3 Days Left to Save $400 on SANS Baltimore Spring 2017

Reading Room: Most Popular Papers

SANS eNewsletters

Receive the latest security threats, vulnerabilities, and news with expert commentary

Featuring the 25 most popular papers within the past week as of February 27, 2017

  • OS X as a Forensic Platform STI Graduate Student Research
    by David M. Martin - February 22, 2017 in Mac/Apple Issues, Forensics

    The Apple Macintosh and its OS X operating system have seen increasing adoption by technical professionals, including digital forensic analysts. Forensic software support for OS X remains less mature than that of Windows or Linux. While many Linux forensic tools will work on OS X, instructions for how to configure the tool in OS X are often missing or confusing. OS X also lacks an integrated package management system for command line tools. Python, which serves as the basis for many open-source forensic tools, can be difficult to maintain and easy to misconfigure on OS X. Due to these challenges, many OS X users choose to run their forensic tools from Windows or Linux virtual machines. While this can be an effective and expedient solution, those users miss out on the much of the power of the Macintosh platform. This research will examine the process of configuring a native OS X forensic environment that includes many open-source forensic tools, including Bulk Extractor, Plaso, Rekall, Sleuthkit, Volatility, and Yara. This process includes choosing the correct hardware and software, configuring it properly, and overcoming some of the unique challenges of the OS X environment. A series of performance tests will help determine the optimal hardware and software configuration and examine the performance impact of virtualization options.


  • DevSecOps Transformation: The New DNA of Agile Business Analyst Paper
    by Dave Shackleford - February 21, 2017 in Security Trends, Threats/Vulnerabilities

    This is an additional resource that accompanies the analyst paper, "The DevSecOps Approach to Securing Your Code and Your Cloud". To view the paper please click this link.


  • Tor Browser Artifacts in Windows 10 STI Graduate Student Research
    by Aron Warren - February 24, 2017 in Forensics

    The Tor network is a popular, encrypted, worldwide, anonymizing virtual network in existence since 2002 and is used by all facets of society such as privacy advocates, journalists, governments, and criminals. This paper will provide a forensic analysis of the Tor Browser version 5 client on a Windows 10 host for an individual or group interested in remnants left by the software. This paper will utilize various free and commercial tools to provide a detailed analysis of filesystem artifacts as well as a comparison between pre- and post- connection to the Tor network using memory analysis.


  • Countering Impersonation, Spearphishing and Other Email-Borne Threats: A Review of Mimecast Targeted Threat Protection Analyst Paper
    by Jerry Shenk - January 24, 2017 in Data Loss Prevention, Social Engineering

    The FBI estimates that between October 2013 and August 2015, more than 7,000 U.S.-based organizations lost a total of $748 million to business email scams. Such scams rely on the same tricks as confidence artists in the real world: the appearance of legitimacy and the tendency of victims to go along with requests that appear to be on the up-and-up, without checking to be sure. In this whitepaper, SANS senior analyst Jerry Shenk evaluates Targeted Threat Protect, an email-security service from Mimecast that is focused on stopping sophisticated phishing attacks. Among its most difficult targets: “whaling” attacks that spoof high-level executives asking for sensitive data, access or the transfer of money to accounts owned by scammers.


  • Indicators of Compromise TeslaCrypt Malware STI Graduate Student Research
    by Kevin Kelly - February 16, 2017 in Security Awareness, Best Practices

    Malware has become a growing concern in a society of interconnected devices and realtime communications. This paper will show how to analyze live ransomware malware samples, how malware processes locally, over time and within the network. Analyzing live ransomware gives a unique three-dimensional perspective, visually locating crucial signatures and behaviors efficiently. In lieu of reverse engineering or parsing the malware executable’s infrastructure, live analysis provides a simpler method to root out indicators. Ransomware touches just about every file and many of the registry keys. Analysis can be done, but it needs to be focused. The analysis of malware capabilities from different datasets, including process monitoring, flow data, registry key changes, and network traffic will yield indicators of compromise. These indicators will be collected using various open source tools such as Sysinternals suite, Fiddler, Wireshark, and Snort, to name a few. Malware indicators of compromise will be collected to produce defensive countermeasures against unwanted advanced adversary activity on a network. A virtual appliance platform with simulated production Windows 8 O/S will be created, infected and processed to collect indicators to be used to secure enterprise systems. Different tools will leverage datasets to gather indicators, view malware on multiple layers, contain compromised hosts and prevent future infections.


  • The DevSecOps Approach to Securing Your Code and Your Cloud Analyst Paper
    by Dave Shackleford - February 7, 2017 in Security Trends, Threats/Vulnerabilities

    DevSecOps, at heart, is about collaboration. More specifically, it is continual collaboration between information security, application development and IT operations teams. Having all three teams immersed in all development and deployment activities makes it easier for information security teams to integrate controls into the deployment pipeline without causing delays or creating issues by implementing security controls after systems are already running. Despite the potential benefits, getting started with DevSecOps will likely require some cultural changes and considerable planning, especially when automating the configuration and security of assets in the cloud. To help the shift toward a more collaborative culture, security teams need to integrate with the developers who are promoting code to cloud-based applications to show they can bring quality conditions to bear on any production code push without slowing the process. Security teams should also work with QA and development to define the key qualifiers and parameters that need to be met before any code can be promoted. This paper also has an additional resource titled, "DevSecOps Transformation: The New DNA of Agile Business". The resource can be accessed by clicking this link.


  • Packets Don't Lie: LogRythm NetMon Freemium Review Analyst Paper
    by Dave Shackleford - January 18, 2017 in Intrusion Detection, Data Loss Prevention

    With more traffic than ever passing through our environments, and adversaries who know how to blend in, network security analysts need all the help they can get. At the same time, data is leaking out of our environments right under our noses. This paper investigates how LogRhythm’s Network Monitor Freemium (NetMon Freemium) Version 3.2.3 provides intelligent monitoring, and helps organizations to identify sensitive data leaving the network and to respond when loss occurs.


  • Attack and Defend: Linux Privilege Escalation Techniques of 2016 STI Graduate Student Research
    by Michael Long II - January 30, 2017 in Linux Issues, Privilege Management, Penetration Testing

    Recent kernel exploits such as Dirty COW show that despite continuous improvements in Linux security, privilege escalation vectors are still in widespread use and remain a problem for the Linux community. Linux system administrators are generally cognizant of the importance of hardening their Linux systems against privilege escalation attacks; however, they often lack the knowledge, skill, and resources to effectively safeguard their systems against such threats. This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them. Additionally, this paper will offer remediation procedures in order to inform system administrators on methods to mitigate the impact of Linux privilege escalation attacks.


  • Obfuscation and Polymorphism in Interpreted Code by Kristopher L. Russo - February 10, 2017 in Active Defense, Forensics, Malicious Code

    Malware research has operated primarily in a reactive state to date but will need to become more proactive to bring malware time to detection rates down to acceptable levels. Challenging researchers to begin creating their own code that defeats traditional malware detection will help bring about this change. This paper demonstrates a sample code framework that is easily and dynamically expanded on. It shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems. The code sample documented within demonstrates that modern malware mitigation systems are not robust enough to prevent even the most basic of threats. A significant amount of difficult to detect malware that is in circulation today is evidence of this deficiency. This paper is designed to demonstrate how malware researchers can approach this problem in a way that partners researchers with vendors in a way that follows code development from ideation through design to implementation and ultimately on to identification and mitigation.


  • PLC Device Security - Tailoring needs by Wen Chinn Yew - February 15, 2017 in Threats/Vulnerabilities

    Programmable Logic Controller (PLC) is widely used in many industries. With increasing concern and interest in the security of these controllers and their impact to the industries, there is a growing trend to integrate security directly into them. It is not realistic or wise to have a one size fit all solution. This paper presents focus areas and requirements suited for various classes of PLCs in the market. It looks at the threats and vulnerabilities faced by them and current security solutions adopted. The paper then recommends how PLC vendors should have different but extensible security solutions applied across various classes of controllers in their product portfolio.


  • Back to Basics: Focus on the First Six CIS Critical Security Controls Analyst Paper
    by John Pescatore - January 24, 2017 in Best Practices, Data Protection

    Rather than a lack of choices in security solutions, a major problem in cyber security is an inability to implement mature processes - many organizations lack a defined and repeatable process for selecting, implementing and monitoring the security controls that are most effective against real-world threats. This paper explores how the Center for Internet Security (CIS) Critical Security Controls has proven to be an effective framework for addressing that problem.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • Building and Maintaining a Denial of Service Defense for Businesses STI Graduate Student Research
    by Matt Freeman - January 25, 2017 in Critical Controls, Getting Started/InfoSec, Security Trends

    Distributed Denial of Service (DDoS) attacks have been around for decades but still cause problems for most businesses. While easy to launch, DDoS attacks can be difficult to sustain and even more difficult to monetize for attackers. From the business perspective, a DDoS attack might result in lost revenue but is unlikely to have the same long term impact that a data breach may have. Recent changes in the IT landscape have made DDoS a more attractive attack vector for hackers. The industry trend to connect more and more devices to the Internet (often with minimal to no security), dubbed the "Internet of Things" has created a new marketplace for bad actors to sell their resource exhaustion services. Businesses need to consider all options when planning and implementing a defensive posture against denial of service attacks. As security vendors continue to offer new (and expensive) options to defend against these attacks, how does an InfoSec manager know which is best for their business. Using an "Offense informs the Defense" approach, this paper will analyze the methods used during DDoS attacks in order to determine the most appropriate defensive postures.


  • Implementing the Critical Security Controls Analyst Paper
    by Jim D. Hietala - January 24, 2017 in Critical Controls

    This paper serves as a how-to for organizations in various stages of implementing the controls and offers two real-world examples of CIS Control adoption. The case studies are based on real-time interviews with the people behind the efforts and includes the security environments before the implementation, the challenges experienced in adopting the controls and the benefits they’ve experienced.


  • Impediments to Adoption of Two-factor Authentication by Home End-Users STI Graduate Student Research
    by Preston Ackerman - February 10, 2017 in Authentication

    Cyber criminals have proven to be both capable and motivated to profit from compromised personal information. The FBI has reported that victims have suffered over $3 billion in losses through compromise of email accounts alone (IC3 2016). One security measure which has been demonstrated to be effective against many of these attacks is two-factor authentication (2FA). The FBI, the Department of Homeland Security US Computer Emergency Readiness Team (US-CERT), and the internationally recognized security training and awareness organization, the SANS Institute, all strongly recommend the use of two-factor authentication. Nevertheless, adoption rates of 2FA are low.


  • Digital Ghost: Turning the Tables Analyst Paper
    by Michael J. Assante - February 1, 2017 in Industrial Control Systems / SCADA

    The complex weave of digital technology relies heavily on hyperconnected systems to move data and unlock value through analytics. The benefits are real, but the stakes involved require a serious look at the potential downsides, including the risk of cyber attacks. Organizations embracing technology innovation should not focus solely on efficiency and productivity, for innovation done correctly can also reduce the risks that come with expanding digital touchpoints.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • From Security Perspective, the Quickest Way to Assess Your Web Application by Mohammed Alduhaymi - February 3, 2017 in Web Application Security

    The aim of this paper is to explain how to assess web applications with a fast, easy and effective method. A framework has been created as a Chrome Extension to solve two problems. 1. The first problem is when the IT team wants to know the security posture of their web application, but they did not have the budget/time to hire a penetration tester. Therefore, they can use this framework "WPSecAnalyzer Chrome Extension" to check their web application scores from a security perspective without having a deep knowledge of penetration testing. 2. The second problem is when the penetration tester wants to do the reconnaissance phase, he will use many tools, which will consume his time/effort. Consequently, to reduce the time/effort consumed he can use "WPSecAnalyzer Extension" to check many issues/vulnerabilities from one place with an efficient and effective method. The Chrome Extension which is called "WPSecAnalyzer" checks and verifies eleven issues/vulnerabilities on any website the end user visits, and provides him with a report based on the findings. The report will have the score of the website, as well as a list of the findings based on eleven issues/vulnerabilities.


  • Getting Owned By Malicious PDF - Analysis by Mahmud Ab Rahman - August 30, 2010 in Malicious Code

    The last two years was not so good for Adobe Acrobat Reader users especially for those using versions prior to version 9. Core Security had released the advisory to address about util.printf stack buffer overflow vulnerability on Adobe Acrobat Reader with CVE tag CVE-2008-2992 (CoreSecurity, 2008). An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crashing the application, denying service to the legitimate user. More information on this vulnerability can be obtained by reading a paper on the vulnerability and exploitation analysis written by a CoreSecurity researcher via this link http://www.coresecurity.com/content/adobe-reader-buffer-overflow.


  • Dissect the Phish to Hunt Infections STI Graduate Student Research
    by Seth Polley - February 3, 2017 in Security Awareness

    Internal defense is a perilous problem facing many organizations today. The sole reliance on external defenses is all too common, leaving the internal organization largely unprotected. The times when internal defense is actually considered, how many think beyond the fallible antivirus (AV) or immature data loss prevention (DLP) solutions? Considering the rise of phishing emails and other social engineering campaigns, there is a significantly increased risk that an organization’s current external and internal defenses will fail to prevent compromises. How would a cyber security team detect an attacker establishing a foothold within the center of the organization or undetectable malware being downloaded internally if a user were to fall for a phishing attempt?


  • Building a World-Class Security Operations Center: A Roadmap Analyst Paper
    by Alissa Torres - April 15, 2015 
    • Sponsored By: RSA

    Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • Windows Logon Forensics by Sunil Gupta - March 12, 2013 in Forensics

    Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.


  • Penetration Testing: Assessing Your Overall Security Before Attackers Do Analyst Paper
    by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Sile, Steve Mancini - November 17, 2006 in Penetration Testing

    CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.