SANS Information Security Reading Roomhttps://www.sans.org/reading-room/Last 25 Computer Security Papers added to the Reading RoomKohanaPHPData Mining in the Dark: Darknet Intelligence Automationhttps://www.sans.org/reading-room/whitepapers/threatintelligence/data-mining-dark-darknet-intelligence-automation-38175Open-source intelligence offers value in information security decision making through knowledge of threats and malicious activities that potentially impact business. Open-source intelligence using the internet is common, however, using the darknet is less common for the typical cybersecurity analyst. The challenges to using the darknet for open-source intelligence includes using specialized collection, processing, and analysis tools. While researchers share techniques, there are few publicly shared tools; therefore, this paper explores an open-source intelligence automation toolset that scans across the darknet - connecting, collecting, processing, and analyzing. It describes and shares the tools and processes to build a secure darknet connection, and then how to collect, process, store, and analyze data. Providing tools and processes serves as an on-ramp for cybersecurity intelligence analysts to search for threats. Future studies may refine, expand, and deepen this paper's toolset framework. Fri, 17 Nov 2017 00:00:00 +0000Leverage Risk Focused Teams to Strengthen Resilience against Cyber Riskshttps://www.sans.org/reading-room/whitepapers/recovery/leverage-risk-focused-teams-strengthen-resilience-cyber-risks-38170Information security, risk management, audit and business continuity teams must continue to evolve and mature to combat the growing cyber risks impacting business operations. Each team has standards and frameworks, but they often dont speak the same language or understand how each group intersects in protecting the organization. This research identifies opportunities to reduce resource duplication and integrate information security and risk-focused teams to strengthen the organizations resilience against cyber risks. Fri, 17 Nov 2017 00:00:00 +0000The State of Honeypots: Understanding the Use of Honey Technologies Todayhttps://www.sans.org/reading-room/whitepapers/detection/state-honeypots-understanding-honey-technologies-today-38165The aim of this study is to fill in the gaps in data on the real-world use of honey technologies. The goal has also been to better understand information security professionals views and attitudes towards them. While there is a wealth of academic research in cutting-edge honey technologies, there is a dearth of data related to the practical use of these technologies outside of research laboratories. The data for this research was collected via a survey which was distributed to information security professionals. This research paper includes details on the design of the survey, its distribution, analysis of the results, insights, lessons learned and two appendices: the survey in its entirety and a summary of the data collected. Fri, 17 Nov 2017 00:00:00 +0000Cyber Defense Challenges from the Small and Medium-Sized Business Perspectivehttps://www.sans.org/reading-room/whitepapers/hsoffice/cyber-defense-challenges-small-medium-sized-business-perspective-38160With 5.7 million SMBs in the United States, it is essential that the risks involving cybersecurity events are identified. Small and medium-sized businesses (SMBs) face different challenges than large enterprises in regard to cybersecurity. The goal of this project was to survey SMBs and reveal organizational barriers that impact the cybersecurity posture of SMBs. An online survey was administered with a final sample size of 22 SMBs. Significant results showed that the top challenges were finances to pay talent, regulatory compliance and professionally available talent. As a result of inadequate information technology (IT) and cybersecurity staffing, 64% of respondents were unaware if a successful cyber-attack had taken place. The significant challenge SMBs face is their security posture and knowing if they have been or are being targeted against a cyber-attack. The main objective of this project was to show the security profile of the typical SMB. Educational, software and hardware tools should be promoted to increase the security posture of SMBs. Further research might focus more on the staffing and dedicated hours of IT and cybersecurity employees.Fri, 17 Nov 2017 00:00:00 +0000Exploring the Effectiveness of Approaches to Discovering and Acquiring Virtualized Servers on ESXihttps://www.sans.org/reading-room/whitepapers/forensics/exploring-effectiveness-approaches-discovering-acquiring-virtualized-servers-esxi-38155As businesses continue to move to virtualized environments, investigators need updated techniques to acquire virtualized servers. These virtualized servers contain a plethora of relevant data and may hold proprietary software and databases that are relatively impossible to recreate. Before an acquisition, investigators sometimes rely on the host administrators to provide them with network topologies and server information. This paper will demonstrate tools and techniques to conduct server and network discovery in a virtualized environment and how to leverage the software used by administrators to acquire virtual machines hosted on vSphere and ESXi. Fri, 17 Nov 2017 00:00:00 +0000Cyber Threat Intelligence Support to Incident Handlinghttps://www.sans.org/reading-room/whitepapers/threatintelligence/cyber-threat-intelligence-support-incident-handling-38150Recent research has shown increased awareness of Cyber Threat Intelligence (CTI) capabilities. However, CTI teams continue to be underutilized and have had difficulty demonstrating the value they can add to digital forensics incident response (DFIR) teams. Meta-analysis of multiple surveys will identify where the gaps in knowledge exist. The paper will suggest how CTI can support DFIR at each level of intelligence and operations tactical, operational, and strategic and during each phase of the incident response lifecycle preparation; detection and analysis, containment, eradication, and recovery; and lessons learned. CTI teams should have priority intelligence requirements (PIRs) and a collection plan that supports answering those PIRs. In return, DFIR needs to share investigations and incident reports with the CTI team to reduce risk to the organization, decrease the time to detect an incident and decrease the time to remediate an incident. This paper builds on previous work by the author to develop CTI processes to support CTI planning. Fri, 17 Nov 2017 00:00:00 +0000Tackling the Unique Digital Forensic Challenges for Law Enforcement in the Jurisdiction of the Ninth U.S. Circuit Courthttps://www.sans.org/reading-room/whitepapers/forensics/tackling-unique-digital-forensic-challenges-law-enforcement-jurisdiction-ninth-us-circuit-court-38145The creation of a restrictive digital evidence search protocol by the U.S. Ninth Circuit Court of Appeals - the most stringent in the United States - triggered intense legal debate and caused significant turmoil regarding digital forensics procedures and practices in law enforcement operations. Understanding the Court's legal reasoning and the U.S. Department of Justice's counter-arguments regarding this protocol is critical in appreciating how the tension between privacy concerns and the challenges to law enforcement stand at the center of this unique Information Age issue. By focusing on the Court's core assumption that the seizure and search of electronically stored information are inherently overly intrusive, digital forensics practitioners have a worthy target to focus their efforts in the advancement of digital forensics processes, procedures, techniques, and tool-sets. This paper provides an overview of various proposals, developments, and possible approaches to help address the privacy concerns central to the Court's decision, while potentially improving the overall effectiveness and efficiency of digital forensic operations in law enforcement. Fri, 17 Nov 2017 00:00:00 +0000Supplementing Windows Audit, Alerting, and Remediation with PowerShellhttps://www.sans.org/reading-room/whitepapers/assurance/supplementing-windows-audit-alerting-remediation-powershell-38140This paper outlines the use of PowerShell to supplement audit, alerting, and remediation platform for Windows environments. This answers the question of why use PowerShell for these purposes. Several examples of using PowerShell are included to start the thought process on why PowerShell should be the security multi-tool of first resort. Coverage includes how to implement these checks in a secure, automatable way. To demonstrate the concepts discussed, small code segments are included. The intent of the included code segments is to inspire the reader's creativity and create a desire to use PowerShell to address challenges in their environment. Finally, a short section includes resources for code examples and learning tools. While some knowledge of PowerShell will aid the reader, the intended audience of this paper is the PowerShell novice. Thu, 16 Nov 2017 00:00:00 +0000Threat Rigidity in Cybersecurityhttps://www.sans.org/reading-room/whitepapers/critical/threat-rigidity-cybersecurity-38135Fear Uncertainty and Doubt (FUD) works as an influence strategy by amateur cybersecurity professionals over an organization, and as a result, FUD Fatigue develops causing a negative impact on their credibility (Anderson 2014). Is there a better way to effect change while maintaining credibility? A social science theory called Threat Rigidity (Staw et al.,1980) addresses organizational responses to threats by describing a constriction in control and a restriction in information processing. The theory of Threat Rigidity theory and its concepts describes FUD Fatigue in that FUD is utilized to spur the threat-rigidity response and will cause a decrement in performance when the level of response is inappropriate for the threat. Threat Rigidity leveraged by a competent cybersecurity professional allows for not only the management of a threat but also the ability to implement critical controls to safeguard the organization from future attacks and move the organization back into an innovative state. Fri, 03 Nov 2017 00:00:00 +0000Creating a Logging Infrastructurehttps://www.sans.org/reading-room/whitepapers/logging/creating-logging-infrastructure-38130Logs are an essential aspect of understanding what is occurring in a company's network infrastructure and a company's applications. Log events help analysts to understand the health of the network and give insight into many types of issues. This paper explains how to set up a logging infrastructure by covering log formats and data sources. Then the discussion includes different ways to collect logs and transmit them. This paper then goes over how to pick relevant log sources and events to enable for collection. A company-wide architecture describes the process of collecting logs from offices across the world. Once the company-wide architecture is set up, the paper goes over some correlations using data from a real production network. The paper finishes by reviewing tools that are used to process, index, and correlate all the events that are received. Fri, 03 Nov 2017 00:00:00 +0000Building the Airplane in Mid-Flight: Bringing Cyber Security Structure to Special Operations Unitshttps://www.sans.org/reading-room/whitepapers/infosec/building-airplane-mid-flight-bringing-cyber-security-structure-special-operations-units-38125Special operations units, born in the fire of urgency and required to be dynamically flexible, may operate for many years without a single cyber security representative. Once hired mid-stream into such a construct, a cyber security professional can be immediately overwhelmed with the breadth of the challenge before him or her: how to overcome cultural and technical challenges to introduce a comprehensive cyber security program into the ad-hoc structure of multi-classification, multi-network, multi-agency information systems and personnel. However, when armed with the lessons from cyber professionals from similar units who were thrown into a similar cauldron and succeeded, a newly-hired information security officer or manager can bring order to the unconventional chaos and ensure continued mission success. This paper will examine the experiences of cyber security professionals who overcame the challenges of securing information systems and personnel in units decidedly different from the rigid DoD structure or the corporate world. After reading, new information security professionals will have practical principles for securing their systems and soldiers, staying out of jail, and enjoying their jobs! Fri, 03 Nov 2017 00:00:00 +0000Cloud Security: Defense in Detail if Not in Depthhttps://www.sans.org/reading-room/whitepapers/cloud/cloud-security-defense-detail-in-depth-38120Survey respondents feel that they lack visibility, auditability and effective controls to monitor everything that goes on in their public clouds. We are, however, seeing increased use of security controls within cloud provider environments and wider use of security-as-a-service (SecaaS) solutions to achieve in-house and external security and compliance requirements. Related findings and best practices are discussed in the following report.Tue, 31 Oct 2017 00:00:00 +0000Closing the Skills Gap with Analytics and Machine Learninghttps://www.sans.org/reading-room/whitepapers/analyst/closing-skills-gap-analytics-machine-learning-38115It is important that IT departments leverage automated analytics and machine learning solutions that connect the dots between seemingly random events and provide much-needed context, visibility and actionable advice. In this paper, we explain how to utilize and integrate analytics and machine learning to reduce the load on security professionals, while increasing visibility and accurately predicting attackers' next steps.Mon, 30 Oct 2017 00:00:00 +0000Blueprint for CIS Control Application: Securing the Oracle E-Business Suitehttps://www.sans.org/reading-room/whitepapers/analyst/blueprint-cis-control-application-securing-oracle-e-business-suite-38110This paper looks at how the Critical Security Controls can be used to secure Oracle's E-Business Suite (EBS), using an approach that considers application- as well as network-related issues.Thu, 26 Oct 2017 00:00:00 +0000Privacy and the Internet of Thingshttps://www.sans.org/reading-room/whitepapers/internet/privacy-internet-things-38105The Internet of Things has gotten a lot of attention over the past year or so, and for good reason. From a security perspective, Internet-connected devices are easy targets, especially when they are not designed with security in mind. But, in addition to the concerns of botnets and DoS attacks, some newer devices also raise information privacy concerns. Wed, 25 Oct 2017 00:00:00 +00002017 State of Application Security: Balancing Speed and Riskhttps://www.sans.org/reading-room/whitepapers/application/2017-state-application-security-balancing-speed-risk-38100Agile teams deliver working software every few weeks. High-speed cross-functional DevOps teams push software changes directly to production multiple times each day. Organizations are taking advantage of cloud platforms and on-demand services, containerization, and automated build and continuous delivery pipelines. All of this radically changes how development teams—and their security/risk management teams—think and work. Read on to learn more.Tue, 24 Oct 2017 00:00:00 +0000Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wiresharkhttps://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095Though attacks on the industrial control system (ICS) and their protocols are not a new occurrence, recent years have highlighted a growing trend in such attacks. To make matters worse, cyber defenders have also dealt with a slow migration to more secure ICS protocols due to costs associated with equipment downtime. With the increase in attacks and the slow migration to more secure ICS protocols, it is crucial for cyber defenders to be able to quickly set up labs to mimic and observe how potential attacks on the ICS network function so that necessary defenses and detection mechanisms can be put in place. This paper lays out how to setup a lab with multiple virtual machines and ICS software that can observe a Master workstation controlling a PLC. First, Wireshark will be used to illustrate and compare normal Modbus TCP communications between the Master and PLC workstations. Wireshark will then be used to demonstrate and compare a MITM attack with an Ettercap filter that manipulates the Modbus TCP communications against both workstations.Fri, 20 Oct 2017 00:00:00 +0000Enhance Your Investigations with Network Datahttps://www.sans.org/reading-room/whitepapers/forensics/enhance-investigations-network-data-38090Network forensics is its own specialized field that often introduces complex protocols, jargon, and analysis techniques that are potentially confusing to practitioners. But particular artifacts can be leveraged to determine the attack sequence and to offer a more complete picture of the breach. In this white paper, SANS analyst and instructor Matt Bromiley examines the power of network forensics and why it should be incorporated into all incident response investigations. Thu, 19 Oct 2017 00:00:00 +0000 Targeted Attack Protection: A Review of Endgame's Endpoint Security Platformhttps://www.sans.org/reading-room/whitepapers/analyst/targeted-attack-protection-review-endgames-endpoint-security-platform-38085SANS Analyst Dave Shackleford presents his experience reviewing Endgame's Managed Detection and Response Services under real-world threats in a simulated environment.Tue, 17 Oct 2017 00:00:00 +0000Online Safety in a Foreign Language - Connecting with Teenshttps://www.sans.org/reading-room/whitepapers/awareness/online-safety-foreign-language-connecting-teens-38080The inescapable dangers of our increasingly connected world are likely most threatening to our young adults. Teens, especially, see social media and related online platforms as inextricable from their public and private personas. These digital natives have grown up being comfortable with sharing all aspects of their lives with the Internet - without the healthy suspicion and caution of those who have seen the technology grow over the years. The importance of protecting our teenage Internet denizens apparent, it falls to parents, teachers, and industry professionals to effectively educate this group. What follow are tested methods and associated research on relating to and informing teenagers so they might understand and properly mitigate the risks they face. Importantly, this paper explores these topics in a way that doesn't overstate the dangers or attempt to upheave the norms of communication so organic to this generation. Mon, 16 Oct 2017 00:00:00 +0000Can the "Gorilla" Deliver? Assessing the Security of Google's New "Thread" Internet of Things (IoT) Protocolhttps://www.sans.org/reading-room/whitepapers/internet/gorilla-deliver-assessing-security-googles-thread-internet-things-iot-protocol-38070Security incidents associated with Internet of Things (IoT) devices have recently gained high visibility, such as the Mirai botnet that exploited vulnerabilities in remote cameras and home routers. Currently, no industry standard exists to provide the right combination of security and ease-of-use in a low-power, low-bandwidth environment. In 2014, the Thread Group, Inc. released the new Thread networking protocol. Google's Nest Labs recently open-sourced their implementation of Thread in an attempt to become a market standard for the home automation environment. The Thread Group claims that Thread provides improved security for IoT devices. But in what way is this claim true, and how does Thread help address the most significant security risks associated with IoT devices? This paper assesses the new IEEE 802.15.4 "Thread" protocol for IoT devices to determine its potential contributions in mitigating the OWASP Top 10 IoT Security Concerns. It provides developers and security professionals a better understanding of what risks Thread addresses and what challenges remain. Fri, 06 Oct 2017 00:00:00 +0000AppSec: ROI Justifying Your AppSec Program Through Value-Stream Analysishttps://www.sans.org/reading-room/whitepapers/analyst/appsec-roi-justifying-appsec-program-value-stream-analysis-38065In this paper we focus narrowly on the impact of application security on the end-to-end software development value chain. We also look at ways to identify and balance cost and risk to help you decide which tools and practices are most practical and cost effective for your organization.Wed, 04 Oct 2017 00:00:00 +0000Cyber Security and Data Integrity Problems Within the GAMP 5 Validation Processhttps://www.sans.org/reading-room/whitepapers/hipaa/cyber-security-data-integrity-problems-gamp-5-validation-process-38060When addressing the pharmaceutical industry's computerized systems risk within manufacturing, the International Society for Pharmaceutical Engineering (ISPE) has created the Good Automated Manufacturing Process (GAMP) as a leading industry standard. It is a validation process based on user requirements and product quality that applies information security through its computer systems validation (CSV) guidance. Problems arise due to information security roles, methodologies and technical controls not being clearly defined within GAMP guidance. These gaps within the CSV process are further exacerbated by cultural issues within the quality unit because they manage all aspects of information security and do not apply industry best business practices used in other industries. Finally, these gaps result in systems which do not incorporate the most basic protections for systems and data that should be expected from this industry. When compared to other industries like the Payment Card Industry (PCI), the security measures are woefully inadequate given the criticality of information processed by these life science systems. Because the production of pharmaceuticals is drastically different than other industries due the level of regulation on activities outside of computerized systems, relying on the International Standards Organization (ISO) or the United States National Institute of Science and Technology (NIST) as recommended by the ISPE is not adequate. Specialized guidance on how information security principles must be modified to fit within this model must be explored to provide relevance to the CSV process.Tue, 26 Sep 2017 00:00:00 +0000Hardening BYOD: Implementing Critical Security Control 3 in a Bring Your Own Device (BYOD) Architecturehttps://www.sans.org/reading-room/whitepapers/critical/hardening-byod-implementing-critical-security-control-3-bring-device-byod-architecture-38055The increasing prevalence of Bring Your Own Device (BYOD) architecture poses many challenges to information security professionals. These include, but are not limited to: the risk of loss or theft, unauthorized access to sensitive corporate data, and lack of standardization and control. This last challenge can be particularly troublesome for an enterprise trying to implement the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSCs). CSC 3, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers, calls for hardened operating systems and applications. Even in traditional enterprise environments, this requires a certain amount of effort, but it is much more difficult in a BYOD architecture where computer hardware and software is unique to each employee and company control of that hardware and software is constrained. Still, it is possible to implement CSC 3 in a BYOD environment. This paper will examine options for managing a standard, secure Windows 10 laptop as part of a BYOD program, and will also discuss the policies, standards, and guidelines necessary to ensure the implementation of this Critical Security Control is as seamless as possible.Fri, 22 Sep 2017 00:00:00 +0000Botnet Resiliency via Private Blockchainshttps://www.sans.org/reading-room/whitepapers/covert/botnet-resiliency-private-blockchains-38050Criminals operating botnets are persistently in an arms race with network security engineers and law enforcement agencies to make botnets more resilient. Innovative features constantly increase the resiliency of botnets but cannot mitigate all the weaknesses exploited by researchers. Blockchain technology includes features which could improve the resiliency of botnet communications. A trusted, distributed, resilient, fully-functioning command and control communication channel can be achieved using the combined features of private blockchains and smart contracts. Fri, 22 Sep 2017 00:00:00 +0000