NEW Managing Security Vulnerabilities: Enterprise and Cloud Course in Boston. Save $300 thru 2/26

Reading Room: Most Popular Papers

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






Featuring the 25 most popular papers within the past year as of February 22, 2020

  • Tracking Malware With Public Proxy Lists by James Powers - January 27, 2011 in Malicious Code, Tools

    The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd, was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Detecting and Preventing Anonymous Proxy Usage STI Graduate Student Research
    by John Brozycki - November 6, 2008 in Intrusion Detection

    This paper explores methods organizations may use to detect and prevent anonymous proxy usage.


  • Detecting and Preventing Unauthorized Outbound Traffic by Brian Wippich - October 29, 2007 in Intrusion Detection

    This paper will describe some of the risks associated with outbound traffic, methods for securing this traffic, techniques for circumventing these controls, and methods for detecting and preventing these techniques. There is no way to eliminate all risk associated with outbound traffic short of closing all ports. However, a good understanding of these risks should allow you to make informed decisions on securing this traffic.


  • Threat Hunting and Incident Response in a post-compromised environment by Rukhsar Khan - December 3, 2019 in Forensics

    If you give an attacker 100 days to move freely in your compromised environment, the evidence is reasonably strong that your organization is pretty bad at Security Operations (The future of Security Operations). However, repeatedly sending false positives breach escalation to the forensic team is also problematic. It happens in a lot of large organizations, banks and, government institutions across the globe. This paper starts with an overview of current significant problems identified in Security Operations and Digital Forensics and Incident Response (DFIR) teams and reasons behind them. Then, we will discuss on the solution that encompasses the MITRE ATT&CK framework (MITRE ATT&CK) along with a robust Cyber Threat Intelligence (CTI). Appropriate data collection sources for data enrichment, including all Cyber Security threat information expressed in the STIX language, will also be covered. Although the solution includes specific commercial and non-commercial products and tools from various vendors and organizations, we are not necessarily in favor of any. The core implementation of the MITRE ATT&CK framework, however, is performed in the IBM Resilient Security Orchestration, Automation, and Response (SOAR) product.


  • Defending Infrastructure as Code in GitHub Enterprise STI Graduate Student Research
    by Dane Stuckey - January 21, 2020 in Securing Code

    As infrastructure workloads have changed, cloud workflows have been adopted, and elastic provisioning and de-provisioning have become standard, manual processes. As a result, semi-automated infrastructure management workflows have proven insufficient. One of the most widely implemented solutions to these problems has been the adoption of declarative infrastructure as code, a philosophy and set of tools which use machine-readable files that declare the desired state of infrastructure. Unfortunately, infrastructure as code has introduced new attack surfaces and techniques that traditional network defense controls may not adequately cover or account for. This paper examines a common deployment of infrastructure as code via GitHub Enterprise and HashiCorp Terraform, explores an attack scenario, examines attacker tradecraft within the context of the MITRE ATT&CK framework, and makes recommendations for defensive controls and intrusion detection techniques.


  • Lateral traffic movement in Virtual Private Clouds STI Graduate Student Research
    by Andy Huang - January 3, 2020 in Cloud Computing

    Cloud vendors have introduced virtual private cloud (VPC) structures to bring the benefits of private cloud into the public cloud. These structures provide vertical segmentation and isolation for application projects implemented within them. However, the security context needs to be considered as applications communicate with one another between VPCs using technologies such as peering and privatelinks. Applications are usually highly dependent on each other for data and functionality, leading to cross-connections between VPC structures. The implications between different connection setups need to be vetted to ensure that access is not overly permissive, thus leading to possible lateral movement of traffic.


  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Defense in Depth for a Small Office/Home Office STI Graduate Student Research
    by Gregory Melton - December 18, 2019 in Home & Small Office

    Much attention is given to enterprise security with expensive solutions and teams of both IT and security personnel, but the home office may only ever be proactively defended by a single amateur or hobbyist. Large scale corporate solutions may deal with Advanced Persistent Threats (APTs) and corporate espionage, but there are far fewer solutions to home office threats. This paper focuses on best practices for a home network running minimal servers to protect from casual browsing and careless home users. This research intends to demonstrate meaningful defense of endpoints in a local network by drastically reducing potential communication to C2 nodes and data exfiltration with proper filtering and minimal extra hardware.


  • Physical Security and Why It Is Important by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • Case Study: Critical Controls that Could Have Prevented Target Breach STI Graduate Student Research
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


  • Defense in Depth: Can Geolocation Help Prevent Tax Fraud? STI Graduate Student Research
    by Jon Glas - January 3, 2020 in Logging Technology and Techniques

    Abstract: Accountants and tax filing businesses use complex software to automate the preparation and electronic filing of tax returns. Cybercriminals harvest identities, breach networks, and impersonate legitimate users to leverage tax software to defraud the government, the affected businesses, and citizens for over $1 billion annually (McTigue, 2018). The IRS and tax software companies have partnered to implement controls focused on authentication, authorization, and detection to identify fraudulent tax returns before they are processed. These controls successfully prevent upwards of $10 billion of fraudulent filing a year (McTigue, 2018), but those controls focus on an analysis of the ‘who’ and ‘what’ components of tax returns. This paper uses Geolocation tools to look at the ‘where’ component of tax returns by analyzing legitimate and fraudulent tax return electronic filing data to look for trends and patterns. The goal of this paper is to determine if Geolocation technologies can be used as an additional layer of controls to support a defense in depth approach of fraud prevention.


  • Pass-the-hash attacks: Tools and Mitigation by Bashar Ewaida - February 23, 2010 in Penetration Testing

    Passwords are the most commonly used security tool in the world today (Skoudis & Liston, 2006). Strong passwords are the single most important aspect of information security, and weak passwords are the single greatest failure (Burnett, 2006). Password attacks, such as password guessing or password cracking, are time- consuming attacks. Tools that make use of precomputed hashes reduce the time needed to obtain passwords greatly. However, there is storage cost and time consumption related to the generation of those precompiled tables; this is especially true if the algorithm used to generate these passwords is relatively strong, and the passwords are complex and long (greater than 10 characters). In a pass-the-hash attack, the goal is to use the hash directly without cracking it, this makes time-consuming password attacks less needed.


  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 in Intrusion Detection, Incident Handling, Intrusion Prevention, Penetration Testing, Threats/Vulnerabilities

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malwareRut15, their tactics techniques and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.


  • The OSI Model: An Overview by Rachelle Miller - September 13, 2001 in Standards

    This paper provides an overview of the Open Systems Interconnection (OSI) reference model which defines a hierarchical architecture that logically partitions the functions required to support system-to-system communication.


  • Threat Hunting and Discovery: A SANS Review of Vectra Cognito Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - January 15, 2020 in Best Practices, Threat Hunting

    Vectra's Cognito security analytics platform aims to address modern attacks by analyzingmany of the attacker behaviors outlined in MITRE's ATT&CK matrix, which thoroughly describes an attack campaign and its phases. Security teams are facing pressure to detect attacks and respond to them more rapidly, which is difficult when trying to find evidence of lateral movement, reconnaissance, privilege escalation and other stealthy behavior. SANS reviewed the Cognito platform to understand how it can be used to rapidly analyze network data and provide a behavior-focused model of detection and response.


  • Catch Me If You Can: Detecting Server-Side Request Forgery Attacks on Amazon Web Services STI Graduate Student Research
    by Sean McElroy - November 27, 2019 in Cloud Computing, Intrusion Detection

    Cloud infrastructure offers significant benefits to organizations capable of leveraging rich application programming interfaces (APIs) to automate environments at scale. However, unauthorized access to management APIs can enable threat actors to compromise the security of large amounts of sensitive data very quickly. Practitioners have documented techniques for gaining access through Server-Side Request Forgery (SSRF) vulnerabilities that exploit management APIs within cloud providers. However, mature organizations have failed to detect some of the most significant breaches, sometimes for months after a security incident. Cloud services adoption is increasing, and firms need effective methods of detecting SSRF attempts to identify threats and mitigate vulnerabilities. This paper examines a variety of tools and techniques to detect SSRF activity within an Amazon Web Services (AWS) environment that can be used to monitor for real-time SSRF exploit attempts against the AWS API. The research findings outline the efficacy of four different strategies to answer the question of whether security professionals can leverage additional vendor-provided and open-source tools to detect SSRF attacks.


  • The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare STI Graduate Student Research
    by Terrence OConnor - February 14, 2012 in Attacking Attackers, Information Warfare

    We live in an era where a single soldier can digitally leak thousands of classified documents (possibly changing the course of war), attackers can compromise unmanned drone control software and intercept unencrypted video feeds, and recreational hackers can steal and release personal information from members of cyber think-tanks.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • Outline for a Successful Security Program by Jeff Norem - September 26, 2003 in Security Basics

    This paper is meant to give the reader an outline and high level view of security topics to examine when creating a network security program.


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    `A lot of currently available penetration testing resources lack report writing methodology and approach which leads to a very big gap in the penetration testing cycle. Report in its definition is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report Writing is a crucial part for any service providers especially in IT service/ advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at major electronics firm Said "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying that in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)


  • Securely Deploying Android Devices by Angel Alonso-Parrizas - September 23, 2011 in System Administration

    Nowadays it is necessary for most companies to provide e-mail/Internet access to employees outside of the office, hence many business provide their staff with BlackBerrys, iPhones, Android or other smartphones with Internet connectivity.


  • How to Leverage a CASB for Your AWS Environment Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - December 17, 2019 in Cloud Computing, Data Protection

    As organizations move applications and data to the cloud, the number of applications they can leverage grows constantly, as do the areas where data can reside. Cloud access security brokers (CASBs) provide the convenience and means to integrate with modern technologies and implement security controls. Discover how CASBs help you make sense of auditing data, provide data protection and storage security, take advantage of common CASB features to secure deployments.


  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 in Automation, Incident Handling, Malicious Code

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.