SANS Information Security Reading Room
25 Computer Security Papers added to the Reading Room

The Sliding Scale of Cyber Security
The Sliding Scale of Cyber Security is a model for providing a nuanced discussion of the categories of actions and investments that contribute to cyber security.
Tue, 01 Sep 2015 00:00:00 +0000

A Proactive Approach to Incident Response
31 Aug 2015 00:00:00 +0000

Detecting and Preventing Attacks Earlier in the Kill Chain
Organizations place a strong focus on intrusion prevention technologies and not enough effort into detective technologies. Prevention of malicious attacks is ideal, but detection is mandatory in combating cyber threats. Security vendors will only provide blocking signatures when there is a near-zero false-positive rate. Because of this, there are signatures that are not implemented, resulting in false negatives from one's security devices. This paper provides a look at tools that can be used to improve the detection of attackers at every phase of their attack. The intelligence learned from these attacks allows one to defend against these known attack vectors. This paper will look at a variety of open-source network IDS capabilities and other analysis tools to look at preventing and detecting attacks earlier in the cyber kill chain.
Mon, 31 Aug 2015 00:00:00 +0000

The Fall of SS7 – How Can the Critical Security Controls Help?
For decades, the security of one of the fundamental protocols in telecommunications networks, Signaling System No. 7 (SS7), has been solely based on the mutual trust between the interconnecting operators. Operators relied on their trust in other operators to play by the rules, and the SS7 network has been regarded as a closed trusted network. This notion of trust and security has recently changed after several security researchers announced major vulnerabilities in the SS7 protocol that threaten the user's privacy and can lead to user location tracking, fraud, denial of service, or even call interception. In this paper we will discuss each individual attack and examine the possibility of using the critical security controls to protect against such attacks and enhance the security of SS7 interconnections.
Mon, 31 Aug 2015 00:00:00 +0000

Breaking the Ice: Gaining Initial Access
While companies are spending an increasing amount of resources on security equipment, attackers are still successful at finding ways to breach networks. This is a compounded problem with many moving parts, due to misinformation within the security industry and companies placing focus on areas of security that yield unimpressive results. A company cannot properly defend and protect against what it does not adequately understand, which tends to be a misunderstanding of its own security defense systems and of the relevant attacks that cyber criminals commonly use today. These misunderstandings result in attackers bypassing even the most seemingly robust security systems using the simplest methods. The author will outline the common misconceptions within the security industry that ultimately lead to insecure networks. Such misconceptions include a company's misallocation of its security budget, while other misconceptions include the controversies regarding which methods are most effective at fending off an attacker. Common attack vectors and misconfigurations that are devastating, but are highly preventable, are also detailed.
Fri, 28 Aug 2015 00:00:00 +0000

Using Hardware-Enabled Trusted Crypto to Thwart Advanced Threats
28 Aug 2015 00:00:00 +0000

Protecting Third Party Applications with RASP Infographic
27 Aug 2015 00:00:00 +0000

Deployment of a Flexible Malware Sandbox Environment Using Open Source Software
The identification and analysis of malware is one of the many tasks performed by incident handlers. Only a small number of commercial entities provide the technology capable of automating this. Most of the time these offerings are beyond the reach of small organizations due to the high costs associated with licensing and maintenance. One open source alternative is Cuckoo Sandbox. It is a free software project licensed under GNU GPLv3. It allows the user to analyze and collect data against suspected pieces of malware. The framework installation requires careful configuration by an experienced Linux administrator. The accepted method of deployment is to follow the prescribed steps and test the application "until it works." Attempting to scale the sandbox environment beyond a few virtual machines becomes a complicated process due to the maintenance required for multiple Windows configurations. By using techniques borrowed from DevOps methods, a small team of incident handlers can create a sandbox environment that is not only repeatable and consistent, but also scalable. The user can create multiple template "profiles," which allow for flexible testing.
Mon, 24 Aug 2015 00:00:00 +0000

Preventing data leakage: A risk based approach for controlled use of the use of administrative and access privileges
Organizations invest resources to protect their confidential information and intellectual property by trying to prevent data leakage or data loss. They adopt policies and implement technical controls to stop the loss and disclosure of sensitive information by outside attackers as well as inadvertent and malicious insiders. They follow best practices like the Critical Security Controls, specifically Control 12 ("Controlled Use of Administrative Privileges") and Control 17 ("Data Protection"), to prevent the unauthorized leakage and disclosure of sensitive information. One type of data loss or data leakage prevention control is endpoint protection solutions that stop file transfers to USB storage devices or file uploads to public websites. However, the larger and more complex the business and organization, the more users may be granted exceptions to these policies and controls in order for them to be able to fulfill their job-related tasks. The approval of these exceptions is often solely based on the business need for the individual user. This raises the question of how approving an exception influences the risk of data leakage for an organization. What is the specific data leakage risk of granting an individual user a certain exception? This paper presents a new approach to risk-based exception management, which will allow organizations to grant exceptions based on inherent data leakage risk. First, this paper introduces a concept for evaluating and categorizing users based on their access to sensitive information. Then, in the second step, a ruleset is defined for granting exceptions based on the categorization of users, which enables individual approvers to make informed decisions regarding exception requests. The overall objective is to lower the data leakage risk for organizations by controlling and limiting exceptions where the access, and thereby the potential loss of information, is the highest.
Mon, 24 Aug 2015 00:00:00 +0000

What Companies need to consider for e-Discovery
In the legal environment, Discovery is the process of identifying, locating, preserving, securing, collecting, preparing, reviewing, and producing facts, information, and materials for the purpose of producing/obtaining evidence for utilization in the legal process. Electronic Discovery (e-Discovery) is an extension of these processes into the digital environment and Electronically Stored Information (ESI). Legal departments are ill-prepared to deal with the digital environment of a business. Increasingly they are turning to the company's Information Technology (IT) department in order to identify, locate, preserve, and collect ESI. This is not the break/fix work that is typical in IT operations. This is a new area of Data Governance and Records Information Management. This paper explores the relationships between Executive Management, Legal, Risk Management, IT, and Security in fulfilling the demands and obligations for defensible e-Discovery. This analysis includes a discussion of the Electronic Discovery Reference Model (EDRM) and its integration with the Information Governance Reference Model (IGRM).
Mon, 24 Aug 2015 00:00:00 +0000

Paying Attention to Critical Controls
Organizations such as the Australian DSD, the European Commission and the US NSA have developed their lists of top mitigations and actions they consider necessary for organizations and governments to implement. It has been further established by the international information security community that the twenty critical security controls are the top relevant guidelines for implementing and achieving greater security. Many of the controls require the deployment and installation of security software. But is installing software all there is to it? Will an organization be better defended by buying lots of security products? In one particular use case, attackers were able to break through the network defenses of an organization that implemented many of the security controls but did not do so properly. Under a false sense of security, the senior leadership woke up to some bad news when they learned that gigabytes of data had been stolen from the organization's network after controls were in place. The implementation of security controls should be done with careful planning and attention to detail. This paper covers what the attackers did to circumvent the controls in place in the organization, how the organization could have implemented the critical controls properly to prevent this compromise, and what an organization needs to do to avoid this pitfall.
Fri, 21 Aug 2015 00:00:00 +0000

Detect, Contain and Control Cyberthreats
A SANS Analyst Program whitepaper by Dr. Eric Cole. It discusses the value of prioritizing mitigation efforts based on known risks and high-value targets, and how doing so can reinforce network defenses.
Thu, 20 Aug 2015 00:00:00 +0000

The Race to Detection: A Look at Rapidly Changing IR Practices
In the rapidly changing risk environment, those assigned to protect their organizations must be agile in adapting technology to meet the challenges presented to them. Read this paper to learn what leading incident response practices are doing, and what they plan for the future.
Wed, 19 Aug 2015 00:00:00 +0000

Insider-Focused Investigation Made Easier
A review by SANS analyst and instructor Dave Shackleford of Raytheon|Websense SureView Insider Threat. It discusses the product's ability to assist security teams in their efforts to mitigate the threats posed by trusted insiders.
Tue, 18 Aug 2015 00:00:00 +0000

DevOps Rescuing White Lodging from Breaches
For the second time in fourteen months, multiple financial institutions lodged complaints of fraud on customer credit and debit cards recently used at White Lodging Services' locations (Krebs, Hotel Franchise Firm White Lodging Investigates Breach, 2014). White Lodging, along with others, was attacked to gain access to the highly profitable credit card data in their financial systems. Companies are faced with the threat of many different kinds of malware specialized for Point of Sale systems. This paper will take a case study approach to examine the White Lodging breaches and show how adopting the Development Operations (DevOps) mindset could have worked to mitigate the breaches. This approach can provide an organization a systematic method to quickly implement the SANS Critical Controls.
Tue, 18 Aug 2015 00:00:00 +0000

Configuration Management with Windows PowerShell Desired State Configuration (DSC)
Maintaining information system baselines consistent with a formal configuration management plan can be a very difficult task. Changes to server-based systems and networking must be monitored in order to provide some measure of compliance. A new distributed configuration management platform by Microsoft® called Desired State Configuration (DSC) makes this task easier. The objective of this paper is to describe in depth how PowerShell 4.0 can help to solve this common problem. DSC uses a declarative syntax that any skilled administrator can utilize to deploy software, monitor configuration drift and even report conformance. DSC is cross-platform compatible, with hundreds of useful resources freely available. DSC leverages PowerShell 4.0 and gives administrators a useful way to automate configuration management.
Tue, 18 Aug 2015 00:00:00 +0000

Maturing and Specializing: Incident Response Capabilities Needed
Results reveal an increasingly complex response landscape and the need for automation of processes and services to provide both visibility across systems and the best avenues of remediation. Read this paper for coverage of these issues, along with best practices and sage advice.
Mon, 17 Aug 2015 00:00:00 +0000

Following a Breach: Simulating and Detecting a Common Attack
Networks are designed with multiple layers of preventive and detective controls. Even with these controls, networks continue to be breached, and these breaches can go unnoticed for months. While preventive measures cannot stop all attacks and exploits, detective measures should be able to identify intrusions and malicious activity in a timely manner. The ability to detect this activity depends on the kinds of intrusion monitoring systems in place and the analysts' ability to recognize and act on the alerts. This paper will outline the anatomy of a common attack, simulate the steps in an attack, including elements from the recent breach of Sally Beauty Supply, and determine how an attack can be detected.
Fri, 14 Aug 2015 00:00:00 +0000

Protecting Home Devices from Malicious or Blacklisted Websites
The majority of the devices on a home network have unrestricted outbound connectivity to the Internet (Barcena & Wueest, 2015). Other than the use of "opendns", which only provides some protection against phishing, fraud and limited blacklisting, a homeowner's options are limited. To provide protection from known malicious sites and produce DNS query logs for further detailed analysis, a simple virtual machine set up with DNS is proposed. When coupled with "opendns", unlimited blacklisting capability and automatic updates to block malicious sites from all devices are provided. The solution also provides the capability to analyze all the DNS logs using a log-based Intrusion Detection System like OSSEC.
Mon, 10 Aug 2015 00:00:00 +0000

Using Network Based Security Systems to Search for STIX and TAXII Based Indicators of Compromise
The interest in collecting actionable cyber intelligence has grown substantially over the last several years in response to the growing sophistication of attackers, and with it has come the need for organizations to more readily process indicators of compromise – and act immediately upon them to determine if they are present in a given enterprise environment. While host-based tools have been designed for this very purpose, they can be challenging to deploy on an enterprise-wide basis and are dependent on frequent updates. This paper will propose several methodologies by which these indicators of compromise may be visible within network traffic. It will further study how key network security devices (e.g. Snort IDS, IPTables Firewall, Web Proxy, etc.) can be used to effectively identify and alert on indicators of compromise both on the way into the network and also via analysis of outbound traffic. In addition, STIX and TAXII will be thoroughly investigated as individual protocols, including how they can best be incorporated into the rapid generation of customized network monitoring rules.
Mon, 10 Aug 2015 00:00:00 +0000

Securing Linux Containers
The components that make Linux containers possible have been available for several years, but recent projects, such as LXC and Docker, have made the technology much more accessible to users. Containers allow for even more efficient utilization of server resources through greater density and faster provisioning. However, securing containers is much more challenging than traditional virtualization methods, including KVM. The isolation layer between the container and the kernel, as well as between each container, is extremely thin. Weaknesses in the kernel or the container configuration can lead to compromises of containers or the entire system. The responsibility for managing the operating system within the container can also become blurry with time, and that can also lead to compromises of the container. Fortunately, Linux security modules, such as SELinux and AppArmor, along with careful configuration and container operating system management, can strengthen the thin walls around each container. Organizations that use mature Dev/Ops practices can also improve security within each container by automating the creation and deployment of container images. This paper will discuss the best strategies for securing a system running containers and the trade-offs that come with each.
Mon, 10 Aug 2015 00:00:00 +0000

Forensic Timeline Analysis using Wireshark GIAC (GCFA) Gold Certification
The objective of this paper is to demonstrate analysis of timeline evidence using the Wireshark protocol analyzer. To accomplish this, sample timelines will be generated using tools from The Sleuth Kit (TSK) as well as Log2Timeline. The sample timelines will then be converted into Packet Capture (PCAP) format. Once in this format, Wireshark's native analysis capabilities will be demonstrated in the context of forensic timeline analysis. The underlying hypothesis is that Wireshark can provide a suitable interface for enhancing an analyst's ability. This is accomplished through use of built-in features such as analysis profiles, filtering, colorization, marking, and annotation.
Mon, 10 Aug 2015 00:00:00 +0000

Data Loss Prevention and a Point of Sales Breach
Target could have used a data loss prevention solution to mitigate the success of its infamous data breach. However, organizations typically deploy data loss prevention with simple policies and rules that detect 15- or 16-digit number strings that might represent a credit card number; this strategy would not be effective in the case of the Target attack due to the attackers packaging the "loot" with Base64 encoding directly on the point of sale systems. Therefore, a security practitioner requires alternative detection measures to detect this type of anomalous activity. Data loss prevention can support an organization's ability to implement the Critical Security Controls, thereby providing the capability to detect such a sophisticated attack during the key stage of the Kill Chain model: Actions on Objective. Data loss prevention, when implemented with robust rules that reflect current attack tactics, techniques, and procedures, can reduce the likelihood of success by making it a bit more difficult to extract the valuable data.
Mon, 10 Aug 2015 00:00:00 +0000

Challenges for IDS/IPS Deployment in Industrial Control Systems
Intrusion Detection and Prevention Systems (IDS/IPS) are a key component of a defense-in-depth strategy for information systems. Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems need to incorporate this technology in order to properly defend against a growing threat landscape. This paper examines how to deploy this technology in a sample ICS/SCADA setting, identifies hurdles that both industrial control system vendors and asset owners must overcome in order to make IDS/IPS deployment successful, and provides recommendations for both vendors and owners on how to approach the use of these technologies. This paper is written with two audiences in mind. It is intended for the enterprise IT professional who is familiar with security technologies and best practices, but unfamiliar with ICS/SCADA, as well as ICS/SCADA engineers and managers who lack experience in enterprise security.
Fri, 07 Aug 2015 00:00:00 +0000

Observation and Response: An Intelligent Approach
A SANS Analyst Program whitepaper by J. Michael Butler. It discusses how properly focused observation and tracking efforts provide intelligence from inside the enterprise by monitoring for indicators of compromise such as odd point-in-time activities on the network, unusual machine-to-machine communications, outbound transfers, connection requests and many other suspicious activities.
Fri, 07 Aug 2015 00:00:00 +0000