Get unparalleled cyber security training from industry leaders in Santa Monica. Save $200 thru 9/18.

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,920 original computer security white papers in 110 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Exploring Osquery, Fleet, and Elastic Stack as an Open-source solution to Endpoint Detection and Response STI Graduate Student Research
    by Christopher Hurless - September 10, 2019 in Intrusion Detection

    Endpoint Detection and Response (EDR) capabilities are rapidly evolving as a method of identifying threats to an organization's computing environment. Global research and advisory company, Gartner defines EDR as: "Solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems" (Gartner, 2019). This paper explores the feasibility and difficulty of using open-source tools as a practical alternative to commercial EDR solutions. A business with sufficiently mature Incident Response (IR) processes might find that building an EDR solution “in house” with open-source tools provides both the knowledge and the technical capability to detect and investigate security incidents. The required skill level to begin using and gaining value from these tools is relatively low and can be acquired during the build process through problem deconstruction and solution engineering.


  • A New Needle and Haystack: Detecting DNS over HTTPS Usage STI Graduate Student Research
    by Drew Hjelm - September 10, 2019 in DNS Issues

    Encrypted DNS technologies such as DNS over HTTPS (DoH) give users new means to protect privacy while using the Internet. Organizations will face new obstacles for monitoring network traffic on their networks as users attempt to use encrypted DNS. First, the paper presents several tests to perform to detect encrypted DNS using endpoint tools and network traffic monitoring. The goal of this research is to present several controls that organizations can implement to prevent the use of encrypted DNS on enterprise networks.


  • How to Build a Threat Detection Strategy in Amazon Web Services (AWS) Analyst Paper (requires membership in SANS.org community)
    by David Szili - September 10, 2019 in Cloud Computing, Threat Hunting

    Threat detection and continuous security monitoring in the cloud must integrate traditional on-premises system monitoring with the cloud network infrastructure and cloud management plane. A successful, cloud-based threat detection strategy will collect data from systems, networks and the cloud environment in a central platform for analysis and alerting. This paper describes how to build a threat detection strategy that automates common tasks like data collection and analysis.


  • Success Patterns for Supply Chain Security Analyst Paper (requires membership in SANS.org community)
    by John Pescatore - September 9, 2019 in Best Practices, Security Trends

    Many CISOs report that supply chain security is one of their top challenges. Supply chain attacks are on the rise, and the high financial impact of these attacks has increased CEO, board of director, and regulatory/auditor attention to supply chain security. In this whitepaper, John Pescatore, SANS Director of Emerging Security Trends, provides recommendations and guidance in addressing these concerns.


  • Changing the DevOps Culture One Security Scan at a Time STI Graduate Student Research
    by Jon-Michael Lacek - August 28, 2019 in Securing Code

    Information Security has always been considered a roadblock when it comes to project management and execution. This mentality is even further solidified when discussing Information Security from a DevOps perspective. A fundamental principle of a DevOps lifecycle is a development and operations approach to delivering a product that supports automation and continuous delivery. When an Information Technology (IT) Security team has to manually obtain the application code and scan it for vulnerabilities each time a DevOps team wants to perform a release, the goals of DevOps can be significantly impacted. This frequently leads to IT Security teams and their tools being left out of the release management lifecycle. The research presented in this paper will demonstrate that available pipeline plugins do not introduce significant delays into the release process and are able to identify all of the vulnerabilities detected by traditional application scanning tools. The art of DevOps is driving organizations to produce and release code at speeds faster than ever before, which means that IT Security teams need to figure out a way to insert themselves into this practice.


  • Container-Based Networks: Lowering the TCO of the Modern Cyber Range STI Graduate Student Research
    by Bryan Scarbrough - August 26, 2019 in Penetration Testing

    The rapid pace and ever-changing environment of cybersecurity make it difficult for companies to find qualified individuals, and for those same individuals to receive the training and experience they need to succeed. Some are fortunate enough to use cyber ranges for training and proficiency testing, but access is often limited to company employees. Limited access to cyber ranges precludes outsiders or newcomers from learning the skills necessary to meet the ever-growing demand for cybersecurity professionals. There have been several open-sourced initiatives such as Japan's Cybersecurity Training and Operation Network Environment (CyTrONE), and the University of Rhode Island's Open Cyber Challenge Platform (OCCP), but they require significant hardware to support. The average security professional needs a cyber range environment that replicates real-world Internet topologies, networks, and services, but operates on affordable equipment.


  • Cyber Protectionism: Global Policies are Adversely Impacting Cybersecurity STI Graduate Student Research
    by Erik Avery - August 21, 2019 in Risk Management

    Cyber Protectionist policies are adversely impacting global cybersecurity despite their intent to mitigate threats to national security. These policies threaten the information security community by generating effects which increase the risk to the networks they are intended to protect. International product bans, data-flow restrictions, and increased internet-enabled crime are notable results of protectionist policies – all of which may be countered through identifying protectionist climates and subsequent threat. Analyzed historical evidence facilitates a metrics-based comparison between protectionist climate and cybersecurity threats to comprise the Cyber Protectionist Risk Matrix - a risk framework that establishes a new cybersecurity industry standard.


  • JumpStart Guide for SIEM in AWS Analyst Paper (requires membership in SANS.org community)
    by J. Michael Butler - August 20, 2019 in Cloud Computing

    This paper explores the needs, implementation options, capabilities, and various considerations for organizations looking to implement SIEM/SOAR capabilities in Amazon Web Services (AWS). The paper compares the integration of SIEM and SOAR in the cloud environment to on-premises use. Suggestions for planning SIEM and SOAR integration into an AWS cloud environment also included.


  • Effectively Addressing Advanced Threats Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 19, 2019 in Security Trends, Threats/Vulnerabilities

    As security professionals well know, the wave of advanced threats never stops, and organizations are increasingly challenged in dealing with the onslaught. But not all threats are created equal. How do you identify the most critical and deal with those? In this survey, we asked the security community to share what advanced threats their organizations are facing and how they're allocating resources and technology.

    Register now for the associated webcast at 1 p.m. Eastern on Wednesday September 25, 2019: https://register.gotowebinar.com/register/6150616769136423937


  • Better Security Using the People You Have Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 13, 2019 in Security Awareness, Security Trends

    Is your organization making optimal use of technology and processes to support the people you currently have? Because, if not, there is more work to do-and it doesn't involve hiring more people. This paper looks at the people, process and technology trifecta to identify weak points in your security. Compensate for deficiencies, maximize the resources you have, and prepare for future security threats. Get tips on how to empower your employees and help them grow their skills relative to the sophistication of today's security challenges.


  • Device Visibility and Control: Streamlining IT and OT Security with Forescout Analyst Paper (requires membership in SANS.org community)
    by Don Murdoch - August 12, 2019 in Network Access Control, Clients and Endpoints

    Forescout's latest iteration of its eponymous platform builds on the product's long-standing reputation for handling network admission controls, and adds multifaceted IT/OT network device visibility and control. In this review, SANS analyst and instructor Don Murdoch delves deep into how Forescout can help organizations gain greater visibility into the devices on the network, through device discovery, auto classification, risk assessment and automating security controls.


  • SANS 2019 Incident Response (IR) Survey: It's Time for a Change Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 31, 2019 in Incident Handling, Security Trends

    The 2019 SANS Incident Response (IR) survey provides insight into the integration of IR capabilities to identify weak spots and best practices for improving IR functions and capabilities. In this survey paper, senior SANS instructor and IR expert Matt Bromiley explores what types of data, tools and information are key to investigations of an incident; the state of budget and staffing for IR; maturity of IR processes; impediments to IR implementations and plans for improvement; and more. The report also includes actionable advice for improving organizational IR practices.


  • ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis STI Graduate Student Research
    by Andy Piazza - July 29, 2019 in Threat Intelligence

    Risk management is a principal focus for most information security programs. Executives rely on their IT security staff to provide timely and accurate information regarding the threats and vulnerabilities within the enterprise so that they can effectively manage the risks facing their organizations. Threat intelligence teams provide analysis that supports executive decision-makers at the strategic and operational levels. This analysis aids decision makers in their commission to balance risk management with resource management. By leveraging the MITRE Adversarial Tactics Techniques & Common Knowledge (ATT&CK) framework as a quantitative data model, analysts can bridge the gap between strategic, operational, and tactical intelligence while advising their leadership on how to prioritize computer network defense, incident response, and threat hunting efforts to maximize resources while addressing priority threats.


  • How to Protect Enterprise Systems with Cloud-Based Firewalls Analyst Paper (requires membership in SANS.org community)
    by Kevin Garvey - July 26, 2019 in Cloud Computing, Firewalls & Perimeter Protection

    Deploying WAFs and firewalls in the cloud saves security teams valuable time as they rely on the cloud to automate many tasks. This paper identifies key considerations in using cloud-based firewalls to protect your enterprise, including network logging, IDS/IPS, authentication and inspection. This paper also covers advanced firewalls features like behavioral threat detection, next-gen analytics and customized rules. A comprehensive use case serves as an essential how-to for making it all work.


  • JumpStart Guide for Cloud-Based Firewalls in AWS Analyst Paper (requires membership in SANS.org community)
    by Brian Russell - July 24, 2019 in Cloud Computing, Firewalls & Perimeter Protection

    This guide examines options for implementing firewalls within the Amazon Web Services (AWS) Cloud. It examines the needs and capabilities associated with today’s firewall and threat prevention services and details general, technical and operational considerations when choosing these products. The guide concludes by examining AWS-specific considerations and recommending a plan of action for organizations considering the purchase of cloud-based firewalls.


  • Bye Bye Passwords: New Ways to Authenticate Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 23, 2019 in Authentication, Security Trends

    The "passwordless movement" is upon us! This paper addresses ways to change password handling and implement more secure authentication It examines the problem of passwords and password mismanagement, and provides tips and suggestions for increasing your organization's account security using modern industry standards.


  • Are Your Security Controls Yesterday’s News? Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 18, 2019 in Security Awareness, Threats/Vulnerabilities

    This spotlight paper, one of a two-part series, looks at just how successful an organization can expect to be if it's using old news, limited scope or "cookie-cutter" vulnerability scans as a way to assess its environment. SANS believes security control testing needs to improve significantly to emulate actual--not hypothetical--threats to an organization.
    The second spotlight (coming in October 2019) will focus on the input SANS received from a recent poll that gathered opinions from the SANS community on this topic.


  • Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey Analyst Paper (requires membership in SANS.org community)
    by Chris Crowley and John Pescatore - July 9, 2019 in Security Trends, SOC

    In this survey, senior SANS instructor and course author Christopher Crowley, along with advisor and SANS director of emerging technologies John Pescatore, provide objective data to security leaders who are looking to establish a SOC or optimize an existing one. This report captures common and best practices, provides defendable metrics that can be used to justify SOC resources to management, and highlights the key areas that SOC managers should prioritize to increase the effectiveness and efficiency of security operations.


  • Attackers Inside the Walls: Detecting Malicious Activity STI Graduate Student Research
    by Sean Goodwin - July 2, 2019 in Intrusion Detection

    Small and medium-sized businesses (SMBs) do not always have the budget for an advanced intrusion detection system (IDS) technology. Open-source software can fill this gap, but these free solutions may not provide full coverage for known attacks, especially once the attacker is inside the perimeter. This paper investigates the IDS capabilities of a stand-alone Security Onion device when combined with built-in event logging in a small Windows environment to detect malicious actors on the internal network.


  • Building Cloud-Based Automated Response Systems STI Graduate Student Research
    by Mishka McCowan - July 2, 2019 in Cloud Computing

    When moving to public cloud infrastructures such as Amazon Web Services (AWS), organizations gain access to tools and services that enable automated responses to specific threats. This paper will explore the advantages and disadvantages of using native AWS services to build an automated response system. It will examine the elements that organizations should consider including developing the proper skills and systems that are required for the long-term viability of such a system.


  • Leveraging the PE Rich Header for Static Malware Detection and Linking by Maksim Dubyk - July 1, 2019 in Reverse Engineering Malware

    An ever-increasing number of malware samples are identified and assessed daily. Malware researchers have the difficult mission of classifying and grouping these malware specimens. Defenders must not only judge if a file is malicious or benign, but also determine how a file may relate to other groupings of known samples. The static comparison of file and file-format based properties are often utilized to execute this objective at scale. This paper builds upon previously identified Windows’ portable executable (PE) static comparison techniques through the exploration of the undocumented PE Rich header. The Rich header is a PE section that serves as a fingerprint of a Windows’ executable’s build environment. This under-utilized wealth of information can provide value to defenders in support of classifying and associating PE-based malware. This paper explores how to extract the details hidden in the Rich header and how they might be exploited to link and classify malware samples. In addition, this paper evaluates how the static linking of PE rich header sections compare to traditional static PE linking techniques.


  • How to Build an Endpoint Security Strategy in AWS Analyst Paper (requires membership in SANS.org community)
    by Thomas J. Banasik - June 27, 2019 in Clients and Endpoints, Cloud Computing

    Endpoint security is the cornerstone of any successful cloud migration. This paper details how to build an endpoint security strategy that uses a defense-in-depth architecture to protect cloud assets, as well as implement key endpoint security capabilities such as EDR, UEBA and DLP solutions. It also explains synchronization with AWS services for a comprehensive view that increases visibility when combatting threats.


  • Why Traditional EDR Is Not Working - and What to Do About It Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - June 27, 2019 in Clients and Endpoints

    EDR, or endpoint detection and response, promises to revolutionize the way security analysts neutralize attacks. Unfortunately, EDR has not always lived up to the promised hype. This paper examines the challenges of traditional EDR platforms, and suggests what you can do to overcome them for effective EDR implementation. Paper includes a checklist of considerations for selecting and deploying an EDR platform.


  • Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths STI Graduate Student Research
    by Brianne Fahey - June 26, 2019 in Logging Technology and Techniques, Tools

    Preparations made during the Identify Function of the NIST Cybersecurity Framework can often pay dividends once an event response is warranted. Knowing what log data is available improves incident response readiness and providing a visual layout of those sources enables responders to pivot rapidly across relevant elements. Thinking in graphs is a multi-dimensional approach that improves upon defense that relies on one-dimensional lists and two-dimensional link analyses. This paper proposes a methodology to survey available data element relationships and apply a graph database schema to create a visual map. This graph data map can be used by analysts to query relationships and determine paths through the available data sources. A graph data map also allows for the consideration of log sources typically found in a SIEM alongside other data sources like an asset management database, application whitelist, or HR information which may be particularly useful for event context and to review potential Insider Threats. The templates and techniques described in this paper are available in GitHub for immediate use and further testing.


  • Building and Maturing Your Threat Hunting Program Analyst Paper (requires membership in SANS.org community)
    by David Szili - June 24, 2019 in Threat Hunting

    Building an effective threat hunting program can be daunting. This paper addresses how to get started and covers building a team, what a typical hunt might look like and constructing a knowledge base for later use. It also covers how to create a test lab and use effective metrics.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.