
Reading Room


More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,780 original computer security white papers in 106 different categories.

Latest 25 Papers Added to the Reading Room

  • Securing the Corporate WLAN in a Healthcare Regulated Organization STI Graduate Student Research
    by Jim Pomeroy - April 6, 2018 in Compliance

    Wireless networks are a crucial component in the technology infrastructures of modern medical practices and have become an enabler of patient services in the healthcare industry. Healthcare organizations deploy wireless diagnostic devices to provide critical information at the point of care. These devices provide data to medical decision-makers in real time to improve patient outcomes. One of the challenges of integrating these new devices and services into the wireless networks of medical practices is wireless network security. Wireless networks have inherent risks, ranging from data leakage to availability issues in the event of a DoS (Denial of Service) attack or outage. It is critical to secure a patient’s personal information, termed electronic protected healthcare information (ePHI), at all times. Protecting ePHI is a primary goal in designing wireless networks for a healthcare-focused organization. Wireless implementations must be designed to protect patient health information from breach or theft, while at the same time providing needed services to patients and clients. The primary goal of this research project was to provide a healthcare-focused consulting organization with a secure and compliant wireless network. The network is to enable employee collaboration, facilitate client engagement, and accomplish the primary security goal of protecting the company’s ePHI.


  • Securing the Hybrid Cloud: Traditional vs. New Tools and Strategies A SANS Whitepaper Analyst Paper
    by Dave Shackleford - April 2, 2018 in Cloud Computing, Security Trends

    This paper takes a look at the current state of cloud security and offers specific recommendations for security best practices, including how to use some traditional security tools and emerging solutions, while taking into account typical staffing, technology and other resource issues.


  • Evaluation of Comprehensive Taxonomies for Information Technology Threats STI Graduate Student Research
    by Steven Launius - March 26, 2018 in Threat Intelligence

    Categorization of all information technology threats can improve communication of risk for an organization’s decision-makers who must determine the investment strategy of security controls. While there are several comprehensive taxonomies for grouping threats, there is an opportunity to establish the foundational terminology and perspective for communicating threats across the organization. This is important because confusion about information technology threats poses a direct risk of damaging an organization’s operational longevity. In order for leadership to allocate security resources to counteract prevalent threats in a timely manner, they must understand those threats quickly. A study that investigates categorization techniques of information technology threats to nontechnical decision-makers through a qualitative review of grouping methods for published threat taxonomies could remedy the situation.


  • An Evaluator’s Guide to Cloud-Based NGAV: The SANS Guide to Evaluating Next-Generation Antivirus Analyst Paper
    by Barbara Filkins - March 26, 2018 in Clients and Endpoints, Cloud Computing

    The coupling between NGAV and cloud-based analytics is here. The dynamics of cloud-based analytics, which allow for near-real-time operations, bring an essential dimension to NGAV, disrupting the traditional attack model by processing endpoint activity as it happens, algorithmically looking for any kind of bad or threatening behavior, not just for malicious files. This paper covers how cloud support for NGAVs is changing the game and how to evaluate such solutions.


  • Stopping Advanced Malware, Pre- and Post-Execution: A SANS Review of enSilo's Comprehensive Endpoint Security Platform Analyst Paper
    by Dave Shackleford - March 20, 2018 in Intrusion Detection, Threat Hunting

    Sophisticated malware is the new weapon of choice for criminals and nation states. A multilayered self-defending security solution--agnostic to operating systems, mitigating malware in real-time, enabling pre- and post-execution--is needed to defend against cyber attacks. In this review, SANS Instructor and Analyst Dave Shackleford tests enSilo's response against advanced malware and ransomware threats and explores how enSilo's features can alleviate burden on security staff.


  • Pick a Tool, the Right Tool: Developing a Practical Typology for Selecting Digital Forensics Tools STI Graduate Student Research
    by J. Richard “Rick” Kiper, Ph.D. - March 16, 2018 in Forensics, Tools, Training

    One of the most common challenges for a digital forensic examiner is tool selection. In recent years, examiners have enjoyed a significant expansion of the digital forensic toolbox – in both commercial and open source software. However, the increase of digital forensics tools did not come with a corresponding organizational structure for the toolbox. As a result, examiners must conduct their own research and experiment with tools to find one appropriate for a particular task. This study collects input from forty-six practicing digital forensic examiners to develop a Digital Forensics Tools Typology, an organized collection of tool characteristics that can be used as selection criteria in a simple search engine. In addition, a novel method is proposed for depicting quantifiable digital forensic tool characteristics.


  • PCI DSS and Security Breaches: Preparing for a Security Breach that Affects Cardholder Data STI Graduate Student Research
    by Christian J. Moldes - March 16, 2018 in Breaches, Compliance, Incident Handling

    Organizations that transmit, process or store cardholder data are contractually obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS). They may be tempted to assume that once they are certified compliant, they are immune to security breaches, and as a result, may be inadequately prepared when such events occur. Regardless of their compliance status, organizations that fail to prepare could face long investigations, expensive forensic services, staff terminations, and loss of business and reputation. This research/paper provides detailed guidelines on how to prepare for a security breach, the documentation needed to facilitate forensic investigations and containment, and how to minimize the consequences and impact of a security breach.


  • PCAP Next Generation: Is Your Sniffer Up to Snuff? STI Graduate Student Research
    by Scott D. Fether - March 16, 2018 in Intrusion Detection, Network Security

    The PCAP file format is widely used for packet capture within the network and security industry, but it is not the only standard. The PCAP Next Generation (PCAPng) Capture File Format is a refreshing improvement that adds extensibility, portability, and the ability to merge and append data to a wire trace. While Wireshark has led the way in supporting the new format, other tools have been slow to follow. With advantages such as the ability to capture from multiple interfaces, improved time resolution, and the ability to add per-packet comments, support for the PCAPng format should be developing more quickly than it has. This paper describes the new standard, displays methods to take advantage of new features, introduces scripting that can make the format usable, and makes the argument that migration to PCAPng is necessary.


  • Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security Analyst Paper
    by Jake Williams - March 15, 2018 in Clients and Endpoints, Forensics

    With the increasing prevalence of security incidents, security teams are learning quickly that the endpoint is involved in almost every targeted attack. EnCase Endpoint Security aims to help security teams focus on the most critical incidents and avoid costly data breaches. In this review, SANS analyst Jake Williams shares his tests of EnCase Endpoint Security version 6.02 and how it performs.


  • VMRay Analyzer: Rapid Malware Analysis for Incident Response (IR) Teams Analyst Paper
    by Matt Bromiley - March 12, 2018 in Incident Handling

    In our hands-on testing, we found that VMRay Analyzer's agentless approach to malware analysis is an effective way to provide rapid incident response. VMRay bridges the gap between an easy-to-use interface and back-end technology that provides a novel platform for analyzing advanced threats.


  • Managing User Risk: A Review of LogRhythm CloudAI for User and Entity Behavior Analytics Analyst Paper
    by Dave Shackleford - February 26, 2018 in Breaches, Incident Handling, Threats/Vulnerabilities

    In this product review, we explored the recently released LogRhythm CloudAI, which applies user and entity behaviour analytics (UEBA) capabilities to enhance traditional event management and security analytics toolsets to monitor behaviors tracked over time, alerting analysts to unusual events or patterns of events.


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity
    by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


  • Using Windows 10 and Windows Server 2016 to create an Endpoint Detection and Response solution STI Graduate Student Research
    by Sebastian Godin - February 21, 2018 in Intrusion Detection

    It has been established best practice to supplement Microsoft Windows with third-party endpoint security solutions that defend against viruses, malware, internet-based, and other threats. With each iteration of Windows, Microsoft has added security measures that are native to the OS, like Windows Defender, the Security Policy Editor, and more. Microsoft has made many noticeable advances in Windows 10 and Windows Server 2016 that improve the overall security posture of endpoints. This new modern Windows enterprise ecosystem, when utilized properly, can be leveraged like an Endpoint Detection and Response capability. This capability can be achieved without third-party software and can reduce costs to the enterprise that can be reinvested into other projects.


  • Adapting AppSec to a DevOps World
    by Stephen Deck - February 20, 2018 in Application and Database Security

    DevOps software development presents a fundamental challenge to traditional software security practices. Multi-day static and dynamic analysis run by a small pool of security experts is not a tenable model when the business demands multiple software releases per day. Modern system administration and quality assurance roles have adapted by using automation to empower developers to elevate code safely and as often as possible. By operating within the DevOps culture and tooling, security experts can educate developers and instrument systems in much the same way as other stakeholders in the development process. Proper abuse case development, metrics, unit, and integration testing can minimize risk while still enabling the rapid software development that businesses demand.


  • Immutability Disrupts the Linux Kill Chain Analyst Paper
    by Hal Pomeranz - February 20, 2018 in Linux Issues

    New exploits aimed at Linux systems are able to succeed by achieving root access to the OS. But what if you could lock down the OS and enforce security policies from outside of it? This Spotlight Paper explores the concept of ‘immutability’ as a way of interdicting the Linux kill chain.


  • Automating Static File Analysis and Metadata Collection Using Laika BOSS
    by Charles DiRaimondi - February 19, 2018 in Malicious Code

    Laika BOSS is a file-centric recursive object scanning framework developed by Lockheed Martin that provides automation of common analysis tasks, generation of rich file object metadata and the ability to easily apply file-based signature detections to identify malicious files through static analysis. While performing triage and analysis of malware, analysts typically perform repeatable tasks using a variety of standalone utilities and use these tools to gather information that will be useful in understanding adversary tools and in developing future detections. This paper will provide guidance to analysts by reviewing concepts core to the Laika BOSS framework, integrating custom Yara rules for file-based detections, searching and filtering scan object metadata, and describing how to develop, test and implement new Laika BOSS modules to extend and automate new functionality and capabilities into the framework. As part of performing this research, new modules and tools will be released to the security community that will enhance the capabilities and value obtained by using the Laika BOSS framework to perform static malware analysis and metadata collection.


  • NOC/SOC Integration: Opportunities for Increased Efficiency in Incident Response within Cyber-Security
    by Nelson Hernandez - February 14, 2018 in Incident Handling

    Managing, monitoring and defending enterprise networks with siloed Network Operation Centers (NOC) and Security Operation Centers (SOC) is a challenge. Each team runs 24/7 incident response, event monitoring/correlation, trouble ticket generation/escalation and up-channeling of communications, which provides an opportunity to integrate NOC and SOC functions. Both teams can be integrated at the first tier through cross-training, rewriting Standard Operating Procedures (SOPs) with coordination points, standardizing shared and coordinated communications, and sharing and integrating dashboards and other data tools as cybersecurity continues to evolve. Adoption of integration as an industry best practice can capitalize on federated data, improve communication, increase visibility and situational awareness, optimize resource sharing and increase efficiencies.


  • CTI in Security Operations: SANS 2018 Cyber Threat Intelligence Survey Analyst Paper
    by Dave Shackleford - February 5, 2018 in Threat Intelligence, Threats/Vulnerabilities

    The survey focuses on how organizations could collect security intelligence data from a variety of sources, and then recognize and act upon indicators of attack and compromise scenarios in a timely manner. Although some CTI trends continued this year, we definitely saw several differences in a number of areas, which are noted in the research. From this year's results, it is obvious that CTI collection, integration and use within security teams are maturing.


  • Building a Custom SIEM Integration for an API-Based Log Source: Azure AD Graph Sign-In Events
    by Jason Mihalow - February 3, 2018 in Logging Technology and Techniques

    Enterprise security breaches can quickly paralyze operations and cripple the ability to do business if security teams are not adequately equipped to collect all critical log data from the services an organization uses. Vendors lead us to believe that we are comprehensively covered with their "out-of-the-box" log source integrations. It can be challenging for security professionals to find issues with these integrations, and it is usually not until a security incident that we realize that crucial log data is missing. This paper takes a critical look at a hidden gap in "out-of-the-box" integrations in SIEM platforms for API log sources, which we, as security professionals, rely on for our detection and analysis of security incidents. As organizations turn from on-premises log sources with push-style log delivery methods to cloud-based solutions where logs are pulled from an API endpoint, new issues arise that have not been seen before. These issues can lead to undetected gaps of missing data between the true record of API log data and what is found in the SIEM platform.


  • Learning Cryptography by Doing It Wrong: Cryptanalysis of the Vigenere Cipher
    by Jeremy Druin - February 3, 2018 in Encryption & VPNs

    When studying complex ideas, it may help to begin with a simpler example to better understand its concepts. Modern cryptography and cryptanalysis are exceptionally complex, so a case study from classical cryptography can aid understanding. The Vigenere Cipher is a good example. Vigenere was widely considered to be a secure cipher for three centuries. It is non-trivial to cryptanalyze, offering a stretch goal for beginners, but not impossible to comprehend. Vigenere provides practice of multiple techniques such as statistical analysis, histograms, and Index of Coincidence. Statistical properties of files before and after encryption can be compared to show attributes that allow encrypted files to be detected. A method of detecting the encryption key length for a Vigenere cipher will be introduced. Ultimately, a strategy to recover the key for JPEG encrypted files will be demonstrated. To help the reader follow this analysis, open source software will be provided that performs encryption, decryption, and cryptanalysis. Besides learning about classical ciphers and having fun, we will reinforce the importance of proper cipher choice for the modern InfoSec professional.


  • DNS: An Asset, Not a Liability Analyst Paper
    by Matt Bromiley - January 30, 2018 in Attacking Attackers, Intrusion Detection, Intrusion Prevention

    The Domain Name System, or DNS, is crucial to billions of Internet users daily, but it comes with issues that organizations must be aware of. Attackers are abusing DNS to conduct attacks that bring businesses to their knees. Fortunately, with the right detection and analysis mechanisms in place, security teams can turn DNS vulnerabilities into enterprise assets.


  • High Assurance File Filtering, It's Not Magic STI Graduate Student Research
    by Adam Gould - January 29, 2018 in Data Loss Prevention

    This paper examines file type identification techniques to inform further research to improve the security of cross domain solutions (CDS), which are regarded as the most reliable technologies of high-assurance file filtering solutions. Traditionally only used in highly classified government environments, CDS are slowly being adopted by other institutions in the financial, healthcare and mining sectors due to the increasing recognition of the value and importance of the protection of intellectual property (IP). The portable document format (PDF) is one of the primary document formats in which IP is shared and distributed. By using PDFs as a case study, this paper proposes recommendations specifically for software file format specification creators to develop file type sub-specifications that can be easily validated for the purposes of IP control and security. The recommendations herein will conceptually apply to all file types, although it should be noted that not all techniques and recommendations will be applicable to every file type due to unique properties that exist in different classes of file types.


  • Increase the Value of Static Analysis by Enhancing its Rule Set STI Graduate Student Research
    by Michael Matthee - January 29, 2018 in Securing Code

    Static analysis tool vendors are debating whether to allow their customers a rule-set tailored to their environment. There is no empirical evidence to support each argument or counter-argument. Veracode does not accept custom rules and argues that lock-down is in their customers' best interest. Checkmarx enables their customers to customize a rule-set under very special license agreements, while open-source tools such as SonarQube allow for complete customization. Putting vendor concerns and priorities aside, should the enterprise add a tailored rule-set by adding rules that enforce its secure coding standards too? More importantly, does a tailored rule-set increase the value of static code analysis to the business? In this study, four different static analysis tools (Veracode, IBM AppScan, Burp Proxy Scanner and SonarQube) scan a JavaScript application. After showing the limitations of the default rule-set for each scanner, the research study adds rules that cover the distinct design and coding standards of the sample application. It is not possible to add a custom rule-set to every scanner. For that reason, the experiment adds the tailored rule-set to the SonarQube platform and combines the results of the two scanning tools: the one tool enforces security standards while the other finds common flaws in the code. While prior research shows that combining the strengths of multiple code analysis tools delivers better results in general, this research study proves that a tailored rule-set improves the outcome even more. The research undertaking recommends practical steps to increase the coverage of automated static analysis and maximize its value to the enterprise.


  • Building the New Network Security Architecture for the Future Analyst Paper
    by Sonny Sarai - January 22, 2018 in Cloud Computing, Data Protection, Internet of Things

    With the move to cloud services, software-defined networks and IoT devices, the game has changed in terms of defining an organization's network. Current network security architecture doesn't offer the visibility required for modern-day networks, much less guard against threats roaming within them. This white paper examines key elements of the network of the future and their optimal implementation.


  • Bug Bounty Programs: Enterprise Implementation STI Graduate Student Research
    by Jason Pubal - January 17, 2018 in Application and Database Security

    Bug bounty programs are incentivized, results-focused programs that encourage security researchers to report security issues to the sponsoring organization. These programs create a cooperative relationship between security researchers and organizations that allows the researchers to receive rewards for identifying application vulnerabilities. Bug bounty programs have gone from obscurity to being embraced as a best practice in just a few years: application security maturity models have added bug bounty programs, and there are standards for vulnerability disclosure best practices. Through leveraging a global community of researchers available 24 hours a day, 7 days a week, information security teams can continuously deliver application security assessments, keeping pace with agile development and continuous integration deployments and complementing existing controls such as penetration testing and source code reviews.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.