
Reading Room: Most Popular Papers

Featuring the 25 most popular papers within the past week as of September 1, 2016

  • Demystifying Malware Traffic by Sourabh Saxena - August 29, 2016 in Active Defense, Incident Handling, Malicious Code

    In today's world, adversaries use established techniques as well as innovative and intricate methods to commit cyber-crimes and to infiltrate firms' or individuals' systems. The use of malware is one of those approaches. Malware not only creates an inlet for attacks, but also turns systems into "zombies" and "bots", forcing them to obey commands and perform activities at the whim of the adversary. Thus, attacks such as data theft, mail relay, access to confidential/restricted areas and Distributed Denial-of-Service (DDoS) can easily be launched not just against the infected system but against other systems and environments as well, by utilizing these zombies, bots and botnets. Attackers not only obfuscate the code but can also encrypt payloads as well as the malware's traffic, using approaches like mutation and polymorphism that make detection difficult not just for antiviruses, but even for firewalls, IDS and IPS, Incident Handlers and Forensic teams. Organizations, having learned from past mistakes, have also shifted their approach from simple defense mechanisms such as antiviruses, IDS and IPS to aggressive strategies like DNS Sinkhole and Live Traffic Analysis. These strategies help not only in the identification and removal of malware but also in understanding the actual impact, blocking malicious activities and identifying adversaries.


  • Considerations for Implementing 802.1x in WLANs by Juan Chamorro - May 5, 2005 in Wireless Access

    Today, the deployment of wireless networks is regarded as a solution for mobility, flexibility and productivity; for this reason, the number of deployments of this type of technology keeps growing and is confirmed as a strong trend.


  • Building a Forensically Capable Network Infrastructure by Nik Alleyne - August 23, 2016 in Security Modeling

    The number of computer-related security incidents continues to grow yearly, resulting in the need to ensure that network infrastructures are built to be forensically capable. During the period January 2011 to December 2015, the number of reported computer security incidents grew over this four-year period from 1,281 to 3,930. Similar to the increased number of reported computer security incidents was the increased number of exposed records. During this same period, the number of exposed records jumped from 413 million to 736 million, with 2013 and 2014 having over 2 billion records exposed. Some challenges with becoming forensically capable relate to understanding the business needs, identifying the people to support that need and, ultimately, the technology or tools to support business needs.


  • Hunting with Prevention (Analyst Paper) by Dave Shackleford - August 24, 2016

    Traditional endpoint protection such as antivirus, while effective in some cases, is no match for the ever-changing techniques that attackers use to get past defenses, according to multiple SANS surveys.


  • Generating Hypotheses for Successful Threat Hunting by Robert M. Lee and David Bianco - August 15, 2016 in Threat Hunting, Threats/Vulnerabilities

    Threat hunting is a proactive and iterative approach to detecting threats. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated. One of the human's key contributions to a hunt is the formulation of hypotheses to guide the hunt. This paper explores three types of hypotheses and outlines how and when to formulate each of them.


  • Simple Approach to Access Control: Port Control and MAC Filtering by Bill Knaffl - August 22, 2016 in Network Access Control, Breaches, Critical Controls

    Many times businesses will spend time and money on "Magic Bullet" security and focus on a single technology or threat. This focus can lend itself more towards placing a "check in the box" for compliance rather than on actual security and facing today's threats. Frequently, missing controls have a cascading effect: because one control was missing or inadequate, other failures occur, turning a minor problem into a breach. This paper approaches one such incident, calls out which control was identified as the primary failure and offers an evaluation of a specific tool that could have helped prevent this attack. It covers not only the cost of the tool and the time to implement, but also discusses other costs such as training, monitoring, maintenance and user impact, and offers a guide for a successful implementation.


  • The SANS State of Cyber Threat Intelligence Survey: CTI Important and Maturing (Analyst Paper) by Dave Shackleford - August 15, 2016 in Best Practices, Threats/Vulnerabilities

    It's 2016, and the attacks (and attackers) continue to be more brazen than ever. In this threat landscape, the use of cyber threat intelligence (CTI) is becoming more important to IT security and response teams than ever before. This paper provides survey results along with advice and best practices for getting the most out of CTI.


  • SSL and TLS: A Beginner's Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • Automated Analysis of abuse mailbox for employees with the help of Malzoo by Niels Heijmans - August 23, 2016 in Threat Hunting

    For most companies, e-mail is still the main form of communication, both internally and with customers. Unfortunately, e-mail is also used heavily by cyber criminals in the form of spam, phishing, spear-phishing, fraud or to deliver malicious software. Employees receive these kinds of messages on a daily basis, even though strict security measures are implemented. Sometimes an employee will fall for the scam but often they will know when it is a false e-mail, especially after good awareness programs. Instead of letting them delete the e-mail, let them share it with you to learn and see what is coming through your security measures or what employees see as "fishy". But what should you do with the e-mails that are forwarded to this special "abuse" mailbox? Malzoo can be used to analyze this mailbox by picking up the e-mails, parsing them and sharing the results with the CERT team. By using the collected data, you can find new spam runs, update spam filters, receive new malware and learn in what parts of the company awareness is highest (and lowest). This paper explains the benefits and drawbacks of letting employees have a central point to report suspicious e-mail and how Malzoo can be used to automate the analysis.


  • Android Security: Web Browsers and Email Applications by Marsha Miller - August 29, 2016 in Critical Controls

    Mobile devices are popular communication tools that allow people to stay connected in most places at all times. Despite the varied proliferation of applications that can be installed on smartphones and tablets, web browsers and email applications are default applications that remain highly vulnerable if not properly addressed. This paper will compare several different mobile versions of these applications and use the E-mail and Web Browser Protections critical control to suggest ways to secure these end points.


  • Protect the Network from the Endpoint with the Critical Security Controls by G. W. Ray Davidson, PhD - August 22, 2016 in Network Access Control

    The endpoint is rapidly evolving and often the first vector of attack into enterprises, according to the SANS 2016 State of Endpoint Security Survey. As such, all endpoints should be considered potentially hostile.


  • Incident Handling Preparation: Learning Normal with the Kansa PowerShell Incident Response Framework by Jason Simsay - August 22, 2016 in Incident Handling

    Preparation is a critical step in establishing an effective incident response program. Information Security professionals that will be called upon to handle an incident must prepare ahead of time. Kansa is a PowerShell Incident Response Framework developed by Dave Hull. The PowerShell Remoting feature is leveraged to establish a highly scalable and extensible system state collection platform. Once data is collected from across the Microsoft environment, an extensive set of frequency analysis scripts may be executed to enable incident handlers to turn unknowns into knowns and to discover anomalies and indicators of compromise.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • The GICSP: A Keystone Certification by Derek R. Harp and Bengt Gregory-Brown - August 29, 2016 in Training

    The Global Industrial Cyber Security Professional (GICSP) certification was conceived in the winter of 2013 to address a growing challenge spanning multiple industries. Rapid and accelerating changes in technology were increasingly opening process control and automation system networks and equipment to security exposures, and developing a workforce to protect these systems was a growing concern. As a step towards addressing these and other control system security issues, representatives from Shell, Chevron, Saudi Aramco, BP, Rockwell Automation, Yokogawa Industries, Emerson, ABB, Cimation and the SANS Institute came together and laid out the framework of what would become the GICSP.


  • Arming SMBs Against Ransomware Attacks by Tim Ashford - August 31, 2016 in Malicious Code

    Ransomware has become one of the most serious cyber threats to small and medium businesses today. A recent variant permanently deletes files within one hour of infection. The situation grows increasingly dire: the FBI even encourages victims to make payment, though there is still no guarantee that owners will recover their data (ICIT Fellows, 2016). Despite such threats, small and medium enterprises can follow recommended best practices to mitigate this risk. Businesses with tighter budgets and fewer security team members can adopt many of the protections available to the largest enterprises. The most important recommendation is the use of application whitelisting. In Windows environments, this can be accomplished through free tools within Active Directory. Other options will also be discussed, as well as a brief discussion of the future of ransomware.


  • In but not Out: Protecting Confidentiality during Penetration Testing (Masters) by Andrew Andrasik - August 22, 2016 in Penetration Testing

    Penetration testing is imperative for organizations committed to security. However, independent penetration testers are rarely greeted with open arms when initiating an assessment. As firms implement the Critical Security Controls or the Risk Management Framework, independent penetration testing will likely become standard practice as opposed to a supplemental exercise. Ethical hacking is a common tactic to view a company's network from an attacker's perspective, but inviting external personnel into a network may increase risk. Penetration testers strive to gain superuser privileges wherever possible and utilize thousands of open-source tools and scripts, many of which do not originate from validated sources. Penetration testers may gain access to all compartmented sections of a network and document how to repeat successful exploits while saving restricted data to their laptops. This paper illustrates secure Tactics, Techniques, and Procedures (TTPs) to enable ethical hackers to complete their tests within scope while reducing managerial stress regarding confidentiality. A properly conducted independent penetration test should provide essential intelligence about a network without jeopardizing the confidentiality of proprietary data.


  • Filling the Gaps by Robert Smith - August 18, 2016 in Auditing & Assessment, Risk Management, Standards

    There should be an emphasis on the importance of regular internal and external auditing, focusing on the business mentality of "It can't happen to me" and mitigating the risk of complacency. The key areas covered will be cementing assessments and audits as a benefit rather than a reactive or troublesome activity, and the cost savings from regular auditing compared with the alternatives, such as breaches and poor publicity. The world is full of technical and administrative compliance requirements; understanding where gaps are present is not something to be afraid of, but something to readily embrace, acting upon those deficiencies. Thinking that you are compliant and knowing you are compliant can make a large difference in business longevity and profitability.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to ensure provable recovery capability.


  • Introduction to Rundeck for Secure Script Executions by John Becker - August 11, 2016 in Privilege Management

    Many organizations today support physical, virtual, and cloud-based systems across a wide range of operating systems. Providing least privilege access to systems can be a complex mesh of sudoers files, profiles, policies, and firewall rules. While configuration management tools such as Puppet or Chef help ensure consistency, they do not inherently simplify the process for users or administrators. Additionally, current DevOps teams are pushing changes faster than ever. Keeping pace with new services and applications often forces sysadmins to use more general access rules and thus expose broader access than necessary. Rundeck is a web-based orchestration platform with powerful ACLs and ssh-based connectivity to a wide range of operating systems and devices. Rundeck's simple user interface is coupled with DevOps-friendly REST APIs and YAML or XML configuration files. Using Rundeck for server access improves security while keeping pace with rapidly changing environments.


  • A security assessment of Z-Wave devices and replay attack vulnerability (Masters) by Mark Devito - August 31, 2016 in Internet of Things

    Within many modern homes, there exists a compelling array of vulnerable wireless devices. These devices present the potential for unauthorized access to networks, personal data and even the physical home itself. The threat originates from the Internet-connected devices, a ubiquitous collection of devices the consumer market dubbed the Internet of Things (IoT). IoT devices utilize a variety of communication protocols; a replay attack against the Z-Wave protocol was accomplished and demonstrated at ShmooCon 2016. The attack was carried out using two HackRF radios. This paper attempts to conduct a similar attack but employing a $35 US SDR, a $130 US sub-1 GHz dongle, and readily available Open Source applications, instead of the more expensive HackRF hardware.


  • Windows Logon Forensics by Sunil Gupta - March 12, 2013 in Forensics

    Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.


  • An Introduction to Information System Risk Management by Steve Elky - June 6, 2006 in Auditing & Assessment

    Key elements of information security risk, offering insight into risk assessment methodologies.


  • Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment by Jeremy Druin - October 22, 2013 in Application and Database Security, Getting Started/InfoSec, Penetration Testing

    Web application security has become increasingly important to organizations.


  • Penetration Testing: Assessing Your Overall Security Before Attackers Do Analyst Paper
    by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Sile, Steve Mancini - November 17, 2006 in Penetration Testing

    CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.


  • Building a World-Class Security Operations Center: A Roadmap (Analyst Paper) by Alissa Torres - April 15, 2015 - Sponsored by RSA

    Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.