
Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,870 original computer security white papers in 109 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the on-demand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Taming the Endpoint Chaos Within: A Review of Panda Security Adaptive Defense 360 Analyst Paper (requires membership in SANS.org community)
    by Justin Henderson - March 26, 2019 in Intrusion Detection, Intrusion Prevention

    To survive in a world dealing with automated malware and targeted adversarial attacks, organizations must move past traditional mindsets and implementations. Antivirus is insufficient, but so is focusing heavily on preventive controls. At the same time, too much focus on detection also introduces security risks. Organizations must establish a balance between protection mechanisms and detection. A successful implementation requires automated solutions that scale while simultaneously providing ease of administration for both preventive and detection capabilities.


  • Information Security Best Practices While Managing Projects by Dallas Smith - March 25, 2019 in Best Practices

    To maximize long-term return on investment (ROI) with a project’s delivery, taking information security into account with all aspects of an environment is essential. Fortunately, there are opportunities for project managers to incorporate the application of information security best practices with their projects. The goal of this paper is to bring a deeper understanding of why information security should be front and center to all project stakeholders. The article will discuss ways that project managers can incorporate information security best practices by the use of (1) vendor selection and management, (2) risk assessments, (3) contract negotiation and business associate agreements, and (4) how information security plays a significant role in all phases of a project’s life cycle (initiation, planning, execution, monitoring and controlling, and closure). By understanding and following these information security practices, project managers ensure that their projects do not introduce their organization to unneeded risk, thereby saving the organization time and money.


  • SSL/TLS Interception Challenge from the Shadow to the Light by Ngoc Huy Nguyen - March 25, 2019 in Covert Channels

    Secure Sockets Layer and Transport Layer Security (SSL/TLS) protocols are created to provide confidentiality for sensitive information exchange over the Internet. They can be used to protect privacy and confidentiality but can also be used to hide malicious activities. Organizations are currently facing traffic inspection challenges due to growing encrypted SSL/TLS traffic on the Internet. From criminal perspectives, attackers are moving more and more to encrypted traffic to hide their nefarious activities. Data exfiltration, malicious communication with Command and Control (C&C) and malicious downloads use SSL/TLS encrypted traffic. SSL/TLS interception is a double-edged sword that could be used to prevent and detect abnormal communications. This paper explains how organizations and security analysts can manage these challenges. It describes how to overcome them with advantages and drawbacks.


  • Security Gets Smart with AI Analyst Paper (requires membership in SANS.org community)
    by G.W. Ray Davidson and Barbara Filkins - March 23, 2019 in Security Analytics and Intelligence, Security Trends

  • Empowering Incident Response via Automation Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 20, 2019 in Automation, Incident Handling

  • Logon Banners by Keelan Stewart - March 20, 2019 in Legal Issues

    Logon banners have been a common feature of operating systems and applications for many years. Organizations have adopted logon banners for a myriad of purposes, from threatening unauthorized users with severe repercussions to informing employees that they should not have an expectation of privacy on workstations. The impetus for logon banners typically comes from executive leadership or the legal department, often in response to an incident or lawsuit where such a disclaimer could have aided their stance. Drafting a comprehensive logon banner is daunting, especially when assigned to an arbitrary department with an expectation of quick completion. Understanding the common elements of a logon banner and having a framework to identify requirements, select elements, and write the text allows anybody tasked with implementing a logon banner to do so correctly the first time. This paper considers laws and legal topics from the perspective of the United States and may not be applicable to other jurisdictions.


  • Hunting and Gathering with PowerShell by Troy Wojewoda - March 13, 2019 in Threat Hunting

    PowerShell has been used extensively over the years by both malware authors and information security professionals to carry out disparate objectives. This paper will focus on the latter by detailing various techniques and use-cases for digital defenders. There is no "one-size-fits-all" model that encompasses a dedicated blue team. Roles and responsibilities will differ from organization to organization. Therefore, topics covered will range from system administration to digital forensics, incident response as well as threat hunting. Using the latest in the PowerShell framework, system variables will be collected for the purpose of establishing baselines as well as useful datasets for hunting operations. The focus will then shift to use-cases and techniques for incident responders and threat hunters.


  • Maximizing SOC Effectiveness and Efficiency with Integrated Operations and Defense - SANS Institute Analyst Paper (requires membership in SANS.org community)
    by John Pescatore - March 12, 2019 in Best Practices, Security Analytics and Intelligence, Security Trends

    SANS examines how to maximize the organization's resources by unifying operations and defense. Doing so can help provide effective defense approaches to protect security operations for today, and for what attacks lie in the future.


  • Gaining Endpoint Log Visibility in ICS Environments STI Graduate Student Research
    by Michael Hoffman - March 11, 2019 in Industrial Control Systems / SCADA

    Security event logging is a base IT security practice and is referenced in Industrial Control Security (ICS) standards and best practices. Although there are many techniques and tools available to gather event logs and provide visibility to SOC analysts in the IT realm, there are limited resources available that discuss this topic specifically within the context of the ICS industry. As many in the ICS community struggle with gaining logging visibility in their environments and understanding collection methodologies, logging implementation guidance is further needed to address this concern. Logging methods used in ICS, such as WMI, Syslog, and Windows Event Forwarding (WEF), are common to the IT industry. This paper examines WEF in the context of Windows ICS environments to determine if WEF is better suited for ICS environments than WMI pulling regarding bandwidth, security, and deployment considerations. The comparison between the two logging methods is made in an ICS lab representing automation equipment commonly found in energy facilities.


  • Taking SIEM to the Cloud: A SANS Review of Securonix Next-Gen SIEM v6.1 Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - March 1, 2019 in Automation, Security Analytics and Intelligence

  • Understanding the Adversary with Deception Technology Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - February 26, 2019 in Security Awareness, Security Trends, Threats/Vulnerabilities

  • How to Optimize Security Operations in the Cloud Through the Lens of the NIST Framework Analyst Paper (requires membership in SANS.org community)
    by John Pescatore - February 25, 2019 in Best Practices, Cloud Computing

    The use of cloud services by businesses and government agencies has grown rapidly, with the movement of production workloads to infrastructure as a service (IaaS) growing at more than 35 percent per year. This move to cloud-based services has required security programs to extend operations beyond the data center and to re-evaluate security architectures, processes and controls to maintain effectiveness and efficiency in their efforts to secure their sensitive business applications, be they local or cloud-based.


  • PowerShell Security: Is it Enough? STI Graduate Student Research
    by Timothy Hoffman - February 20, 2019 in Microsoft Windows

    PowerShell is a core component of any modern Microsoft Windows environment and is used daily by administrators around the world. However, it has also become an “attacker’s tool of choice when conducting fileless malware attacks” (O’Connor, 2017). According to a study by Symantec, the number of prevented PowerShell attacks increased by over 600% between the last half of 2017 and the first half of 2018 (Wueest, 2018). This is a staggering number of prevented attacks, but the more concerning problem is the unknown number of undetected attacks that occurred during this time. Modern attackers often prefer to “live off the land,” using native tools already in an environment to prevent detection; PowerShell is a prime example of this. These statistics lead to a suggestion that current PowerShell security may not be effective enough, or organizations are improperly implementing it. This paper investigates the efficiency of PowerShell security, analyzing the success of security features like execution policies, language modes, and Windows Defender, as well as the vulnerabilities introduced by leaving PowerShell 2.0 enabled in an environment. Multiple attack campaigns will be conducted against these security features while implemented individually and collectively to validate their effectiveness in preventing PowerShell from being used maliciously.


  • Continuous Security Monitoring in non-Active Directory Environments by Blair Gillam - February 20, 2019 in Secure Monitoring

    Active Directory-centric monitoring techniques, tools, and methodologies have dominated information security conferences in recent years. Many alternative centralized directory services, including FreeIPA and OpenLDAP, are found in modern enterprises. Diagnostic and performance monitoring for these alternatives is well documented; however, security-related events can be recorded in different formats and multiple locations across both directory servers and clients. This paper investigates continuous security monitoring techniques for FreeIPA that can be leveraged by defenders to analyze and visualize common directory service security events in non-Active Directory environments. It explores change detection rules that can be applied at the user, group, and directory levels and presents example security metrics for detecting anomalous activity.


  • Cyber Threats to the Bioengineering Supply Chain STI Graduate Student Research
    by Scott Nawrocki - February 12, 2019 in Threats/Vulnerabilities

    Biotechnology and pharmaceutical companies rely on the sequencing of DNA to conduct research, develop new drug therapies, solve environmental challenges and study emerging infectious diseases. Synthetic biology combines biology and computer engineering disciplines to read, synthetically write and store DNA sequences utilizing bioinformatics applications. Bioengineers begin with a computerized genetic model and turn that model into a living cell (2011, Smolke). Genetic editing is making headlines as there are rumors that a genetically modified human, immune to HIV, was born in China. As the soil on our farms becomes depleted of nitrogen, genetic research is focusing on applications as a means to reintroduce nitrogen into the ground. Reliance on oil and pollution has paved the way for research into bio-fuels. Genomic research advances have outpaced the security of these applications and technology which leaves them vulnerable to attack (2017, Ney). As information security professionals, we must keep pace with these advances. This research will demonstrate the stages of a network-based attack, recommend Critical Security Controls countermeasures and introduce the concept of a Bioengineering Systems Kill Chain.


  • PDF Metadata Extraction with Python by Christopher A. Plaisance - February 5, 2019 in Forensics

    This paper explores techniques for programmatically extracting metadata from PDF files using Python. It begins by detailing the internal structure of PDF documents, focusing on the internal system of indirect references and objects within the PDF binary, the document information dictionary metadata type, and the XMP metadata type contained in the file’s metadata streams. Next, the paper explores the most common means of accessing PDF metadata with Python, the high-level PyPDF and PyPDF2 libraries. This examination discovers deficiencies in the methodologies used by these modules, making them inappropriate for use in digital forensics investigations. An alternative low-level technique of carving the PDF binary directly with Python, using the re module from the standard library, is described, and found to accurately and completely extract all of the pertinent metadata from the PDF file with a degree of completeness suitable for digital forensics use cases. These low-level techniques are built into a stand-alone open source Linux utility, pdf-metadata, which is discussed in the paper’s final section.


  • Intrusion Prevention System Signature Management Theory by Joshua Levine - February 5, 2019 in Intrusion Prevention

    The intrusion prevention system (IPS) serves as one of the critical components for a defense-in-depth solution. IPS appliances allow for active, inline protection for known and unknown threats passing across a network segment at all layers of the OSI model. The employment, tuning, and upkeep of signatures on an IPS may lead to a negative impact on production traffic if not properly maintained. This document serves as baseline guidance to help shape the development of an organizational IPS signature management policy. Concepts are presented to address the lifecycle of an IPS signature from employment to expiration. Through proper maintenance, placement, and tuning of signatures, an unwanted impact to network traffic can be kept to a minimum while also achieving an optimal balance of security and network performance. By understanding the tenets of effective IPS signature evaluation, employment, tuning, and expiration, organizations can maintain an acceptable network security posture along with adequate levels of network performance.


  • The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey Analyst Paper (requires membership in SANS.org community)
    by Rebekah Brown and Robert M. Lee - February 4, 2019 in Security Trends, Threats/Vulnerabilities

    In order to use cyber threat intelligence (CTI) effectively, organizations must know what intelligence to apply and where to get that intelligence. This paper delves into the results of the SANS 2019 Cyber Threat Intelligence Survey and explores the value of CTI, CTI requirements, how respondents are currently using CTI--and what the future holds.


  • PyFunnels: Data Normalization for InfoSec Workflows STI Graduate Student Research
    by TJ Nicholls - February 1, 2019 in Free and Open Source Software

    Information security professionals cannot afford delays in their workflow due to the challenge of integrating data. For example, when data is gathered using multiple tools, the varying output formats must be normalized before automation can occur. This research details a Python library to normalize output from industry standard tools and act as a consolidation point for that functionality. Information security professionals should collaborate using a centralized resource that facilitates easy access to output data. Doing so will bypass extraneous tasks and jump straight to the application of practical data.


  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 in Intrusion Detection, Incident Handling, Intrusion Prevention, Penetration Testing, Threats/Vulnerabilities

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malware (Rut15), their tactics, techniques and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users’ computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.


  • Shell Scripting for Reconnaissance and Incident Response by Mark Gray - January 25, 2019 in Security Basics, Forensics, Incident Handling, Linux Issues, Free and Open Source Software

    It has been said that scripting is a process with three distinct phases that include: identification of a problem and solution, implementation, and maintenance. By applying an analytical mindset, anyone can create reusable scripts that are easily maintainable for the purpose of automating redundant and tedious tasks of a daily workflow. This paper serves as an introduction to the common structure and the various uses of shell scripts and methods for observing script execution, how shells operate, and how commands are found and executed. Additionally, this paper also covers how to apply functions, and control structure and variables to increase readability and maintainability of scripts. Best practices for system and network reconnaissance, as well as incident response, are provided; the examples of employment demonstrate the utilization of shell scripting as an alternative to applying similar functionality in more intricate programming languages.


  • ICS Layered Threat Modeling by Mounir Kamal - January 22, 2019 in Industrial Control Systems / SCADA

    The ultimate goal of building cybersecurity architecture is to protect systems from potential threats that can cause imminent harm to the institution. Often, we hear a common expression in the information security world “security by design,” which is a deeper terminology than it looks, as it requires compiling a list of possible threats against targeted systems. Building a threat model will guide us on how to build a secure architecture and achieve the security by design concept, and this is what precisely the paper aims to explore. This paper is an intensive study to collect accurate and plausible threat models that can help to secure ICS architecture by design.


  • Enterprise Security with a Fluid Perimeter Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - January 22, 2019 in Intrusion Detection

    Between BYOD, the cloud, third-party providers and a fluctuating mobile workforce, it is growing more difficult to maintain a rigid security policy. This paper examines critical techniques for addressing this issue, including the role of baselining, integrating and automating response, and defending against attacks more quickly, as well as specific action items for better protection.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.