
Reading Room


More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 3,070 original computer security white papers in 111 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the on-demand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • The SANS Guide to Evaluating Attack Surface Management (Analyst Paper; requires membership in community)
    by Pierre Lidome - October 26, 2020 in Cloud Security, Risk Management

    This guide provides an overview of the benefits and limitations of attack surface management and actionable guidance for organizations looking to evaluate an ASM solution.

  • Open-Source Endpoint Detection and Response with CIS Benchmarks, Osquery, Elastic Stack, and TheHive (Graduate Student Research)
    by Christopher Hurless - October 23, 2020 in Incident Handling

    There is a wealth of open-source tools available for information security. A characterization of the various open-source products will provide a means of fortifying endpoints and auditing those fortifications with an Endpoint Detection and Response (EDR) solution. High-quality security practices do not have to be expensive products, but they do need to hit several automation requirements to be effective. With this in mind, building robust, automated EDR capability using open-source, community-driven tools that automate and standardize security responses is not only possible but practical. Having a set of predefined control settings on an endpoint goes beyond malware detection. It sets the stage to ensure that an organization’s endpoints are fortified from an attack before it happens. By implementing the Center for Internet Security (CIS) Desktop Benchmarks, organizations have a means of strengthening endpoints from attack. Adding Osquery allows them to have a tool for knowing when a machine has fallen out of a fortified state. Following the loss of fortification is the need to investigate the cause and return the device to its intended state, which can be done using Elastic Stack and TheHive.

  • Prescriptive Model for Software Supply Chain Assurance in Private Cloud Environments (Graduate Student Research)
    by Robert Wood - October 14, 2020 in Cloud Security

    As companies embrace Continuous Integration/Continuous Deployment (CI/CD) environments, automated controls are critical for safeguarding the Software Development Life Cycle (SDLC). The ability to vet and whitelist container images before installation is vitally important to ensuring the security of corporate networks. Google Cloud offers the Container Registry in combination with Binary Authorization to understand the container footprint in the environment and provide a mechanism for enforcing policies. Grafeas and Kritis are open-source alternatives. This paper evaluates Grafeas and Kritis and provides specific recommendations for using these tools or equivalents in private cloud environments.

  • The All-Seeing Eye of Sauron: A PowerShell tool for data collection and threat hunting (Graduate Student Research)
    by Timothy Hoffman - October 14, 2020 in Threat Hunting

    The cost of a data breach directly relates to the time it takes to detect, contain, and eradicate it. According to a study by the Ponemon Institute, the average time to identify a breach in 2019 was 206 days (Ponemon Institute, 2019). Reducing this timeframe is paramount to reducing the overall timeline of removing a breach and the costs associated with it. With ever-evolving adversaries creating new ways of compromising organizations, preventive security measures are essential, but not enough. Organizations should not assume they will be compromised, but instead that they already have been. Finding and removing these already existing breaches can be difficult. To find existing breaches, organizations need to conduct threat hunting, which seeks to uncover the presence of an attacker in an environment not previously discovered by existing detection technologies (Gunter & Seitz, 2018). This paper looks at the PowerShell tool Eye of Sauron, which can be used for threat hunting by identifying indicators of compromise (IOCs), as well as for anomaly detection using data stacking in a Windows environment. Its capability to detect the presence of IOCs is tested in two scenarios, first in a simulated attack, and second after the introduction of malware.

  • Firebase: Google Cloud's Evil Twin by Brandon Evans - October 8, 2020 in Cloud Security

    Firebase allows a frontend application to connect directly to a backend database. Security wonks might think the previous sentence describes a vulnerability, but this is by design. Released in 2012, Firebase was a revolutionary cloud product that set out to "Make Servers Optional". This should raise countless red flags for all security professionals as the application server traditionally serves as the intermediary between the frontend and backend, handling authentication and authorization. Without it, all users could obtain full access to the database. Firebase attempts to solve this by moving authentication and authorization into the database engine itself. Unfortunately, this approach has several flaws.

  • A Startup's Guide to Implementing a Security Program by Vanessa Pegueros - October 8, 2020 in Management & Leadership

    Startups struggle to balance survival with the practical implementation of a security program. There are numerous obstacles facing founders who want to generate a solid security foundation, including limited cash, lack of support from investors or the board, and conflicting priorities such as generating revenue. Despite these obstacles, customers and potential customers continue to demand a base level of security controls. This drive from customers, especially enterprise customers, for solid security programs has forced startups to develop a practical approach to security that works within the boundaries of their constraints. Implementation of key controls and processes can establish a solid security foundation and meet the needs of customers.

  • Enhancing the security capabilities of the Ubiquiti UniFi Security Gateway (USG) by Tim Coakley - October 8, 2020 in Firewalls & Perimeter Protection

    The UniFi Security Gateway (USG) is a popular security device manufactured by Ubiquiti; it is relatively unique within the marketplace for its affordability and its adoption within both Enterprise and SOHO environments. The USG, at its core, provides a firewall, routing, and advanced security features for network protection, traffic management, and ease of integration. A balanced set of features comes pre-packaged. However, advanced users and security practitioners seeking more granular detail may be disappointed with some of the out-of-the-box security reporting options.

  • No Strings on Me: Linux and Ransomware (Graduate Student Research)
    by Richard Horne - October 7, 2020 in Tools

    Ransomware poses an ever-increasing threat to businesses and organizations as it continues to evolve and change. Many organizations are forced to pay for solutions to this growing problem with expensive and out-of-date signature-based solutions. As the possibility looms for ransomware to impact all operating systems and businesses alike, organizations will need to focus on early detections and warnings to stay ahead of its spread. This paper aims to examine the probability of detecting ransomware throughout its lifecycle within Linux environments. In conjunction with detections, the ultimate goal of the ideas presented is to provide security teams with a more reliable and cost-effective method to detect, react, and neutralize Linux ransomware variants.

  • Shall We Play a Game?: Analyzing the Security of Cloud Gaming Services (Graduate Student Research)
    by Adam Knepprath - October 7, 2020 in Cloud Security

    The adoption of cloud gaming services is quickly growing. Like many services that are eager to go to market, cloud gaming services lack strong security measures. This paper provides an analysis of three cloud gaming service providers’ privacy policies, out-of-the-box security, and mitigations end-users should consider.

  • Continuously Monitor and Assess Your Security Posture in the AWS Cloud (Analyst Paper; requires membership in community)
    by Dave Shackleford - October 2, 2020 in Best Practices, Cloud Security

    Cloud computing is a large, often interconnected ecosystem of software-defined infrastructure and applications, and the cloud control plane offers a wide variety of configuration options for consumers to leverage. This paper describes the factors that tend to consistently drive the need for enhanced cloud security management and oversight, continuous monitoring strategies, how to apply CSPM to security operations, and how to integrate CSPM into a DevSecOps pipeline. The paper also covers CSPM reporting and compliance.

  • Invaders of the internet connected home by Jay Yaneza - October 1, 2020 in Internet of Things

    With this rising need for network connectivity in the average home, the role called the “administrator-of-things” exists, in which one or more responsible individuals worry about some aspects of the home networked environment: uptime, updates, connectivity, troubleshooting … and security. In the not-so-distant past, these aspects were just a worry of an enterprise systems/network administrator, where the stakes were uptime and business continuity; now these tasks have silently crept into the household within the last few years. This paper looks into network-based threats that attempt to break in and, in the process, explores the dangers that may befall the budding “administrator-of-things”.

  • The Poisoned Postman: Detecting Manipulation of Compliance Features in a Microsoft Exchange Online Environment (Graduate Student Research)
    by Rebel Powell - September 30, 2020 in Cloud Security

    Modern attack techniques frequently target valuable information stored on enterprise communications systems, including those hosted in cloud environments. Adversaries often look for ways to abuse tools and features in such systems to avoid introducing malicious software, which could alert defenders to their presence (Crowdstrike, 2020). While on-premises detection strategies have evolved to address this threat, cloud-based detection has not yet matched the adoption pace of cloud-based services (MITRE, 2020). This research examines how adversaries can perform feature attacks on organizations that use Microsoft Office 365's Exchange Online by exploring recent advanced persistent threat tactics in Exchange on-premises environments and applying variations of them to Exchange Online's Compliance and Discovery features. It also analyzes detection strategies and mitigations that businesses can apply to their systems to prevent such attacks.

  • Mitigating Risk with the CSA 12 Critical Risks for Serverless Applications (Graduate Student Research)
    by Mishka McCowan - September 30, 2020 in Cloud Security

    Since its introduction in 2014, serverless technology has seen significant adoption in businesses of all sizes. This paper will examine a subset of the 12 Most Critical Risks for Serverless Applications from the Cloud Security Alliance and the efficacy of their recommendations in stopping attacks. It will demonstrate practical attacks, measure the effectiveness of the Cloud Security Alliance recommendations in preventing them, and discuss how the recommendations can be applied more broadly.

  • Fight or Flight: Moving Small and Medium Businesses into the Cloud During a Major Incident (Graduate Student Research)
    by Drew Hjelm - September 30, 2020 in Incident Handling

    Incident responders often aid small and medium businesses (SMB) during crippling cyberattacks that cause outages of critical systems. Most SMBs lack sufficient capacity to monitor and protect their on-premises IT infrastructure. Many of these SMBs are already using cloud platforms in a limited fashion. These organizations can use more cloud services to improve security visibility against future attacks and possibly speed up recovery time. This research examines the feasibility thereof and discusses the challenges that organizations may face with rapid cloud migration, including software compatibility and insurance requirements.

  • Remote Penetration Testing with Ninja Pi by Jeremy Druin - September 28, 2020 in Penetration Testing

    Remote penetration testing can have significant advantages over on-site tests, but some types of testing require a physical presence. However, having testers on-premises may increase costs, duration, and difficulty. Penetration testing "drop boxes" can provide the physical connectivity needed while allowing the testing team to work off-site. These drop boxes can be built with readily available hardware such as a Raspberry Pi. When paired with Kali Linux and a few helpful scripts, the drop box becomes a viable alternative to on-site testing for many use-cases. Such drop boxes are available for purchase, but a pen tester can build their own in less than a day, connecting it to a cloud server for maximum flexibility. These custom boxes are less expensive, offer the opportunity to learn new skills, can be customized to get around challenging connectivity issues, and can be built to fit specific use-cases.

  • Compliance Benchmarks using Cloud Custodian by Vishnu Varma - September 25, 2020 in Cloud Security

    With the increased cloud adoption rate, many companies are looking for a ready-to-use product to define their security benchmarks at the beginning of their cloud transition. Companies in highly regulated industries such as banking, insurance, finance, and healthcare are also required to comply with compliance frameworks. Even though many excellent open-source tools can be used for compliance benchmarks and enforcement, many organizations still choose commercial tools to fulfill the requirements. The paper will examine multiple compliance benchmarks and frameworks that could enforce policies, primarily using Cloud Custodian, while highlighting its ease of use and deployment strategies, mainly covering Amazon Web Services. Cloud Custodian is an open-source tool that provides the ability to set up rules for security, cost optimization, and governance, and to take action on resources.

  • Security Network Auditing: Can Zero-Trust Be Achieved? (Graduate Student Research)
    by Carl Garrett - September 23, 2020 in Auditing & Assessment

    Since 2010, government and business organizations have begun to adopt the Zero-Trust framework. Although the concept is a decade old, organizations are still in the infant stages of its implementation. Given that tablets and mobile phones have become an integral part of business aids, all organizations will eventually integrate Zero-Trust into their environments. Many third-party vendors market Zero-Trust tools, though they only provide one or two pieces needed to achieve "true" Zero-Trust. When designing a security auditing Zero-Trust framework, professionals must use a layered approach to defense-in-depth. They must also understand the principle of Least Common Mechanism, because complicated information technology systems are challenging to control. In traditional perimeter networks, users must authenticate to an entire organizational network, whereas perimeter-less Zero-Trust networks are segmented; thus, users can log on to a Zero-Trust network by accessing a single segment at a time. This technology eliminates the need for virtual private networks (VPN), thus providing faster access. Additionally, most organizations state they audit their systems. However, this project focuses on auditing Zero-Trust devices, applications, data, and network traffic, not continuous logging. When implementing the Zero-Trust framework, organizations will learn how to plan and audit for adequate security.

  • Replacing WINS in an Open Environment with Policy Managed DNS Servers (Graduate Student Research)
    by Mark Lucas - September 21, 2020 in DNS Issues

    In some environments, Windows workstations require placement on the open internet. In order to protect the read-write domain controllers, administrators locate them in a protected enclave behind a firewall, and read-only domain controllers authenticate workstations during day-to-day operations. While this is strong protection for the read-write domain controllers, the configuration breaks the standard dynamic DNS registration of Windows workstations with the read-write domain controller. In our environment, we have maintained WINS servers linked to Windows DNS via the WINS lookup function to continue finding workstations by name. The TechNet page on WINS (Davies, 2011) was last updated almost nine years ago, and Microsoft has been actively encouraging the abandonment of WINS (Ross & Mcillece, 2020). This paper explores Windows DNS Policies for replacing WINS with Dynamic DNS and policy-controlled responses to queries. Utilizing source IP addresses, DNS policies can regulate the provided answers. The operability of DNS Policies and their applicability to this solution are evaluated in depth.

  • Zeek Log Reconnaissance with Network Graphs Using Maltego Casefile (Graduate Student Research)
    by Ricky Tan - September 21, 2020 in Security Analytics and Intelligence

    Cyber defenders face a relentless barrage of network telemetry, in terms of volume, velocity, and variety. One of the most prolific types of telemetry is Zeek (formerly known as Bro) logs. Many “needle-in-a-haystack” approaches to threat discovery that rely on log examination are resource-intensive and unsuitable for time-sensitive engagements. This reality creates unique difficulties for teams with few personnel, skills, and tools. Such challenges can make it difficult for analysts to conduct effective incident response, threat hunting, and continuous monitoring of a network. This paper showcases an alternative to traditional investigative methods by using network graphs. Leveraging a freely available, commercial-off-the-shelf tool called Maltego Casefile, analysts can visualize key relationships between various Zeek log fields to quickly gain insight into network traffic. This research will explore variations of the network graph technique on multiple packet capture (PCAP) datasets containing known-malicious activity.

  • Industrial Traffic Collection: Understanding the implications of deploying visibility without impacting production (Graduate Student Research)
    by Daniel Behrens - September 21, 2020 in Industrial Control Systems / SCADA

    Due to the critical nature of industrial environments and the lifetime of deployed assets, many organizations do not have complete knowledge of what assets are operating in the environment and what communications are involved. With the continuous move to IP-based communications for controls equipment, cybersecurity continues to increase in importance and is a priority for many executives. Industrial controls are unique because they interface with the real world, which has implications for human safety and the ability of an organization to maintain operations. Unfortunately, the criticality of these devices and the lack of robust network functions on many of them often requires the use of passive solutions to gather information. This paper will focus on outlining the potential impact of collecting network traffic, discussing the functions available on networking equipment to enable it, identifying possible deployment architectures and the pros and cons of each, and explaining a methodology to calculate the potential impacts.

  • 2020 SANS Enterprise Cloud Incident Response Survey (Analyst Paper; requires membership in community)
    by Chris Dale - September 14, 2020 in Cloud Security, Security Trends

    Our 2020 Enterprise Cloud Incident Response Survey investigated the data sources and services that organizations are leveraging to detect, respond to and remediate incidents in the multi-cloud world. This report on the survey focuses less on which cloud service organizations are using, and more on what data sources they are taking advantage of, what services they find useful, and what methods are working in their programs.

  • Fashion Industry (Securely) 4.0ward (Graduate Student Research)
    by Shawna Turner - September 9, 2020 in Industrial Control Systems / SCADA

    The fashion market segment is going through a significant technological upgrade. The need to meet modern consumer expectations and desires requires wholesale changes in the way the fashion ecosystem has historically shared information and manufactured products. Fashion cannot use existing security guidance due to the consumer expectation that a fashion product provides a unified physical experience. The addition of significant new technology increases the risk of intellectual property loss. The fashion industry requires a list of minimum security controls that address the entire ecosystem of fashion, from the fashion houses to the supply chain to the factory floor, to address information security concerns. This paper begins the process of developing a minimum viable list of controls by combining controls from the Purdue model with recommended controls from the Verizon 2019 Data Breach Investigations Report (DBIR). The paper focuses on proposed controls for the fashion sector; however, they apply to any manufacturer pivoting to Industry 4.0.

  • Detecting Malicious Activity in Large Enterprises (Analyst Paper; requires membership in community)
    by Matt Bromiley - September 8, 2020 in Security Awareness, Security Trends, Threats/Vulnerabilities

    As they grow, organizations need to detect threats amid an alarming assortment of unexpected and complex conditions, often with a blend of legacy and current technologies. This paper explores options for advanced threat detections at enterprise scale.

  • How to Create a Comprehensive Zero Trust Strategy (Analyst Paper; requires membership in community)
    by Dave Shackleford - September 2, 2020 in Security Modeling, Privilege Management

    To implement zero trust effectively, organizations must consider critical controls, such as network access and inspection controls, as well as the roles that visibility, vulnerability and discovery play in their least privilege strategies. SANS analyst Dave Shackleford explains how to build a microsegmentation access control model that addresses common business drivers, implements capabilities critical to microsegmentation, and applies microsegmentation and zero trust initiatives in ways that positively impact industry compliance requirements.

  • Enabling NIS Directive Compliance with Fortinet for Operational Technology (Analyst Paper; requires membership in community)
    by Jason D. Christopher - September 1, 2020 in Country-specific Issues, Network Security, Risk Management

    The NIS Directive, adopted by the European Parliament in 2016, addresses the security of network and information systems within the EU. It also sets forth best practices to encourage better cyberrisk mitigation and incident identification and notification. This whitepaper examines how Fortinet solutions can help comply with the NIS Directive.

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.