3 Days Left to Save $400 on SANS Tyson's Corner Spring 2017

Reading Room: Most Popular Papers

SANS eNewsletters

Receive the latest security threats, vulnerabilities, and news with expert commentary

Featuring the 25 most popular papers within the past year as of January 23, 2017

  • SANS 2016 Security Analytics Survey Analyst Paper
    by Dave Shackleford - December 6, 2016 in Security Analytics and Intelligence

    Survey respondents have become more aware of the value of analytics and have moved beyond using them simply for detection and response to using them to measure and aid in improving their overall risk posture. Still, we’ve got a long way to go before analytics truly progresses in many security organizations. Read on to learn more.


  • Detecting and Preventing Anonymous Proxy Usage STI Graduate Student Research
    by John Brozycki - November 6, 2008 in Intrusion Detection

    This paper explores methods organizations may use to detect and prevent anonymous proxy usage.


  • Packets Don't Lie: LogRythm NetMon Freemium Review Analyst Paper
    by Dave Shackleford - January 18, 2017 in Intrusion Detection, Data Loss Prevention

    With more traffic than ever passing through our environments, and adversaries who know how to blend in, network security analysts need all the help they can get. At the same time, data is leaking out of our environments right under our noses. This paper investigates how LogRhythm’s Network Monitor Freemium (NetMon Freemium) Version 3.2.3 provides intelligent monitoring, and helps organizations to identify sensitive data leaving the network and to respond when loss occurs.


  • Tracking Malware With Public Proxy Lists by James Powers - January 27, 2011 in Malicious Code, Tools

    The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd, was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).


  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • Continuous Monitoring: Build A World Class Monitoring System for Enterprise, Small Office, or Home STI Graduate Student Research
    by Austin Taylor - December 15, 2016 in Critical Controls, Intrusion Detection

    For organizations who wish to prevent data breaches, incident prevention is ideal, but detection of an attempted or successful breach is a must. This paper outlines guidance for network visibility, threat intelligence implementation and methods to reduce analyst alert fatigue. Additionally, this document includes a workflow for Security Operations Centers (SOC) to efficiently process events of interest thereby increasing the likelihood of detecting a breach. Methods include Intrusion Detection System (IDS) setup with tips on efficient data collection, sensor placement, identification of critical infrastructure along with network and metric visualization. These recommendations are useful for enterprises, small homes, or offices who wish to implement threat intelligence and network analysis.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Finding Bad with Splunk STI Graduate Student Research
    by David Brown - December 16, 2016 in Critical Controls

    There is such a deluge of information that it can be hard for information security teams to know where to focus their time and energy. This paper will recommend common Linux and Windows tools to scan networks and systems, store results to local filesystems, analyze results, and pass any new data to Splunk. Splunk will then help security teams narrow in on what has changed within the networks and systems by alerting the security teams to any differences between old baselines and new scans. In addition, security teams may not even be paying attention to controls, like whitelisting blocks, that successfully prevent malicious activities. Monitoring failed application execution attempts can give security teams and administrators early warnings that someone may be trying to subvert a system. This paper will guide the security professional on setting up alerts to detect security events of interest like failed application executions due to whitelisting. To solve these problems, the paper will discuss the first five Critical Security Controls and explain what malicious behaviors can be uncovered as a result of alerting. As the paper progresses through the controls, the security professional is shown how to set up baseline analysis, how to configure the systems to pass the proper data to Splunk, and how to configure Splunk to alert on events of interest. The paper does not revolve around how to implement technical controls like whitelisting, but rather how to effectively monitor the controls once they have been implemented.


  • Detecting DNS Tunneling STI Graduate Student Research
    by Greg Farnham - March 19, 2013 in DNS Issues

    Web browsing and email use the important protocol, the Domain Name System (DNS), which allows applications to function using names, such as example.com, instead of hard-to-remember IP addresses.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • Data Breach Impact Estimation STI Graduate Student Research
    by Paul Hershberger - January 3, 2017 in Data Protection, Data Loss Prevention

    Internal and External auditors spend a significant amount of time planning their audit processes to align their efforts with the needs of the audited organization. The initial phase of that audit cycle is the risk assessment. Establishing a firm understanding of the likelihood and impact of risk guides the audit function and aligns its work with the risks the organization faces. The challenge many auditors and security professionals face is effectively quantifying the potential impact of a data breach to their organization. This paper compares the data breach cost research of the Ponemon Institute and the RAND Corporation, comparing the models against breach costs reported by publicly traded companies by the Securities and Exchange Commission (SEC) reporting requirements. The comparisons will show that the RAND Corporation's approach provides organizations with a more accurate and flexible model to estimate the potential cost of data breaches as they relate to the direct cost of investigating and remediating a breach and the indirect financial impact associated with regulatory and legal action of a data breach. Additionally, the comparison indicates that data breach-related impacts to revenue and stock valuation are only realized in the short-term.


  • Windows Logon Forensics by Sunil Gupta - March 12, 2013 in Forensics

    Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.


  • Detecting Malicious SMB Activity Using Bro STI Graduate Student Research
    by Richie Cyrus - December 13, 2016 in Intrusion Detection

    Attackers utilize the Server Message Block (SMB) protocol to blend in with network activity, often carrying out their objectives undetected. Post-compromise, attackers use file shares to move laterally, looking for sensitive or confidential data to exfiltrate out a network. Traditional methods for detecting such activity call for storing and analyzing large volumes of Windows event logs, or deploying a signature-based intrusion detection solution. For some organizations, processing and storing large amounts of Windows events may not be feasible. Pattern based intrusion detection solutions can be bypassed by malicious entities, potentially failing to detect malicious activity. Bro Network Security Monitor (Bro) provides an alternative solution allowing for rapid detection through custom scripts and log data. This paper introduces methods to detect malicious SMB activity using Bro.


  • A Black-Box Approach to Embedded Systems Vulnerability Assessment STI Graduate Student Research
    by Michael Horkan - December 5, 2016 in Security Basics, Risk Management

    Vulnerability assessment of embedded systems is becoming more important due to security needs of the ICS/SCADA environment as well as the emergence of the Internet of Things (IoT). Often, these assessments are left to test engineers without intimate knowledge of the device's design, no access to firmware source or tools to debug the device while testing. This gold paper will describe a test lab black-box approach to evaluating an embedded device's security profile and possible vulnerabilities. Open-source tools such as Burp Suite and python scripts based on the Sulley Fuzzing Framework will be employed and described. The health status of the device under test will be monitored remotely over a network connection. I include a discussion of an IoT test platform, implemented for Raspberry Pi, and how to approach the evaluation of IoT using this device as an example.


  • Building a World-Class Security Operations Center: A Roadmap Analyst Paper
    by Alissa Torres - April 15, 2015 
    • Sponsored By: RSA

    Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • Insider Threats and the Need for Fast and Directed Response Analyst Paper
    by Dr. Eric Cole - December 1, 2016 in Threats/Vulnerabilities

    As breaches continue to cause significant damage to organizations, security consciousness is shifting from traditional perimeter defense to a holistic understanding of what is causing the damage and where organizations are exposed. Although many attacks are from an external source, attacks from within often cause the most damage. This report looks at how and why insider attacks occur and their implications.


  • EVTX and Windows Event Logging by Brandon Charter - November 13, 2008 in Logging Technology and Techniques

    This paper will explore Microsoft’s EVTX log format and Windows Event Logging framework.


  • Minimizing Legal Risk When Using Cybersecurity Scanning Tools STI Graduate Student Research
    by John Dittmer - January 19, 2017 in Legal Issues

    When cybersecurity professionals use scanning tools on the networks and devices of organizations, there can be legal risks that need to be managed by individuals and enterprises. Often, scanning tools are used to measure compliance with cybersecurity policies and laws, so they must be used with due care. There are protocols that should be followed to ensure proper use of the scanning tools to prevent interference with normal network or system operations and to ensure the accuracy of the scanning results. Several challenges will be examined in depth, such as, measuring for scanner accuracy, proper methods of obtaining written consent for scanning, and how to set up a scanning session for optimum examination of systems or networks. This paper will provide cybersecurity professionals and managers with a better understanding of how and when to use the scanning tools while minimizing the legal risk to themselves and their enterprises.


  • Active Defense via a Labyrinth of Deception STI Graduate Student Research
    by Nathaniel Quist - December 5, 2016 in Active Defense

    A network baseline allows for the identification of malicious activity in real time. However, a baseline requires that every listed action is known and accounted, presenting a nearly impossible task in any production environment due to an ever-changing application footprint, system and application updates, changing project requirements, and not least of all, unpredictable user behaviors. Each obstacle presents a significant challenge in the development and maintenance of an accurate and false positive free network baseline. To surmount these hurdles, network architects need to design a network free from continuous change including, changing company requirements, untested systems or application updates, and the presence of unpredictable users. Creating a static, never-changing environment is the goal. However, this completely removes the functionality of a production network. Or does it? Within this paper, I will detail how this type of static environment, referred to as the Labyrinth, can be placed in front of a production environment and provide real time defensive measures against hostile and dispersed attacks, from both human actors and automated machines. I expect to prove the Labyrinth is capable of detecting changes in its environment in real time. It will provide a listing of dynamic defensive capabilities like identifying attacking IP addresses, rogue-process start commands, modifications to registry values, alterations in system memory and recording the movements of an attacker's tactics, techniques, and procedures. At the same time, the Labyrinth will add these values to block list, protecting the production network lying behind. Successful accomplishment of these goals will prove the viability and sustainability of a Labyrinth defending network (Revelle, 2011) environments.


  • An Introduction to Information System Risk Management by Steve Elky - June 6, 2006 in Auditing & Assessment

    Key elements of information security risk, offering insight into risk assessment methodologies.


  • Legal Considerations When Creating an Incident Response Plan STI Graduate Student Research
    by Bryan Chou - December 22, 2016 in Legal Issues

    Creating a cybersecurity incident response plan (CSIRP) is basic requirements of any security program. CSIRPs generally follow the six phases of the incident response process (preparation, identification, containment, eradication, recovery, and lessons learned) or some derivation of those steps (Kral, 2011). Once a security event begins, the cybersecurity incident response team (CSIRT) is focused on identification, containment, eradication, and recovery.. In other words, they are trying to get operations back to normal. The preparation phase is the time to thoughtfully consider and research the legal decisions required during a security event. Legal considerations to include in the CSIRP include the pertinent laws and regulations, what to do if prosecution is a possibility, and maintaining attorney-client privilege.


  • Next Generation of Privacy in Europe and the Impact on Information Security: Complying with the GDPR STI Graduate Student Research
    by Edward Yuwono - December 5, 2016 in Legal Issues

    Human rights have a strong place within Europe, part of this includes the fundamental right to privacy. Over the years, individual privacy has strengthened through various European directives. With the evolution of privacy continuing in Europe through the release of the General Data Protection Regulation (GDPR), how will the latest iteration of European Union (EU) regulation affect organisations and what will information security leaders need to do to meet this change? This paper will explore the evolution of privacy in Europe, the objectives and changes this iteration of EU privacy regulation will provide, what challenges organisations will experience, and how information security could be leveraged to satisfy the regulation.


  • Penetration Testing: Assessing Your Overall Security Before Attackers Do Analyst Paper
    by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Sile, Steve Mancini - November 17, 2006 in Penetration Testing

    CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.


  • A Checklist for Audit of Docker Containers STI Graduate Student Research
    by Alyssa Robinson - November 22, 2016 in Auditing & Assessment

    Docker and other container technologies are increasingly popular methods for deploying applications in DevOps environments, due to advantages in portability, efficiency in resource sharing and speed of deployment. The very properties that make Docker containers useful, however, can pose challenges for audit, and the security capabilities and best practices are changing rapidly. As adoption of this technology grows, it is, therefore, necessary to create a standardized checklist for audit of Dockerized environments based on the latest tools and recommendations.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.