Featuring the 25 most popular papers within the past week as of March 23, 2017
Auto-Nuke It from Orbit: A Framework for Critical Security Control Automation STI Graduate Student Research
by Jeremiah Hainly - March 15, 2017 in Automation, Incident Handling, Free and Open Source Software
Over 83% of security teams report that the use of automation in security needs to increase within the next three years (Algosec, 2016). With automation becoming a reality for a growing number of companies, there will also be an increased demand for open-sourced scripts to get started. This paper will provide a framework for prioritizing and developing security automation and will demonstrate this process by creating a script to automate a common information security response procedure - the reimaging of an infected endpoint. The primary function of the script will be to access the application program interface (API) of various enterprise software solutions to speed up the manual tasks involved in performing a reimage.
Cyber Security Trends: Aiming Ahead of the Target to Increase Security in 2017 Analyst Paper
by John Pescatore - March 20, 2017 in Cloud Computing, Data Protection
- Associated Webcasts: 2017 Cybersecurity Trends: Aiming Ahead of the Target to Increase Security
Attackers are always changing their methods, but some cybersecurity trends are clear--and identifying these trends will help security professionals plan for addressing these issues in the coming year. Attacks will continue, and many will be successful. While security professionals should try to prevent a breach, it's far more critical to uncover breaches quickly and mitigate damage. Another significant trend for 2017: expanding current security measures to better protect data in the cloud and to address the security shortcomings of the Internet of Things. Even while fighting daily security fires, security managers can expect boards of directors to show more interest in their efforts. Board members are keenly aware that breaches can be high-profile catastrophes for companies, and they are also concerned that the organizations they oversee are in compliance with new and more stringent regulations. This whitepaper covers the latest and best security hygiene and common success patterns that will best keep your organization off the "Worst Breaches of 2017" lists.
Securing DNS Against Emerging Threats: A Hybrid Approach Analyst Paper
by John Pescatore - March 16, 2017 in DNS Issues
- Associated Webcasts: Protecting Business Mobility Against Emerging Threats
- Sponsored By: InfoBlox
This paper looks at the impact of mobility and new attack vectors on DNS-related risk and outlines use cases for securing DNS services more effectively. It also examines the use of a hybrid model of on-premises and cloud-based services to improve the security posture of organizations.
Preparing for Compliance with the General Data Protection Regulation (GDPR) A Technology Guide for Security Practitioners Analyst Paper
by Benjamin Wright - March 7, 2017 in Data Protection, Legal Issues
- Associated Webcasts: Complying with the General Data Protection Regulation: A Guide for Security Practitioners
- Sponsored By: Skybox Security, Inc.
The General Data Protection Regulation (GDPR) is the latest data security legislation in the European Union. When it goes into effect, it can apply widely to various organizations, including those without a physical presence in the European Union. What does this complex regulation mean and what does your organization need to do to comply? This paper explains these as well as how to identify a Data Protection Officer and what this person needs to know to be effective. It also provides a checklist for compliance with concise, practical information your organization can begin using now.
Cyber Threat Intelligence Uses, Successes and Failures: The SANS 2017 CTI Survey Analyst Paper
by Dave Shackleford - March 14, 2017 in Threats/Vulnerabilities
- Associated Webcasts: Cyber Threat Intelligence in Action-Skills and Implementations: Results of the 2017 Cyber Threat Intelligence Survey Part 1 Cyber Threat Intelligence in Action-Effectiveness of CTI Programs and Wish Lists for the Future: Results of the 2017 Cyber Threat Intelligence Survey Part 2
- Sponsored By: Arbor Networks Rapid7 Inc. Lookingglass Cyber Solutions, Inc. Anomali DomainTools ThreatConnect
Respondents' biggest challenges to effective implementation of cyber threat intelligence (CTI) are lack of trained staff, funding, time to implement new processes, and technical capability to integrate CTI, as well as limited management support. Those challenges indicate a need for more training and easier, more intuitive tools and processes to support the use of CTI in today's networks. These and other trends and best practices are covered in this report.
Detection of Backdating the System Clock in Windows by Xiaoxi Fan - March 15, 2017 in Forensics
In the digital forensic industry, evidence concerning date and time is a fundamental part of many investigations. As one of the most commonly used anti-forensic approaches, system backdating has appeared in more and more investigations. Since the system clock can be set back manually, it is important for investigators to identify the reliability of date and time so as to make further decision. However, there is no simple way to tell whether the system clock has been backdated or tampered especially when it was subsequently reset to the correct time. There are a variety of artifacts to detect the behavior of backdating the system clock. If the investigator needs to prove the hypothesis that "the system clock has not been backdated," he or she must examine multiple artifacts for corroboration.
DevSecOps Transformation: The New DNA of Agile Business Analyst Paper
by Dave Shackleford - February 21, 2017 in Security Trends, Threats/Vulnerabilities
This is an additional resource that accompanies the analyst paper, "The DevSecOps Approach to Securing Your Code and Your Cloud". To view the paper please click this link.
Countering Impersonation, Spearphishing and Other Email-Borne Threats: A Review of Mimecast Targeted Threat Protection Analyst Paper
by Jerry Shenk - January 24, 2017 in Data Loss Prevention, Social Engineering
The FBI estimates that between October 2013 and August 2015, more than 7,000 U.S.-based organizations lost a total of $748 million to business email scams. Such scams rely on the same tricks as confidence artists in the real world: the appearance of legitimacy and the tendency of victims to go along with requests that appear to be on the up-and-up, without checking to be sure. In this whitepaper, SANS senior analyst Jerry Shenk evaluates Targeted Threat Protect, an email-security service from Mimecast that is focused on stopping sophisticated phishing attacks. Among its most difficult targets: “whaling” attacks that spoof high-level executives asking for sensitive data, access or the transfer of money to accounts owned by scammers.
Tracking Online Counterfeiters by Emilio Casbas - March 16, 2017 in Intrusion Detection
The counterfeiting market makes-up a vast global business where the impact of fraudulent activity is hard to quantify. Counterfeiting is a global issue which has become more complex as black market activities moved to internet. The online counterfeiters create thousands of websites with different approaches as part of their strategy to lure unsuspected shoppers. This paper presents their most common tactics and its relation with the "Black market commoditization". It will show its resilience against takedown efforts and it will provide some guidance about how to detect them. With the knowledge acquired, a new kind of threat intelligence feed could be generated. This information might be integrated into existing security technologies such as either proxies, Intrusion Detection Systems (IDSs) or Security Information and Event Management systems (SIEMs). The ultimate goal is to shed light on this increasing fraud vector so new detection capabilities can be deployed into existing services thus protecting users from unsafe sites.
Cloud Security Monitoring STI Graduate Student Research
by Balaji Balakrishnan - March 13, 2017 in Cloud Computing
This paper discusses how to apply security log monitoring capabilities for Amazon Web Services (AWS) Infrastructure as a Service(IaaS) cloud environments. It will provide an overview of AWS CloudTrail and CloudWatch Logs, which can be stored and mined for suspicious events. Security teams implementing AWS solutions will benefit from applying security monitoring techniques to prevent unauthorized access and data loss. Splunk will be used to ingest all AWS CloudTrail and CloudWatch Logs. Machine learning models are used to identify the suspicious activities in the AWS cloud infrastructure. The audience for this paper are the security teams trying to implement AWS security monitoring.
Attack and Defend: Linux Privilege Escalation Techniques of 2016 STI Graduate Student Research
by Michael Long II - January 30, 2017 in Linux Issues, Privilege Management, Penetration Testing
Recent kernel exploits such as Dirty COW show that despite continuous improvements in Linux security, privilege escalation vectors are still in widespread use and remain a problem for the Linux community. Linux system administrators are generally cognizant of the importance of hardening their Linux systems against privilege escalation attacks; however, they often lack the knowledge, skill, and resources to effectively safeguard their systems against such threats. This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them. Additionally, this paper will offer remediation procedures in order to inform system administrators on methods to mitigate the impact of Linux privilege escalation attacks.
Tor Browser Artifacts in Windows 10 STI Graduate Student Research
by Aron Warren - February 24, 2017 in Forensics
The Tor network is a popular, encrypted, worldwide, anonymizing virtual network in existence since 2002 and is used by all facets of society such as privacy advocates, journalists, governments, and criminals. This paper will provide a forensic analysis of the Tor Browser version 5 client on a Windows 10 host for an individual or group interested in remnants left by the software. This paper will utilize various free and commercial tools to provide a detailed analysis of filesystem artifacts as well as a comparison between pre- and post- connection to the Tor network using memory analysis.
The DevSecOps Approach to Securing Your Code and Your Cloud Analyst Paper
by Dave Shackleford - February 7, 2017 in Security Trends, Threats/Vulnerabilities
- Sponsored By: CloudPassage
DevSecOps, at heart, is about collaboration. More specifically, it is continual collaboration between information security, application development and IT operations teams. Having all three teams immersed in all development and deployment activities makes it easier for information security teams to integrate controls into the deployment pipeline without causing delays or creating issues by implementing security controls after systems are already running. Despite the potential benefits, getting started with DevSecOps will likely require some cultural changes and considerable planning, especially when automating the configuration and security of assets in the cloud. To help the shift toward a more collaborative culture, security teams need to integrate with the developers who are promoting code to cloud-based applications to show they can bring quality conditions to bear on any production code push without slowing the process. Security teams should also work with QA and development to define the key qualifiers and parameters that need to be met before any code can be promoted. This paper also has an additional resource titled, "DevSecOps Transformation: The New DNA of Agile Business". The resource can be accessed by clicking this link.
Obfuscation and Polymorphism in Interpreted Code by Kristopher L. Russo - February 10, 2017 in Active Defense, Forensics, Malicious Code
Malware research has operated primarily in a reactive state to date but will need to become more proactive to bring malware time to detection rates down to acceptable levels. Challenging researchers to begin creating their own code that defeats traditional malware detection will help bring about this change. This paper demonstrates a sample code framework that is easily and dynamically expanded on. It shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems. The code sample documented within demonstrates that modern malware mitigation systems are not robust enough to prevent even the most basic of threats. A significant amount of difficult to detect malware that is in circulation today is evidence of this deficiency. This paper is designed to demonstrate how malware researchers can approach this problem in a way that partners researchers with vendors in a way that follows code development from ideation through design to implementation and ultimately on to identification and mitigation.
Building a World-Class Security Operations Center: A Roadmap Analyst Paper
by Alissa Torres - April 15, 2015
- Sponsored By: RSA
Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.
The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare STI Graduate Student Research
by Terrence OConnor - February 14, 2012 in Attacking Attackers, Information Warfare
We live in an era where a single soldier can digitally leak thousands of classified documents (possibly changing the course of war), attackers can compromise unmanned drone control software and intercept unencrypted video feeds, and recreational hackers can steal and release personal information from members of cyber think-tanks.
Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery
This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.
An Introduction to Information System Risk Management by Steve Elky - June 6, 2006 in Auditing & Assessment
Key elements of information security risk, offering insight into risk assessment methodologies.
Penetration Testing: Assessing Your Overall Security Before Attackers Do Analyst Paper
by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Sile, Steve Mancini - November 17, 2006 in Penetration Testing
- Sponsored By: Core Security Technologies
CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.
Next-Gen Endpoint Risks and Protections: A SANS Survey Analyst Paper
by G. W. Ray Davidson, PhD - February 27, 2017 in Clients and Endpoints
- Associated Webcasts: Next-Gen Endpoints Risks and Protections: A SANS Survey Part 1: New Devices and Risks Next-Gen Endpoints Risks and Protections: A SANS Survey Part 2: Next-Gen Protection and Response
- Sponsored By: Guidance Software Sophos Inc. Carbon Black IBM Malwarebytes Great Bay Software
Results of this survey suggest that we may need to broaden the definition of an endpoint to include users, as the two most common forms of attack reported are directed at users. Lack of adequate patching programs also results in endpoint compromises, despite reported centralized endpoint management. Results also point to the need for improved detection, response, automation of remediation processes.
All papers are copyrighted. No re-posting or distribution of papers is permitted.