Featuring the 25 most popular papers within the past week as of October 28, 2016
Keys to Effective Anomaly Detection by Matt Bromiley - October 25, 2016 in Data Protection, Hackers, Incident Handling
- Sponsored By: Blue Coat Systems, Inc.
Simply put, an anomaly is something that seems abnormal or doesn’t fit within an environment. A car with five driving wheels would be an anomaly. In the context of an enterprise network, an anomaly is very much the same—something that does not fit or is out of place. While anomalies in an enterprise network may be indicative of a configuration fault, they are often evidence of something much more worrisome: a malicious presence on the network.
The Information We Seek by Jose Ramos - October 25, 2016 in Information Assurance, Data Loss Prevention, Hackers
Whether you are performing a penetration test, conducting an investigation, or are a skilled attacker closing in on a target, information gathering is the foundation needed to carry out the assessment. Having the right information paves the way for proper enumeration and simplifies attack strategies against a given target. Throughout this paper, we will walk through some strategies used to identify information on both people and networks. Some people claim that all data can be found using Google's search engine; but can third-party tools found in Linux security distributions such as Kali Linux outperform the search engine giant? Maltego and The Harvester yield a wealth of information, but will the results be enough to identify a target? The right tool for the right job is essential when working with any project in life. Let's take a journey through the information gathering process to determine if there is a one-size-fits-all tool, or if a multi-tool approach is needed to gather the essential information on a given target. We will compare and contrast many of the industry tools to determine the proper tool or tools needed to perform an adequate information gathering assessment.
From the Trenches: SANS 2016 Survey on Security and Risk in the Financial Sector Analyst Paper
by G. Mark Hardy - October 18, 2016 in Alternate Payment Systems, Firewalls & Perimeter Protection
- Associated Webcasts: From the Trenches, the SANS 2016 Survey on Security and Risk in the Financial Sector: Part 1 Incidents, Risks and Preparedness; From the Trenches, the SANS 2016 Survey on Security and Risk in the Financial Sector: Part 2 Securing Financial Environments
- Sponsored By: ForeScout Technologies, Guidance Software, Arbor Networks, WhiteHat Security, NSFOCUS
The financial services industry is under a barrage of ransomware and spearphishing attacks that are rising dramatically. These top two attack vectors rely on the user to click something. Organizations enlist email security monitoring, enhanced security awareness training, endpoint detection and response, and firewalls/IDS/IPS to identify, stop and remediate threats. Yet, their preparedness to defend against attacks isn’t showing much improvement. Read on to learn more.
Intrusion Detection Through Relationship Analysis by Patrick Neise - October 24, 2016 in Intrusion Detection
With the average time to detection of a network intrusion in enterprise networks assessed to be 6-8 months, network defenders require additional tools and techniques to shorten detection time. Perimeter, endpoint, and network traffic detection methods today are mainly focused on detecting individual incidents while security incident and event management (SIEM) products are then used to correlate the isolated events. Although proven to be able to detect network intrusions, these methods can be resource intensive in both time and personnel. Through the use of network flows and graph database technologies, analysts can rapidly gain insight into which hosts are communicating with each other and identify abnormal behavior such as a single client machine communicating with other clients via Server Message Block (SMB). Combining the power of tools such as Bro, a network analysis framework, and neo4j, a native graph database that is built to examine data and its relationships, rapid detection of anomalous behavior within the network becomes possible. This paper will identify the tools and techniques necessary to extract relevant network information, create the data model within a graph database, and query the resulting data to identify potential malicious activity.
Getting C-Level Support to Ensure a High-Impact SOC Rollout Analyst Paper
by John Pescatore - October 24, 2016
- Associated Webcasts: Prioritizing and Planning to Ensure a High-Impact SOC Rollout
A Secure Approach to Deploying Wireless Networks by Joseph Matthews - October 19, 2016 in Wireless Access
Enterprise wireless networks are an important component of modern network architecture. They are required to support mobile devices and provide connectivity to various devices where wired connections are not practical or are cost prohibitive. But the lack of physical control over the medium does require additional precautions to control access to wireless networks. Most books and papers present the problem and the risks, but do not provide a fully secure solution with examples. The 802.11 standard for wireless networks does offer encryption and authentication methods like WPA. But in an enterprise environment, these controls have to be implemented in a scalable and manageable way. This paper presents a hands-on guide to implementing a secure wireless network in an enterprise environment and provides an example of a tested secure solution.
Detecting Incidents Using McAfee Products by Lucian Andrei - October 10, 2016 in Active Defense, Incident Handling, Tools
Modern attacks against computer systems require a combination of multiple solutions in order to be prevented and detected. This paper analyzes the capacity of commercial tools, with minimal configuration, to detect threats. Traditionally, companies use antivirus software to protect against malware, and a firewall combined with an IDS to protect against network attacks. This paper will analyze the efficacy of the following three combinations in withstanding application attacks: antivirus alone, antivirus plus host IDS, and antivirus combined with a host IDS plus application whitelisting. Before doing the tests we predicted that the antivirus will block 20% of the attacks, the HIDS will detect an additional 15%, and McAfee Application Control will protect against at least 50% more of the attacks executed by an average attacker using known exploits, without much obfuscation of the payload. The success of defensive commercial tools against attacks will justify the investment a company will be required to make.
Taking Action Against the Insider Threat Analyst Paper
by Eric Cole, PhD - October 5, 2016 in Threat Hunting, Threats/Vulnerabilities
- Associated Webcasts: Taking Action Against Insider Threats
- Sponsored By: Dtex Systems
Most organizations tend to focus on external threats, but insider threats are increasingly taking center stage. Insider threats come not only from the malicious insider, but also from infiltrators and unintentional insiders as well. Why are insider threats so common and why do they have such a significant impact? What is the difference between the different types of insider threats and the degree of risk they can constitute?
Tracking Malware With Public Proxy Lists by James Powers - January 27, 2011 in Malicious Code, Tools
The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).
The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare Masters
by Terrence OConnor - February 14, 2012 in Attacking Attackers, Information Warfare
We live in an era where a single soldier can digitally leak thousands of classified documents (possibly changing the course of war), attackers can compromise unmanned drone control software and intercept unencrypted video feeds, and recreational hackers can steal and release personal information from members of cyber think-tanks.
Ransomware by Susan Bradley - October 3, 2016 in Active Defense, Security Awareness, Risk Management
On a daily basis, a file gets clicked. An email attachment gets opened. A website gets browsed. Seemingly normal actions in every office, on every personal computer, can suddenly become a ransomware incident if the file, attachment or banner ad was intended to infect the system, and every file the user had access to, with ransomware. What was once a rare occurrence now impacts networks ranging from small businesses to large companies to governments.
Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery
This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to ensure provable recovery capability.
Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment by Jeremy Druin - October 22, 2013 in Application and Database Security, Getting Started/InfoSec, Penetration Testing
Web application security has become increasingly important to organizations.
Security and Accountability in the Cloud Data Center: A SANS Survey Analyst Paper
by Dave Shackleford - October 10, 2016 in Cloud Computing
- Associated Webcasts: Security and Accountability in the Cloud, the SANS 2016 Cloud Security Survey: Part 2 - Changes in Cloud Security; Security and Accountability in the Cloud, the SANS 2016 Cloud Security Survey: Part 1 - Breach Landscape and the Top Threats and Challenges
- Sponsored By: Intel Security, Rapid7 Inc., IBM, CloudPassage, Bitglass
Despite risk that is higher than with more controlled, traditional on-premises (non-cloud) systems, this survey found that almost a quarter of respondents (24%) are in organizations adopting a “cloud first” strategy. Using public cloud or on-premises applications as appropriate led the way, chosen by 46% of respondents, and 30% of respondents said they prefer on-premises applications. Read on to learn more about the state of cloud security and what we need to do to improve it.
Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response by Gordon Fraser - September 21, 2016 in Forensics
A commonly accepted Incident Response process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Preparation is key. It sets the foundation for a successful incident response. The incident responder does not want to be trying to figure out where to collect the information necessary to quickly assess the situation and to respond appropriately to the incident. Nor does the incident responder want to hope that the information he needs is available at the level of detail necessary to most effectively analyze the situation so he can make informed decisions on the best course of action. This paper identifies artifacts that are important to support network forensics during incident response and discusses an architecture and implementation for a home lab to support the collection of them. It then validates the architecture using an incident scenario.
PORTKnockOut: Data Exfiltration via Port Knocking over UDP by Matthew Lichtenberger - September 29, 2016 in Security Awareness, Covert Channels, Intrusion Detection
Data exfiltration is arguably the most important target for a security researcher to identify. The seemingly endless breaches of major corporations are done via channels of varying stealth, and an endless array of methods exist to communicate the data to remote endpoints while bypassing Intrusion Detection Systems, Intrusion Prevention Systems, firewalls, and proxies. This research examines a novel way to perform this data exfiltration, utilizing port knocking over User Datagram Protocol. It focuses specifically on the ease with which this can be done, the relatively low signal-to-noise ratio of the resultant traffic, and the plausible deniability of receiving the exfiltrated data. Particular attention is paid to an implemented Proof of Concept, while the complete source code may be found in the Appendix.
Securing the “Internet of Things” Survey Analyst Paper
by John Pescatore - January 15, 2014 in Covert Channels, Internet of Things, Information Warfare
- Associated Webcasts: SANS Analyst Webcast: SANS Survey on Securing The Internet of Things
- Sponsored By: Codenomicon Norse
Survey reveals the risks introduced by an increasing array of "smart" things with wireless or Internet connections.
Penetration Testing: Assessing Your Overall Security Before Attackers Do Analyst Paper
by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Sile, Steve Mancini - November 17, 2006 in Penetration Testing
- Sponsored By: Core Security Technologies
CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.
Building a World-Class Security Operations Center: A Roadmap Analyst Paper
by Alissa Torres - April 15, 2015
- Sponsored By: RSA
Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.
An Introduction to Information System Risk Management by Steve Elky - June 6, 2006 in Auditing & Assessment
Key elements of information security risk, offering insight into risk assessment methodologies.
Windows Logon Forensics by Sunil Gupta - March 12, 2013 in Forensics
Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
All papers are copyrighted. No re-posting or distribution of papers is permitted.