Online Training Special Offer - Get an iPad Mini 4, Samsung Galaxy Tab A, or $250 Off OnDemand and vLive - Ends 9/27!

Reading Room: Most Popular Papers

SANS eNewsletters

Receive the latest security threats, vulnerabilities, and news with expert commentary

Featuring the 25 most popular papers within the past month as of September 22, 2017

  • Cracking Active Directory Passwords or "How to Cook AD Crack" by Martin Boller - August 23, 2017 in Penetration Testing

    It is too early to write the obituary on passwords, and they are still the most prevalent form of authentication for most corporations. You may be using Multi-Factor Authentication for some users, but there's still a password in use somewhere. Many end-users and IT Pros does not understand the art of creating and maintaining good passwords, and most organizations utilize Active Directory, which stores unsalted passwords using a weak hashing algorithm, further weakening their security. This paper discusses several methods to acquire the password hashes from Active Directory, how to use them in Pass the Hash attacks, and how to crack them, revealing the clear text passwords they represent. It ends with a short discussion on how to report on the password security of the organization tested.


  • Road Map to a Secure, Smart Infrastructure Analyst Paper
    by Barbara Filkins - August 9, 2017 in Security Awareness, Threats/Vulnerabilities

    This paper provides a multifaceted security approach for securing infrastructure systems that are being targeted by attackers and malware.


  • Triaging Alerts with Threat Indicators by Gregory Pickett - August 25, 2017 in Threat Intelligence

    Enterprises see more and more alerts every day. They are continually flooded with alerts, and the numbers keep increasing. Because analysts don't know which ones indicate a genuine threat, they have to be gone through one at a time to find out. With not enough time in the day, some get ignored (Magee, 2017). There just isn't enough time to get to them all. What if analysts could skip over those alerts that aren't a threat and just focus their time on those that are? If they were able to do that, they just might have enough time in the day to get through all of them. The answer to this question is Threat Indicators. Using past behavior, as measured by Threat Indicators, security analysts can determine how likely an adversary in an alert is a threat. Those that are less threatening can then be skipped over in favor of those that are allowing an analyst to get through their alerts much more quickly. It may even be quick enough for them to get through them all. This paper explores the use of Threat Indicators in through both theory and practice. Finally, it will measure its success through its use in the analysis of actual alerts to determine how effective this approach is in identifying threats and through this identification whether or not analysts able to get through their alerts more quickly.


  • The Conductor Role in Security Automation and Orchestration by Murat Cakir - August 22, 2017 in Automation, Incident Handling, Threat Intelligence

    Security Operations Centers (SOCs) are trying to handle hundreds of thousands of events per day and automating any part of their daily routines is considered helpful. Ultimately fast creation of malware variants produces different Indicators of Compromise (IOCs) and automated tasks should adapt themselves accordingly. This paper describes the possible use of automation at Threat Hunting, Identification, Triage, Containment, Eradication and Recovery tasks and phases of Incident Handling along with practical examples. Also describes how they can fail or can be systematically forced to fail when orchestration is missing. Orchestration should not only cover dynamic selection of proper paths for handling of specific tasks, but should also provide circumstantial evidence while doing that. Finally, there should be a Conductor who should know "when and how to use the baton" to accept, modify or reject any part of the automated flow.


  • A Practical Example of Incident Response to a Network Based Attack STI Graduate Student Research
    by Gordon Fraser - August 16, 2017 in Incident Handling

    A commonly accepted Incident Response (IR) process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. This paper examines this process in the context of a practical working example of a network based attack. It begins with the identification of a potential incident, followed by the detailed analysis of the network traffic to reconstruct the actions of the attacker, and leads up to determining indicators of compromise that can be used to identify other victims. This paper provides a practical example of responding to a network based incident.


  • The Efficiency of Context: Review of WireX Systems Incident Response Platform Analyst Paper
    by Jerry Shenk - September 5, 2017 in Incident Handling

    WireX Systems officials think they have found the way to slash the time it takes to spot an intruder by making it easier for mere mortals to read and understand network traffic and identify early signs of a breach. Contextual Capture, a key feature of the WireX Network Forensics Platform, is designed to turn every SOC member into a valuable analyst by providing easy-to-use forensics history (for periods of months) using a unique and intuitive query interface. WireX NFP also creates investigation workflows that can be used by the entire security team to accelerate alert validation and incident response.


  • Basic NGIPS Operation and Management for Intrusion Analysts by Mike Mahurin - August 15, 2017 in Intrusion Detection, Intrusion Prevention, Network Security

    Next Generation Intrusion Prevention Systems (NGIPS) are often referred to as the panacea to modern malware, network intrusion, advanced persistent threat, and application control for complex modern applications. Many vendors position these products in a way that minimizes the value of tuning and intrusion analysis to get the optimum security capability of the solution. This paper will provide a guide for how to maximize the capabilities of these technologies by providing a basic framework on how to effectively manage, tune, and augment a NGIPS solution with Open Source tools.


  • Sensitive Data at Risk: The SANS 2017 Data Protection Survey Analyst Paper
    by Barbara Filkins - September 5, 2017 in Data Protection, Threats/Vulnerabilities

    Ransomware, insider threat and denial of service are considered the top threats to sensitive data by respondents to the 2017 SANS Data Protection Survey. User credentials and privileged accounts represented the most common data types involved in these breaches reported in the survey, spotlighting the fact that access data is prized by attackers. The experiences of respondents with compromised data provide valuable lessons for security professionals.


  • 2017 Threat Landscape Survey: Users on the Front Line Analyst Paper
    by Lee Neely - August 14, 2017 in Clients and Endpoints, Threats/Vulnerabilities

    Endpoints-and the users behind them-are on the front lines of the battle: Together they represent the most significant entry points for attackers obtaining a toehold into the corporate network. Users are also the best detection tool organizations have against real threats, according to the 2017 SANS Threat Landscape survey. Read on for more detail on the types of attacks occurring and their impact on organizations and their security.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Packet Capture on AWS STI Graduate Student Research
    by Teri Radichel - August 14, 2017 in Cloud Computing, Intrusion Detection, Network Security

    Companies using AWS (Amazon Web Services) will find that traditional means of full packet capture using span ports is not possible. As defined in the AWS Service Level Agreement, Amazon runs certain aspects of the cloud platform and does not give customers access to physical networking hardware. Although access to physical network equipment is limited, packet capture is still possible on AWS but needs to be architected in a different way. Instead of using span ports, security professionals can leverage the software that runs on top of the cloud platform. The tools and services provided by AWS may facilitate more automated, cost-effective, scalable packet capture solutions for some companies when compared to traditional data center approaches.


  • Defending Against the Wrong Enemy: 2017 SANS Insider Threat Survey Analyst Paper
    by Eric Cole - July 31, 2017 in Security Awareness, Threats/Vulnerabilities

    It is easy, while evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, to conclude that external attacks should be the primary focus of defense. This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage. This survey highlights the importance of managing internal threats as the key to winning at cyber security.


  • Complement a Vulnerability Management Program with PowerShell STI Graduate Student Research
    by Colm Kennedy - August 10, 2017 in Security Awareness, Management & Leadership

    A vulnerability management program is a critical task that all organizations should be running. Part of this program involves the need to patch systems regularly and to keep installed software up to date. Once a vulnerability program is in place organizations need to remediate discovered vulnerabilities quickly. Occasionally some discovered vulnerabilities are false positives. The problem with false positives is that manually vetting them is time-consuming. There are tools available, which assist in showing what patches may be missing, like SCCM, but can be rather costly. For organizations concerned that these types of programs hurt their budgets, there are free options available. PowerShell is free software that, if utilized, can complement an organization's vulnerability management program by assisting in scanning for unpatched systems. This paper presents a PowerShell script that provides Administrators with further insight into what systems are unpatched and streamlines investigations of possible false positives, with no additional cost.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • Offensive Intrusion Analysis: Uncovering Insiders with Threat Hunting and Active Defense STI Graduate Student Research
    by Matthew Hosburgh - July 21, 2017 in Intrusion Detection, Intrusion Prevention, Threat Hunting

    Today's adversaries are advanced and more capable than ever before. Passive defensive tactics are no longer viable for pursuing these attackers. To compound the issue, the existence of an insider threat creates a challenging problem for the passive defender. One of the largest breaches of classified information was carried out by an insider. Months after the incident had occurred, the Department of Defense (DoD) only began to realize the implications of the leak. The damage did not solely rest with the United States. A cascade of consequences was felt in many parts of the world, resulting from this breach. Techniques like Threat Hunting, attempt to diminish this problem by combating advanced threats with people, also known as Threat Hunters. Although Threat Hunting is proving to be invaluable for many organizations there remains a chasm between detection and disclosure. Offensive Countermeasure tools such as the Web Bug Server and Molehunt can be leveraged as a means to proactively hunt insider threats. To keep up with the continually evolving human adversary, defenders must employ these offensive tactics to annoy and attribute their adversaries.


  • Building a World-Class Security Operations Center: A Roadmap Analyst Paper
    by Alissa Torres - April 15, 2015 
    • Sponsored By: RSA

    Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.


  • A Technical Approach at Securing SaaS using Cloud Access Security Brokers STI Graduate Student Research
    by Luciana Obregon - September 6, 2017 in Cloud Computing

    The adoption of cloud services allows organizations to become more agile in the way they conduct business, providing scalable, reliable, and highly available services or solutions for their employees and customers. Cloud adoption significantly reduces total cost of ownership (TCO) and minimizes hardware footprint in data centers. This paradigm shift has left security professionals securing abstract environments for which conventional security products are no longer effective. The goal of this paper is to analyze a set of cloud security controls and security deployment models for SaaS applications that are purely technical in nature while developing practical applications of such controls to solve real-world problems facing most organizations. The paper will also provide an overview of the threats targeting SaaS, present use cases for SaaS security controls, test cases to assess effectiveness, and reference architectures to visually represent the implementation of cloud security controls.


  • Using IOC (Indicators of Compromise) in Malware Forensics by Hun-Ya Lock - April 17, 2013 in Forensics, Incident Handling, Malicious Code

    In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.


  • HL7 Data Interfaces in Medical Environments: Attacking and Defending the Achille's Heel of Healthcare STI Graduate Student Research
    by Dallas Haselhorst - September 12, 2017 in HIPAA, Encryption & VPNs

    On any given day, a hospital operating room can be chaotic. The atmosphere can make one’s head spin with split-second decisions. In the same hospital environment, medical data also whizzes around, albeit virtually. Beyond the headlines involving medical device insecurities and hospital breaches, healthcare communication standards are equally as insecure. This fundamental design flaw places patient data at risk in nearly every hospital worldwide. Without protections in place, a hospital visit today could become a patient’s worst nightmare tomorrow. Could an attacker collect the data and sell it to the highest bidder for credit card or tax fraud? Or perhaps they have far more malicious plans such as causing bodily harm? Regardless of their intentions, healthcare data is under attack and it is highly vulnerable. This research focuses on attacking and defending HL7, the unencrypted and unverified data standard used in healthcare for nearly all system-to-system communications.


  • Securing Industrial Control Systems-2017 Analyst Paper
    by Bengt Gregory-Brown - July 11, 2017 in Industrial Control Systems / SCADA

    We annually gather and analyze raw data from hundreds of IT and industrial control systems (ICS) security practitioners. Our mission is to turn these inputs into actionable intelligence to support new developments and address trends in the field to inform the crucial business decisions. Here we report on these trends and other changes that make active use of ICS as a core enabler for business imperatives and provide actionable advice for today's security practitioners.


  • Artificial Intelligence and Law Enforcement by John Wulff - August 21, 2017 in Threat Intelligence

    After the 9/11 terrorist attacks against the United States, law enforcement, and intelligence communities began efforts to combine their talents and information gathering assets to create an efficient method for sharing data. The central focus of these cooperative efforts for information dissemination was State Fusion Centers, tasked with collecting data from several database sources and distributing that information to various agencies. This vast amount of intelligence data eventually overwhelmed the investigative organizations. The use of Artificial Intelligence (AI) is the preferred technology for analyzing data to recognize behavioral patterns and create a method for the sharing of data in the fight against crime and terrorism. AI can analyze threat data and historical information and then create attack hypotheses for predicting when and where crimes will be committed. The use of AI can directly affect the cost of operations. Criminal activity locations can be predicted by AI so equipment and personnel can be directed to those areas to prevent those events from occurring. Financial resources must be allocated to allow for the development and testing of these applications so that the options available to law enforcement and the intelligence communities can be increased.


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    `A lot of currently available penetration testing resources lack report writing methodology and approach which leads to a very big gap in the penetration testing cycle. Report in its definition is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report Writing is a crucial part for any service providers especially in IT service/ advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at major electronics firm Said "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying that in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)


  • Scoping Security Assessments - A Project Management Approach by Ahmed Abdel-Aziz - June 7, 2011 in Auditing & Assessment, Security Awareness, Security Basics, Management & Leadership, Security Policy Issues, Protocols

    Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.