Reading Room: Most Popular Papers

Featuring the 25 most popular papers within the past month as of April 4, 2020

  • Learning from the Dridex Malware - Adopting an Effective Strategy by Lionel Teo Jia Yeong - October 29, 2015 in Intrusion Detection

    Dridex malware first surfaced in the third quarter of 2014 (Olson, 2014), specifically targeting companies in the financial and banking industry.


  • Logfile Analysis: Identifying a Network Attack by Michael Fleming - July 21, 2001 in Intrusion Detection

    Although all parts of the backup strategy are equally important, this paper will focus on the backup script and will detail a flexible backup script that uses built-in Solaris software tools which create a reliable local backup of a Solaris machine running Oracle.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Incident Response in a Zero Trust World STI Graduate Student Research
    by Heath Lawson - February 27, 2020 in Incident Handling

    Zero Trust Networks are a new security model that enables organizations to provide continuously verified access to assets, and they are becoming more common as organizations adopt cloud resources (Rose, S., Borchert, O., Mitchell, S., & Connelly, S., 2019). This new model enables organizations to achieve much tighter control over access to their resources by using a variety of signals that provide great insight to validate access requests. As this approach is increasingly adopted, incident responders must understand how Zero Trust Networks can enhance their existing processes. This paper provides a comparison of incident response capabilities in Zero Trust Networks compared to traditional perimeter-centric models, and guidance for incident responders tasked with managing incidents using this new paradigm.


  • Preventing Living off the Land Attacks STI Graduate Student Research
    by David Brown - March 5, 2020 in Penetration Testing

    Increasingly, attackers are relying on trusted Microsoft programs to carry out attacks against individuals and organizations (Symantec, 2017). The software typically comes installed by default in Windows and is often required for the essential functionality of the operating system. These types of attacks are called “living off the land,” and they can be challenging to detect and prevent. This paper examines the viability of using Microsoft AppLocker to thwart living off the land attacks without impacting the legitimate operating system and administrative use of the underlying Microsoft programs.


  • Physical Security and Why It Is Important by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • The OSI Model: An Overview by Rachelle Miller - September 13, 2001 in Standards

    This paper provides an overview of the Open Systems Interconnection (OSI) reference model which defines a hierarchical architecture that logically partitions the functions required to support system-to-system communication.



  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Case Study: Critical Controls that Could Have Prevented Target Breach STI Graduate Student Research
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out that 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).


  • Tracking Malware With Public Proxy Lists by James Powers - January 27, 2011 in Malicious Code, Tools

    The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).


  • Automated Detection and Disinfection of Ransomware Attacks using Roadblock Software by Hemant Kumar - March 18, 2020 in Reverse Engineering Malware

    We often hear about ransomware locking data and demanding a ransom. Ransomware is a kind of malware that prohibits users from accessing their system or files and mostly requires a ransom payment to regain access. This results in data loss, downtime, lost productivity, and reputational harm. Financial losses from ransomware attacks are predicted to exceed $11.5 billion in 2019, with ransomware attacks on businesses every 14 seconds. The extent and complexity of ransomware are advancing at a high rate. Malware authors utilize several sophisticated techniques to evade current security defenses, and all the encryption happens in less than a minute. So, there is a need to develop automated software that detects various kinds of ransomware without depending on the signature of the malware, and that can also disinfect the live system against various kinds of ransomware attacks in under a minute, thus containing the infection from spreading to other systems. The software should also notify the incident response team of the detected ransomware attacks and their IOCs so that they can further protect the organization from a similar type of attack. Roadblock software solves this problem by detecting various kinds of ransomware attacks and disinfecting the system without any need for a reboot in less than a minute. It leads to no data loss, no downtime, no lost productivity, and no reputational harm. The disinfection process is not dependent on malware signatures or malware coding, and it works by performing fast and deep forensics of the system that is pre-installed with Roadblock, so that it can detect new ransomware variants.


  • Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response by Gordon Fraser - September 21, 2016 in Forensics

    A commonly accepted Incident Response process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Preparation is key. It sets the foundation for a successful incident response. The incident responder does not want to be trying to figure out where to collect the information necessary to quickly assess the situation and to respond appropriately to the incident. Nor does the incident responder want to hope that the information he needs is available at the level of detail necessary to most effectively analyze the situation so he can make informed decisions on the best course of action. This paper identifies artifacts that are important to support network forensics during incident response and discusses an architecture and implementation for a home lab to support the collection of them. It then validates the architecture using an incident scenario.


  • “Is there a Yelp for Ransomware?” Incident response planning that doesn’t rely on Plan B by Matt Freeman - August 1, 2016 in Acceptable Use

    What if there was a service that could classify the impact of each variant of ransomware?


  • Women in Cybersecurity: Spanning the Career Life Cycle Analyst Paper (requires membership in SANS.org community)
    by Heather Mahalik - March 16, 2020 in Management & Leadership, Security Trends

    In this paper, survey author and SANS instructor Heather Mahalik explores key results of our survey of successful women in varied roles within the cybersecurity community and draws on experiences of such women to provide practical advice to women all along their career life cycle.


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - March 17, 2020 in Intrusion Detection, Threat Hunting

    Deception technologies significantly improve security teams' capabilities to quickly and accurately detect attackers that intentionally avoid looking malicious. But how do these cyber technologies work to address key security concerns? This paper explores how to collect threat intelligence and attack attribution information associated with malicious behaviors that fly under the radar in an attempt to carry out Active Directory and ransomware attacks, phishing and credential hijacking, vulnerable applications, and more.


  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 in Intrusion Detection, Incident Handling, Intrusion Prevention, Penetration Testing, Threats/Vulnerabilities

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malware (Rut15), their tactics, techniques, and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users' computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.


  • Unix-style approach to web application testing by Andras Veres-Szentkiralyi - February 27, 2020 in Penetration Testing

    Web application testers of our time have lots of tools at their disposal. Some of these offer the option to be extended in ways the original developers did not think of, thus making their tool more useful. However, developing extensions or plugins has entry barriers in the form of fixed costs, boilerplate, et cetera. At the same time, many problems already have a solution designed as a smaller standalone program, which could be combined in the Unix fashion to produce a useful complex tool quickly and easily. In this paper, a (meta)solution is introduced for this integration problem by lowering the entry barriers, and several examples are offered that demonstrate how it saved time in web application assessments.


  • Detecting and Preventing Unauthorized Outbound Traffic by Brian Wippich - October 29, 2007 in Intrusion Detection

    This paper will describe some of the risks associated with outbound traffic, methods for securing this traffic, techniques for circumventing these controls, and methods for detecting and preventing these techniques. There is no way to eliminate all risk associated with outbound traffic short of closing all ports. However, a good understanding of these risks should allow you to make informed decisions on securing this traffic.


  • Vulnerabilities on the Wire: Mitigations for Insecure ICS Device Communication STI Graduate Student Research
    by Michael Hoffman - February 12, 2020 in Industrial Control Systems / SCADA

    Modbus TCP and other legacy ICS protocols ported over from serial communications are still widely used in many ICS verticals. Due to extended operational ICS component life, these protocols will be used for many years to come. Insecure ICS protocols allow attackers to potentially manipulate PLC code and logic values that could lead to disrupted critical system operations. These protocols are susceptible to replay attacks and unauthenticated command execution (Bodungen, Singer, Shbeeb, Hilt, & Wilhoit, 2017). This paper examines the viability of deploying PLC configuration modifications, programming best practices, and network security controls to demonstrate that it is possible to increase the difficulty for attackers to maliciously abuse ICS devices and mitigate the effects of attacks based on insecure ICS protocols. Student kits provided in SANS ICS515 and ICS612 courses form the backdrop for testing and evaluation of ICS protocols and device configurations.


  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 in Automation, Incident Handling, Malicious Code

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment.


  • Preparing to face new vulnerabilities by Jacelyn Faucher - June 25, 2008 in Security Basics

    This document illustrates the benefit of being prepared to deal with new vulnerabilities. We don't really know when that's going to happen, but it will. Let's look at a typical scenario: Monday morning, panic is in the air. The boss heard about the existence of a big new vulnerability on the radio on his way to work.


  • Detecting and Preventing Anonymous Proxy Usage STI Graduate Student Research
    by John Brozycki - November 6, 2008 in Intrusion Detection

    This paper explores methods organizations may use to detect and prevent anonymous proxy usage.
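The Long paper above ("Disrupting the Empire") lists artifacts defenders can look for in PowerShell Empire HTTP command and control. As an added illustration that is not part of that paper or of the Empire project, the script below triages constructed web-proxy log lines for two such signals: requests matching Empire's shipped default listener profile (URIs `/admin/get.php`, `/news.php`, `/login/process.php` and the Internet Explorer 11 User-Agent string it uses by default) and, independently of any profile, the low-jitter periodicity of a beacon. The log format, hosts and addresses are assumptions made up for the example; operators routinely change the default profile, so the regularity score is there precisely for the case where the string matches fail.

```python
"""
Added example (not from Long's paper or the Empire project): triage proxy log
lines for HTTP beaconing that matches PowerShell Empire's stock listener
profile, plus a profile-independent beacon-regularity check.
The log lines below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Empire's shipped default http listener profile. Operators change these, so a
# match is a strong indicator but never the only one to rely on.
EMPIRE_DEFAULT_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_DEFAULT_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; "
                     "rv:11.0) like Gecko")

# Constructed, tab-separated proxy log: time, client, method, host, uri, user-agent.
# 10.1.2.3 beacons to 203.0.113.7 roughly every 5 s; 10.1.2.9 browses normally.
SAMPLE_LOG = """\
2020-03-02T09:00:00\t10.1.2.3\tGET\t203.0.113.7\t/admin/get.php\t{ua}
2020-03-02T09:00:01\t10.1.2.9\tGET\twww.example.com\t/index.html\tMozilla/5.0 Chrome/80.0
2020-03-02T09:00:03\t10.1.2.9\tGET\twww.example.com\t/js/app.js\tMozilla/5.0 Chrome/80.0
2020-03-02T09:00:05\t10.1.2.3\tGET\t203.0.113.7\t/news.php\t{ua}
2020-03-02T09:00:10\t10.1.2.3\tGET\t203.0.113.7\t/login/process.php\t{ua}
2020-03-02T09:00:16\t10.1.2.3\tGET\t203.0.113.7\t/admin/get.php\t{ua}
2020-03-02T09:00:20\t10.1.2.3\tGET\t203.0.113.7\t/news.php\t{ua}
2020-03-02T09:00:25\t10.1.2.3\tGET\t203.0.113.7\t/admin/get.php\t{ua}
2020-03-02T09:00:40\t10.1.2.9\tGET\twww.example.com\t/about\tMozilla/5.0 Chrome/80.0
2020-03-02T09:02:10\t10.1.2.9\tGET\twww.example.com\t/contact\tMozilla/5.0 Chrome/80.0
""".format(ua=EMPIRE_DEFAULT_UA)


def parse_line(line):
    """Split one constructed log line into a record with a parsed timestamp."""
    ts, client, method, host, uri, ua = line.split("\t")
    return {"time": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "uri": uri, "ua": ua}


def score_sessions(lines, min_requests=4, max_cv=0.25):
    """Group requests by (client, host) and flag sessions that match the default
    Empire profile or show beacon-like regularity (coefficient of variation of
    inter-request gaps at or below max_cv). Returns a list of findings."""
    sessions = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            sessions[(rec["client"], rec["host"])].append(rec)

    findings = []
    for (client, host), recs in sessions.items():
        recs.sort(key=lambda r: r["time"])
        reasons = []
        if any(r["uri"] in EMPIRE_DEFAULT_URIS for r in recs):
            reasons.append("default_empire_uri")
        if any(r["ua"] == EMPIRE_DEFAULT_UA for r in recs):
            reasons.append("default_empire_user_agent")
        if len(recs) >= min_requests:
            gaps = [(b["time"] - a["time"]).total_seconds()
                    for a, b in zip(recs, recs[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_cv:
                reasons.append("regular_beacon~%ds" % round(avg))
        if reasons:
            findings.append({"client": client, "host": host,
                             "requests": len(recs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in score_sessions(SAMPLE_LOG.splitlines()):
        print(finding)
```

The default User-Agent is a genuine IE11 string, so on its own it is noisy in any environment that still runs Internet Explorer; the URI set and the regularity score are what make the combination actionable. Tune `max_cv` upward if the listener in your environment is configured with large jitter.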

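The Hoffman paper above ("Vulnerabilities on the Wire") states that Modbus TCP is susceptible to replay attacks and unauthenticated command execution, and that network security controls can raise the bar. As an added illustration that is not taken from that paper or from the SANS ICS course kits, the code below builds and parses a Modbus/TCP Write Single Register request so the absence of any authentication or freshness field is visible, shows that a byte-for-byte replay parses to the identical request, and applies the kind of source allowlist a firewall or IDS in front of a PLC could enforce on state-changing function codes. Frames, addresses and the allowlist are constructed for the example.

```python
"""
Added example (not from Hoffman's paper): a Modbus/TCP write request carries no
authentication and no freshness value, so a captured write can be replayed
verbatim; the only usable discriminator is where the frame comes from, which is
what a source allowlist at a network control point checks. Frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change PLC state; reads (1-4) are deliberately not listed.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int   # only pairs responses with requests; no replay protection
    unit_id: int
    function_code: int
    address: Optional[int]
    value: Optional[int]


def build_write_single_register(transaction_id: int, unit_id: int,
                                address: int, value: int) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU (fc 6)."""
    pdu = struct.pack(">BHH", 6, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_request(raw: bytes) -> ModbusRequest:
    """Parse the MBAP header and, for the single-write functions, address/value."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(raw) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = raw[7]
    address = value = None
    if fc in (5, 6) and len(raw) >= 12:
        address, value = struct.unpack(">HH", raw[8:12])
    elif fc in (15, 16) and len(raw) >= 10:
        address = struct.unpack(">H", raw[8:10])[0]
    return ModbusRequest(tid, unit, fc, address, value)


def write_allowed(src_ip: str, request: ModbusRequest, allowed_writers: set) -> bool:
    """Policy a firewall or IDS in front of the PLC could enforce: only listed
    hosts (e.g. the engineering workstation) may send state-changing function
    codes; reads are tolerated from any source on the segment."""
    if request.function_code not in WRITE_FUNCTION_CODES:
        return True
    return src_ip in allowed_writers


def replay_is_indistinguishable(captured: bytes) -> bool:
    """Nothing in the frame binds it to a sender or a time, so a replayed copy
    parses to exactly the same request as the original capture."""
    replayed = bytes(captured)
    return parse_request(replayed) == parse_request(captured)


if __name__ == "__main__":
    allowlist = {"10.10.1.10"}           # assumed engineering workstation
    frame = build_write_single_register(transaction_id=1, unit_id=1,
                                        address=0x0010, value=0)
    req = parse_request(frame)
    print(frame.hex(), req)
    print("replay identical:", replay_is_indistinguishable(frame))
    print("from engineering ws:", write_allowed("10.10.1.10", req, allowlist))
    print("from rogue host:    ", write_allowed("10.10.1.77", req, allowlist))
```

The allowlist decision is made entirely outside the protocol, which is the point: the PLC itself will accept the replayed frame, so the control has to sit on the network path or in the PLC's own configuration (write protection, key switch) as the paper discusses.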

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.