SANS Information Security Reading Room
https://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns
https://www.sans.org/reading-room/whitepapers/analyst/2018-industrial-iot-security-survey-shaping-iiot-security-concerns-38505
IIoT endpoint security is the leading concern of respondents to the 2018 SANS IIoT Security Survey, with network security controls and countermeasures being the main enablers of IIoT security. Most of the growth in connected devices is expected to be in devices used for monitoring, status, alarms and alerting, as well as predictive maintenance, but over 50% of respondents are still using their devices to control operations and processes. Read on to learn more.
Wed, 18 Jul 2018 00:00:00 +0000

Times Change and Your Training Data Should Too: The Effect of Training Data Recency on Twitter Classifiers
https://www.sans.org/reading-room/whitepapers/artificialintelligence/times-change-training-data-too-effect-training-data-recency-twitter-classifiers-38500
Sophisticated adversaries are moving their botnet command and control infrastructure to social media microblogging sites such as Twitter. As security practitioners work to identify new methods for detecting and disrupting such botnets, including machine-learning approaches, we must better understand what effect training data recency has on classifier performance. This research investigates the performance of several binary classifiers and their ability to distinguish between non-verified and verified tweets as the offset between the age of the training data and the test data changed. Classifiers were trained on three feature sets: tweet-only features, user-only features, and all features. Key findings show that classifiers perform best at +0 offset, that feature importance changes over time, and that more features are not necessarily better. Classifiers using user-only features performed best, with a mean Matthews correlation coefficient of 0.95 ± 0.04 at +0 offset, 0.58 ± 0.43 at -8 offset, and 0.51 ± 0.21 at +8 offset. The R² values are 0.90, 0.34, and 0.26, respectively. Thus, the classifiers tested at +0 offset accounted for 56% to 64% more variance than those tested at -8 and +8 offset. These results suggest that classifier performance is sensitive to the recency of the training data relative to the test data. Further research is needed to replicate this experiment with botnet vs. non-botnet tweets to determine whether similar classifier performance is possible and the degree to which performance is sensitive to training data recency.
Wed, 11 Jul 2018 00:00:00 +0000

Content Security Policy in Practice
https://www.sans.org/reading-room/whitepapers/securecode/content-security-policy-practice-38495
Implementing Content Security Policy to leverage web browser capabilities in protecting a web application from cross-site scripting attacks has been a challenge for many legacy web applications. Typical web applications maintained over the years accumulate a number of web pages that do not follow a consistent design. There are no widely available tools to quickly transform legacy web pages to adopt Content Security Policy. The results of this research cover the outcome of implementing a set of tools to address this need.
Fri, 06 Jul 2018 00:00:00 +0000

One-Click Forensic Analysis: A SANS Review of EnCase Forensic
https://www.sans.org/reading-room/whitepapers/application/one-click-forensic-analysis-review-encase-forensic-38490
When security incidents occur, law enforcement needs forensic information in hours, not days. The new features in EnCase Forensic 8 purport to assist investigators in gathering and analyzing key data more efficiently. Learn more in this product review of EnCase Forensic 8.
Wed, 27 Jun 2018 00:00:00 +0000

Using Image Excerpts to Jumpstart Windows Forensic Analysis
https://www.sans.org/reading-room/whitepapers/forensics/image-excerpts-jumpstart-windows-forensic-analysis-38485
There are many options available for acquiring, processing and analyzing forensic disk images. Choices range from feature-rich commercial tools that provide all-in-one solutions to open source scripts for carrying out specific tasks. The availability of these tools and the hard work of those who contribute to the forensic community have made the job of the examiner much easier. Even with recent advances, analysis can still be time-consuming, particularly in the acquisition and processing of Windows full disk images. One alternative is to extract and analyze first the files historically known to contain the most relevant data. In many cases, a relatively small number of files contain the majority of the information needed to perform a forensic examination. Tests were performed on Windows images to analyze some of these high-value artifacts and find an efficient approach for selectively acquiring and extracting different types of metadata. A script was then written to automate repetitive steps and leverage the open source tools found on the most recent Linux version of the SANS SIFT virtual machine.
Mon, 25 Jun 2018 00:00:00 +0000

Cloud Security: Are You Ready?
https://www.sans.org/reading-room/whitepapers/bestprac/cloud-security-ready-38480
As more midsize organizations move into the cloud, security professionals may wonder why cloud security seems difficult. More than likely, the real security challenge is the perceived loss of control. Numerous security best practices plus improved security products and services now exist. This short paper takes a look at some of the key elements and best practices for midsize enterprises looking to ensure security in their cloud implementations.
Mon, 18 Jun 2018 00:00:00 +0000

Windows 10 as a Forensic Platform
https://www.sans.org/reading-room/whitepapers/forensics/windows-10-forensic-platform-38475
Microsoft Windows is widely used by forensic professionals, and Windows 10 is the latest version available today. Many popular forensic packages such as FTK, EnCase, and Redline run only on Windows. Other packages such as Python, Volatility, The Sleuth Kit and Autopsy have Windows versions. This paper details the process of configuring a Windows 10 computer as a forensic investigation platform. It shows the necessary steps to set up the operating system and install Windows Subsystem for Linux, Python, VMware, and VirtualBox. The research examines the setup of dd.exe, FTK Imager, EnCase Forensic Imager, Redline, The Sleuth Kit, Autopsy, the SANS SIFT workstation, Volatility and Log2Timeline. It also highlights the external devices that will be used, such as write blockers and external drives. Metrics are collected to show the effectiveness of the software tools and hardware devices. By following the described steps, the reader will have a configured Windows 10 workstation that provides a useful platform for conducting forensic investigations.
Fri, 15 Jun 2018 00:00:00 +0000

Stopping IoT-based Attacks on Enterprise Networks
https://www.sans.org/reading-room/whitepapers/analyst/stopping-iot-based-attacks-enterprise-networks-38470
The increased use of IoT devices on business networks presents a growing challenge to security, and printers are an especially overlooked device from a security perspective. This paper examines specific attack areas for IoT devices, particularly printers, including data, management, monitoring and reporting, and makes recommendations for protecting against various attacks.
Thu, 14 Jun 2018 00:00:00 +0000

Endpoint Protection and Response: A SANS Survey
https://www.sans.org/reading-room/whitepapers/clients/endpoint-protection-response-survey-38460
Respondents have a vested interest in improving visibility, detection and response through more automated, integrated endpoint protection, detection and response technologies. In this survey, 84% of endpoint breaches included more than one endpoint. Desktops, laptops, server endpoints, endpoints in the cloud, SCADA and other IIoT devices are being caught in the dragnet of multi-endpoint breaches. Read on for more detail, best practices and advice.
Tue, 12 Jun 2018 00:00:00 +0000

Back to Basics: Building a Foundation for Cyber Integrity
https://www.sans.org/reading-room/whitepapers/analyst/basics-building-foundation-cyber-integrity-38455
File integrity is at the heart of maintaining a secure cyber profile. But cyber security must also protect system integrity: the state of the infrastructure (encompassing applications, endpoints and networks) in which intended functions must not be degraded or impaired by other changes or disruptions to its environments. This SANS Spotlight explores how cyber integrity weaves people, processes and technology together into a holistic framework that guards the modern enterprise against changes, whether authorized or unauthorized, that weaken security and destabilize operations.
Wed, 06 Jun 2018 00:00:00 +0000

Passive Analysis of Process Control Networks
https://www.sans.org/reading-room/whitepapers/detection/passive-analysis-process-control-networks-38450
In recent years there has been an increased push to secure critical ICS infrastructures by introducing information security management systems. One of the first steps in the ISMS lifecycle is to identify which assets are present in the infrastructure and to determine which ones are critical for operations. This is a challenge because, for various reasons, the documentation of the current state of ICS networks is often not up to date. Classic inventorying techniques such as active network scanning cannot be used to remedy this because ICS devices tend to be sensitive to unexpected network traffic; active scanning of these systems can lead to physical damage and even injury. This paper introduces a passive network analysis approach to starting, verifying and/or supplementing an ICS asset inventory. Additionally, this type of analysis can provide some insight into the ICS network's current security posture.
Fri, 01 Jun 2018 00:00:00 +0000

Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules
https://www.sans.org/reading-room/whitepapers/malicious/reverse-engineering-wannacry-worm-anti-exploit-snort-rules-38445
Today, a lot of malware is being created and utilized. To address this problem, many researchers study technologies that can respond quickly and automatically to detected malware; using artificial intelligence (AI) is one such example. However, modern AI has difficulty responding to new attack methods. On the other hand, malware comes in variants, and the root (core) part often uses the same technology. Therefore, I think that if we can identify that core part of malware through analysis, we can identify many variants as well. This paper considers the possibility of using reverse engineering to identify countermeasures from malware analysis results.
Sun, 27 May 2018 00:00:00 +0000

Hunting Threats Inside Packet Captures
https://www.sans.org/reading-room/whitepapers/threathunting/hunting-threats-packet-captures-38440
Inspection of packet captures (PCAP) for signs of intrusions is a typical everyday task for security analysts and an essential skill analysts should develop. Malware has many ways to hide its activity at the system level (for example, rootkits), but in the end it must leave a visible trace at the network level, whether or not that trace is obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace and dissect it using Bro Network Security Monitor (Bro), to support efficient, active threat hunting for possible intrusions.
Wed, 23 May 2018 00:00:00 +0000

Extracting Timely Sign-in Data from Office 365 Logs
https://www.sans.org/reading-room/whitepapers/logging/extracting-timely-sign-in-data-office-365-logs-38435
Office 365 is quickly becoming a repository of valuable organizational information, including data that falls under multiple privacy laws. Timely detection of a compromised account, and stopping the bad guy before data is exfiltrated or destroyed or the account is used for nefarious purposes, is the difference between an incident and a compromise. Microsoft provides audit logging and alerting tools that can help system administrators find these incidents. An examination of the efficacy and efficiency of these tools, and of their shortcomings and advantages, provides insight into how best to use them to protect individual accounts and the organization as a whole.
Tue, 22 May 2018 00:00:00 +0000

Methods for the Controlled Deployment and Operation of a Virtual Patching Program
https://www.sans.org/reading-room/whitepapers/threats/methods-controlled-deployment-operation-virtual-patching-program-38430
In today's rapidly changing IT environments, new vulnerabilities are identified at an increasing pace and attackers are becoming more sophisticated in their ability to exploit them. At the same time, systems have become more complex and are still used in conjunction with older technologies, which results in challenges in testing and deploying traditional patches.
Sun, 20 May 2018 00:00:00 +0000

Automated Detection and Analysis using Mathematical Calculations
https://www.sans.org/reading-room/whitepapers/detection/automated-detection-analysis-mathematical-calculations-38425
A compromised system usually shows some form of anomalous behaviour. Examples include new processes, services, or outbound traffic. In an ideal environment, rules are configured to alert on such anomalies, and an analyst then performs further analysis to determine whether a compromise has occurred. However, the real-world situation is less than ideal: new processes, outbound traffic, or other anomalies often blend into legitimate activity. A large network can generate terabytes of data daily, making the task of developing efficient detection capabilities challenging. Mathematical calculations can enhance detection capability by emulating the human confidence level in assessment and analysis. Mathematical analysis can help establish the context of an event, automatically establishing the fidelity of the initial investigation. By incorporating automated analysis to handle false positives, human errors and false negatives can be avoided, resulting in greater detection and monitoring capability.
Thu, 17 May 2018 00:00:00 +0000

Automate Threat Detection and Incident Response: SANS Review of RSA NetWitness Platform
https://www.sans.org/reading-room/whitepapers/analyst/automate-threat-detection-incident-response-review-rsa-netwitness-platform-38420
In a recent SANS survey, approximately 35 percent of respondents said their greatest impediment is a skills gap in their IT environments. With that in mind, we reviewed RSA NetWitness Platform, a solution that aims to bridge the human skills gap via machine learning and analytics. This review focuses on RSA NetWitness Platform and examines different views, from responding to an incident to performing an investigation and drilling down to see an activity in real time.
Thu, 10 May 2018 00:00:00 +0000

10 Endpoint Security Problems Solved by the Cloud
https://www.sans.org/reading-room/whitepapers/threats/10-endpoint-security-problems-solved-cloud-38415
SANS surveys and testimonials from IT and security professionals indicate that endpoint security is a challenge. There is too much complexity and cost, defenses aren't keeping up, and security staff is stretched thin. This infographic explores how the cloud can help address these issues.
Fri, 04 May 2018 00:00:00 +0000

Agile Security Patching
https://www.sans.org/reading-room/whitepapers/bestprac/agile-security-patching-38410
Security patch management is one of the biggest security and compliance challenges for organizations to sustain. History reveals that many of the large data breaches were successful because of a missing critical security update. Further, the frequency and scope of patching continue to grow. This paper presents a new approach to security patching following Agile and NIST methodology.
Thu, 03 May 2018 00:00:00 +0000

Do Random IP Lookups Mean Anything?
https://www.sans.org/reading-room/whitepapers/malicious/random-ip-lookups-anything-38405
Being able to identify the external IP address of a network is usually a benign activity. Applications may opt to use online services via an HTTP request or API call. Currently, there are some web-based applications that provide this kind of service openly, and some with possibly malicious uses. In fact, malware threats have been using these services to map out and identify their targets for quite some time already, a fact acknowledged in technical write-ups but given little recognition by active defenders. The goal of looking into these web services is to isolate the threats that have abused such a service and to identify this kind of network activity. If we can associate an external IP lookup with suspicious activity, then we can assume that the endpoint requires some form of investigation. Identifying endpoints through IP addresses may pose a challenge, but the identification methods proposed in this paper, correctly placed, may be considered. This paper also examines the malicious activity that has used such online services, how the use of those services has changed over time, how to differentiate the threats that use them, and finally how to detect them using open source tools where applicable.
Wed, 02 May 2018 00:00:00 +0000

Tailoring Intelligence for Automated Response
https://www.sans.org/reading-room/whitepapers/analyst/tailoring-intelligence-automated-response-38400
Overworked and understaffed IT security teams are trying to integrate threat intelligence into their detection, response, and protection processes, but not very successfully. IT teams need fewer intelligence alerts and more visibility into the external threats that matter to their enterprises. SANS Analyst Sonny Sarai discusses his experience reviewing IntSights' Enterprise Threat Intelligence and Mitigation Platform under simulated attack, detection, and remediation scenarios.
Wed, 02 May 2018 00:00:00 +0000

Back to Basics: Focus on the First Six CIS Critical Security Controls
https://www.sans.org/reading-room/whitepapers/securitytrends/basics-focus-first-cis-critical-security-controls-38395
Post-breach investigations reveal that the majority of security incidents occur because well-known security controls and practices were not implemented or were not working as organizations had assumed. This paper explores how Version 7.0 of the Center for Internet Security (CIS) Critical Security Controls addresses the current threat landscape, emerging technologies and tools, and changing mission and business requirements around security.
Tue, 01 May 2018 00:00:00 +0000

Security Testing and Vendor Selection with BreakingPoint
https://www.sans.org/reading-room/whitepapers/analyst/security-testing-vendor-selection-breakingpoint-38390
In this product review conducted by SANS instructor Serge Borso, we learned that BreakingPoint is more than just a network testing tool. BreakingPoint provides a unique solution that enables security assessment, vendor selection and change management. It integrates well and is easy to use. We believe the tool has great value to the security community, and specifically to larger enterprises in the midst of infrastructure updates and those optimizing information security programs.
Mon, 30 Apr 2018 00:00:00 +0000

Understanding Mobile Device Wi-Fi Traffic Analysis
https://www.sans.org/reading-room/whitepapers/mobile/understanding-mobile-device-wi-fi-traffic-analysis-38380
Mobile devices have become more than just a portable means of placing phone calls in locations previously deprived of traditional phone service. In addition to versatile phone service, mobile devices can use the internet through Mobile Internet Protocol (Mobile IP). This can cause a problem whenever a device roams between different points of the cellular network: the IP handoff that takes place during the transfer between cellular towers can result in degraded performance, which can impede traffic analysis. A thorough understanding of Wi-Fi traffic and Mobile IP technology could benefit network and system administrators and defenders by heightening awareness in a field that is surpassing more commonly understood technology.
Tue, 24 Apr 2018 00:00:00 +0000

Learning CBC Bit-flipping Through Gamification
https://www.sans.org/reading-room/whitepapers/testing/learning-cbc-bit-flipping-gamification-38375
Cryptanalysis concepts like CBC bit-flipping can be difficult to grasp through study alone. Working through hands-on exercises is a common teaching technique intended to help, but freely available training tools may not be readily available for advanced web application penetration testing practice. To this end, this paper describes CBC bit-flipping and offers instruction on trying this cryptanalysis technique. A CBC bit-flipping game is also provided within the OWASP Mutillidae II web application. Mutillidae is a large collection of deliberately vulnerable web application challenges designed to teach web security in a stand-alone, local environment.
Tue, 24 Apr 2018 00:00:00 +0000