Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 3,100 original computer security white papers in 111 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the on-demand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Tactical Linguistics: Language Analysis in Cyber Threat Intelligence by Jason Spataro - January 15, 2021 in Threat Intelligence

    The capability to effectively collect and analyze data in strategic foreign languages when intelligence requirements are supported by it is a defining characteristic in a mature Cyber Threat Intelligence (CTI) program. Far beyond its use in attribution, language analysis can be leveraged to approach collection sources from a new perspective. This research seeks to provide a blueprint of those perspectives, as well as a set of critical considerations for those seeking to add or advance language analysis capabilities within their own CTI environments.


  • CTI, CTI, CTI: Applying better terminology to threat intelligence objects SANS.edu Graduate Student Research
    by Adam Greer - January 13, 2021 in Threat Intelligence

    Increased awareness of the need for actionable cyber-threat intelligence (CTI) has created a boom in marketing that has flooded industry publications, news, blogs, and marketing material with the singular term applied to an increasingly diverse set of technologies and practices. In 2015, Dave Shackleford and Stephen Northcutt published findings of a survey sponsored by some of the largest names in cyber-threat intelligence at the time in order to address the widespread confusion around what precisely cyber-threat intelligence is and how it is generated, delivered, and consumed. In this research, they note that "... a shortage of standards and interoperability around feeds, context, and detection may become more problematic as more organizations add more sources of CTI..." (Shackleford, 2015). However, IT security teams have matured drastically since then, and most research has been applied to automation and standards for specific sub-domains, such as dissemination. This paper analyzes the current CTI environment and uses a defined methodology to develop a taxonomy for the domain that clarifies the application of CTI to security programs and serves as a foundation to further domain research.


  • Tracing the Tracer: Analysis of a Mobile Contact Tracing Application SANS.edu Graduate Student Research
    by Anthony Wallace - January 4, 2021 in Mobile Security

    The pandemic has led to the rapid development of applications designed to take advantage of our hyper-connected world. The Ehteraz application was developed, deployed, and mandated in the nation of Qatar. Government regulation required citizens to register with the app to enter businesses such as malls and grocery stores which forced rapid adoption among the populace. Many citizens are concerned about the range of permissions the app requires to function. Unpacking the application and finding a method of dissecting network traffic was complicated by measures developers took to prevent miscreant-in-the-middle attacks and analysis. Sharing the journey of decrypting the traffic in this application may prove useful to future engineers reversing and bypassing protections to perform analysis on mobile app traffic. Initial analysis has confirmed the application sends only location and Bluetooth data to centralized servers owned by the Ministry of Interior of the State of Qatar.


  • Evaluating Open-Source HIDS with Persistence Tactic of MITRE Att&ck SANS.edu Graduate Student Research
    by Jon Chandler - January 4, 2021 in Intrusion Detection

    Small companies with limited budgets need to understand if open-source tools can provide adequate security coverage. The MITRE ATT&CK framework provides an excellent source to evaluate endpoint security tool effectiveness. A MITRE research paper provides the following insight into the value of ATT&CK, “The techniques in the ATT&CK model describe the actions adversaries take to achieve their tactical objectives” (Strom, et al., 2019). This paper examines two open-source endpoint tools, OSSEC and WAZUH, against the MITRE ATT&CK framework. This analysis will determine each endpoint tool’s ability to detect a select number of the MITRE ATT&CK framework persistence techniques. Out of the techniques reviewed, this paper will analyze the degree to which the ATT&CK technique can be accurately identified by the evaluated tools. MITRE also conducts evaluations but on proprietary tools. The results of the open-source endpoint tools analyzed here can be compared to the MITRE ATT&CK Evaluations conducted on the proprietary endpoint toolsets. The MITRE ATT&CK framework is a valuable methodology that allows a company to compare endpoint tools from a security risk and product evaluation perspective.


  • Developing a JavaScript Deobfuscator in .NET SANS.edu Graduate Student Research
    by Roberto Nardella - January 4, 2021 in Reverse Engineering Malware

    JavaScript, a core technology of the World Wide Web, is a recently born scripting language and, starting from its early years, became notorious within the cyber security community not only for well-known security problems like Cross Site Scripting (XSS) or Cross Site Request Forgery (CSRF), but also for its flexibility in offering a valid vehicle for the implementation of the first stage of a malware attack.


  • Analyzing Malicious Behavior Effectively with ExtraHop Reveal(x) Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - January 4, 2021 in Data Protection, Intrusion Detection

    In the past decade, the information security industry has learned a lot about what attackers do during campaigns against targets. Once a compromise has occurred, attackers attempt to maintain a persistent presence within the victim's network, escalate privileges, and move laterally within the victim's network to extract sensitive information to locations under the attacker's control.

    ExtraHop's Reveal(x) security analytics product provides security analysts with a platform that can rapidly analyze huge quantities of data without acquiring full network packets. In this paper, Dave Shackleford reviews ExtraHop's Reveal(x) and shares his insights on the many enhancements and new features that help intrusion analysis and investigation teams analyze malicious behavior in their environments more rapidly and effectively.


  • Practical Process Analysis – Automating Process Log Analysis with PowerShell by Matthew Moore - December 29, 2020 in Forensics, Tools

    Windows event log analysis is an important and often time-consuming part of endpoint forensics. Deep diving into user logins, process analysis, and PowerShell/WMI activity can take significant time, even with current tools. Additionally, while utilities exist to automatically parse out various Windows Logs, most of them do not include any native analytical functionality outside of the ability to manually filter on certain strings or event IDs. Windows’ native scripting solution, PowerShell, combined with Microsoft’s Log Parser utility allowed for several scripts to be created with a focus on Process Creation and analysis. These scripts can detect processes spawning from unusual locations, processes that exist outside of a baseline ‘Allow List’, or processes that might otherwise appear to be normal, but are actually anomalous. These scripts complement other current tools such as Kape or Kansa, allowing for automated analysis of the data gathered.


  • A New Take on Cloud Shared Responsibility Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - December 22, 2020 in Cloud Security, Data Loss Prevention

    As the use of cloud computing has grown, so has the concept of the shared responsibility model for data protection and cybersecurity in general. While not a new concept, the nature of shared security responsibilities has changed with the advent of the cloud. While all cloud providers are wholly responsible for physical security of their data center environments, data center disaster recovery planning, business continuity, and legal and personnel requirements that pertain to security of their operating environments, cloud customers still need to plan for their own disaster recovery and continuity processes, particularly in IaaS clouds where they are building infrastructure.


  • Ubuntu Artifacts Generated by the Gnome Desktop Environment SANS.edu Graduate Student Research
    by Brian Nishida - December 16, 2020 in Forensics

    This research identifies Gnome Desktop Environment (GDE) artifacts and demonstrates their utility in Linux forensic examinations. The classic Linux forensic examination is tailored to computer intrusions of victim servers because the enterprise's critical Linux systems are typically web servers, mail servers, and database servers. However, the emphasis on intrusions and servers has two shortcomings. First, in addition to network intrusions, digital forensic labs examine specimens from various investigations: e.g., child exploitation, homicide, and financial crimes, to name a few. Second, the majority of Linux users run GUI-based desktop versions rather than command-line server versions. In these cases, the GDE may be used to install applications, run applications, open files, join Wi-Fi networks, and upload files. These point-and-click actions have been overlooked in the classic Linux examination; therefore, they will be explored in this research. Lastly, the importance of these GDE artifacts will be demonstrated in three practical scenarios.


  • Automating Google Workspace Incident Response SANS.edu Graduate Student Research
    by Megan Roddie - December 16, 2020 in Forensics

    Incident responders require a toolset and resources that allow them to efficiently investigate malicious activity. In the case of Google Workspace, there are an increasing number of subscribers, but resources to assist in the analysis of security incidents are lacking. The goal of this research is to develop a tool that expands on Google’s default administrative capabilities with the intent of providing value to incident responders. Through providing both additional context and purposeful views, incident responders can more quickly identify malicious activity and respond accordingly.


  • Detecting System Log Loss Through One-Way Communication Channels SANS.edu Graduate Student Research
    by Jason Leverton - December 16, 2020 in Logging Technology and Techniques

    Organizations are consolidating log collecting, monitoring, and incident response activities. There are many reasons an organization could find itself in this situation, whether they are attempting their first deployment of security architecture or they are shifting to a SaaS Cybersecurity product. These data collection points may not always be located within the same trust boundary, or even within the same organization. They may also be communicating through highly restrictive gateways. These collection points could gather information from multiple networks, all with different classifications, security postures, or network owners. There are incidents when communication flowing from one organization to another may have restrictions on two-way communication and rely entirely on a one-way communication channel. The lack of a two-way connection presents a challenge when continuous monitoring is required. Most host-based agents and log transfer mechanisms rely solely on established connections (TCP). This paper examines the transfer of logs through a one-way communication channel. It aims to detect and measure the amount of log loss on the channel and intuit the time, size, and volume of log messages lost. The goal is not to provide error correction but instead to introduce error detection.


  • SANS 2020 Threat Hunting Survey Results Analyst Paper (requires membership in SANS.org community)
    by Mathias Fuchs and Joshua Lemon - December 13, 2020 in Security Trends, Threats/Vulnerabilities

    According to past SANS surveys, many organizations aren't hunting for threats before they become incidents. This year's SANS Threat Hunting Survey looks at why that is and how security departments can reap the benefits of proactive hunting. For example: How do hunters conduct their searches for signs of a threat not yet detected by other security systems? Are they regularly checking on known threats targeting misconfigurations and other vulnerabilities? Do they find value in looking for totally unknown attack types?


  • Detecting and Preventing the Top AWS Database Security Risks SANS.edu Graduate Student Research
    by Gavin Grisamore - December 9, 2020 in Cloud Security

    Engineers regularly perform risky actions while deploying and operating databases on cloud services like AWS. Engineers are often focused on delivering value to customers and less on the security of the cloud infrastructure. Security teams are increasingly concerned with identifying these cloud-native risks and putting mitigations in place to secure their critical data and limit exposure without inhibiting development workflows or velocity. This paper examines several common AWS database security risks and addresses how to implement detection and prevention controls to mitigate the risks.


  • Mitigating Attacks on a Supercomputer with KRSI SANS.edu Graduate Student Research
    by Billy Wilson - December 9, 2020 in Intrusion Prevention, Linux Issues

    Kernel Runtime Security Instrumentation (KRSI) provides a new form of mandatory access control, starting in the 5.7 Linux kernel. It allows systems administrators to write modular programs that inject errors into unwanted systems operations. This research deploys KRSI on eight compute nodes in a high-performance computing (HPC) environment to determine whether KRSI can successfully thwart attacks on a supercomputer without degrading performance. Five programs are written to demonstrate KRSI’s ability to target unwanted behavior related to filesystem permissions, process execution, network events, and signals. System performance and KRSI functionality are measured using various benchmarks and an adversary emulation script. The adversary emulation activities are logged and mitigated with minimal performance loss, but very extreme loads from stress testing tools can overload a ring buffer and cause logs to drop.


  • Is it Ever Really Gone? The Impact of Private Browsing and Anti-Forensic Tools SANS.edu Graduate Student Research
    by Rick Schroeder - December 9, 2020 in Forensics

    Digital forensics analysts are tasked with identifying which websites a user visited. Several factors determine the level of difficulty this poses for the forensic analyst. Network-based security tools, such as web content filters, provide a quick and easy look at a user’s browsing history. When network-based tools aren’t available, forensic analysts rely on artifacts that reside on the hard drive to paint the picture of user activity and answer questions involving browsing history. These artifacts can be deleted or tampered with, removing key pieces of evidence from the system. Although this adds a layer of complexity to the investigation, it does not end the investigation. Analysts should employ multiple methods to recover evidence. Information from web browsing sessions is often written to more than one location. Knowing where to find that data and how to interpret it will add value and credibility to an investigation. Digital forensic analysts need to think outside the box and perform in-depth analysis to complete an investigation involving a private browsing mode.


  • Smart Enterprise Visibility with DTEX InTERCEPT Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - December 7, 2020 in Intrusion Detection, Security Analytics and Intelligence

    In this SANS product review, Matt Bromiley examines DTEX InTERCEPT, a holistic platform designed to detect suspicious user activity, providing analysts and management with enough context to understand the security risk to the organization and the next steps to take. By focusing on threat actors' behaviors, defenders can take back the advantage and catch attackers before they can launch their attacks.


  • Measuring Cybersecurity Controls Effectiveness with Security Validation Analyst Paper (requires membership in SANS.org community)
    by John Hubbard - December 7, 2020 in Breaches, Data Protection

    Security vendors may promise the world when it comes to the capabilities of their products, but how do you know they will work as expected when the attackers come knocking? Without a strategy to validate the continuous health and operation of your data collection and security appliances you could be operating under false security assumptions with very serious consequences. Building an effective security validation strategy can help guarantee, regardless of the constant flux of your business and IT infrastructure, that your Security Operations Center (SOC) will be immediately alerted to any sign of compromise. If you're searching for answers in this area, join this webinar where we will discuss the need for testing your security controls and key features in order to find a security validation solution.



  • How to Manage the Shift to Cloud Security Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - December 2, 2020 in Cloud Security, Mobile Security

    This paper explores how SASE (secure access service edge) combines different elements of cloud services, networking and security into a unified fabric. SASE may help organizations move data, systems and applications more seamlessly into the cloud.


  • Reverse Engineering Virtual Machine File System 6 (VMFS 6) SANS.edu Graduate Student Research
    by Michael Smith - November 19, 2020 in Forensics

    Virtual Machine File System (VMFS) 6 is a proprietary file system. The file system’s proprietary nature means that many forensic applications are unable to parse the file system. There is a lack of support because proprietary file systems do not have to follow an accepted standard and can make modifications that break forensic tools with any release. This instability means that maintaining parsers for these file systems can become costly very quickly. This vacuum of support for proprietary file systems has created an opportunity for open-source utilities to grow in ways that support parsing these file systems. Skilled forensic examiners scour the open-source community and publicly available research for parsers and digital artifacts analyses when they encounter file systems or files unsupported by large forensic applications. The goal of this research is two-fold. First, to increase the understanding of VMFS 6 with its myriad digital artifacts. Second, to conclusively determine the recoverability of a deleted file.


  • Continuous Monitoring Effectiveness Against Detecting Insider Threat SANS.edu Graduate Student Research
    by Steven Austin - November 19, 2020 in Intrusion Detection

    More organizations are implementing some form of Continuous Monitoring, yet there is an increase in insider threat incidents. The number of insider threat incidents has increased by 47% in two years, from 3,200 in 2018 to 4,716 in 2020 (Epstein, 2020). This data shows insider threat is an on-going problem for organizations despite efforts to implement Continuous Monitoring. The results of this research provide organizations with evidence of Continuous Monitoring effectiveness against detecting malicious insider attack techniques.


  • 20/20 Vision for Implementing a Security Operations Center Analyst Paper (requires membership in SANS.org community)
    by Christopher Crowley - November 18, 2020 in SOC, Threats/Vulnerabilities

    Organizations want to transform the Security Operations Center (SOC) with automation and orchestration. Threat intelligence needs to be ingested, defense expenditures need to be optimized based on attacker tactics and techniques, new technology needs to be implemented, cloud resources and other external resources are taking the place of traditional on-premises systems, and skilled staff are scarce. To accomplish this modernization in stream with existing operations, a clear strategy for the capabilities and implementation is needed. How will you develop this strategic vision? Most organizations will look to the industry standards and reference implementations to determine a strategy before proceeding. This paper and webcast will help you explore what those models are. It will identify and discuss several models of what a SOC is. The relative merits and shortcomings will be identified, and value propositions will be offered. Your strategic outlook and your implementation will be substantially improved as a result.


  • Ransomware Prevention Special Report: How to Address a Pervasive and Unrelenting Threat Analyst Paper (requires membership in SANS.org community)
    by Justin Henderson - November 17, 2020 in Security Trends, Threats/Vulnerabilities

    Ransomware is a fast-growing threat affecting thousands of government agencies and municipalities, and now it is even targeting itself toward halting critical ICS/SCADA operations. This paper explains why and how ransomware is spreading, introduces standards, and provides guidance for detecting and recovering from ransomware, based on US-CERT and NIST resources.


  • Effective ICS Cybersecurity Using the IEC 62443 Standard Analyst Paper (requires membership in SANS.org community)
    by Jason Dely - November 17, 2020 in Industrial Control Systems / SCADA, Network Security, Risk Management, Standards

    IEC 62443 is the global standard for the security of ICS networks, designed to help organizations reduce the risk of failure and exposure of ICS networks to cyberthreats. This paper explores how that standard can provide guidance to enterprises looking to choose and implement technical security capabilities. It also addresses how Fortinet's layered solutions may help asset owners and system integrators reach IEC 62443 compliance.


  • Supercharge Incident Response with DDI Visibility Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - November 16, 2020 in Cloud Security, Incident Handling

    A simple and efficient way to gain an advantage over attackers—and control of your environment’s security—is to utilize the data you already generate and own. This paper explores how organizations should rely on and incorporate key data points (DNS, DHCP, and IPAM) into nearly every aspect of their security approach.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.