Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,990 original computer security white papers in 110 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Mission Implausible: Defeating Plausible Deniability with Digital Forensics STI Graduate Student Research
    by Michael Smith - April 2, 2020 in Forensics

    The goal of plausible deniability is to hide potentially sensitive information while maintaining the appearance of compliance. In simple terms, it is granting someone access to a safe but keeping items of real value successfully hidden in a false bottom. Encryption platforms such as VeraCrypt and TrueCrypt achieve this goal in the digital realm using nested encryption. This nesting typically takes one of two forms: a deniable file system or a deniable operating system (OS). The deniable file system uses the interior of an encrypted container to mask its presence, akin to the false bottom in the safe analogy. The deniable operating system uses an encrypted bootable partition to mask the presence of a second OS, much like a safe that reveals a different compartment based on how a key turns in the lock. The use of encryption to create a scenario for plausible deniability presents a significant threat to the success of law enforcement and digital forensic professionals. Performing registry analysis and digital forensics is the metaphorical equivalent of using a magnifying glass to look for clues inside the safe with a false bottom or a key-based compartment. When forensics is successful in revealing clues of a deniable file system, it effectively defeats the case for plausible deniability. The goal of this research is to explore the digital forensics equivalent of such clues.


  • Tracking Penetration Test Activities STI Graduate Student Research
    by Joshua Arey - April 2, 2020 in Work Monitoring

    Most penetration testers (“pentesters”) are required to track their actions during a penetration test event but rarely do so in enough detail to recreate all of their activities accurately. Instead, pentesters often only track activities that lead to findings disclosed in the final penetration testing (“pentest”) report. Tracking testing activities can be challenging and often gets disregarded when it slows down a pentest engagement. Fortunately, automatic logging mechanisms are available on most pentest systems and can be leveraged to help track pentest activities automatically. However, many logging capabilities do not sufficiently record the network traffic generated from the attacking system, and network monitoring tools do not record what actions triggered the sending of packets. Customizing system logging configurations and incorporating system monitoring tools such as auditd can help automatically track testing activities on Linux-based pentest systems. This additional logging allows for accurate tracking in enough detail for an auditor to determine what actions a pentester took against the pentest targets.


  • 2020 SANS Network Visibility and Threat Detection Survey Analyst Paper (requires membership in SANS.org community)
    by Ian Reynolds - March 31, 2020 in Intrusion Detection, Threat Hunting

    Organizations have untapped opportunities to strengthen the way they analyze network data and increase visibility. Visibility brings increased situational awareness, allowing for rapid threat identification and investigation for faster resolution of internal performance issues and security breaches. Investing time in understanding how and where to capitalize on these opportunities will bring real and measurable benefits.



  • Automated Detection and Disinfection of Ransomware Attacks using Roadblock Software
    by Hemant Kumar - March 18, 2020 in Reverse Engineering Malware

    We often hear about ransomware locking data and demanding a ransom. Ransomware is a kind of malware that prohibits users from accessing their system or files and mostly requires a ransom payment to regain access. This results in data loss, downtime, lost productivity, and reputational harm. Financial losses from ransomware attacks are predicted to exceed 11.5 Billion Dollars in 2019, with ransomware attacks on businesses every 14 seconds. The extent and complexity of ransomware are advancing at a high rate. Malware authors utilize several sophisticated techniques to evade current security defenses, and all the encryption happens in less than a minute. So, there is a need to develop automated software that detects various kinds of ransomware without depending on malware signatures, and that can also disinfect the live system against various kinds of ransomware attacks in under a minute, thus containing the infection and preventing it from spreading to other systems. The software should also notify the incident response team of the detected ransomware attacks and their IOCs so that they can further protect the organization from a similar type of attack. Roadblock software solves this problem by detecting various kinds of ransomware attacks and disinfecting the system without any need for a reboot in less than a minute. It leads to no data loss, no downtime, no lost productivity, and no reputational harm. The disinfection process is not dependent on malware signatures or malware coding; it works by performing fast and deep forensics of the system on which Roadblock is pre-installed, so that it can detect new ransomware variants.


  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - March 17, 2020 in Intrusion Detection, Threat Hunting

    Deception technologies significantly improve security teams' capabilities to quickly and accurately detect attackers that intentionally avoid looking malicious. But how do these cyber technologies work to address key security concerns? This paper explores how to collect threat intelligence and attack attribution information associated with malicious behaviors that fly under the radar in an attempt to carry out Active Directory and ransomware attacks, phishing and credential hijacking, vulnerable applications, and more.


  • Women in Cybersecurity: Spanning the Career Life Cycle Analyst Paper (requires membership in SANS.org community)
    by Heather Mahalik - March 16, 2020 in Management & Leadership, Security Trends

    In this paper, survey author and SANS instructor Heather Mahalik explores key results of our survey of successful women in varied roles within the cybersecurity community and draws on experiences of such women to provide practical advice to women all along their career life cycle.


  • Knock, Knock: Is This Security Thing Working? Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 10, 2020 in Network Security, Security Trends

    Is our current state of information security working? Is it possible the "same old way" of doing things is simply making us feel secure...until the next breach proves us wrong? This paper explores how the movement toward virtualized data centers has removed obstacles to a long-held goal for information security: the concept of intrinsic security.


  • Uninitialized Memory Disclosures in Web Applications
    by Balint Varga-Perke - March 9, 2020 in Web Application Security

    Since modern web applications are implemented in memory-safe languages, vulnerabilities arising from erroneous memory handling are often overlooked during web application testing. Recent research, however, shows that some memory-unsafe parsers are still popular members of the software supply chain, reanimating old bug classes. Disclosure of uninitialized memory is one of these bug classes and poses unique challenges for black- and white-box testing and vulnerability research alike. This paper will give an overview of the bug class and public cases of such vulnerabilities affecting web applications. Challenges and possible approaches to black-box detection will be discussed in detail. Since the processing model of the affected software has a determining effect on the impact of memory disclosures, the effect of the vulnerabilities will be assessed against multiple application platforms.


  • How to Leverage Endpoint Detection and Response (EDR) in AWS Investigations Analyst Paper (requires membership in SANS.org community)
    by Justin Henderson - March 9, 2020 in Automation, Clients and Endpoints

    Endpoints are moving past EC2 virtual machines, and it is imperative for EDR solutions to evolve and support this evolution. This paper illustrates how to leverage endpoint detection and response (EDR) in Amazon Web Services (AWS) to achieve a higher standard of security while simplifying management overhead. Discover how to use EDR solutions to add thousands of host-based observables for threat hunting, auto-scale threat detection across cloud endpoints and integrate a cloud access security broker (CASB) to extend protection to cloud apps.


  • Preventing Living off the Land Attacks STI Graduate Student Research
    by David Brown - March 5, 2020 in Penetration Testing

    Increasingly, attackers are relying on trusted Microsoft programs to carry out attacks against individuals and organizations (Symantec, 2017). The software typically comes installed by default in Windows and is often required for the essential functionality of the operating system. These types of attacks are called “living off the land,” and they can be challenging to detect and prevent. This paper examines the viability of using Microsoft AppLocker to thwart living off the land attacks without impacting the legitimate operating system and administrative use of the underlying Microsoft programs.


  • Incident Response in a Zero Trust World STI Graduate Student Research
    by Heath Lawson - February 27, 2020 in Incident Handling

    Zero Trust Networks is a new security model that enables organizations to provide continuously verified access to assets and is becoming more common as organizations adopt cloud resources (Rose, S., Borchert, O., Mitchell, S., & Connelly, S., 2019). This new model enables organizations to achieve much tighter control over access to their resources by using a variety of signals that provide great insight to validate access requests. As this approach is increasingly adopted, incident responders must understand how Zero Trust Networks can enhance their existing processes. This paper provides a comparison of incident response capabilities in Zero Trust Networks with those of traditional perimeter-centric models, and guidance for incident responders tasked with managing incidents using this new paradigm.


  • Unix-style approach to web application testing
    by Andras Veres-Szentkiralyi - February 27, 2020 in Penetration Testing

    Web application testers of our time have lots of tools at their disposal. Some of these offer the option to be extended in ways the original developers did not think of, thus making their tool more useful. However, developing extensions or plugins has entry barriers in the form of fixed costs, boilerplate, et cetera. At the same time, many problems already have a solution designed as a smaller standalone program, which could be combined in the Unix fashion to produce a useful complex tool quickly and easily. In this paper, a (meta)solution is introduced for this integration problem by lowering the entry barriers, and several examples are offered that demonstrate how it saved time in web application assessments.


  • Cybersecurity in the Age of the Cloud Analyst Paper (requires membership in SANS.org community)
    by Frank Kim - February 21, 2020

    The hand-selected resources in this eBook provide a well-rounded look at cybersecurity considerations and practices in the age of the cloud. Each report in the collection touches on different parts of the five functions of the NIST Cybersecurity Framework - identify, protect, detect, respond, and recover. The collection is rounded out by the recent SANS 2019 Cloud Security Survey to provide a snapshot of today's cloud security environment and associated concerns.


  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - February 18, 2020 in Intrusion Detection, Threat Hunting

    Deception technologies can significantly improve an organization's capability to quickly and accurately detect attackers that intentionally avoid looking malicious. At the same time, deception technologies can collect threat intelligence and attack attribution information to improve response effectiveness. Implemented as network-accessible resources, on endpoints and even in cloud implementations, deception technologies can cover major attack surfaces to assist with detecting malicious behaviors like account hijacking, phishing, vulnerable applications, and more.


  • Vulnerabilities on the Wire: Mitigations for Insecure ICS Device Communication STI Graduate Student Research
    by Michael Hoffman - February 12, 2020 in Industrial Control Systems / SCADA

    Modbus TCP and other legacy ICS protocols ported over from serial communications are still widely used in many ICS verticals. Due to extended operational ICS component life, these protocols will be used for many years to come. Insecure ICS protocols allow attackers to potentially manipulate PLC code and logic values that could lead to disrupted critical system operations. These protocols are susceptible to replay attacks and unauthenticated command execution (Bodungen, Singer, Shbeeb, Hilt, & Wilhoit, 2017). This paper examines the viability of deploying PLC configuration modifications, programming best practices, and network security controls to demonstrate that it is possible to increase the difficulty for attackers to maliciously abuse ICS devices and mitigate the effects of attacks based on insecure ICS protocols. Student kits provided in SANS ICS515 and ICS612 courses form the backdrop for testing and evaluation of ICS protocols and device configurations.


  • Are You Hitting the Mark with DMARC?
    by Robert Mavretich - February 12, 2020 in Email Issues

    As organizations struggle to protect their end-users from email attacks despite pragmatic methods such as phishing and awareness training, there is another tool available to assist in reducing this threat: Domain-based Message Authentication, Reporting, and Conformance (DMARC). Despite the many tangible benefits of DMARC, including monitoring, quarantining, and rejecting potentially harmful emails based on various indicators, many organizations have not moved to implement DMARC to make a positive difference in email protection and delivery worldwide. This paper highlights the benefits and outlines steps that security technology departments can take to effectively partner with internal stakeholders (such as Sales and Marketing) to establish a win-win scenario of appropriately protecting the enterprise while furthering business goals.


  • Tips and Scripts for Reconnaissance and Scanning
    by Zoltan Panczel - February 12, 2020 in Threat Intelligence

    Nowadays, information is the key to success. Pentesters' and bounty hunters' first step is to collect information about the target. The crucial part of the recon process is to identify as many hosts as possible. There are plenty of useful, necessary tools to conduct this searching, but with limited automated capabilities. The recon and scanning procedures are repetitive; hence, automating them is an effective way to minimize the effort. Testers can build a customized framework if they combine the primary tools with scripting. Based on the discovered vulnerabilities and work experience, a little tuning or modification of tools might open new opportunities to find bugs.


  • How to Improve Security Visibility and Detection/Response Operations in AWS Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 12, 2020 in Automation, Intrusion Detection

    Security teams handle a sizable stream of alerts, creating noise and impairing their ability to determine which incidents to prioritize. Used together, logging and event monitoring, along with automation strategies and tools, can enable teams to build an effective and efficient continuous cloud security monitoring strategy. By implementing large-scale analytics processing, integrating SIEM solutions that improve detection and investigation of potential threats, and leveraging SOAR technologies to auto-remediate events, security teams have the power to create more signal and less noise for actionable responses.


  • Boosting IAM and Privilege Control Using Illusive Networks’ Attack Surface Manager Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 11, 2020 in Intrusion Prevention, Privilege Management

    Illusive Networks' Attack Surface Manager (ASM) takes a unique approach to identify vulnerabilities within the network. SANS reviewed ASM and learned how it continuously discovers assets in the environment and monitors systems for artifacts, allowing it to pinpoint attack paths that could be exploited by adversaries who have gained initial access to an environment. The product can then map these paths to show whether important assets are vulnerable to attack, and can remediate issues on systems within the attack path.


  • Using Illusive Networks' Attack Surface Manager to Enhance Vulnerability Management Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 11, 2020 in Intrusion Prevention, Privilege Management

    Illusive Networks' Attack Surface Manager (ASM) takes a unique approach to identify vulnerabilities within the network. SANS reviewed ASM and learned how it continuously discovers assets in the environment and monitors systems for artifacts, allowing it to pinpoint attack paths that could be exploited by adversaries who have gained initial access to an environment. The product can then map these paths to show whether important assets are vulnerable to attack, and can remediate issues on systems within the attack path.


  • 2020 SANS Cyber Threat Intelligence (CTI) Survey Analyst Paper (requires membership in SANS.org community)
    by Robert M. Lee - February 10, 2020 in Security Analytics and Intelligence, Threats/Vulnerabilities

    Over the past several years, SANS has seen a gradual maturation of cyber threat intelligence (CTI) and its applications in information security. This paper, based on results from the 2020 SANS CTI Survey, provides guidance on how organizations of all types can get the most out of CTI.


  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - February 5, 2020 in Intrusion Detection, Threat Hunting

    Deception technologies can significantly improve an organization's capabilities to swiftly and accurately detect attackers, while at the same time collecting sufficient threat intelligence and attack attribution information to improve response effectiveness. By deploying decoy lures, misdirections, and systems to attract and snare attackers, organizations can take back the advantage on today's digital battlefield. All it takes is for the attacker to touch one deceptive resource.


  • Spends and Trends: SANS 2020 IT Cybersecurity Spending Survey Analyst Paper (requires membership in SANS.org community)
    by Barbara Filkins and John Pescatore - January 28, 2020 in Best Practices, Security Trends

    CISOs and security operations managers need information on the areas of security in which their peers plan to increase or decrease their investment. This paper explores what organizational leaders are emphasizing as they budget for and procure security tools and services to support their businesses amid evolving technologies and threats.


  • Defending Infrastructure as Code in GitHub Enterprise STI Graduate Student Research
    by Dane Stuckey - January 21, 2020 in Securing Code

    As infrastructure workloads have changed, cloud workflows have been adopted, and elastic provisioning and de-provisioning have become standard, manual processes and semi-automated infrastructure management workflows have proven insufficient. One of the most widely implemented solutions to these problems has been the adoption of declarative infrastructure as code, a philosophy and set of tools which use machine-readable files that declare the desired state of infrastructure. Unfortunately, infrastructure as code has introduced new attack surfaces and techniques that traditional network defense controls may not adequately cover or account for. This paper examines a common deployment of infrastructure as code via GitHub Enterprise and HashiCorp Terraform, explores an attack scenario, examines attacker tradecraft within the context of the MITRE ATT&CK framework, and makes recommendations for defensive controls and intrusion detection techniques.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.