Learn How to Thwart Cyber Attackers with Training at SANS Boston. Save $350 thru 2/20.

Reading Room: Most Popular Papers

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






Featuring the 25 most popular papers within the past week as of February 16, 2019

  • The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey Analyst Paper (requires membership in SANS.org community)
    by Rebekah Brown and Robert M. Lee - February 4, 2019 in Security Trends, Threats/Vulnerabilities

    In order to use cyber threat intelligence (CTI) effectively, organizations must know what intelligence to apply and where to get that intelligence. This paper delves into the results of the SANS 2019 Cyber Threat Intelligence Survey and explores the value of CTI, CTI requirements, how respondents are currently using CTI--and what the future holds.


  • 2018 Secure DevOps: Fact or Fiction? Analyst Paper (requires membership in SANS.org community)
    by Jim Bird and Barbara Filkins - November 5, 2018 in Cloud Computing, Security Trends

    A new SANS survey indicates that fewer than half (46%) of survey respondents are confronting security risks up front in requirements and service design in 2018--and only half of respondents are fixing major vulnerabilities. This report chronicles how security practitioners are managing the collaborative, agile nature of DevOps and weave it seamlessly into the development process.


  • PDF Metadata Extraction with Python by Christopher A. Plaisance - February 5, 2019 in Forensics

    This paper explores techniques for programmatically extracting metadata from PDF files using Python. It begins by detailing the internal structure of PDF documents, focusing on the internal system of indirect references and objects within the PDF binary, the document information dictionary metadata type, and the XMP metadata type contained in the file’s metadata streams. Next, the paper explores the most common means of accessing PDF metadata with Python, the high-level PyPDF and PyPDF2 libraries. This examination discovers deficiencies in the methodologies used by these modules, making them inappropriate for use in digital forensics investigations. An alternative low-level technique of carving the PDF binary directly with Python, using the re module from the standard library is described, and found to accurately and completely extract all of the pertinent metadata from the PDF file with a degree of completeness suitable for digital forensics use cases. These low-level techniques are built into a stand-alone open source Linux utility, pdf-metadata, which is discussed in the paper’s final section.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Cyber Threats to the Bioengineering Supply Chain STI Graduate Student Research
    by Scott Nawrocki - February 12, 2019 in Threats/Vulnerabilities

    Biotechnology and pharmaceutical companies rely on the sequencing of DNA to conduct research, develop new drug therapies, solve environmental challenges and study emerging infectious diseases. Synthetic biology combines biology and computer engineering disciplines to read, synthetically write and store DNA sequences utilizing bioinformatics applications. Bioengineers begin with a computerized genetic model and turn that model into a living cell (2011, Smolke). Genetic editing is making headlines as there are rumors that a genetically modified human, immune to HIV, was born in China. As the soil on our farms becomes depleted of nitrogen, genetic research is focusing on applications as a means to reintroduce nitrogen into the ground. Reliance on oil and pollution has paved the way for research into bio-fuels. Genomic research advances have outpaced the security of these applications and technology which leaves them vulnerable to attack (2017, Ney). As information security professionals, we must keep pace with these advances. This research will demonstrate the stages of a network-based attack, recommend Critical Security Controls countermeasures and introduce the concept of a Bioengineering Systems Kill Chain.


  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Case Study: Critical Controls that Could Have Prevented Target Breach STI Graduate Student Research
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).


  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 in Intrusion Detection, Incident Handling, Intrusion Prevention, Penetration Testing, Threats/Vulnerabilities

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malwareRut15, their tactics techniques and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.


  • 2017 State of Application Security: Balancing Speed and Risk Analyst Paper (requires membership in SANS.org community)
    by Jim Bird - October 24, 2017 in Application and Database Security

    Agile teams deliver working software every few weeks. High-speed cross-functional DevOps teams push software changes directly to production multiple times each day. Organizations are taking advantage of cloud platforms and on-demand services, containerization, and automated build and continuous delivery pipelines. All of this radically changes how development teams—and their security/risk management teams—think and work. Read on to learn more.


  • Shell Scripting for Reconnaissance and Incident Response by Mark Gray - January 25, 2019 in Security Basics, Forensics, Incident Handling, Linux Issues, Free and Open Source Software

    It has been said that scripting is a process with three distinct phases that include: identification of a problem and solution, implementation, and maintenance. By applying an analytical mindset, anyone can create reusable scripts that are easily maintainable for the purpose of automating redundant and tedious tasks of a daily workflow. This paper serves as an introduction to the common structure and the various uses of shell scripts and methods for observing script execution, how shells operate, and how commands are found and executed. Additionally, this paper also covers how to apply functions, and control structure and variables to increase readability and maintainability of scripts. Best practices for system and network reconnaissance, as well as incident response, are provided; the examples of employment demonstrate the utilization of shell scripting as an alternative to applying similar functionality in more intricate programming languages.


  • Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity STI Graduate Student Research
    by Dallas Haselhorst - January 4, 2019 in Intrusion Detection, Forensics, Logging Technology and Techniques, Threat Hunting

    The information security industry is predicted to exceed 100 billion dollars in the next few years. Despite the dollars invested, breaches continue to dominate the headlines. Despite best efforts, all attempts to keep the enemies at the gates have ultimately failed. Meanwhile, attacker dwell times on compromised systems and networks remain absurdly high. Traditional defenses fall short in detecting post-compromise activity even when properly configured and monitored. Prevention must remain a top priority, but every security plan must also include hunting for threats after the initial compromise. High price tags often accompany quality solutions, yet tools such as Security Onion, Zeek (Bro), and RITA require little more than time and skill. With these freely available tools, organizations can effectively detect advanced threats including real-world command and control frameworks.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    `A lot of currently available penetration testing resources lack report writing methodology and approach which leads to a very big gap in the penetration testing cycle. Report in its definition is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report Writing is a crucial part for any service providers especially in IT service/ advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at major electronics firm Said "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying that in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)


  • Physical Security and Why It Is Important by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • Intrusion Prevention System Signature Management Theory by Joshua Levine - February 5, 2019 in Intrusion Prevention

    The intrusion prevention system (IPS) serves as one of the critical components for a defense-in-depth solution. IPS appliances allow for active, inline protection for known and unknown threats passing across a network segment at all layers of the OSI model. The employment, tuning, and upkeep of signatures on an IPS may lead to a negative impact on production traffic if not properly maintained. This document serves as baseline guidance to help shape the development of an organizational IPS signature management policy. Concepts are presented to address the lifecycle of an IPS signature from employment to expiration. Through proper maintenance, placement, and tuning of signatures, an unwanted impact to network traffic can be kept to a minimum while also achieving an optimal balance of security and network performance. By understanding the tenants of effective IPS signature evaluation, employment, tuning, and expiration, organizations can maintain an acceptable network security posture along with adequate levels of network performance.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


  • Hacking the CAN Bus: Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering STI Graduate Student Research
    by Roderick Currie - June 20, 2017 in Security Awareness, Threats/Vulnerabilities

    The modern automobile is an increasingly complex network of computer systems. Cars are no longer analog, mechanical contraptions. Today, even the most fundamental vehicular functions have become computerized. And at the core of this complexity is the Controller Area Network, or CAN bus. The CAN bus is a modern vehicle's central nervous system upon which the majority of intra-vehicular communication takes place. Unfortunately, the CAN bus is also inherently insecure. Designed more than 30 years ago, the CAN bus fails to implement even the most basic security principles. Prior scholarly research has demonstrated that an attacker can gain remote access to a vehicle's CAN bus with relative ease. This paper, therefore, seeks to examine how an attacker already inside a vehicle's network could manipulate the vehicle by reverse engineering CAN bus communications. By providing a reproducible methodology for CAN bus reverse engineering, this paper also serves as a basic guide for penetration testers and automotive security researchers. The techniques described in this paper can be used by security researchers to uncover vulnerabilities in existing automotive architectures, thereby encouraging automakers to produce more secure systems going forward.


  • A Practical Model for Conducting Cyber Threat Hunting by Dan Gunter and Marc Seitz - November 29, 2018 in Threat Hunting

    There remains a lack of definition and a formal model from which to base threat hunting operations and quantifying the success of said operations from the beginning of a threat hunt engagement to the end that also allows analysis of analytic rigor and completeness. The formal practice of threat hunting seeks to uncover the presence of attacker tactics, techniques, and procedures (TTP) within an environment not already discovered by existing detection technologies. This research outlines a practical and rigorous model to conduct a threat hunt to discover attacker presence by using six stages: purpose, scope, equip, plan review, execute, and feedback. This research defines threat hunting as the proactive, analyst-driven process to search for attacker TTP within an environment. The model was tested using a series of threat hunts with real-world datasets. Threat hunts conducted with and without the model observed the effectiveness and practicality of this research. Furthermore, this paper contains a walkthrough of the threat hunt model based on the information from the Ukraine 2016 electrical grid attacks in a simulated environment to demonstrate the model's impact on the threat hunt process. The outcome of this research provides an effective and repeatable process for threat hunting as well as quantifying the overall integrity, coverage, and rigor of the hunt.


  • Scoping Security Assessments - A Project Management Approach by Ahmed Abdel-Aziz - June 7, 2011 in Auditing & Assessment, Security Awareness, Security Basics, Management & Leadership, Security Policy Issues, Protocols

    Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.


  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 in Automation, Incident Handling, Malicious Code

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.


  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • Secure Architecture for Industrial Control Systems STI Graduate Student Research
    by Luciana Obregon - October 15, 2015 in Industrial Control Systems / SCADA

    Industrial Control Systems (ICS) have migrated from stand-alone isolated systems to interconnected systems that leverage existing communication platforms and protocols to increase productivity, reduce operational costs and further improve an organization’s support model. ICS are responsible for a vast amount of critical processes necessitating organizations to adequately secure their infrastructure. Creating strong boundaries between business and process control networks can reduce the number of vulnerabilities and attack pathways that an intruder may exploit to gain unauthorized access into these critical systems. This paper provides guidance to those organizations that must secure their ICS systems and networks through a defense-in-depth approach to security, achieved through the identification of key security patterns and controls that apply to critical information security domains. The goal is a visual explanation that allows stakeholders to understand how to reduce information risk while preserving the confidentiality, integrity and availability of critical infrastructure resources in the industrial control environment.


  • Don't Knock Bro STI Graduate Student Research
    by Brian Nafziger - December 12, 2018 in Incident Handling

    Today's defenders often focus detections on host-level tools and techniques thereby requiring host logging setup and management. However, network-level techniques may provide an alternative without host changes. The Bro Network Security Monitor (NSM) tool allows today's defenders to focus detection techniques at the network-level. An old method for controlling a concealed backdoor on a system using a defined sequence of packets to various ports is known as port-knocking. Unsurprisingly, old methods still offer value and malware, defenders, and attackers still use port-knocking. Current port-knocking detection relies on traffic data mining techniques that only exist in academia writing without any applicable tools. Since Bro is a network-level tool, it should be possible to adapt these data mining techniques to detect port-knocking within Bro. This research will document the process of creating and confirming a port-knocking network-level detection with Bro that will provide an immediate and accessible detection technique for organizations.


  • A Security Checklist for Web Application Design by Gail Bayse - May 2, 2004 in Securing Code

    Web applications are very enticing to corporations. They provide quick access to corporate resources; user-friendly interfaces, and deployment to remote users is effortless. For the very same reasons web applications can be a serious security risk to the corporation.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.