3 Days Left to Get MacBook Air, $400 Amazon Gift Card, or Take $400 Off with OnDemand Training

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 3,140 original computer security white papers in 111 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Cyber Risk Profile of a Merger or Acquisition SANS.edu Graduate Student Research
    by Tyler Whittington - May 13, 2021 in Risk Management

    Companies often use mergers and acquisitions to expand their market share and increase profitability. To appropriately assess a potential target, acquiring companies regularly dedicate time and resources to identify risks and quantify the target company's value. A company's cyber risk is not commonly considered a factor in pre-acquisition assessments, nor does an organization's Information Security team frequently play an active role in this process.


  • Six Steps To Successful Mobile Validation by Heather Mahalik, John Bair, Alexis, Brignoni, Stephen Coates, Mike Dickinson, Mattia Epifani, Jessica Hyde, Vladimir Katalov, Scott Koenig, Paul Lorentz, Christophe Poirier, Lee Reiber, Martin Westman, Mike Williamson, Ian Whiffin, and Oleg Skulkin - May 7, 2021 in Mobile Security

    Digital forensics is a complex and ever-changing field that requires a lot of testing, tools and validation. This paper is written by experts in smartphone forensics who have many years' experience in research, tool development, validation, testimony and who care about educating the community on the recommended steps to ensure mobile data is extracted, examined and reported in a manner that is trusted.


  • Staying Invisible: Analyzing Private Browsing and Anti-forensics on Mac OS X SANS.edu Graduate Student Research
    by Rick Schroeder - May 6, 2021 in Forensics

    The increasing desire to protect personal information has resulted in enhanced privacy features in web browsers. Private browsing modes combined with the growing popularity of disk cleaning tools present a problem for forensic analysts. The increase in privacy features results in a reduction of forensic evidence on the suspect system. This added complexity makes it difficult for an investigator to determine which websites were browsed by the suspect. When the primary sources of forensic evidence are tampered with, it is necessary to identify secondary sources. In Windows-based investigations, secondary evidence is often discovered within hibernation files, operating system artifacts, or error logs. Digital forensic analysts require similar files in macOS. They need to understand how and when logs are written. Identifying and understanding secondary sources of evidence is essential for an analyst to support the details of their case.


  • ExcavationPack: A Framework for Processing Data Dumps SANS.edu Graduate Student Research
    by TJ Nicholls - May 6, 2021 in Free and Open Source Software

    Data dumped online from breaches is rich with information but can be challenging to process. The data is often unstructured and littered with different data types. This research presents a framework using Docker containers to process unstructured data. The container-focused approach enables flexible data processing strategies, horizontal scaling of resources, the efficacy of processing strategies, and future growth. Security professionals utilizing this framework will be able to identify points of interest in data dumps.


  • GPS for Authentication: Is the Juice Worth the Squeeze? SANS.edu Graduate Student Research
    by Adam Baker - May 6, 2021 in Authentication

    For decades, location has been used as a validating factor in authentication. However, this has almost exclusively reflected IP address-based geolocation, a far less precise data point than a GPS coordinate. This paper will compare the precision of IP address location data to that of GPS coordinates, to determine if the increased available precision of GPS coordinates provides sufficient enhancement in value to justify expanding the use of GPS coordinates for authentication.


  • Identifying the Android Operating System Version thru UsageStats by Alexis Brignoni - April 28, 2021 in Forensics

    Locating the Android operating system version within a digital forensic extraction is necessary to properly apply operating system specific domain knowledge when parsing the data for forensic artifacts. Most automated tools that parse Android full file system extractions depend on the /system/build.prop file to determine the Android version among other device identifiers. Due to how variable Android implementations are regarding access to the data source a build.prop file might not be available in a particular forensic extraction. Is there a way to determine the Android version of an extraction by only looking at the userdata directory? The answer is yes. This was useful to me since some of my digital forensics tooling for Android extractions would benefit from programmatically identifying the Android version when a build.props file is not available.


  • How to Build a Security Posture Strategy for the Control Plane and Assets in the AWS Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 28, 2021 in Best Practices, Cloud Security

    Security operations teams need to adjust their strategies as the surface area of the cloud grows. This means stronger configuration practices, including identity policies and authentication, storage configuration, workload configuration, and tuning. Based on the shared responsibility model, these are all control requirements for which cloud tenants are responsible. Improving cloud security posture requires increased visibility and centralized control over cloud configuration and workload management. This whitepaper is designed to help you build an effective and timely strategy for securing your control plane.


  • Contextualizing the MITRE ATT&CK Framework Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - April 27, 2021 in Forensics, Threats/Vulnerabilities

    Getting the right data to test security controls effectively is easier said than done. Too often, organizations are testing attacker techniques without the context necessary to build effective security control tests. While the MITRE ATT&CK framework provides useful information, when used in conjunction with threat intel reports it can provide a deeper understanding of how, why, and when attackers may abuse a technique. Using real-world examples, this paper shows you how to build efficient, life cycle-appropriate tests that identify visibility gaps and more in order to improve your defenses.


  • Scoping an Intrusion Using Identity, Host, and Network Indicators Analyst Paper (requires membership in SANS.org community)
    by Christopher Crowley - April 22, 2021 in Intrusion Detection, Intrusion Prevention

    Second half of a two-part series, this paper covers post identification activities. The techniques covered here could also be used for initial identification, but they're discussed here as though there is already an initial identification which can be used. The effort discussed herein, is to effectively determine the scope of an intrusion. Defenders fail to discover the full extent of adversary infrastructure. Defenders claim "containment" without thoroughly searching for adversary. Defenders limit the scope of searching for adversary capability and infrastructure for only known items...instead of accepting that the adversary isn't limited to using the tactics and techniques we've discovered. In fact, it's in the adversary's interest to have heterogeneous capability to persist through discovery of one tactic or technique. Adversaries reuse infrastructure because there is a cost of resources and complexity to maintain multiple parallel infrastructures. A single infrastructure is frequently good enough since defenders aren't consistently thorough in intrusion scope discovery or eradication. This paper highlights techniques for scoping an incident once discovered, and the sources available on the network endpoints for identification of adversary infrastructure.


  • Understanding Your Attack Surface Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - April 21, 2021 in Intrusion Detection, Intrusion Prevention

    What does it mean to evaluate your attack surface? For many organizations, it may simply mean running a vulnerability scanner against their perimeter and hoping an attacker does not do the same. This legacy thinking leaves out all the nooks and crannies that attackers have become adept at finding. Your attack service should also include your system and network configurations, brand exposure, and knowledge of how your data is secured amongst numerous cloud providers. In this paper, we will provide our review of Netenrich's Attack Surface Intelligence (ASI) application. Offering unique insight into the aforementioned data points - and then some - Netenrich presents a novel way to examine enterprise exposure and evaluate potential risks. ASI provides the best of both worlds - a convenient, high-level point of view on organizational risk, while still providing the granular context that analysts need to analyze and remediate potential risks.


  • How to Use Historical Passive DNS for Defense Investigations and Risk Assessments Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 20, 2021 in Threat Hunting, Threats/Vulnerabilities

    Passive DNS offers a wealth of historical DNS records analysts can use to gain valuable insight into changes over time, changes that can provide them with valuable context in their threat hunting investigations. In this paper, SANS Analyst Dave Shackleford explores Farsight Security's Passive DNS Database (DNSDB) as a tool for identifying threats, reducing risk, and resolving incidents. In addition to sharing his experiences of what it's like to work with DNSDB database, Shackleford walks through five real-world use cases that demonstrate how to conduct searches, limit query results, and use the context of those results to reduce risks and resolve incidents.


  • A SANS 2021 Report: Top Skills Analysts Need to Master Analyst Paper (requires membership in SANS.org community)
    by Ismael Valenzuela - April 20, 2021 in Security Awareness, Security Basics

    As one of the highest-paid jobs in the field, security analysts must become "all-around defenders," highly competent in threat detection, while maintaining excellent analytical and communication skills. But what are the technical and nontechnical skills required to acquire mastery in this role? In this whitepaper, SANS author, instructor, and analyst Ismael Valenzuela answers these questions and examines the top skills that security analysts need.


  • Vulnerability Management Blueprint for the Clinical Environment SANS.edu Graduate Student Research
    by Adi Sitnica - April 14, 2021 in HIPAA

    The industry-standard vulnerability management process is largely inapplicable within clinical settings. Unique medical industry-specific devices and other complexities and limitations, such as vendor-owned and managed systems and regulated and other non-standard hardware, limit the general effectiveness of the process. This document explores a standard clinical footprint and provides guidance (or a 'blueprint') to further developing and maturing the vulnerability management operational model for clinical settings, with the primary goal of risk reduction within the confines of a clinical environment.


  • SANS 2021 Cloud Security Survey Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 13, 2021 in Security Awareness, Security Trends

    This SANS survey explored the types of services organizations are using, what types of controls and tools provide the most value, and how effective cloud security brokering is for a range of use cases.


  • A Multi-leveled Approach for Detection of Coercive Malicious Documents Employing Optical Character Recognition SANS.edu Graduate Student Research
    by Josiah Smith - April 8, 2021 in Intrusion Detection

    Authors of malicious documents often include a graphical asset used to lure the potential victim to "enable editing" and to "enable content" to activate the macro's embedded logic. While these graphical lures vary in theme, language, and content, they commonly have similar coercive text. Using Optical Character Recognition to produce text files of the images provides the ability to anchor the images' contents. While attackers have been known to intentionally manipulate images to bypass OCR-based detection, some additional techniques can surface the textual contents. Optical Character Recognition can be utilized to track, pivot, and cluster malicious campaigns, identify new TTPs, and possibly provide attribution against adversaries.


  • How to Architect a Security-Driven Networking Strategy in the AWS Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 5, 2021 in Network Access Control, Cloud Security

    As organizations shift more resources to the cloud, defenses have grown organically along with the increase in size and complexity of networks. Today, a new model of security-driven networking, known as security-driven layered defense, is helping organizations create a strong set of proactive layered network defenses. In this whitepaper, SANS analyst Dave Shackleford explains how security teams are using this model to strengthen their network defenses and describes the capabilities and features they should consider when designing a robust, cloud-centered network security strategy.


  • Network Security: Protecting Your Organization Against Supply Chain Attacks Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 31, 2021 in Threat Hunting, Threats/Vulnerabilities

    Recent supply chain attacks have proven that third parties are an unexpected, yet trusted, entry vector into an organization. By utilizing legitimate methods to breach an organization, threat actors can hide under the radar with escalated privileges. Furthermore, attackers have shown that they are security-savvy, knowledgeable of enterprise defenses and their workarounds. Enterprise defense should be structured around BOTH system and network data; without, you will never see the full picture. With this webcast, we will outline NDR capabilities and how bringing endpoint and network together will prove to be a one-two punch to bring down even advanced attackers. We will specifically outline how to mitigate common third-party attack surfaces, what could have been done differently in the wake of the attack, and have the recent attacks provided enough reason to consider changes in implementation.


  • Pentest as a Service with Cobalt Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 16, 2021 in Penetration Testing, Threats/Vulnerabilities

    What if organizations could turn external penetration testing into an interactive experience they could use to regularly evaluate and increase their security posture? It is possible. SANS instructor Matt Bromiley reviews Cobalt's "pentest as a service" platform, an experience he describes as "an information security experience unlike many others"--but in a good way. In this paper, Bromiley examines using Cobalt to schedule, perform, interact with, and act upon penetration testing results. And more.


  • SANS 2021 Endpoint Monitoring in a Dispersed Workforce Survey Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 15, 2021 in Security Awareness, Security Trends

    Past SANS surveys show that endpoints serve as some of the most common points to launch an attack more deeply into a targeted organizations network. Our 2021 survey investigates how effectively organizations are (or are not) using solutions that offer auditing or advanced endpoint detection and response (EDR) capabilities.


  • Missing SQLite Records Analysis by Shafik G. Punja and Ian Whiffin - March 12, 2021 in Forensics

    This article will specifically discuss the identification of missing records, within the SQLite database in its use as an application file format. The various analysis tools that will be used to analyze missing records within SQLite databases will be noted throughout the article. The authors are working from the premise that recovery of deleted, partially recoverable, or wholly intact recoverable records, is no longer viable. What will not be covered is the explanation on the various methods to recover deleted records. For that we direct you to the only textbook on this subject authored in 2018 by Paul Sanderson, titled, SQLite Forensics.


  • Insider Threat The Theft of Intellectual Property in Windows 10 by Eduard Du Plessis - March 11, 2021 in Forensics

    The prevalence of the theft of intellectual property investigations has grown over the past years and when investigated it will most likely be on a Windows 10 machine. It is important to have a clear framework on how to approach and execute such an investigation accurately and timeously. In this paper we will identify and analyse important Windows 10 artefacts that will reveal the user, the file and folders opened, applications used and the location of the files and folders. These artefacts are LNK (Link) Files, Jump Lists, Shell Bags, Prefetch files, USB connections and Network Mappings. We will demonstrate how to acquire and analyse these artefacts using a set of lightweight and powerful digital forensic software tools that are also affordable. The reader will find that by systematically analysing and correlating artefact events a timeline can be build that tells a story.


  • Malware Detection in Encrypted TLS Traffic Through Machine Learning SANS.edu Graduate Student Research
    by Bryan Scarbrough - March 10, 2021 in Artificial Intelligence

    The proliferation of TLS across the Internet leads to a safer environment for the end user but a more obscure setting for the network defender. This research demonstrates what can be learned using Machine Learning analysis of TLS traffic without decryption. It applies a novel approach to TLS analysis by analyzing data available in the unencrypted portion of the handshake combined with Open-source Intelligence (OSINT) data about Internet Protocol (IP) addresses and domain names. The metadata is then analyzed using three different machine learning algorithms: Support Vector Machine (SVM), One-Class SVM (OC-SVM), and an Autoencoder Neural Network. This research also addresses the imbalanced data distribution between malicious and benign traffic with the OC-SVM and the Autoencoder Neural Network. Finally, this research demonstrates that when using the correct header data the SVM and OC-SVM classify malware with a more than 99% F2 score and the Autoencoder approximately 95% F2.


  • Remote Workforce Impact on Threat Defenses SANS.edu Graduate Student Research
    by Sean Goodwin - March 10, 2021 in Clients and Endpoints, Home & Small Office, Telecommuting

    As organizations embrace remote work, the defensive security posture needs to be re-examined to effectively address threats while facing new or different constraints and tools. This paper investigates the prevention and detection control effectiveness against the known adversary Tactics, Techniques, and Procedures (TTPs) documented within the MITRE ATT&CK (R) taxonomy in a remote working (work from home, WFH) environment.


  • Hunting in Network Telemetry Analyst Paper (requires membership in SANS.org community)
    by Christopher Crowley - March 5, 2021 in Threat Hunting, Threats/Vulnerabilities

    An extension of Chris Crowley's 2020 paper "20/20 Vision for Implementing a Security Operations Center" about technology deployment of the triad of host, network, and correlation capabilities; this webcast will outline how Vectra enables hunting within network telemetry data. Hunting is looking at data available throughout the environment with the assumption that previously developed detection engineering has failed, yet compromise relevant data is present. Hunting is different from investigation as it does not begin with an indicator, rather it starts with a hypothesis. Hunting presumes latent, undiscovered compromise. With this in mind, we'll discuss how Vectra can be used to identify problematic systems based on unexpected or unauthorized network activity. Specifically, this webcast will focus on using the Vectra tool for initial discovery. (The next webcast in the series will be held April 28th and will cover discovering the scope of the intrusion after the discovery of a compromise.)


  • Preventing Windows 10 SMHNR DNS Leakage SANS.edu Graduate Student Research
    by Robert Upchurch - March 3, 2021 in DNS Issues

    Microsoft enables Smart Multi-Homed Name Resolution (SMHNR) by default, sending name lookups out of all the connected interfaces for all configured name resolution protocols: DNS, LLMNR, and NetBIOS over TCP/IP (NetBT). Research on the effect that SMHNR has on DNS behavior showed that several users were concerned with DNS leakage ("DNS Leaks," 2017). DNS leakage is where unauthorized parties can observe, intercept, and possibly tamper with the name lookups or the lookup responses. Users were also frustrated by operational issues, such as attempting to resolve a private network hostname and receiving no response, a slow response, or an incorrect response while connected to a VPN ("Windows 10", 2015). This frustration led to users attempting to disable SMHNR ("Turn Off," 2021), but it did not always resolve the issue. The process to disable SMHNR varied based on the edition of Windows used, so the goal was to investigate the effect of SMHNR on DNS behavior and pursue an edition agnostic, native operating system method to mitigate that effect. Testing revealed that Name Resolution Policy Table (NRPT) rules provided a simple, scalable, and agile mechanism for controlling DNS client behavior that was effective across the multiple editions of Windows and worked irrespective of whether SMHNR was on or off.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.