Become more effective at your job with hands-on cyber security training in Reston. Save $200 thru 8/28.

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,920 original computer security white papers in 110 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Cyber Protectionism: Global Policies are Adversely Impacting Cybersecurity STI Graduate Student Research
    by Erik Avery - August 21, 2019 in Risk Management

    Cyber Protectionist policies are adversely impacting global cybersecurity despite their intent to mitigate threats to national security. These policies threaten the information security community by generating effects which increase the risk to the networks they are intended to protect. International product bans, data-flow restrictions, and increased internet-enabled crime are notable results of protectionist policies – all of which may be countered through identifying protectionist climates and subsequent threat. Analyzed historical evidence facilitates a metrics-based comparison between protectionist climate and cybersecurity threats to comprise the Cyber Protectionist Risk Matrix - a risk framework that establishes a new cybersecurity industry standard.

  • JumpStart Guide for SIEM in AWS Analyst Paper (requires membership in community)
    by J. Michael Butler - August 20, 2019 in Cloud Computing

    This paper explores the needs, implementation options, capabilities, and various considerations for organizations looking to implement SIEM/SOAR capabilities in Amazon Web Services (AWS). The paper compares the integration of SIEM and SOAR in the cloud environment to on-premises use. Suggestions for planning SIEM and SOAR integration into an AWS cloud environment also included.

  • Better Security Using the People You Have Analyst Paper (requires membership in community)
    by Matt Bromiley - August 13, 2019 in Security Awareness, Security Trends

    Is your organization making optimal use of technology and processes to support the people you currently have? Because, if not, there is more work to do-and it doesn't involve hiring more people. This paper looks at the people, process and technology trifecta to identify weak points in your security. Compensate for deficiencies, maximize the resources you have, and prepare for future security threats. Get tips on how to empower your employees and help them grow their skills relative to the sophistication of today's security challenges.

  • Device Visibility and Control: Streamlining IT and OT Security with Forescout Analyst Paper (requires membership in community)
    by Don Murdoch - August 12, 2019 in Network Access Control, Clients and Endpoints

    Forescout's latest iteration of its eponymous platform builds on the product's long-standing reputation for handling network admission controls, and adds multifaceted IT/OT network device visibility and control. In this review, SANS analyst and instructor Don Murdoch delves deep into how Forescout can help organizations gain greater visibility into the devices on the network, through device discovery, auto classification, risk assessment and automating security controls.

  • SANS 2019 Incident Response (IR) Survey: It's Time for a Change Analyst Paper (requires membership in community)
    by Matt Bromiley - July 31, 2019 in Incident Handling, Security Trends

    The 2019 SANS Incident Response (IR) survey provides insight into the integration of IR capabilities to identify weak spots and best practices for improving IR functions and capabilities. In this survey paper, senior SANS instructor and IR expert Matt Bromiley explores what types of data, tools and information are key to investigations of an incident; the state of budget and staffing for IR; maturity of IR processes; impediments to IR implementations and plans for improvement; and more. The report also includes actionable advice for improving organizational IR practices.

  • ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis STI Graduate Student Research
    by Andy Piazza - July 29, 2019 in Threat Intelligence

    Risk management is a principal focus for most information security programs. Executives rely on their IT security staff to provide timely and accurate information regarding the threats and vulnerabilities within the enterprise so that they can effectively manage the risks facing their organizations. Threat intelligence teams provide analysis that supports executive decision-makers at the strategic and operational levels. This analysis aids decision makers in their commission to balance risk management with resource management. By leveraging the MITRE Adversarial Tactics Techniques & Common Knowledge (ATT&CK) framework as a quantitative data model, analysts can bridge the gap between strategic, operational, and tactical intelligence while advising their leadership on how to prioritize computer network defense, incident response, and threat hunting efforts to maximize resources while addressing priority threats.

  • How to Protect Enterprise Systems with Cloud-Based Firewalls Analyst Paper (requires membership in community)
    by Kevin Garvey - July 26, 2019 in Cloud Computing, Firewalls & Perimeter Protection

    Deploying WAFs and firewalls in the cloud saves security teams valuable time as they rely on the cloud to automate many tasks. This paper identifies key considerations in using cloud-based firewalls to protect your enterprise, including network logging, IDS/IPS, authentication and inspection. This paper also covers advanced firewalls features like behavioral threat detection, next-gen analytics and customized rules. A comprehensive use case serves as an essential how-to for making it all work.

  • JumpStart Guide for Cloud-Based Firewalls in AWS Analyst Paper (requires membership in community)
    by Brian Russell - July 24, 2019 in Cloud Computing, Firewalls & Perimeter Protection

    This guide examines options for implementing firewalls within the Amazon Web Services (AWS) Cloud. It examines the needs and capabilities associated with today’s firewall and threat prevention services and details general, technical and operational considerations when choosing these products. The guide concludes by examining AWS-specific considerations and recommending a plan of action for organizations considering the purchase of cloud-based firewalls.

  • Bye Bye Passwords: New Ways to Authenticate Analyst Paper (requires membership in community)
    by Matt Bromiley - July 23, 2019 in Authentication, Security Trends

    The "passwordless movement" is upon us! This paper addresses ways to change password handling and implement more secure authentication It examines the problem of passwords and password mismanagement, and provides tips and suggestions for increasing your organization's account security using modern industry standards.

  • Are Your Security Controls Yesterday’s News? Analyst Paper (requires membership in community)
    by Matt Bromiley - July 18, 2019 in Security Awareness, Threats/Vulnerabilities

    This spotlight paper, one of a two-part series, looks at just how successful an organization can expect to be if it's using old news, limited scope or "cookie-cutter" vulnerability scans as a way to assess its environment. SANS believes security control testing needs to improve significantly to emulate actual--not hypothetical--threats to an organization.
    The second spotlight (coming in October 2019) will focus on the input SANS received from a recent poll that gathered opinions from the SANS community on this topic.

  • Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey Analyst Paper (requires membership in community)
    by Chris Crowley and John Pescatore - July 9, 2019 in Security Trends, SOC

    In this survey, senior SANS instructor and course author Christopher Crowley, along with advisor and SANS director of emerging technologies John Pescatore, provide objective data to security leaders who are looking to establish a SOC or optimize an existing one. This report captures common and best practices, provides defendable metrics that can be used to justify SOC resources to management, and highlights the key areas that SOC managers should prioritize to increase the effectiveness and efficiency of security operations.

  • Attackers Inside the Walls: Detecting Malicious Activity STI Graduate Student Research
    by Sean Goodwin - July 2, 2019 in Intrusion Detection

    Small and medium-sized businesses (SMBs) do not always have the budget for an advanced intrusion detection system (IDS) technology. Open-source software can fill this gap, but these free solutions may not provide full coverage for known attacks, especially once the attacker is inside the perimeter. This paper investigates the IDS capabilities of a stand-alone Security Onion device when combined with built-in event logging in a small Windows environment to detect malicious actors on the internal network.

  • Building Cloud-Based Automated Response Systems STI Graduate Student Research
    by Mishka McCowan - July 2, 2019 in Cloud Computing

    When moving to public cloud infrastructures such as Amazon Web Services (AWS), organizations gain access to tools and services that enable automated responses to specific threats. This paper will explore the advantages and disadvantages of using native AWS services to build an automated response system. It will examine the elements that organizations should consider including developing the proper skills and systems that are required for the long-term viability of such a system.

  • Leveraging the PE Rich Header for Static Malware Detection and Linking by Maksim Dubyk - July 1, 2019 in Reverse Engineering Malware

    An ever-increasing number of malware samples are identified and assessed daily. Malware researchers have the difficult mission of classifying and grouping these malware specimens. Defenders must not only judge if a file is malicious or benign, but also determine how a file may relate to other groupings of known samples. The static comparison of file and file-format based properties are often utilized to execute this objective at scale. This paper builds upon previously identified Windows’ portable executable (PE) static comparison techniques through the exploration of the undocumented PE Rich header. The Rich header is a PE section that serves as a fingerprint of a Windows’ executable’s build environment. This under-utilized wealth of information can provide value to defenders in support of classifying and associating PE-based malware. This paper explores how to extract the details hidden in the Rich header and how they might be exploited to link and classify malware samples. In addition, this paper evaluates how the static linking of PE rich header sections compare to traditional static PE linking techniques.

  • How to Build an Endpoint Security Strategy in AWS Analyst Paper (requires membership in community)
    by Thomas J. Banasik - June 27, 2019 in Clients and Endpoints, Cloud Computing

    Endpoint security is the cornerstone of any successful cloud migration. This paper details how to build an endpoint security strategy that uses a defense-in-depth architecture to protect cloud assets, as well as implement key endpoint security capabilities such as EDR, UEBA and DLP solutions. It also explains synchronization with AWS services for a comprehensive view that increases visibility when combatting threats.

  • Why Traditional EDR Is Not Working - and What to Do About It Analyst Paper (requires membership in community)
    by Jake Williams - June 27, 2019 in Clients and Endpoints

    EDR, or endpoint detection and response, promises to revolutionize the way security analysts neutralize attacks. Unfortunately, EDR has not always lived up to the promised hype. This paper examines the challenges of traditional EDR platforms, and suggests what you can do to overcome them for effective EDR implementation. Paper includes a checklist of considerations for selecting and deploying an EDR platform.

  • Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths STI Graduate Student Research
    by Brianne Fahey - June 26, 2019 in Logging Technology and Techniques, Tools

    Preparations made during the Identify Function of the NIST Cybersecurity Framework can often pay dividends once an event response is warranted. Knowing what log data is available improves incident response readiness and providing a visual layout of those sources enables responders to pivot rapidly across relevant elements. Thinking in graphs is a multi-dimensional approach that improves upon defense that relies on one-dimensional lists and two-dimensional link analyses. This paper proposes a methodology to survey available data element relationships and apply a graph database schema to create a visual map. This graph data map can be used by analysts to query relationships and determine paths through the available data sources. A graph data map also allows for the consideration of log sources typically found in a SIEM alongside other data sources like an asset management database, application whitelist, or HR information which may be particularly useful for event context and to review potential Insider Threats. The templates and techniques described in this paper are available in GitHub for immediate use and further testing.

  • Building and Maturing Your Threat Hunting Program Analyst Paper (requires membership in community)
    by David Szili - June 24, 2019 in Threat Hunting

    Building an effective threat hunting program can be daunting. This paper addresses how to get started and covers building a team, what a typical hunt might look like and constructing a knowledge base for later use. It also covers how to create a test lab and use effective metrics.

  • JumpStart Guide for Endpoint Security in AWS Analyst Paper (requires membership in community)
    by David Hazar - June 19, 2019 in Clients and Endpoints, Cloud Computing

    Endpoint security is a key component of any cybersecurity program, but some organizations struggle with extending this program component to cloud workloads. This paper provides guidance on the key issues to consider when choosing an endpoint security solution for integration on the AWS platform and suggests a process for making that important decision.

  • Analysis of a Multi-Architecture SSH Linux Backdoor by Angel Alonso-Parrizas - June 17, 2019 in Reverse Engineering Malware, Threat Intelligence

    A key aspect in any intrusion is to attempt to gain persistence on the compromised system. Threat actors and criminals assure persistence through different mechanisms including backdoors. The existence of backdoors is nothing new and over the years very popular backdoors targeting most Operating Systems and many application have been developed. This paper focuses on the code analysis of an SSH Linux backdoor used in the wild by a criminal group from 2016 to at least October 2018. The backdoor runs in multiple architectures; however, the research focuses on the ARM version of the backdoor using the recently released reversing tool Ghidra, which has been developed by the NSA.

  • How to Build a Data Security Strategy in AWS Analyst Paper (requires membership in community)
    by Dave Shackleford - June 13, 2019 in Cloud Computing, Data Protection

    When organizations move sensitive data to the cloud, they absolutely must choose a provider that can ensure compliance with privacy regulations on a global stage. Data security strategies in the cloud must include encryption and key management, data loss prevention and the capability to classify and track data. By using the AWS Cloud, organizations can protect sensitive data at rest, in transit and in use.

  • Authentication: It Is All About the User Experience Analyst Paper (requires membership in community)
    by Matt Bromiley - June 12, 2019 in Authentication

    In a world where compromised user credentials can cost an enterprise millions of dollars, the importance of being able to validate user accounts is a crucial enterprise requirement. Yet implementation of modern authentication techniques is lagging, even though it provides better user experiences as well as stronger authentication. This paper examines how these techniques can be applied within your organization for your employees--the other custodians of your data. It also explores the benefits of the new WebAuthn specification.

  • Automating Response to Phish Reporting STI Graduate Student Research
    by Geoffrey Parker - June 12, 2019 in Email Issues

    Phish Reporting buttons have become easy buttons. They are used universally for reporting spam, real phishing attacks when detected, and legitimate emails. Phish Reporting buttons automate the reporting process for users; however, they have become a catch-all to dispose of unwanted messages and are now overwhelming Response Teams and overflowing Help Desk ticket queues. The excessive reporting leads to a problem of managing timely responses to real phishing attacks. Response times to false positives, spam, and legitimate messages incorrectly reported are also significant factors. Vendors sold phish alert buttons with phishing simulation systems which then became part of more in-depth training systems and later threat management systems. Because of this organic growth, many companies implemented a phish reporting system but did not know that they needed an automation system to manage the resulting influx of tickets. Triage systems can automate a high percentage of these phish alerts, freeing the incident response teams to deal with the genuine threats to the enterprise on a prioritized basis.

  • SANS 2019 State of OT/ICS Cybersecurity Survey Analyst Paper (requires membership in community)
    by Barbara Filkins and Doug Wylie - June 11, 2019 in Industrial Control Systems / SCADA, Security Trends

    In this survey, SANS experts Doug Wylie and Barb Filkins, with advisor and SANS instructor Jason Dely, examine the current state of known and perceived cybersecurity risks, threats and potential impacts to industrial and automation control systems that are applied within the Operational Technology (OT) domain. The survey explores how adeptly we are safeguarding operations and protecting human and company capital from a range of technical and non-technical cybersecurity risks that stem from threats that include malicious and unintentional insiders and outsiders. View the associated infographic here.

  • Mobile A/V: Is it worth it? STI Graduate Student Research
    by Nicholas Dorris - June 5, 2019 in Mobile Security

    In the mid 2010’s, mobile devices such as smartphones and tablets have become ubiquitous with users employing these gadgets for various applications. While this pervasive adoption of mobile devices offers numerous advantages, attackers have leveraged the languid attitude of device owners to secure the owner’s gadgets. The diversity of mobile devices exposes them to a variety of security threats, as the industry lacks a comprehensive solution to protect mobile devices. In a bid to secure their assets and informational resources, individuals and corporations have turned to commercial mobile antivirus software. Most security providers present mobile versions of their PC antivirus applications, which are primarily based on the conventional signature-based detection techniques. Although the signature-based strategy can be valuable in identifying and mitigating profiled malware, it is not as effective in detecting unknown, new, or evolving threats, as it lacks adequate information and signature regarding these infections. Mobile attackers have remained ahead via obfuscation and transformation methods to bypass detection techniques. This paper seeks to ascertain whether current mobile antivirus solutions are effective, in addition to which default Android settings assist in the prevention or mitigation of various malware and their consequences.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.