Online Training Special Offer: Get an iPad (32G), Galaxy Tab A, or $250 Off Online Training!

Reading Room: Most Popular Papers

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






Featuring the 25 most popular papers within the past week as of February 21, 2020

  • Vulnerabilities on the Wire: Mitigations for Insecure ICS Device Communication STI Graduate Student Research
    by Michael Hoffman - February 12, 2020 in Industrial Control Systems / SCADA

    Modbus TCP and other legacy ICS protocols ported over from serial communications are still widely used in many ICS verticals. Due to extended operational ICS component life, these protocols will be used for many years to come. Insecure ICS protocols allow attackers to potentially manipulate PLC code and logic values that could lead to disrupted critical system operations. These protocols are susceptible to replay attacks and unauthenticated command execution (Bodungen, Singer, Shbeeb, Hilt, & Wilhoit, 2017). This paper examines the viability of deploying PLC configuration modifications, programming best practices, and network security controls to demonstrate that it is possible to increase the difficulty for attackers to maliciously abuse ICS devices and mitigate the effects of attacks based on insecure ICS protocols. Student kits provided in SANS ICS515 and ICS612 courses form the backdrop for testing and evaluation of ICS protocols and device configurations.


  • How to identify malicious HTTP Requests by Niklas Sarokaari - January 21, 2013 in Intrusion Detection

    Hypertext transfer protocol (HTTP) is a stateless protocol and it uses a message-based model.


  • Are You Hitting the Mark with DMARC? by Robert Mavretich - February 12, 2020 in Email Issues

    As organizations struggle to protect their end-users from email attacks despite pragmatic methods such as phishing and awareness training, there is another tool available to assist in reducing this threat – Domain-based Message Authentication, Reporting, and Conformance (DMARC). Despite the many tangible benefits of DMARC, including monitoring, quarantining, and rejecting potentially harmful emails based on various indicators, many organizations have not moved to implement DMARC to make a positive difference in email protection and delivery worldwide. This paper highlights the benefits and outline steps that security technology departments can take to effectively partner with internal stakeholders (such as Sales and Marketing) to establish a win-win scenario of appropriately protecting the enterprise while furthering business goals.


  • Tips and Scripts for Reconnaissance and Scanning by Zoltan Panczel - February 12, 2020 in Threat Intelligence

    Nowadays, information is the key to success. Pentesters' and bounty hunters' first step is to collect information about the target. The crucial part of the recon process is to identify as many hosts as possible. There are plenty of useful, necessary tools to conduct this searching but with limited automated capabilities. The recon and scanning procedures are repetitive; hence, automating these is effective to minimize the effort. Testers can make a customized framework if they combine the primary tools with scripting. Based on the discovered vulnerabilities and work experience, a little tuning or modification of tools might open new opportunities to find bugs.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Physical Security and Why It Is Important by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • Tracking Malware With Public Proxy Lists by James Powers - January 27, 2011 in Malicious Code, Tools

    The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd, was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).


  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - February 18, 2020 in Intrusion Detection, Threat Hunting

    Deception technologies can significantly improve an organization's capability to quickly and accurately detect attackers that intentionally avoid looking malicious. At the same time, deception technologies can collect threat intelligence and attack attribution information to improve response effectiveness. Implemented as network-accessible resources, on endpoints and even in cloud implementations, deception technologies can cover major attack surfaces to assist with attack malicious behaviors like account hijacking, phishing, vulnerable applications, and more.


  • Case Study: Critical Controls that Could Have Prevented Target Breach STI Graduate Student Research
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).


  • Learning from the Dridex Malware - Adopting an Effective Strategy by Lionel Teo Jia Yeong - October 29, 2015 in Intrusion Detection

    Dridex Malware first surface at the third quarter of 2014 (Olson, 2014) targeting specifically companies in financial and banking industry.


  • The OSI Model: An Overview by Rachelle Miller - September 13, 2001 in Standards

    This paper provides an overview of the Open Systems Interconnection (OSI) reference model which defines a hierarchical architecture that logically partitions the functions required to support system-to-system communication.


  • Methods for Understanding and Reducing Social Engineering Attacks STI Graduate Student Research
    by Michael Alexander - May 3, 2016 in Critical Controls, Social Engineering

    Social engineering is arguably the easiest way for an attacker to penetrate the defenses of an organization.


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 in Intrusion Detection, Incident Handling, Intrusion Prevention, Penetration Testing, Threats/Vulnerabilities

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malwareRut15, their tactics techniques and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.


  • Defending Infrastructure as Code in GitHub Enterprise STI Graduate Student Research
    by Dane Stuckey - January 21, 2020 in Securing Code

    As infrastructure workloads have changed, cloud workflows have been adopted, and elastic provisioning and de-provisioning have become standard, manual processes. As a result, semi-automated infrastructure management workflows have proven insufficient. One of the most widely implemented solutions to these problems has been the adoption of declarative infrastructure as code, a philosophy and set of tools which use machine-readable files that declare the desired state of infrastructure. Unfortunately, infrastructure as code has introduced new attack surfaces and techniques that traditional network defense controls may not adequately cover or account for. This paper examines a common deployment of infrastructure as code via GitHub Enterprise and HashiCorp Terraform, explores an attack scenario, examines attacker tradecraft within the context of the MITRE ATT&CK framework, and makes recommendations for defensive controls and intrusion detection techniques.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    `A lot of currently available penetration testing resources lack report writing methodology and approach which leads to a very big gap in the penetration testing cycle. Report in its definition is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report Writing is a crucial part for any service providers especially in IT service/ advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at major electronics firm Said "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying that in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)


  • Detecting and Preventing Unauthorized Outbound Traffic by Brian Wippich - October 29, 2007 in Intrusion Detection

    This paper will describe some of the risks associated with outbound traffic, methods for securing this traffic, techniques for circumventing these controls, and methods for detecting and preventing these techniques. There is no way to eliminate all risk associated with outbound traffic short of closing all ports. However, a good understanding of these risks should allow you to make informed decisions on securing this traffic.


  • Detecting and Preventing Anonymous Proxy Usage STI Graduate Student Research
    by John Brozycki - November 6, 2008 in Intrusion Detection

    This paper explores methods organizations may use to detect and prevent anonymous proxy usage.


  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 in Automation, Incident Handling, Malicious Code

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.


  • Lateral traffic movement in Virtual Private Clouds STI Graduate Student Research
    by Andy Huang - January 3, 2020 in Cloud Computing

    Cloud vendors have introduced virtual private cloud (VPC) structures to bring the benefits of private cloud into the public cloud. These structures provide vertical segmentation and isolation for application projects implemented within them. However, the security context needs to be considered as applications communicate with one another between VPCs using technologies such as peering and privatelinks. Applications are usually highly dependent on each other for data and functionality, leading to cross-connections between VPC structures. The implications between different connection setups need to be vetted to ensure that access is not overly permissive, thus leading to possible lateral movement of traffic.


  • Case Study: The Home Depot Data Breach STI Graduate Student Research
    by Brett Hawkins - October 27, 2015 in Breaches, Case Studies

    The theft of payment card information has become a common issue in today's society. Even after the lessons learned from the Target data breach, Home Depot's Point of Sale systems were compromised by similar exploitation methods. The use of stolen third-party vendor credentials and RAM scraping malware were instrumental in the success of both data breaches. Home Depot has taken multiple steps to recover from its data breach, one of them being to enable the use of EMV Chip-and-PIN payment cards. Is the use of EMV payment cards necessary? If P2P (Point-to-Point) encryption is used, the only method available to steal payment card data is the installation of a payment card skimmer. RAM scraping malware grabbed the payment card data in the Home Depot breach, not payment card skimmers. However, the malware would have never been installed on the systems if the attackers did not possess third-party vendor credentials and if the payment network was segregated properly from the rest of the Home Depot network. The implementation of P2P encryption and proper network segregation would have prevented the Home Depot data breach.


  • A Security Checklist for Web Application Design by Gail Bayse - May 2, 2004 in Securing Code

    Web applications are very enticing to corporations. They provide quick access to corporate resources; user-friendly interfaces, and deployment to remote users is effortless. For the very same reasons web applications can be a serious security risk to the corporation.


  • Threat Hunting and Incident Response in a post-compromised environment by Rukhsar Khan - December 3, 2019 in Forensics

    If you give an attacker 100 days to move freely in your compromised environment, the evidence is reasonably strong that your organization is pretty bad at Security Operations (The future of Security Operations). However, repeatedly sending false positives breach escalation to the forensic team is also problematic. It happens in a lot of large organizations, banks and, government institutions across the globe. This paper starts with an overview of current significant problems identified in Security Operations and Digital Forensics and Incident Response (DFIR) teams and reasons behind them. Then, we will discuss on the solution that encompasses the MITRE ATT&CK framework (MITRE ATT&CK) along with a robust Cyber Threat Intelligence (CTI). Appropriate data collection sources for data enrichment, including all Cyber Security threat information expressed in the STIX language, will also be covered. Although the solution includes specific commercial and non-commercial products and tools from various vendors and organizations, we are not necessarily in favor of any. The core implementation of the MITRE ATT&CK framework, however, is performed in the IBM Resilient Security Orchestration, Automation, and Response (SOAR) product.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.