
Reading Room


More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 3,010 original computer security white papers in 111 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Applying the Scientific Method to Threat Hunting by Jeremy Kerwin - May 28, 2020 in Threat Hunting

    Threat hunting is a proactive approach to discover attackers within an organization. Without the use of a repeatable framework, the practice of threat hunting is challenging and time-consuming for an analyst. The scientific method, used in fields such as medicine and physics is a repeatable methodology that can be applied to threat hunting to detect threats to an organization.

  • Factoring Enterprise IoT Devices into Detection and Response Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - May 27, 2020 in Intrusion Detection, Internet of Things

    With the advent of the cloud, corporate networks are becoming more complex. There is a constant state of change with new types of devices installed daily. To keep pace, you will need an approach to threat detection and response that enables your team’s full visibility so it can quickly adapt and include enterprise IoT devices in its response plans. This paper explores the growth of enterprise IoT devices inside corporate networks and how they change the shape of incident detection and response. The enterprise device landscape is dynamic; it’s prudent for your information security team to track changes to understand the effects on your network.

  • Is Your Threat Hunting Working? A New SANS Survey for 2020 Analyst Paper (requires membership in SANS.org community)
    by Mathias Fuchs - May 26, 2020 in Threat Hunting

    Although threat hunting has become a mandatory task to establish an acceptable level of security, the demand for skilled hunters far exceeds the number of available specialists. In this new research, SANS queried organizations about how they approach threat hunting, the barriers to success and how they measure their efforts. This paper explores what exactly leads to the shortage of suitable personnel and how it affects security organizations’ capabilities to utilize threat hunting teams.

  • Responding to Incidents in Industrial Control Systems: Identifying Threats/Reactions and Developing the IR Process Analyst Paper (requires membership in SANS.org community)
    by Don C. Weber - May 21, 2020 in Industrial Control Systems / SCADA, Threats/Vulnerabilities

    Threats, attacks and incidents are not decreasing. Industrial control systems (ICS) have become increasingly vulnerable as cyber criminals discover that OT environments are viable targets. This paper outlines the incident response process in OT environments and provides examples of the pitfalls of being unprepared.

  • QUIC & The Dead: Which of the Most Common IDS/IPS Tools Can Best Identify QUIC Traffic? STI Graduate Student Research
    by Lehlan Decker - May 20, 2020 in Intrusion Detection

    The QUIC protocol created by Google for use in their popular browser Chrome has begun to be adopted by other browsers. Some organizations have a robust strategy to handle TLS with HTTP2. However, QUIC (HTTP/2 over UDP) lacks visibility via crucial information security tools such as Wireshark, Zeek, Suricata, and Snort. Lack of visibility is due to both its use of TLS 1.3 for encryption and UDP for communication. The defender is at a disadvantage as selective blocking of QUIC isn’t always possible. Moreover, some QUIC traffic may be legitimate, and so outright blocking of endpoints that use QUIC is likely to cause more issues than it solves. To complicate matters further, QUIC has begun to appear in Command and Control (C2) frameworks like Merlin as an additional means of hiding traffic.

  • Quantifying Threat Actor Assessments STI Graduate Student Research
    by Andy Piazza - May 20, 2020 in Threat Intelligence

    The cyber threat landscape is a complex mix of adversaries, vulnerabilities, and emerging capabilities. Within this environment, Chief Information Security Officers (CISOs) must prioritize resources and projects to maximize their defenses against the most significant threats. The challenge, though, lies in assessing threats to an organization in a meaningful way. By assessing threat actors’ intent to target a specific organization for certain attack types, information security leaders can determine which malicious actors are most likely to target their enterprise. The assessment of the threat actors’ documented capabilities for those specific attack types allows leaders to wade through the fear, uncertainty, and doubt (FUD) of vendor marketing and nation-state saber-rattling to prioritize capabilities for defensive posturing. This paper introduces the Threat Box, a Cartesian coordinate system, which portrays threat actors’ intent and capabilities as an executive communication tool for information security leaders to depict the prioritization of threat actors.

  • Ebb and Flow: Network Flow Logging as a Staple of Public Cloud Visibility or a Waning Imperative? STI Graduate Student Research
    by Dennis Taggart - May 18, 2020 in Cloud Computing

    The basic tenets of information security remain relatively unchanged even while specific examples of security-related tools, processes, and procedures may shift in popularity over time. Deciding what to prioritize and recommend as a security professional can be challenging, but the most straightforward cases are those justified by the quantitative reduction of risk. In this search for quantitative risk reduction, it is worthwhile for security professionals to consider that the methods used to fulfill basic security needs in one environment may not provide the same benefit in another. The 2019 version of the Cloud Security Alliance's Top Threats to Cloud Computing document warns of critical security issues facing public cloud consumers (Cloud Security Alliance, 2019, p.40). The CSA also acknowledges their work concentrates less on some of the more traditional security threats like “vulnerabilities and malware”, while calling for further research (Cloud Security Alliance, 2019, p.40). This whitepaper inhabits the category of additional research and also occupies a space parallel, but perhaps not identical to classical security views. This research assumes a slightly-less-traditional approach by not taking the value of flow logging, or its costs in the cloud, for granted. It further asserts that given limited resources, there may be more directly valuable logging sources available. This paper establishes a quantitative methodology for judging the effectiveness of flow and non-flow logging as applied in a public cloud environment. It exercises this methodology by simulating top cloud computing threats and examining the capabilities of each.

  • 2020 SANS Automation and Integration Survey Analyst Paper (requires membership in SANS.org community)
    by Don Murdoch - May 18, 2020 in Automation, Security Trends

    This year's Automation and Integration Survey aimed to quantify automation experiences and more concretely understand how organizations are able to maximize their security investment and improve operations through automation efforts. This paper explores what automation activities have been successful, why they have been successful, and how organizations set up their automation activities to achieve meaningful results.

  • How to Implement a Software-Defined Network Security Fabric in AWS Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - May 18, 2020 in Network Access Control, Cloud Computing

    Maintaining control and visibility of network assets in hybrid networks creates many security challenges. In this paper, you'll learn proven strategies such as building a control stack of cloud-native and third-party controls to ensure confidentiality and availability of assets; using SD-WAN and cloud security-as-a-service to provide edge security in a unified network fabric; and leveraging infrastructure-as-code for automation and management of infrastructure.

  • Efficacy of UNIX HIDS STI Graduate Student Research
    by Janusz Pazgier - May 15, 2020 in Intrusion Detection

    There has been an increase in UNIX-based adversarial activity, as enterprises and users shift towards the platform (WatchGuard, 2017). The focus of this paper is to demonstrate the effectiveness of three separately installed host-based intrusion detection systems (HIDS): OSSEC, Samhain, and Auditd, and their ability to detect specific MITRE ATT&CK tactics. Custom scripts implement the ATT&CK tactics of privilege escalation, persistence, and data exfiltration. The goal is to inform security professionals about the pros and cons of implementing each of these HIDS.

  • Dealing with DoH: Methods to Increase DNS Visibility as DoH Gains Traction STI Graduate Student Research
    by Scott Fether - May 6, 2020 in Intrusion Detection, DNS Issues

    Microsoft is planning to implement DNS over HTTPS (DoH) in the native Windows DNS Client (Jensen, Pashov, & Montenegro, 2019). Firefox and Chrome have already implemented this protocol in their browsers. Because of DoH’s encrypted nature and use of port 443, security analysts will need to adjust their log collection and analysis techniques. Much of the literature available regarding DoH suggests either preventing the use of DoH (Hjelm, 2019, p. 20) or utilizing SSL/TLS proxies to inspect the queries (Middlehurst, 2018). Firefox can generate host logs on DoH resolution, which includes unencrypted queries and answers. This research will explore various inspection and logging techniques that will identify the most effective approach to analyzing DoH.

  • All Roads Lead to the Browser: A SANS Buyer's Guide to Browser Isolation Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - May 6, 2020 in Intrusion Prevention, Threats/Vulnerabilities

    As organizations move to the cloud, browser dependency becomes more prevalent. That's why we say the browser is the new endpoint. By limiting the impact a browser can have on a victim system, organizations can prevent web code from reaching the endpoint. Find out how browser isolation works, key factors to consider when evaluating, implementing and testing solutions, and how to integrate browser isolation into your security posture to stop attacks earlier.

  • Cyber Range – The Future of Cyber Security Training by Carlos Perez Gonzalez - May 5, 2020 in Training

    Both the private and government sectors are looking for talent. Thousands of vacancies are going unfilled as the industry struggles with a shortage of adequately trained professionals. According to the latest forecasts, there will be 3.5 million unfilled cybersecurity jobs by 2021. The challenges related to finding talent are not new, and this problem has grown in the last years with an increase in cyber-attacks.

  • Birthday Hunting by Jack Burgess - May 4, 2020 in Incident Handling, Threat Hunting

    The Birthday Problem has a number of applications to incident response. Existing tools can both narrow the focus of the incident response team and limit their experience to a small subset of alerts. This leaves specialized tools to do the analysis before anything is investigated, imposing a range of biases. We show the use of randomly selected investigation of nodes in the environment has a significant likelihood of finding the adversary. This allows for the evaluation of threat hunting and security operations. The approach is then extended to the evaluation of cybersecurity machine learning products. These products may be complicated and opaque. The approach presented avoids the need to understand the internals, shifting analyst focus to business as usual operations.

  • Detecting DLL Search Order Hijacking: How using a purple team approach can help create better defensive techniques and a more tactical SIEM by Lasse Hauballe Jensen - May 4, 2020 in Logging Technology and Techniques

    Many SIEM analysts will recognize the feeling of being overwhelmed with security logs and alerts, and having to deal with them using a SIEM that gets slower and slower. For many, it may even seem that the SIEM has transitioned into being an overpriced log storage system. Figuring out how to make the SIEM faster, more tactical, and defensive-oriented will also be a way to make the analysts better and happier. It will also provide more accurate reporting for managers, and lastly, it will reduce storage and processing requirements, lowering the overall cost of running a SIEM.

  • Corporate Information Governance with Business Wisdom by David Alexander Cruz Urena - May 4, 2020 in Governance

    Whether a secret ingredient used for a lemonade stand across the street or the business strategies of a Fortune 50 corporation on Wall Street, organizations that collect, process, or transmit any data have the legal and moral responsibility to govern it. Governing information goes beyond technical capabilities. Further, it is unwise to rely on a department to define, organize, present, and protect information. With the explosion of information into every business activity, information governance is a practice that businesses must exercise. This paper provides actionable and comprehensive strategies to develop effective corporate information governance. Three principles are addressed: governance of accountability, clarity of purpose, and clarity of collaboration.

  • Transforming Detection and Response: A SANS Review of Cortex XDR Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - May 4, 2020 in Clients and Endpoints, Intrusion Detection

    To help their teams detect and respond to the ever-growing list of security threats, many organizations have turned toward endpoint detection and response (EDR) platforms within their environment. This product review explores the intuitive and insightful security platform Cortex XDR, provided by Palo Alto Networks. A platform designed to help decrease the time an organization needs to detect and respond to threats, Cortex XDR brings multiple data sources together, including network, endpoint and cloud, to assist analysts in performing enterprise investigations.

  • Creating an Active Defense PowerShell Framework to Improve Security Hygiene and Posture STI Graduate Student Research
    by Kyle Snihur - April 28, 2020 in Active Defense

    Security professionals are inundated with alerts, and analysts are suffering alert fatigue with no actionable intelligence (Miliard, 2019). Poor priorities and lack of resources put enterprises at risk (Wilson, 2015). In Windows domains, PowerShell can be used to aggregate data and provide actionable reports and alerts for security professionals continuously. This paper explores the viability of creating an Active Defense PowerShell framework for small to medium-sized organizations to improve security hygiene and posture. The benefits include providing actionable alerts and emails that security professionals can quickly address. Aggregated data can also be used to identify and prioritize holes in an organization's security posture.

  • SANS Top New Attacks and Threat Report Analyst Paper (requires membership in SANS.org community)
    by John Pescatore - April 27, 2020 in Security Trends, Threats/Vulnerabilities

    SANS instructors presented their analysis of new attack techniques currently in use and shared their projections for future exploits at the annual 2020 RSA Conference in San Francisco. In this paper, SANS Director of Emerging Security Trends John Pescatore highlights key themes from that report and other sources.

  • How to Design a Least Privilege Architecture in AWS Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 23, 2020 in Intrusion Detection, Security Modeling

    A least privilege architecture reduces risk and minimizes disruptions by allowing only the minimum required authority to perform tasks. This architecture should include authentication and authorization controls, network access and inspection controls, and monitoring/enforcement controls for both the network and workloads. Learn what it takes to create a granular security environment that provides strong attack resistance.

  • Zero Trust: What You Need to Know to Secure Your Data and Networks Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 20, 2020 in Network Security, Security Trends

    In the ongoing movement toward increasingly hybrid software-based environments, enterprises are designing dynamic security architecture models to start adopting an overarching theme: one of "zero trust." The core elements of a well-rounded zero trust model are still in the development stage, but this paper explores the critical missing element to securing your data and network in a zero trust architecture.

  • Top 5 Considerations for Multicloud Security by Brandon Evans - April 15, 2020 in Application and Database Security, Cloud Computing

    The move to leveraging multiple public cloud providers introduces new challenges and opportunities for security and compliance professionals. As the service offering landscape is constantly evolving, it is far too easy to prescribe security solutions that are not accurate in all cases. This paper will examine five critical considerations for securely using the three biggest public cloud providers: Amazon Web Services, Microsoft Azure, and the Google Cloud Platform. While it is tempting to dismiss the multicloud movement or block it at the enterprise level, this will only make the problem harder to control. By embracing multicloud as inevitable and working to understand it, security and compliance professionals can help move the organization forward safely.

  • Mission Implausible: Defeating Plausible Deniability with Digital Forensics STI Graduate Student Research
    by Michael Smith - April 2, 2020 in Forensics

    The goal of plausible deniability is to hide potentially sensitive information while maintaining the appearance of compliance. In simple terms, it is granting someone access to a safe but keeping items of real value successfully hidden in a false bottom. Encryption platforms such as VeraCrypt and TrueCrypt achieve this goal in the digital realm using nested encryption. This nesting typically takes one of two forms: a deniable file system or a deniable operating system (OS). The deniable file system uses the interior of an encrypted container to mask its presence, akin to the false bottom in the safe analogy. The deniable operating system uses an encrypted bootable partition to mask the presence of a second OS, much like a safe that reveals a different compartment based on how a key turns in the lock. The use of encryption to create a scenario for plausible deniability presents a significant threat to the success of law enforcement and digital forensic professionals. Performing registry analysis and digital forensics is the metaphorical equivalent of using a magnifying glass to look for clues inside the safe with a false bottom or a key-based compartment. When forensics is successful in revealing clues of a deniable file system, it effectively defeats the case for plausible deniability. The goal of this research is to explore the digital forensics metaphorical equivalent of such clues.

  • Tracking Penetration Test Activities STI Graduate Student Research
    by Joshua Arey - April 2, 2020 in Work Monitoring

    Most penetration testers (“pentesters”) are required to track their actions during a penetration test event but rarely do so in enough detail to recreate all of their activities accurately. Instead, pentesters often only track activities that lead to findings disclosed in the final penetration testing (“pentest”) report. Tracking testing activities can be challenging and often gets disregarded when it slows down a pentest engagement. Fortunately, most pentest systems have automatic logging mechanisms that can be leveraged to help track pentest activities. However, many logging capabilities do not sufficiently record the network traffic generated by the attacking system, and network monitoring tools do not record what actions triggered the sending of packets. Customizing system logging configurations and incorporating system monitoring tools such as auditd can help automatically track testing activities on Linux-based pentest systems. This additional logging allows for accurate tracking in enough detail for an auditor to determine what actions a pentester took against the pentest targets.

  • 2020 SANS Network Visibility and Threat Detection Survey Analyst Paper (requires membership in SANS.org community)
    by Ian Reynolds - March 31, 2020 in Intrusion Detection, Threat Hunting

    Organizations have untapped opportunities to strengthen the way they analyze network data and increase visibility. Visibility brings increased situational awareness, allowing for rapid threat identification and investigation for faster resolution of internal performance issues and security breaches. Investing time in understanding how and where to capitalize on these opportunities will bring real and measurable benefits.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.