SANS Information Security Reading Room
https://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

The Importance of Business Information in Cyber Threat Intelligence (CTI), the information required and how to collect it
https://www.sans.org/reading-room/whitepapers/threathunting/importance-business-information-cyber-threat-intelligence-cti-information-required-collect-37740
Today most threat feeds consist of IOCs, with each feed providing 1-10M IOCs per year. As a CTI platform adds more feeds, the ability to filter and prioritize threat information becomes a necessity. The SOC, incident response, and risk and compliance groups are the primary consumers of CTI, and CTI prioritized by relevance and importance helps focus the efforts of these high-performance groups. Relevance and importance can be determined using business and technical context. Business context is organizational knowledge: its processes, roles and responsibilities, underlying infrastructure and controls. Technical context is the footprint of malicious activity within the organization's networks, such as phishing activity, malware, and internal IOCs. This paper examines how business and technical information is used to filter and prioritize threat information.
Thu, 20 Apr 2017 00:00:00 +0000

Snort and SSL/TLS Inspection
https://www.sans.org/reading-room/whitepapers/detection/snort-ssl-tls-inspection-37735
An intrusion detection system (IDS) can analyze and alert on what it can see, but if the traffic is tunneled through an encrypted connection, the IDS cannot analyze that traffic. The difficulty of looking into the packet payload makes encrypted traffic one of the main challenges for an IDS. In Snort, the SSL/TLS preprocessor is optional and can only inspect connection handshakes, with no further inspection of the payload once the connection is established.
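To make concrete what handshake-only inspection does and does not reveal, here is an added example (not from the paper and not Snort code) that parses a TLS 1.2 ClientHello, ServerHello and application-data record the way a preprocessor could: it recovers the SNI hostname, the offered and chosen cipher suites, and, from the chosen suite, whether the session could later be decrypted with the server's private key (RSA key exchange) or not (ephemeral Diffie-Hellman). The record builders, the fixed random values and the host name example.test are constructed for the demonstration.

```python
"""What an IDS can read from a TLS 1.2 handshake, and what it cannot read
from the encrypted records that follow. Constructed records, not captures."""
import struct

# IANA cipher suite IDs. RSA key exchange lets a passive observer holding the
# server's private key recover the session key; (EC)DHE suites do not.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def handshake_body(record):
    """Strip the 5-byte record header and 4-byte handshake header."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) != 5 + length:
        raise ValueError("not a complete handshake record")
    hlen = int.from_bytes(record[6:9], "big")
    return record[5], record[9:9 + hlen]


def parse_hello(record):
    """Return the plaintext fields of a ClientHello or ServerHello."""
    htype, body = handshake_body(record)
    pos = 2 + 32 + 1 + body[34]                  # version, random, session id
    info = {}
    if htype == CLIENT_HELLO:
        info["type"] = "ClientHello"
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                                 for i in range(pos, pos + n, 2)]
        pos += n + 1 + body[pos + n]             # suites, then compression list
    elif htype == SERVER_HELLO:
        info["type"] = "ServerHello"
        suite = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 3                                 # chosen suite + compression
        name, kx = CIPHER_SUITES.get(suite, ("unknown", "?"))
        info.update(cipher_suite=suite, cipher_name=name, key_exchange=kx,
                    private_key_decryptable=(kx == "RSA"))
    else:
        raise ValueError("unsupported handshake type %d" % htype)
    if pos + 2 <= len(body):                     # optional extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:                       # server_name: list len, type, len, name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                info["sni"] = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return info


def visible_payload(record):
    """An application-data record exposes nothing but its length."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != APPLICATION_DATA:
        raise ValueError("not an application-data record")
    return {"type": "ApplicationData", "encrypted_bytes": length}


def tls_record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def handshake_msg(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def build_client_hello(host, suites):
    """Constructed ClientHello with a fixed random and one SNI extension."""
    entry = b"\x00" + struct.pack("!H", len(host)) + host.encode("ascii")
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    return tls_record(HANDSHAKE, handshake_msg(CLIENT_HELLO, body))


def build_server_hello(suite):
    """Constructed ServerHello choosing one suite, no extensions."""
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return tls_record(HANDSHAKE, handshake_msg(SERVER_HELLO, body))


if __name__ == "__main__":
    print(parse_hello(build_client_hello("example.test", [0xC02F, 0x002F])))
    print(parse_hello(build_server_hello(0xC02F)))
    print(visible_payload(tls_record(APPLICATION_DATA, b"\x00" * 40)))
```

Running the file prints the SNI, the two offered suites and the chosen ECDHE suite; the only fact the application-data record yields is its length, which is all a signature-based IDS has to work with once the handshake completes, and a ServerHello that selects an ECDHE or DHE suite also tells the analyst that holding the server's private key will not be enough to decrypt the capture afterwards.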
Encrypted traffic can be fully decrypted when the server's private key is available, but some SSL/TLS key exchanges (ephemeral Diffie-Hellman, which provides forward secrecy) make decryption difficult even with that private key.
Thu, 20 Apr 2017 00:00:00 +0000

Integrating Prevention, Detection and Response Work Flows: SANS Survey on Security Optimization
https://www.sans.org/reading-room/whitepapers/bestprac/integrating-prevention-detection-response-work-flows-survey-security-optimization-37730
Are the prevention, detection, response and prediction functional groups operating in unison with shared data and workflow, or are they remaining true to the tradition of operational silos common in technology groups? In this survey, we analyze satisfaction with staffing levels, tools and management-support structures to provide best practices and guidance for IT security practitioners.
Wed, 19 Apr 2017 00:00:00 +0000

Speed and Scalability Matter: Review of LogRhythm 7 SIEM and Analytics Platform
https://www.sans.org/reading-room/whitepapers/analyst/speed-scalability-matter-review-logrhythm-7-siem-analytics-platform-37727
Just how scalable, fast and accurate are SIEM tools under load? To find out, we put the LogRhythm 7.2 Threat Lifecycle Management Platform to the test. We found that its clustered Elasticsearch indexing layer supported large volumes of security and event data during simulated events that would require investigation and remediation.
Thu, 13 Apr 2017 00:00:00 +0000

Identifying Vulnerable Network Protocols with PowerShell
https://www.sans.org/reading-room/whitepapers/access/identifying-vulnerable-network-protocols-powershell-37722
Microsoft Windows PowerShell has given rise to several exploit frameworks such as PowerSploit, PowerView, and PowerShell Empire. However, few of these frameworks examine network traffic for exploitable protocols.
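The paper builds its reconnaissance module in PowerShell; as an added illustration of the classification step this entry describes, and not the paper's own code, the following Python constructs sample Ethernet frames (not real captures) and flags the protocols the entry names: VRRP advertisements by IP protocol 112 to 224.0.0.18, LLMNR queries by UDP port 5355 to 224.0.0.252, PXE by a DHCP boot-file option, and DTP by its Cisco LLC/SNAP header. The MAC and IP addresses, the boot file name and the host name fileserver are constructed.

```python
"""Flag LAN protocols that are commonly left misconfigured, from raw
Ethernet frames: VRRP, DTP, LLMNR and PXE/DHCP. Frames are constructed."""
import socket
import struct

VRRP_PROTO, UDP_PROTO = 112, 17
LLMNR_PORT, DHCP_SERVER, DHCP_CLIENT = 5355, 67, 68
# 802.2 LLC (aa aa 03) + SNAP OUI 00:00:0c (Cisco) + PID 0x2004 (DTP)
CISCO_SNAP_DTP = b"\xaa\xaa\x03\x00\x00\x0c\x20\x04"


def dns_name(data, pos):
    """Decode an uncompressed DNS-style name (LLMNR questions use one)."""
    labels = []
    while data[pos]:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def dhcp_options(payload):
    """Return {code: value} for the options after the DHCP magic cookie."""
    opts, pos = {}, 240                       # 236-byte fixed header + cookie
    while pos < len(payload) and payload[pos] != 255:
        code, length = payload[pos], payload[pos + 1]
        opts[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    return opts


def classify(frame):
    """Return (protocol, detail) for frames worth a second look, else None."""
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype <= 1500 and frame[14:22] == CISCO_SNAP_DTP:   # 802.3 length
        return ("DTP", "trunk negotiation frame from %s" % src_mac.hex(":"))
    if ethertype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    dst_ip = socket.inet_ntoa(frame[14 + 16:14 + 20])
    l4 = frame[14 + ihl:]
    if proto == VRRP_PROTO and dst_ip == "224.0.0.18":
        # VRRPv2 header: ver/type, vrid, priority, addr count, auth type, interval
        return ("VRRP", "vrid %d priority %d auth_type %d" % (l4[1], l4[2], l4[4]))
    if proto != UDP_PROTO:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    payload = l4[8:]
    if dport == LLMNR_PORT and dst_ip == "224.0.0.252":
        return ("LLMNR", "query for %s" % dns_name(payload, 12))
    if {sport, dport} == {DHCP_SERVER, DHCP_CLIENT}:
        opts = dhcp_options(payload)
        if opts.get(60, b"").startswith(b"PXEClient") or 66 in opts or 67 in opts:
            return ("PXE", "boot file %s" % opts.get(67, b"").decode("ascii"))
    return None


def ipv4_frame(src, dst, proto, payload, sport=0, dport=0):
    """Constructed Ethernet/IPv4 frame; a UDP header is prepended for UDP."""
    if proto == UDP_PROTO:
        payload = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x01\x00\x5e\x00\x00\x01" + b"\x02" * 6 + b"\x08\x00" + ip + payload


SAMPLE_FRAMES = [  # constructed, not captured
    # VRRPv2 advertisement: vrid 1, priority 100, one address, auth type 0
    ipv4_frame("10.0.0.2", "224.0.0.18", VRRP_PROTO,
               bytes([0x21, 1, 100, 1, 0, 1]) + b"\x00\x00" + socket.inet_aton("10.0.0.1")),
    # LLMNR query for "fileserver": DNS header (id 0x1234, 1 question) + QNAME
    ipv4_frame("10.0.0.5", "224.0.0.252", UDP_PROTO,
               b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               + b"\x0afileserver\x00\x00\x01\x00\x01", 51000, LLMNR_PORT),
    # DHCP offer carrying a PXE boot file name (option 67)
    ipv4_frame("10.0.0.1", "10.0.0.9", UDP_PROTO,
               b"\x00" * 236 + b"\x63\x82\x53\x63" + b"\x43\x0bpxeboot.com\xff",
               DHCP_SERVER, DHCP_CLIENT),
    # DTP: 802.3 length field, LLC/SNAP with the Cisco DTP PID, version byte
    b"\x01\x00\x0c\xcc\xcc\xcc" + b"\x03" * 6 + b"\x00\x20" + CISCO_SNAP_DTP + b"\x01" + b"\x00" * 23,
    # Ordinary unicast UDP that must not be flagged
    ipv4_frame("10.0.0.5", "10.0.0.7", UDP_PROTO, b"hello", 40000, 9999),
]


def scan(frames):
    """Findings for every frame that classify() flags, in capture order."""
    return [f for f in map(classify, frames) if f]


if __name__ == "__main__":
    for proto, detail in scan(SAMPLE_FRAMES):
        print(proto, detail)
```

Each finding maps to a known abuse: a VRRP group with auth type 0 can be hijacked by a host advertising a higher priority, LLMNR queries can be answered by any host on the segment, a DTP frame means the port will negotiate a trunk, and a PXE boot file served over TFTP can be replaced or spoofed.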
Analyzing a small amount of network traffic can reveal possible network-based attack vectors such as Virtual Router Redundancy Protocol (VRRP), Dynamic Trunking Protocol (DTP), Link-Local Multicast Name Resolution (LLMNR) and PXE boot attacks, to name a few. How does one gather and analyze this traffic when Windows does not include an integrated packet analysis tool? PowerShell includes several network analysis and traffic-capture capabilities. This paper explores the use of these capabilities with the goal of building a PowerShell reconnaissance module that captures, analyzes, and identifies commonly misconfigured protocols without installing a third-party tool in a Microsoft Windows environment.
Thu, 06 Apr 2017 00:00:00 +0000

Securing the Home IoT Network
https://www.sans.org/reading-room/whitepapers/access/securing-home-iot-network-37717
The Internet of Things (IoT) has proven its ability to cause massive service disruption because of the lack of security in many devices. The vulnerabilities that enable those denial-of-service attacks are often the result of poor or absent security practices when the products are developed or installed. The common home network is not designed to protect against the design errors in IoT devices that expose users' privacy. The affordable price, low power requirements and customizability of single-board computers (SBCs) can help improve the protection of the home IoT network. An SBC can also add features such as auditing, inspection, authentication, and authorization to improve control over who and what can have access. A properly configured home-control gateway reduces some common IoT risks such as vendor-embedded backdoors and default credentials.
An open-source trusted device with a configuration shared and audited by many experts can reduce many of the bugs and misconfigurations introduced by deficient vendor security programs.
Wed, 05 Apr 2017 00:00:00 +0000

Detecting Attacks Against The 'Internet of Things'
https://www.sans.org/reading-room/whitepapers/internet/detecting-attacks-039-internet-things-039-37712
The need to detect attacks against our networks has exploded with the rapid adoption of connected devices affectionately dubbed the "Internet of Things" (IoT). Manufacturers are rushing devices to market to meet consumer demand, which shortens development time and calls into question both the level of security in the product development lifecycle and production standards. Vulnerabilities are appearing in the physical interfaces, wireless protocols, and user interfaces of IoT devices. It is imperative that intrusion analysts understand how to assess the attack surface, analyze threats, and develop the capability to detect attacks in IoT environments. This paper reviews threats, vulnerabilities, attacks, and intrusion detection as they apply to the IoT.
Thu, 30 Mar 2017 00:00:00 +0000

SOC-as-a-Service: All the Benefits of a Security Operations Center Without the High Costs of a DIY Solution
https://www.sans.org/reading-room/whitepapers/analyst/soc-as-a-service-benefits-security-operations-center-high-costs-diy-solution-37707
Security Operations Centers are increasingly important in today's enterprises: they protect against intrusions, damaging DDoS attacks and data breaches, and help with investigation and remediation. But how can midsize enterprises get the same SOC advantages as their large enterprise peers? This paper explores how Arctic Wolf Networks' CyberSOC can help midsize organizations roll out SOC-as-a-Service, gaining the benefits of a SOC without the high costs of a DIY solution.
Tue, 28 Mar 2017 00:00:00 +0000

Cyber Security Trends: Aiming Ahead of the Target to Increase Security in 2017
https://www.sans.org/reading-room/whitepapers/analyst/cyber-security-trends-aiming-target-increase-security-2017-37702
Attackers are always changing their methods, but some cybersecurity trends are clear, and identifying them will help security professionals plan for the coming year. Attacks will continue, and many will succeed. While security professionals should try to prevent breaches, it is far more critical to uncover breaches quickly and limit the damage. Another significant trend for 2017 is extending current security measures to better protect data in the cloud and to address the security shortcomings of the Internet of Things. Even while fighting daily security fires, security managers can expect boards of directors to show more interest in their efforts: board members are keenly aware that breaches can be high-profile catastrophes for companies, and they want the organizations they oversee to comply with new and more stringent regulations. This whitepaper covers the latest security hygiene and common success patterns that will best keep your organization off the "Worst Breaches of 2017" lists.
Mon, 20 Mar 2017 00:00:00 +0000

Tracking Online Counterfeiters
https://www.sans.org/reading-room/whitepapers/detection/tracking-online-counterfeiters-37697
Counterfeiting is a vast global business whose fraudulent impact is hard to quantify, and it has become more complex as black-market activity has moved to the internet.
Online counterfeiters create thousands of websites using different approaches to lure unsuspecting shoppers. This paper presents their most common tactics and how they relate to black-market commoditization, shows their resilience against takedown efforts, and gives guidance on how to detect them. With this knowledge, a new kind of threat intelligence feed can be generated and integrated into existing security technologies such as proxies, intrusion detection systems (IDSs) or security information and event management (SIEM) systems. The ultimate goal is to shed light on this growing fraud vector so that new detection capabilities can be deployed into existing services, protecting users from unsafe sites.
Thu, 16 Mar 2017 00:00:00 +0000

Securing DNS Against Emerging Threats: A Hybrid Approach
https://www.sans.org/reading-room/whitepapers/dns/securing-dns-emerging-threats-hybrid-approach-37692
This paper looks at the impact of mobility and new attack vectors on DNS-related risk and outlines use cases for securing DNS services more effectively. It also examines the use of a hybrid model of on-premises and cloud-based services to improve organizations' security posture.
Thu, 16 Mar 2017 00:00:00 +0000

Auto-Nuke It from Orbit: A Framework for Critical Security Control Automation
https://www.sans.org/reading-room/whitepapers/incident/auto-nuke-orbit-framework-critical-security-control-automation-37687
Over 83% of security teams report that the use of automation in security needs to increase within the next three years (Algosec, 2016). With automation becoming a reality for a growing number of companies, demand for open-source scripts to get started will also increase.
This paper provides a framework for prioritizing and developing security automation and demonstrates the process by writing a script that automates a common incident response procedure: reimaging an infected endpoint. The script's primary function is to call the application programming interfaces (APIs) of various enterprise software products to speed up the manual tasks involved in a reimage.
Wed, 15 Mar 2017 00:00:00 +0000

Detection of Backdating the System Clock in Windows
https://www.sans.org/reading-room/whitepapers/forensics/detection-backdating-system-clock-windows-37682
In digital forensics, evidence concerning date and time is a fundamental part of many investigations. System backdating, one of the most common anti-forensic techniques, appears in more and more cases. Because the system clock can be set back manually, investigators must establish the reliability of dates and times before drawing further conclusions. There is no simple way to tell whether the system clock has been backdated or tampered with, especially when it was subsequently reset to the correct time, but a variety of artifacts record the act of backdating the system clock. An investigator who needs to support the hypothesis that "the system clock has not been backdated" must examine multiple artifacts for corroboration.
Wed, 15 Mar 2017 00:00:00 +0000

Cyber Threat Intelligence Uses, Successes and Failures: The SANS 2017 CTI Survey
https://www.sans.org/reading-room/whitepapers/threats/cyber-threat-intelligence-uses-successes-failures-2017-cti-survey-37677
Respondents' biggest challenges to effective implementation of cyber threat intelligence (CTI) are a lack of trained staff, funding, time to implement new processes, and technical capability to integrate CTI, as well as limited management support.
Those challenges indicate a need for more training and for easier, more intuitive tools and processes to support the use of CTI in today's networks. These and other trends and best practices are covered in this report.
Tue, 14 Mar 2017 00:00:00 +0000

Cloud Security Monitoring
https://www.sans.org/reading-room/whitepapers/cloud/cloud-security-monitoring-37672
This paper discusses how to apply security log monitoring to Amazon Web Services (AWS) Infrastructure as a Service (IaaS) environments. It gives an overview of AWS CloudTrail and CloudWatch Logs, which can be stored and mined for suspicious events. Security teams implementing AWS solutions will benefit from applying security monitoring techniques to prevent unauthorized access and data loss. Splunk is used to ingest all CloudTrail and CloudWatch Logs, and machine learning models are used to identify suspicious activity in the AWS cloud infrastructure. The audience for this paper is security teams trying to implement AWS security monitoring.
Mon, 13 Mar 2017 00:00:00 +0000

Preparing for Compliance with the General Data Protection Regulation (GDPR): A Technology Guide for Security Practitioners
https://www.sans.org/reading-room/whitepapers/legal/preparing-compliance-general-data-protection-regulation-gdpr-technology-guide-security-practitioners-37667
The General Data Protection Regulation (GDPR) is the latest data protection legislation in the European Union. When it comes into effect, it will apply to a wide range of organizations, including those without a physical presence in the European Union. What does this complex regulation mean, and what does your organization need to do to comply? This paper explains both, as well as how to identify a Data Protection Officer and what this person needs to know to be effective.
It also provides a compliance checklist with concise, practical information your organization can begin using now.
Tue, 07 Mar 2017 00:00:00 +0000

In-Depth Look at Tuckman's Ladder and Subsequent Works as a Tool for Managing a Project Team
https://www.sans.org/reading-room/whitepapers/leadership/in-depth-tuckman-039-s-ladder-subsequent-works-tool-managing-project-team-37662
Bruce Tuckman's 1965 research on modeling group development, "Developmental Sequence in Small Groups," laid out a framework of four stages a group transitions through as its members interact: forming, storming, norming, and performing. This paper describes the original Tuckman model in detail along with derivative research on group development models. Both traditional and virtual team environments are addressed, to help IT project managers understand how a team evolves over time toward a successful project outcome.
Wed, 01 Mar 2017 00:00:00 +0000

Medical Data Sharing: Establishing Trust in Health Information Exchange
https://www.sans.org/reading-room/whitepapers/legal/medical-data-sharing-establishing-trust-health-information-exchange-37657
Health information exchange (HIE) "allows doctors, nurses, pharmacists, other health care providers and patients to appropriately access and securely share a patient's vital medical information electronically--improving the speed, quality, safety and cost of patient care" (HealthIT.gov, 2014). The greatest gain from HIE is interoperability across providers that, except for the care of a given patient, are unrelated. But by its very nature, HIE also raises concerns about the protection and integrity of shared, sensitive data. Trust is a major barrier to interoperability.
Wed, 01 Mar 2017 00:00:00 +0000

Next-Gen Endpoint Risks and Protections: A SANS Survey
https://www.sans.org/reading-room/whitepapers/analyst/next-gen-endpoint-risks-protections-survey-37652
Results of this survey suggest that we may need to broaden the definition of an endpoint to include users, as the two most common forms of attack reported are directed at users. Inadequate patching programs also lead to endpoint compromises, despite reported centralized endpoint management. Results also point to the need for improved detection, response, and automation of remediation processes.
Mon, 27 Feb 2017 00:00:00 +0000

Migration to Office 365: A Case Study on Security and Administration in the Non-profit Sector
https://www.sans.org/reading-room/whitepapers/microsoft/migration-office-365-case-study-security-administration-non-profit-sector-37647
A non-profit serves a mixed community of staff and volunteers. Its email archiving and spam filtering services were due to reach end of life in January 2017, and generous charity pricing for Office 365 from Microsoft was an incentive to move away from the existing hosted Exchange platform. The organization needed a migration strategy for Microsoft Office 365 that covered both upgrading the Microsoft Office software and migrating email. How could it accomplish the transition while maintaining or improving security?
Mon, 27 Feb 2017 00:00:00 +0000

Tor Browser Artifacts in Windows 10
https://www.sans.org/reading-room/whitepapers/forensics/tor-browser-artifacts-windows-10-37642
The Tor network is a popular, encrypted, worldwide anonymizing overlay network in existence since 2002, used by all facets of society: privacy advocates, journalists, governments, and criminals. This paper provides a forensic analysis of the Tor Browser version 5 client on a Windows 10 host for anyone interested in the remnants left by the software.
It uses various free and commercial tools to give a detailed analysis of filesystem artifacts, as well as a memory-analysis comparison of the host before and after connecting to the Tor network.
Fri, 24 Feb 2017 00:00:00 +0000

OS X as a Forensic Platform
https://www.sans.org/reading-room/whitepapers/forensics/os-forensic-platform-37637
The Apple Macintosh and its OS X operating system have seen increasing adoption by technical professionals, including digital forensic analysts, yet forensic software support for OS X remains less mature than for Windows or Linux. While many Linux forensic tools will run on OS X, instructions for configuring them there are often missing or confusing. OS X also lacks an integrated package management system for command-line tools, and Python, the basis of many open-source forensic tools, can be difficult to maintain and easy to misconfigure on OS X. Because of these challenges, many OS X users run their forensic tools from Windows or Linux virtual machines. While this can be an effective and expedient solution, those users miss out on much of the power of the Macintosh platform. This research examines the process of configuring a native OS X forensic environment that includes many open-source forensic tools, including Bulk Extractor, Plaso, Rekall, Sleuthkit, Volatility, and Yara: choosing the right hardware and software, configuring it properly, and overcoming some of the unique challenges of the OS X environment. A series of performance tests helps determine the optimal hardware and software configuration and examines the performance impact of virtualization options.
Wed, 22 Feb 2017 00:00:00 +0000

DevSecOps Transformation: The New DNA of Agile Business
https://www.sans.org/reading-room/whitepapers/analyst/devsecops-transformation-dna-agile-business-37632
This is an additional resource that accompanies the analyst paper "The DevSecOps Approach to Securing Your Code and Your Cloud," available at https://www.sans.org/reading-room/whitepapers/analyst/devsecops-approach-securing-code-cloud-37597.
Tue, 21 Feb 2017 00:00:00 +0000

Indicators of Compromise: TeslaCrypt Malware
https://www.sans.org/reading-room/whitepapers/awareness/indicators-compromise-teslacrypt-malware-37622
Malware has become a growing concern in a society of interconnected devices and real-time communications. This paper shows how to analyze live ransomware samples and how the malware behaves locally, over time, and on the network. Analyzing live ransomware gives a three-dimensional perspective that locates crucial signatures and behaviors efficiently. Instead of reverse engineering or parsing the structure of the malware executable, live analysis provides a simpler way to root out indicators. Ransomware touches just about every file and many registry keys, so analysis can be done but must be focused. Analyzing malware capabilities across datasets, including process monitoring, flow data, registry key changes, and network traffic, yields indicators of compromise. These indicators are collected with free and open-source tools such as the Sysinternals suite, Fiddler, Wireshark, and Snort, to name a few, and used to build defensive countermeasures against unwanted advanced adversary activity on a network. A virtual appliance platform with a simulated production Windows 8 OS is created, infected, and processed to collect indicators that can be used to secure enterprise systems.
Different tools leverage these datasets to gather indicators, view the malware at multiple layers, contain compromised hosts, and prevent future infections.
Thu, 16 Feb 2017 00:00:00 +0000

PLC Device Security - Tailoring needs
https://www.sans.org/reading-room/whitepapers/threats/plc-device-security-tailoring-37612
Programmable logic controllers (PLCs) are widely used in many industries. With increasing concern about and interest in the security of these controllers and their impact on industry, there is a growing trend to integrate security directly into them. A one-size-fits-all solution is neither realistic nor wise. This paper presents focus areas and requirements suited to the various classes of PLCs on the market. It looks at the threats and vulnerabilities they face and the security solutions currently adopted, then recommends how PLC vendors should apply different but extensible security solutions across the classes of controllers in their product portfolio.
Wed, 15 Feb 2017 00:00:00 +0000
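For the "Cloud Security Monitoring" entry above, an added example (not the paper's code, which ingests the logs into Splunk and applies machine learning) of the rule-based triage a team would run over CloudTrail records before any statistical scoring: root account use, console logins without MFA, CloudTrail tampering calls, security groups opened to 0.0.0.0/0, and bursts of AccessDenied errors from one principal. The field names are CloudTrail's own; the account ID 111122223333, the principal names, the group ID and the source IP are constructed sample data.

```python
"""Rule-based triage of AWS CloudTrail records: the checks a SIEM search
would run before any machine-learning scoring. Sample log is constructed."""
import json
from collections import Counter

TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCESS_DENIED_THRESHOLD = 3


def sg_opens_to_world(params):
    """True if an AuthorizeSecurityGroupIngress request allows 0.0.0.0/0."""
    for perm in (params or {}).get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


def evaluate(records):
    """Return (rule, eventTime, actor, detail) findings in log order."""
    findings, denied = [], Counter()
    for rec in records:
        ident = rec.get("userIdentity", {})
        actor = ident.get("arn") or ident.get("type", "unknown")
        name, when = rec.get("eventName"), rec.get("eventTime")
        if ident.get("type") == "Root":
            findings.append(("root-activity", when, actor, name))
        if name == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console-login-no-mfa", when, actor,
                             rec.get("sourceIPAddress")))
        if name in TAMPER_EVENTS:
            findings.append(("cloudtrail-tampering", when, actor, name))
        if name == "AuthorizeSecurityGroupIngress" and \
                sg_opens_to_world(rec.get("requestParameters")):
            findings.append(("sg-open-to-world", when, actor,
                             rec["requestParameters"].get("groupId")))
        if rec.get("errorCode") == "AccessDenied":
            denied[actor] += 1
            if denied[actor] == ACCESS_DENIED_THRESHOLD:   # alert once per actor
                findings.append(("access-denied-burst", when, actor,
                                 "%d denials" % denied[actor]))
    return findings


def load_findings(log_text):
    """CloudTrail log files are JSON objects with a top-level Records list."""
    return evaluate(json.loads(log_text)["Records"])


# Constructed identities and records (account ID and names are not real).
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
CI = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci/build"}

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-03-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": ALICE,
     "sourceIPAddress": "203.0.113.7", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-03-01T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": ALICE,
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2017-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": ROOT,
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
] + [
    {"eventTime": "2017-03-01T10:1%d:00Z" % i, "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": CI, "errorCode": "AccessDenied"}
    for i in range(3)
]})


if __name__ == "__main__":
    for finding in load_findings(SAMPLE_LOG):
        print(*finding)
```

The StopLogging finding is the one to act on first: an attacker who can stop the trail blinds every later rule, so this check should run against CloudWatch Logs in near real time rather than only against the delayed S3 delivery.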
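For the "Detection of Backdating the System Clock in Windows" entry above, an added example (not the paper's code) of two corroborating checks: Windows event log record IDs increase monotonically, so a record whose TimeCreated precedes that of the previous record ID shows the clock was set back even if it was later restored, and Security event ID 4616 ("The system time was changed") records the previous and new time directly in its PreviousTime and NewTime fields. The records are constructed sample data using those field names, and they assume the 4616 record is stamped after the change takes effect.

```python
"""Two corroborating checks for a backdated Windows system clock, run over
event log records exported as dicts. The records below are constructed."""
from datetime import datetime, timedelta

SYSTEM_TIME_CHANGED = 4616        # Security log: "The system time was changed"
TOLERANCE = timedelta(seconds=2)  # ignore sub-second jitter and NTP slews


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_backdating(records):
    """records: dicts with RecordId, TimeCreated, EventId and Data (the
    EventData fields). Returns (record_id, kind, detail) in record order."""
    findings, prev_id, prev_ts = [], None, None
    for rec in sorted(records, key=lambda r: r["RecordId"]):
        ts = parse_ts(rec["TimeCreated"])
        # Record IDs only ever increase, so an earlier timestamp on a later
        # record means the clock moved backwards between the two writes.
        if prev_ts is not None and ts < prev_ts - TOLERANCE:
            findings.append((rec["RecordId"], "timestamp-regression",
                             "record %d stamped %s after record %d stamped %s"
                             % (rec["RecordId"], ts, prev_id, prev_ts)))
        # Event 4616 states the old and new time; a backwards change is
        # direct evidence even if a later 4616 restores the correct time.
        if rec["EventId"] == SYSTEM_TIME_CHANGED:
            old = parse_ts(rec["Data"]["PreviousTime"])
            new = parse_ts(rec["Data"]["NewTime"])
            if new < old - TOLERANCE:
                findings.append((rec["RecordId"], "clock-set-back",
                                 "%s -> %s by %s" % (old, new,
                                 rec["Data"].get("SubjectUserName", "?"))))
        prev_id, prev_ts = rec["RecordId"], ts
    return findings


SAMPLE_RECORDS = [  # constructed; assumes the 4616 record carries the new time
    {"RecordId": 1001, "TimeCreated": "2017-02-10T09:00:00Z", "EventId": 4624, "Data": {}},
    # clock set back 26 days
    {"RecordId": 1002, "TimeCreated": "2017-01-15T09:05:00Z", "EventId": 4616,
     "Data": {"PreviousTime": "2017-02-10T09:05:00Z", "NewTime": "2017-01-15T09:05:00Z",
              "SubjectUserName": "admin"}},
    {"RecordId": 1003, "TimeCreated": "2017-01-15T09:06:00Z", "EventId": 4663, "Data": {}},
    # clock restored: a forward change, not flagged on its own
    {"RecordId": 1004, "TimeCreated": "2017-02-10T09:10:00Z", "EventId": 4616,
     "Data": {"PreviousTime": "2017-01-15T09:07:00Z", "NewTime": "2017-02-10T09:10:00Z",
              "SubjectUserName": "admin"}},
    {"RecordId": 1005, "TimeCreated": "2017-02-10T09:11:00Z", "EventId": 4624, "Data": {}},
]


if __name__ == "__main__":
    for finding in find_backdating(SAMPLE_RECORDS):
        print(*finding)
```

The two checks corroborate each other in the sense the entry describes: if the 4616 record has been cleared or the Security log was not auditing time changes, the regression between records 1001 and 1002 still stands, and a regression with no matching 4616 is itself worth explaining.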