
Reading Room: Most Popular Papers

Featuring the 25 most popular papers within the past week as of June 15, 2021

  • Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity SANS.edu Graduate Student Research
    by Dallas Haselhorst - January 4, 2019 in Intrusion Detection, Forensics, Logging Technology and Techniques, Threat Hunting

    The information security industry is predicted to exceed 100 billion dollars in the next few years. Despite the dollars invested, breaches continue to dominate the headlines. Despite best efforts, all attempts to keep the enemies at the gates have ultimately failed. Meanwhile, attacker dwell times on compromised systems and networks remain absurdly high. Traditional defenses fall short in detecting post-compromise activity even when properly configured and monitored. Prevention must remain a top priority, but every security plan must also include hunting for threats after the initial compromise. High price tags often accompany quality solutions, yet tools such as Security Onion, Zeek (Bro), and RITA require little more than time and skill. With these freely available tools, organizations can effectively detect advanced threats including real-world command and control frameworks.


  • You've Had the Power All Along: Process Forensics With Native Tools SANS.edu Graduate Student Research
    by Trevor McAfee - August 27, 2020 in Incident Handling

    Many organizations are interested in standing up threat response teams but are unable, or unwilling, to provide funding or approval for third-party tools. This lack of support requires threat response teams to utilize built-in, OS-specific tools, to investigate suspicious processes and files. These tools can provide a significant amount of useful information when scrutinizing a suspicious process or file. However, these tools and their output are often unwieldy. A lack of cohesiveness requires running multiple similar commands to gather all the data for an investigation, and then manually combining and correlating that data. This paper examines the data of interest during an incident response and the native Microsoft Windows tools used to obtain it. This paper also discusses how to use PowerShell to automate the collection and compilation of this important data.


  • Six Steps To Successful Mobile Validation by Heather Mahalik, John Bair, Alexis Brignoni, Stephen Coates, Mike Dickinson, Mattia Epifani, Jessica Hyde, Vladimir Katalov, Scott Koenig, Paul Lorentz, Christophe Poirier, Lee Reiber, Martin Westman, Mike Williamson, Ian Whiffin, and Oleg Skulkin - May 7, 2021 in Mobile Security

    Digital forensics is a complex and ever-changing field that requires a lot of testing, tools and validation. This paper is written by experts in smartphone forensics who have many years' experience in research, tool development, validation, testimony and who care about educating the community on the recommended steps to ensure mobile data is extracted, examined and reported in a manner that is trusted.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Machine Learning Techniques for Intrusion Detection by Yih Han Tan - June 9, 2021 in Intrusion Detection

    This paper aims to equip intrusion analysts with the basic techniques needed to apply machine learning to intrusion detection. It will first review and describe the different approaches to machine learning-based classification (e.g., logistic regression, support vector machines) before explaining the challenges of applying it to network intrusion detection. It will also review methods of data preprocessing, model training, and testing. This paper then describes experiments carried out on a dataset (NSL-KDD) that is widely used to test intrusion detection algorithms. Two sets of experiments demonstrating the application of commonly used machine learning-based classification and methods extensively used to improve model performance (e.g., boosting, bagging, stacking, label smoothing, and embedding) are performed. With a knowledge of the underlying algorithms and the provided source code, network operators can experiment with and eventually apply machine learning-based intrusion detection to their network.


  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Threat Hunting and Incident Response in a post-compromised environment by Rukhsar Khan - December 3, 2019 in Forensics

    If you give an attacker 100 days to move freely in your compromised environment, the evidence is reasonably strong that your organization is pretty bad at Security Operations (The future of Security Operations). However, repeatedly sending false-positive breach escalations to the forensic team is also problematic. It happens in a lot of large organizations, banks, and government institutions across the globe. This paper starts with an overview of current significant problems identified in Security Operations and Digital Forensics and Incident Response (DFIR) teams and the reasons behind them. Then, we will discuss the solution that encompasses the MITRE ATT&CK framework (MITRE ATT&CK) along with robust Cyber Threat Intelligence (CTI). Appropriate data collection sources for data enrichment, including all Cyber Security threat information expressed in the STIX language, will also be covered. Although the solution includes specific commercial and non-commercial products and tools from various vendors and organizations, we are not necessarily in favor of any. The core implementation of the MITRE ATT&CK framework, however, is performed in the IBM Resilient Security Orchestration, Automation, and Response (SOAR) product.


  • The OSI Model: An Overview by Rachelle Miller - September 13, 2001 in Standards

    This paper provides an overview of the Open Systems Interconnection (OSI) reference model which defines a hierarchical architecture that logically partitions the functions required to support system-to-system communication.


  • Windows 10 as a Forensic Platform SANS.edu Graduate Student Research
    by Ferenc Kovacs - June 15, 2018 in Forensics

    Microsoft Windows is widely used by forensic professionals. Windows 10 is the latest version available today. Many popular forensic packages such as FTK, Encase, and Redline are only running on Windows. Other packages such as Python, Volatility, The Sleuth Kit and Autopsy have Windows versions. This paper will detail the process of configuring a Windows 10 computer as a forensics investigation platform. It will show the necessary steps to set up the operating system, install Windows Subsystem for Linux, Python, VMware, and VirtualBox. The research will examine the setup of dd.exe, FTK Imager, Encase Forensic Imager, Redline, The Sleuth Kit, Autopsy, the SANS SIFT workstation, Volatility and Log2Timeline. This research will also highlight the external devices that will be used such as write blockers and external drives. Metrics will be collected to show the effectiveness of the software tools and hardware devices. By following the described steps, the reader will have a configured Windows 10 workstation that provides a useful platform for conducting forensic investigations.


  • The Value of Contemporaneous Notes and Why They Are a Requirement for Security Professionals by Seth Enoka - September 30, 2019 in Forensics

    Contemporaneous notes, or notes taken as soon as practicable after an event or action takes place, are invaluable to analysts in security roles performing activities such as digital forensics and incident response. There are various situations where contemporaneous notes provide a disproportionate return on time invested. However, there is no standard which defines the minimum information to record or indicates why every analyst should create some form of contemporaneous notes, whether in the civil or criminal domain. Timestamping, “write-once” versus write-many modalities, and how to edit or amend contemporaneous notes are important considerations. Additionally, including enough information such that the analyst, or any analyst, can follow the notes after time has elapsed and still achieve the same results and conclusions is essential when taking contemporaneous notes. The evidentiary value of contemporaneous notes should be defined and understood by every security professional.


  • CIS CSC Controls vs. Ransomware: An Evaluation by Dylan Malloy - May 19, 2021 in Critical Controls

    Cybercriminals continue to develop and enhance both new and existing ransomware variants, exploiting vulnerabilities to compromise computer systems and wreak havoc on individuals and organizations. Ransomware, while ever-changing, typically relies heavily on a lack of controls in place for it to be promptly stopped or eradicated; however, many controls set out to reduce the overall impact of ransomware, if not stop it entirely. Organizations often try to protect themselves from ransomware by investing money into their security stack: Anti-virus, Endpoint Detection and Response, and Host Intrusion Prevention Systems. However, these tools will not be nearly as effective without the proper controls to align their functions. Implementing CIS Critical Security Controls can significantly reduce the impact of ransomware, or even potentially stop it in its tracks, meaning minimal disruptions to operations.


  • Fear of the Unknown: A Meta-Analysis of Insecure Object Deserialization Vulnerabilities SANS.edu Graduate Student Research
    by Karim Lalji - October 28, 2020 in Penetration Testing

    Deserialization vulnerabilities have gained significant traction in the past few years, resulting in this category of weakness taking eighth place on the OWASP Top 10. Despite the severity, deserialization vulnerabilities tend to be among the less popular application exploits discussed (Bekerman, 2020) and are frequently misunderstood by security consultants and penetration testers without a development background. This knowledge discrepancy leaves adversaries with an advantage and security professionals with a disadvantage. This research will aim to demonstrate exploitation techniques using insecure deserialization on multiple platforms, including Java, .NET, PHP, and Android, to obtain a meta-analysis of exploitation techniques and defensive strategies.


  • Application Whitelisting: Panacea or Propaganda SANS.edu Graduate Student Research
    by Jim Beechey - January 18, 2011 in Application and Database Security, System Administration

    Every day, organizations of all sizes struggle to protect their endpoints from a constant barrage of malware. The number of threats continues to increase dramatically each year.


  • The Importance of Security Awareness Training by Cindy Brodie - January 14, 2009 in Security Awareness

    One of the greatest threats to information security could actually come from within your company or organization. Inside ‘attacks’ have been noted to be some of the most dangerous since these people are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee (CTG, 2008).


  • Physical Security and Why It Is Important SANS.edu Graduate Student Research
    by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • Methods for Understanding and Reducing Social Engineering Attacks SANS.edu Graduate Student Research
    by Michael Alexander - May 3, 2016 in Critical Controls, Social Engineering

    Social engineering is arguably the easiest way for an attacker to penetrate the defenses of an organization.


  • How to Fuel Your DevSecOps in AWS Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - June 2, 2021 in Application and Database Security, Cloud Security

    To build an effective and successful security automation strategy for the DevOps pipeline, organizations need to consider all parts of the pipeline. This includes securing code and repositories, monitoring and controlling privilege allocation, scanning all checked-in and modified code for vulnerabilities, and scanning all builds and images for package and component vulnerabilities. And by monitoring all running assets through cloud fabric logging, they can use event-driven automation to remediate or alert on issues. In this whitepaper, SANS Analyst Dave Shackleford describes how to bring security teams into all phases of development and during cloud operations to increase visibility and improve security posture.


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    A lot of currently available penetration testing resources lack report-writing methodology and approach, which leads to a very big gap in the penetration testing cycle. A report, by definition, is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report writing is a crucial part of any service provider's work, especially for IT service and advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at a major electronics firm said, "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying in the consulting business: "If you do not document it, it did not happen." (Smith, LeBlanc & Lam, 2004)


  • Case Study: Critical Controls that Could Have Prevented Target Breach SANS.edu Graduate Student Research
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out that 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).


  • The Scary and Terrible Code Signing Problem You Don't Know You Have SANS.edu Graduate Student Research
    by Sandra Dunn - October 28, 2015 in Digital Certificates, Critical Controls

    SSL 3.0 / TLS 1.0 certificates are built on the X.509v3 PKI standard and provide the framework that the code signing process uses. Code signing uses PKI and X.509v3 certificates issued by a trusted certificate authority to validate that the code being installed on a device comes from a trusted vendor.


  • Data Loss Prevention by Prathaben Kanagasingham - September 5, 2008 in Data Loss Prevention

    Data breach has been one of the biggest fears that organizations face today. Quite a few organizations have been in the news for information disclosure and a popular recent case is that of T.J.Maxx. While DLP is not a panacea to such attacks, it should certainly be in the arsenal of tools to defend against such risks.


  • Hardware Keyloggers SANS.edu Graduate Student Research
    by Glen Roberts - July 29, 2016 in Physical Security

    Most information security professionals are familiar with keyloggers. However, while the security industry has produced plenty of defenses for software-based keyloggers, hardware keyloggers continue to pose a daunting problem for the typical enterprise. A deeper understanding of these insidious devices can lead to viable techniques for both protection and detection.


  • Insider Threat: The Theft of Intellectual Property in Windows 10 by Eduard Du Plessis - March 11, 2021 in Forensics

    The prevalence of theft of intellectual property investigations has grown over the past years, and when investigated it will most likely be on a Windows 10 machine. It is important to have a clear framework on how to approach and execute such an investigation accurately and timeously. In this paper we will identify and analyse important Windows 10 artefacts that will reveal the user, the files and folders opened, applications used, and the location of the files and folders. These artefacts are LNK (Link) Files, Jump Lists, Shell Bags, Prefetch files, USB connections and Network Mappings. We will demonstrate how to acquire and analyse these artefacts using a set of lightweight and powerful digital forensic software tools that are also affordable. The reader will find that by systematically analysing and correlating artefact events, a timeline can be built that tells a story.


  • The Industrial Control System Cyber Kill Chain by Michael J. Assante and Robert M. Lee - October 5, 2015 in Industrial Control Systems / SCADA

    Read this paper to gain an understanding of an adversary's campaign against ICS. The first two parts of the paper introduce the two stages of the ICS Cyber Kill Chain. The third section uses the Havex and Stuxnet case studies to demonstrate the ICS Cyber Kill Chain in action.


  • Secure Architecture for Industrial Control Systems SANS.edu Graduate Student Research
    by Luciana Obregon - October 15, 2015 in Industrial Control Systems / SCADA

    Industrial Control Systems (ICS) have migrated from stand-alone isolated systems to interconnected systems that leverage existing communication platforms and protocols to increase productivity, reduce operational costs and further improve an organization’s support model. ICS are responsible for a vast amount of critical processes necessitating organizations to adequately secure their infrastructure. Creating strong boundaries between business and process control networks can reduce the number of vulnerabilities and attack pathways that an intruder may exploit to gain unauthorized access into these critical systems. This paper provides guidance to those organizations that must secure their ICS systems and networks through a defense-in-depth approach to security, achieved through the identification of key security patterns and controls that apply to critical information security domains. The goal is a visual explanation that allows stakeholders to understand how to reduce information risk while preserving the confidentiality, integrity and availability of critical infrastructure resources in the industrial control environment.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.