Logging Infrastructure STI Graduate Student Research
  by Brian Todd - November 3, 2017 in Logging Technology and Techniques

  Logs are an essential aspect of understanding what is occurring in a company's network infrastructure and a company's applications. Log events help analysts to understand the health of the network and give insight into many types of issues. This paper explains how to set up a logging infrastructure by covering log formats and data sources. Then the discussion includes different ways to collect logs and transmit them. This paper then goes over how to pick relevant log sources and events to enable for collection. A company-wide architecture describes the process of collecting logs from offices across the world. Once the company-wide architecture is set up, the paper goes over some correlations using data from a real production network. The paper finishes by reviewing tools that are used to process, index, and correlate all the events that are received.

  •  Overview
  •  Download

• ---

• Building the Airplane in Mid-Flight: Bringing Cyber Security Structure to Special Operations Units STI Graduate Student Research
  by Adam Baker - November 3, 2017 in Getting Started/InfoSec

  Special operations units, born in the fire of urgency and required to be dynamically flexible, may operate for many years without a single cyber security representative. Once hired mid-stream into such a construct, a cyber security professional can be immediately overwhelmed with the breadth of the challenge before him or her: how to overcome cultural and technical challenges to introduce a comprehensive cyber security program into the ad-hoc structure of multi-classification, multi-network, multi-agency information systems and personnel. However, when armed with the lessons from cyber professionals from similar units who were thrown into a similar cauldron and succeeded, a newly-hired information security officer or manager can bring order to the unconventional chaos and ensure continued mission success. This paper will examine the experiences of cyber security professionals who overcame the challenges of securing information systems and personnel in units decidedly different from the rigid DoD structure or the corporate world. After reading, new information security professionals will have practical principles for securing their systems and soldiers, staying out of jail, and enjoying their jobs!

  •  Overview
  •  Download

• ---

• Cloud Security: Defense in Detail if Not in Depth Analyst Paper
  by Dave Shackleford - October 31, 2017 in Cloud Computing

  • Associated Webcasts: Cloud Security: Defense in Detail if Not in Depth. Part 1: Using Cloud Services to Address the Cloud Threat Environment Cloud Security: Defense in Detail if Not in Depth. Part 2: Changes Make the Cloud More Secure, but Is InfoSec Changing Even More? Cloud Security: Defense in Detail if Not in Depth. Part 1: Using Cloud Services to Address the Cloud Threat Environment
  • Sponsored By: Qualys McAfee BMC Software, Inc. Forcepoint LLC

  Survey respondents feel that they lack visibility, auditability and effective controls to monitor everything that goes on in their public clouds. We are, however, seeing increased use of security controls within cloud provider environments and wider use of security-as-a-service (SecaaS) solutions to achieve in-house and external security and compliance requirements. Related findings and best practices are discussed in the following report.

  •  Overview
  •  Download

• ---

• Closing the Skills Gap with Analytics and Machine Learning Analyst Paper
  by Ahmed Tantawy - October 30, 2017 in Security Analytics and Intelligence, Threat Hunting

  • Associated Webcasts: Closing the Skills Gap with Analytics and Machine Learning Closing the Skills Gap with Analytics and Machine Learning
  • Sponsored By: RSA

  It is important that IT departments leverage automated analytics and machine learning solutions that connect the dots between seemingly random events and provide much-needed context, visibility and actionable advice. In this paper, we explain how to utilize and integrate analytics and machine learning to reduce the load on security professionals, while increasing visibility and accurately predicting attackers' next steps.

  •  Overview
  •  Download

• ---

• Blueprint for CIS Control Application: Securing the Oracle E-Business Suite Analyst Paper
  by Barbara Filkins - October 26, 2017 in Security Awareness, Best Practices, Threats/Vulnerabilities

  • Sponsored By: Onapsis

  This paper looks at how the Critical Security Controls can be used to secure Oracle's E-Business Suite (EBS), using an approach that considers application- as well as network-related issues.

  •  Overview
  •  Download

• ---

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.