SANS Information Security Reading Room
https://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

Hunting Threats Inside Packet Captures
https://www.sans.org/reading-room/whitepapers/threathunting/hunting-threats-packet-captures-38440
Inspection of packet captures (PCAP) for signs of intrusion is a typical everyday task for security analysts and an essential skill analysts should develop. Malware has many ways to hide its activities at the system level (e.g. rootkits), but in the end it must leave a visible trace at the network level, regardless of whether that trace is obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace, dissecting it with Bro Network Security Monitor (Bro) to facilitate active threat hunting and detect possible intrusions in an efficient time.
Wed, 23 May 2018 00:00:00 +0000

Extracting Timely Sign-in Data from Office 365 Logs
https://www.sans.org/reading-room/whitepapers/logging/extracting-timely-sign-in-data-office-365-logs-38435
Office 365 is quickly becoming a repository of valuable organizational information, including data that falls under multiple privacy laws. Timely detection of a compromised account, and stopping the bad guy before data is exfiltrated or destroyed or the account is used for nefarious purposes, is the difference between an incident and a compromise. Microsoft provides audit logging and alerting tools that can help system administrators find these incidents. An examination of the efficacy and efficiency of these tools, and of their shortcomings and advantages, provides insight into how best to use them to protect individual accounts and the organization as a whole.
Tue, 22 May 2018 00:00:00 +0000

Methods for the Controlled Deployment and Operation of a Virtual Patching Program
https://www.sans.org/reading-room/whitepapers/threats/methods-controlled-deployment-operation-virtual-patching-program-38430
In today's rapidly changing IT environments, new vulnerabilities are identified at an increasing pace, and attackers are becoming more sophisticated in their ability to exploit them. At the same time, systems have become more complex and are still used in conjunction with older technologies, which makes testing and deploying traditional patches challenging.
Sun, 20 May 2018 00:00:00 +0000

Automated Detection and Analysis using Mathematical Calculations
https://www.sans.org/reading-room/whitepapers/detection/automated-detection-analysis-mathematical-calculations-38425
A compromised system usually shows some form of anomalous behaviour. Examples include new processes, services, or outbound traffic. In an ideal environment, rules are configured to alert on such anomalies, and an analyst then performs further analysis to determine whether a compromise has occurred. However, the real-world situation is less than ideal: new processes, outbound traffic, and other anomalies often blend into legitimate activity. A large network can generate terabytes of data daily, which makes developing efficient detection capabilities challenging. Mathematical calculations can enhance detection capability by emulating the human confidence level in assessment and analysis. Mathematical analysis can help establish the context of an event, automatically establishing the fidelity of the initial investigation. By incorporating automated analysis to handle false positives, human errors and false negatives can be avoided, resulting in greater detection and monitoring capability.
Thu, 17 May 2018 00:00:00 +0000

Automate Threat Detection and Incident Response: SANS Review of RSA NetWitness Platform
https://www.sans.org/reading-room/whitepapers/analyst/automate-threat-detection-incident-response-review-rsa-netwitness-platform-38420
In a recent SANS survey, approximately 35 percent of respondents said their greatest impediment is a skills gap in their IT environments. With that in mind, we reviewed RSA NetWitness Platform, a solution that aims to bridge the human skills gap via machine learning and analytics. This review focuses on RSA NetWitness Platform and examines different views, from responding to an incident to performing an investigation and drilling down to see an activity in real time.
Thu, 10 May 2018 00:00:00 +0000

10 Endpoint Security Problems Solved by the Cloud
https://www.sans.org/reading-room/whitepapers/analyst/10-endpoint-security-problems-solved-cloud-38415
SANS surveys and testimonials from IT and security professionals indicate that endpoint security is a challenge. There is too much complexity and cost, defenses aren't keeping up, and security staff are stretched thin. This infographic explores how the cloud can help address these issues.
Fri, 04 May 2018 00:00:00 +0000

Agile Security Patching
https://www.sans.org/reading-room/whitepapers/bestprac/agile-security-patching-38410
Security patch management is one of the biggest security and compliance challenges for organizations to sustain. History reveals that many of the large data breaches succeeded because of a missing critical security update. Further, the frequency and scope of patching continue to grow. This paper presents a new approach to security patching following Agile and NIST methodology.
Thu, 03 May 2018 00:00:00 +0000

Do Random IP Lookups Mean Anything?
https://www.sans.org/reading-room/whitepapers/detection/random-ip-lookups-anything-38405
Being able to identify the external IP address of a network is usually a benign activity. Applications may opt to use online services via an HTTP request or API call. Currently, some web-based applications provide this kind of service openly, and some have possibly malicious uses. In fact, malware threats have been using these services to map out and identify their targets for quite some time already, an acknowledged fact buried in technical write-ups that holds little recognition for an active defender. The goal of looking into these web services is to isolate threats that have abused the network service and to identify this kind of network activity. If we can associate an external IP lookup with suspicious activity, then we can assume that an endpoint requires some form of investigation. Endpoint identification through IP addresses may pose a challenge, but the correct placement of the identification methods proposed in this paper may be considered. This paper will also look into the associated malicious activity that has used online services, the use of such services over time, how to differentiate the threats that use them, and finally how to detect them using open source tools, where applicable.
Wed, 02 May 2018 00:00:00 +0000

Tailoring Intelligence for Automated Response
https://www.sans.org/reading-room/whitepapers/tools/tailoring-intelligence-automated-response-38400
Overworked and understaffed IT security teams are trying to integrate threat intelligence into their detection, response, and protection processes, but not very successfully. IT teams need fewer intelligence alerts and more visibility into the external threats that matter to their enterprises. SANS Analyst Sonny Sarai discusses his experience reviewing IntSights' Enterprise Threat Intelligence and Mitigation Platform under simulated attack, detection, and remediation scenarios.
Wed, 02 May 2018 00:00:00 +0000

Back to Basics: Focus on the First Six CIS Critical Security Controls
https://www.sans.org/reading-room/whitepapers/analyst/basics-focus-first-cis-critical-security-controls-38395
Post-breach investigations reveal that the majority of security incidents occur because well-known security controls and practices were not implemented or were not working as organizations had assumed. This paper explores how Version 7.0 of the Center for Internet Security (CIS) Critical Security Controls addresses the current threat landscape, emerging technologies and tools, and changing mission and business requirements around security.
Tue, 01 May 2018 00:00:00 +0000

Security Testing and Vendor Selection with BreakingPoint
https://www.sans.org/reading-room/whitepapers/modeling/security-testing-vendor-selection-breakingpoint-38390
In this product review conducted by SANS instructor Serge Borso, we learned that BreakingPoint is more than just a network testing tool. BreakingPoint provides a unique solution that enables security assessment, vendor selection and change management. It integrates well and is easy to use. We believe the tool has great value to the security community, specifically to larger enterprises in the midst of infrastructure updates and those optimizing information security programs.
Mon, 30 Apr 2018 00:00:00 +0000

Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules
https://www.sans.org/reading-room/whitepapers/malicious/reverse-engineering-wannacry-worm-anti-exploit-snort-rules-38385
Today, a lot of malware is being created and utilized. To address this problem, many researchers study technologies that can respond quickly and automatically to detected malware; the use of artificial intelligence (AI) is one such example. However, modern AI has difficulty responding to new attack methods. On the other hand, malware comes in variants, and the root (core) part often uses the same technology. Therefore, I think that if we can identify that core part of malware through analysis, we can identify many variants as well. This paper considers the possibility of reverse engineering to identify countermeasures from malware analysis results.
Fri, 27 Apr 2018 00:00:00 +0000

Understanding Mobile Device Wi-Fi Traffic Analysis
https://www.sans.org/reading-room/whitepapers/detection/understanding-mobile-device-wi-fi-traffic-analysis-38380
Mobile devices have become more than just a portable means of placing phone calls in locations previously deprived of traditional phone service. In addition to versatile phone service, mobile devices can use the internet through the Mobile Internet Protocol (Mobile IP). This can cause a problem whenever a device roams through different points of the cellular network: the IP handoff that takes place during the transfer between cellular towers can degrade performance, which can impede traffic analysis. A thorough understanding of Wi-Fi traffic and Mobile IP technology could benefit network and system administrators and defenders by heightening awareness in a field that is surpassing more commonly understood technology.
Tue, 24 Apr 2018 00:00:00 +0000

Learning CBC Bit-flipping Through Gamification
https://www.sans.org/reading-room/whitepapers/vpns/learning-cbc-bit-flipping-gamification-38375
Cryptanalysis concepts like CBC bit-flipping can be difficult to grasp through study alone. Working through hands-on exercises is a common teaching technique intended to help, but freely available training tools for advanced web application penetration testing practice may not be readily available. To this end, this paper describes CBC bit-flipping and offers instruction on trying this cryptanalysis technique. A CBC bit-flipping game is also provided within the OWASP Mutillidae II web application. Mutillidae is a large collection of deliberately vulnerable web application challenges designed to teach web security in a stand-alone, local environment.
Tue, 24 Apr 2018 00:00:00 +0000

Securing the Corporate WLAN in a Healthcare Regulated Organization
https://www.sans.org/reading-room/whitepapers/compliance/securing-corporate-wlan-healthcare-regulated-organization-38370
Wireless networks are a crucial component of the technology infrastructure of modern medical practices and have become an enabler of patient services in the healthcare industry. Healthcare organizations deploy wireless diagnostic devices to provide critical information at the point of care. These devices provide data to medical decision-makers in real time to improve patient outcomes. One of the challenges of integrating these new devices and services into the wireless networks of medical practices is wireless network security. Wireless networks have inherent risks, ranging from data leakage to availability issues in the event of a Denial of Service (DoS) attack or outage. It is critical to secure a patient's personal information, termed electronic protected healthcare information (ePHI), at all times. Protecting ePHI is a primary goal in designing wireless networks for a healthcare-focused organization. Wireless implementations must be designed to protect patient health information from breach or theft while at the same time providing needed services to patients and clients. The primary goal of this research project was to provide a healthcare-focused consulting organization with a secure and compliant wireless network. The network is to enable employee collaboration, facilitate client engagement, and accomplish the primary security goal of protecting the company's ePHI.
Fri, 06 Apr 2018 00:00:00 +0000

Securing the Hybrid Cloud: Traditional vs. New Tools and Strategies, A SANS Whitepaper
https://www.sans.org/reading-room/whitepapers/analyst/securing-hybrid-cloud-traditional-vs-tools-strategies-whitepaper-38365
This paper takes a look at the current state of cloud security and offers specific recommendations for security best practices, including how to use some traditional security tools and emerging solutions, while taking into account typical staffing, technology and other resource issues.
Mon, 02 Apr 2018 00:00:00 +0000

Evaluation of Comprehensive Taxonomies for Information Technology Threats
https://www.sans.org/reading-room/whitepapers/threatintelligence/evaluation-comprehensive-taxonomies-information-technology-threats-38360
Categorization of all information technology threats can improve the communication of risk to an organization's decision-makers, who must determine the investment strategy for security controls. While there are several comprehensive taxonomies for grouping threats, there is an opportunity to establish the foundational terminology and perspective for communicating threats across the organization. This is important because confusion about information technology threats poses a direct risk of damaging an organization's operational longevity. In order for leadership to allocate security resources to counteract prevalent threats in a timely manner, they must understand those threats quickly. A study that investigates techniques for categorizing information technology threats for nontechnical decision-makers, through a qualitative review of the grouping methods in published threat taxonomies, could remedy the situation.
Mon, 26 Mar 2018 00:00:00 +0000

An Evaluator's Guide to Cloud-Based NGAV: The SANS Guide to Evaluating Next-Generation Antivirus
https://www.sans.org/reading-room/whitepapers/cloud/evaluators-guide-cloud-based-ngav-guide-evaluating-next-generation-antivirus-38355
The coupling between NGAV and cloud-based analytics is here. The dynamics of cloud-based analytics, which allow for near-real-time operations, bring an essential dimension to NGAV, disrupting the traditional attack model by processing endpoint activity as it happens and algorithmically looking for any kind of bad or threatening behavior, not just for malicious files. This paper covers how cloud support for NGAVs is changing the game and how to evaluate such solutions.
Mon, 26 Mar 2018 00:00:00 +0000

Stopping Advanced Malware, Pre- and Post-Execution: A SANS Review of enSilo's Comprehensive Endpoint Security Platform
https://www.sans.org/reading-room/whitepapers/analyst/stopping-advanced-malware-pre-post-execution-review-ensilos-comprehensive-endpoint-security-platform-38350
Sophisticated malware is the new weapon of choice for criminals and nation states. A multilayered, self-defending security solution that is agnostic to operating systems, mitigates malware in real time, and operates both pre- and post-execution is needed to defend against cyber attacks. In this review, SANS Instructor and Analyst Dave Shackleford tests enSilo's response against advanced malware and ransomware threats and explores how enSilo's features can alleviate the burden on security staff.
Tue, 20 Mar 2018 00:00:00 +0000

Pick a Tool, the Right Tool: Developing a Practical Typology for Selecting Digital Forensics Tools
https://www.sans.org/reading-room/whitepapers/tools/pick-tool-tool-developing-practical-typology-selecting-digital-forensics-tools-38345
One of the most common challenges for a digital forensic examiner is tool selection. In recent years, examiners have enjoyed a significant expansion of the digital forensic toolbox, in both commercial and open source software. However, the increase in digital forensics tools did not come with a corresponding organizational structure for the toolbox. As a result, examiners must conduct their own research and experiment with tools to find one appropriate for a particular task. This study collects input from forty-six practicing digital forensic examiners to develop a Digital Forensics Tools Typology, an organized collection of tool characteristics that can be used as selection criteria in a simple search engine. In addition, a novel method is proposed for depicting quantifiable digital forensic tool characteristics.
Fri, 16 Mar 2018 00:00:00 +0000

PCI DSS and Security Breaches: Preparing for a Security Breach that Affects Cardholder Data
https://www.sans.org/reading-room/whitepapers/breaches/pci-dss-security-breaches-preparing-security-breach-affects-cardholder-data-38340
Organizations that transmit, process or store cardholder data are contractually obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS). They may be tempted to assume that once they are certified compliant, they are immune to security breaches, and as a result may be inadequately prepared when such events occur. Regardless of their compliance status, organizations that fail to prepare could face long investigations, expensive forensic services, staff terminations, and loss of business and reputation. This paper provides detailed guidelines on how to prepare for a security breach, the documentation needed to facilitate forensic investigations and containment, and how to minimize the consequences and impact of a security breach.
Fri, 16 Mar 2018 00:00:00 +0000

PCAP Next Generation: Is Your Sniffer Up to Snuff?
https://www.sans.org/reading-room/whitepapers/detection/pcap-generation-sniffer-snuff-38335
The PCAP file format is widely used for packet capture within the network and security industry, but it is not the only standard. The PCAP Next Generation (PCAPng) Capture File Format is a refreshing improvement that adds extensibility, portability, and the ability to merge and append data to a wire trace. While Wireshark has led the way in supporting the new format, other tools have been slow to follow. With advantages such as the ability to capture from multiple interfaces, improved time resolution, and the ability to add per-packet comments, support for the PCAPng format should be developing more quickly than it has. This paper describes the new standard, shows methods to take advantage of its new features, introduces scripting that can make the format usable, and argues that migration to PCAPng is necessary.
Fri, 16 Mar 2018 00:00:00 +0000

Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security
https://www.sans.org/reading-room/whitepapers/clients/pinpoint-remediate-unknown-threats-review-encase-endpoint-security-38330
With the increasing prevalence of security incidents, security teams are learning quickly that the endpoint is involved in almost every targeted attack. EnCase Endpoint Security aims to help security teams focus on the most critical incidents and avoid costly data breaches. In this review, SANS analyst Jake Williams shares his tests of EnCase Endpoint Security version 6.02 and how it performs.
Thu, 15 Mar 2018 00:00:00 +0000

VMRay Analyzer: Rapid Malware Analysis for Incident Response (IR) Teams
https://www.sans.org/reading-room/whitepapers/analyst/vmray-analyzer-rapid-malware-analysis-incident-response-ir-teams-38325
In our hands-on testing, we found that VMRay Analyzer's agentless approach to malware analysis is an effective way to provide rapid incident response. VMRay bridges the gap between an easy-to-use interface and back-end technology that provides a novel platform for analyzing advanced threats.
Mon, 12 Mar 2018 00:00:00 +0000

Managing User Risk: A Review of LogRhythm CloudAI for User and Entity Behavior Analytics
https://www.sans.org/reading-room/whitepapers/threats/managing-user-risk-review-logrhythm-cloudai-user-entity-behavior-analytics-38320
In this product review, we explored the recently released LogRhythm CloudAI, which applies user and entity behaviour analytics (UEBA) capabilities to enhance traditional event management and security analytics toolsets, monitoring behaviors tracked over time and alerting analysts to unusual events or patterns of events.
Mon, 26 Feb 2018 00:00:00 +0000