SANS Information Security Reading Room: 25 Computer Security Papers added to the Reading Room

Incentivizing Cyber Security: A Case for Cyber Insurance
In the wake of recent events (Ukraine, Shamoon v2, WannaCry), providing cyber security continues to be an enigma. Unlike traditional engineering problems, we cannot define the constraints and rules adequately. We lack the data and models to describe the variables, let alone the mathematical function. Read on for ideas on how ICS can benefit from cyber insurance.
Tue, 27 Jun 2017 00:00:00 +0000

Zero-Touch Detection and Investigation of Cloud Breaches: A Review of Lacework's Cloud Workload Security Platform
Increasingly dynamic cloud environments present new challenges to security practitioners. With security talent in short supply, tailoring old policy-and-logs approaches to the needs of an organization can require time and resources it just doesn't have. In this review, SANS analyst and instructor Matt Bromiley shares his experience using Lacework's new Zero Touch Cloud Workload Security Platform to mitigate these challenges.
Tue, 27 Jun 2017 00:00:00 +0000

Complying with Data Protection Law in a Changing World
Failing to meet legal and political expectations for data security can expose your enterprise to fines, lawsuits, negative publicity and regulatory investigations. These expectations are rapidly evolving across the world, making it difficult for enterprises to effectively protect their brands. This white paper reveals the major steps a large, multinational enterprise can take to assure the public, authorities and business partners that it is behaving responsibly and is on a commendable path of compliance.
Tue, 27 Jun 2017 00:00:00 +0000

Next Generation Endpoint Protection – CIS Control 8, Malware Defense Effectiveness, Performance Metrics and False Positive Rates
The Center for Internet Security (CIS) Critical Security Controls v6.1 is comprised of battle-tested and prioritized security controls that significantly reduce the risk to businesses from cyber breach. Endpoint security is the primary objective of Control 8, Malware Defenses, which is analyzed in this study (see Manage Cybersecurity Risk with the CIS Controls). This paper details a handful of real-world testing scenarios to determine which Next Generation Endpoint Security (NGES) products are most effective at blocking file-based malware from executing, including freshly minted zero-day variants that have been repacked so they have unique hashes. In addition to measuring efficacy in blocking malware, the paper's secondary scope examines the system resource consumption introduced by these products, giving the reader a better understanding of the business impact these products have on the overall end-user experience. A tertiary scope analyzes the false positive rate of NGES with respect to common administrative tools used regularly by IT practitioners on the Microsoft Windows 10 Enterprise and Windows 2012 R2 Server platforms.
Tue, 20 Jun 2017 00:00:00 +0000

Hacking the CAN Bus: Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering
The modern automobile is an increasingly complex network of computer systems. Cars are no longer analog, mechanical contraptions. Today, even the most fundamental vehicular functions have become computerized. At the core of this complexity is the Controller Area Network, or CAN bus. The CAN bus is a modern vehicle's central nervous system, upon which the majority of intra-vehicular communication takes place. Unfortunately, the CAN bus is also inherently insecure. Designed more than 30 years ago, the CAN bus fails to implement even the most basic security principles. Prior scholarly research has demonstrated that an attacker can gain remote access to a vehicle's CAN bus with relative ease. This paper, therefore, examines how an attacker already inside a vehicle's network could manipulate the vehicle by reverse engineering CAN bus communications. By providing a reproducible methodology for CAN bus reverse engineering, this paper also serves as a basic guide for penetration testers and automotive security researchers. The techniques described in this paper can be used by security researchers to uncover vulnerabilities in existing automotive architectures, thereby encouraging automakers to produce more secure systems going forward.
Tue, 20 Jun 2017 00:00:00 +0000

Testing Web Apps with Dynamic Scanning in Development and Operations
Keeping web applications secure requires more than testing the code to weed out flaws during development and keeping the servers on which it runs up to date. Public-facing web apps remain the primary source of data breaches. To keep web apps secure, IT ops groups are increasingly adopting Dynamic Application Security Testing (DAST) tools. Learn how DAST tools can reduce dev costs and security flaws; how to avoid organizational gaps between dev and ops that can make remediation difficult; and other AppSec/vulnerability scanning issues.
Thu, 15 Jun 2017 00:00:00 +0000

The Show Must Go On! The 2017 SANS Incident Response Survey
The results of the 2017 Incident Response Survey were very promising. Organizations are building IR teams that suit their environments and their unique set of issues. Malware still looms as the root cause of a large majority of incidents, and IR teams still suffer from a shortage of skilled staff, lack of ownership and business silo issues. Read on to examine the survey results, along with guidelines and feedback to spur improvements.
Mon, 12 Jun 2017 00:00:00 +0000

Security by Design: The Role of Vulnerability Scanning in Web App Security
The growth in custom applications in the cloud has increased organizations' security exposure. Although more organizations want to test and remediate during development, this doesn't address the thousands of existing, potentially vulnerable apps already online. Modern web scanners can help by highlighting areas of likely vulnerability. Their speed and automation can make them a valuable part of a multilayered scanning and monitoring program.
Wed, 07 Jun 2017 00:00:00 +0000

Using Cloud Deployment to Jump-Start Application Security
The cloud has significantly changed corporate application development. Now that releases come every few days rather than once or twice a year, AppSec is squeezed into tiny windows of time. The speed, repetitiveness and changes in responsibility associated with these changes make it hard for traditional approaches to work. What are the choices and best practices for security within AppSec? How can you leverage the cloud to work for you? Attend this webcast and be among the first to receive access to the associated whitepaper developed by Adam Shostack.
Wed, 24 May 2017 00:00:00 +0000

Intrusion detection through traffic analysis from the endpoint using Splunk Stream
With technologies such as software-defined wide area networking (SD-WAN) and cloud operations, the traditional scheme of intrusion detection and packet capture at the network perimeter is quickly becoming less viable as a model for network intrusion detection. One alternative is to dynamically collect network traffic at the endpoint using Splunk Stream and then use Splunk to analyze the traffic for indicators of compromise. This method allows for network-level detection on large, disparate networks that don't have consolidated egress points for traffic.
Wed, 24 May 2017 00:00:00 +0000

Network Security Infrastructure and Best Practices: A SANS Survey
Network infrastructure is the key business asset for organizations that depend on geographically dispersed data centers and cloud computing for their critical line-of-business applications. Consistent performance across links and between locations must be maintained to ensure timely access to data, enabling real-time results for decision making. The following pages provide guidance on how to approach common challenges faced by both the network and security operational teams in managing interrelated security and performance problems.
Tue, 23 May 2017 00:00:00 +0000

Beats & Bytes: Striking the Right Chord in Digital Forensics (OR: Fiddling with Your Evidence)
This paper presents results from a recent survey of DF/IR professionals and seeks to provide relevant observations (together with published psychological, sociological, and neurological research) to discuss the similarities and intersections of DF/IR and music, as well as to identify potential correlations between being a successful DF/IR professional and playing music. It also discusses numerous challenges facing DF/IR professionals today and how learning to play and enjoy music can help DF/IR personnel both overcome some of those challenges and be more effective in their chosen field.
Mon, 22 May 2017 00:00:00 +0000

Future SOC: SANS 2017 Security Operations Center Survey
The primary strengths of security operations centers (SOCs) are flexibility and adaptability, while their biggest weakness is lack of visibility. Survey results indicate a need for more automation across the prevention, detection and response functions. There are opportunities to improve security operations, starting with coordination with IT operations. SOCs can improve their understanding of how to serve the organization more effectively and their use of metrics.
Tue, 16 May 2017 00:00:00 +0000

How to Conquer Targeted Email Threats: SANS Review of Agari Enterprise Protect
Why are our traditional email and endpoint security tools failing us? First, most email deployments lack any authentication of outside senders. Given this vulnerability, it's trivial to execute spoofing and falsified email content that purports to come from a trusted entity the recipient knows and trusts. Second, attackers are using cloud-based email and "detection-busting" techniques such as fake identities, deceptive sender names and phony domains to beat defenses. Clearly, given the prevalence of email-borne threats, protecting email infrastructure and end users needs to be a high priority for all security teams today. To this end, SANS had the opportunity to review Agari Enterprise Protect and the Agari Email Trust Platform.
Tue, 09 May 2017 00:00:00 +0000

Deception Matters: Slowing Down the Adversary with illusive networks®
illusive networks® is an effective defense against targeted attacks that leverages a false map of cyber assets to boost the odds of finding an adversary early and mitigate overall damage. The adversary is tricked into a cyber rabbit hole of fake systems with fake libraries and DNS servers, counteracting the attacker's every move. In this review, SANS Fellow Eric Cole recounts his review of illusive networks' deception and protection capabilities to show cyber deception in action.
Mon, 01 May 2017 00:00:00 +0000

A New Era in Endpoint Protection
Antivirus solutions aren't keeping pace with today's threats. There's a lot of fear, uncertainty and doubt around replacing antivirus with next-generation antivirus (NGAV) solutions, particularly in legacy environments. Learn what NGAV actually is, where it fits into the IT infrastructure, and how to easily utilize CrowdStrike's Falcon cloud-based services against a variety of threats first-generation AV normally wouldn't catch. SANS analyst Dave Shackleford explains and presents his findings.
Wed, 26 Apr 2017 00:00:00 +0000

Hunting Threats Inside Packet Captures
Analysis of packet captures (PCAP) for signs of intrusion is a typical everyday task for security analysts and an essential skill analysts should develop. Malware has many ways to hide its activities at the system level (e.g. rootkits), but in the end it must leave a visible trace at the network level, whether or not that trace is obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace, dissecting it using Bro Network Security Monitor (Bro) to facilitate efficient, active threat hunting for possible intrusions.
Tue, 25 Apr 2017 00:00:00 +0000

The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey
Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender's networks. Results just in from our new SANS 2017 Threat Hunting Survey show that, for many organizations, hunting is still new and poorly defined from a process and organizational viewpoint.
Tue, 25 Apr 2017 00:00:00 +0000

Show Me the Money! From Finding to Fixed to Funded
Organizations both large and small, whether public or private, can always benefit from an information security audit to improve their security posture. Such an audit highlights vulnerabilities and provides prescriptive guidance on how to fix them in a formal report. Motivating organizational teams to complete the necessary work has historically been a challenge. While tracking these findings with a workflow management tool has its value, most organizations stop at simply tracking the deficiencies rather than taking the necessary steps to remediate them in a timely manner. Thus, vulnerabilities from a decade ago are still causing disruption in our present-day hyper-connected world. By applying an economic incentive system to the resolution of those findings, much like a sales division incentive program, a company can create a remediation bounty program. This helps motivate non-managerial staff to conceive of innovative ways to apply necessary fixes quickly and to manage systems that are less susceptible to nefarious actors and their less-than-honorable intentions.
Mon, 24 Apr 2017 00:00:00 +0000

No Safe Harbor: Collecting and Storing European Personal Information in the U.S.
When the European Court of Justice nullified the Safe Harbor Framework in October of 2015, it left more than 4,000 companies in legal limbo regarding their transfer of personal data for millions of European customers (Nakashima, 2015). The acceptance of the Privacy Shield Framework in July of 2016 expands the options for U.S. companies that need to transfer EU personal data to the US, but does little to ameliorate the upheaval caused by the Safe Harbor annulment. This paper covers the history of data privacy negotiations between Europe and the United States, providing an understanding of how the current compromises were reached and what threats they may face. It outlines the available mechanisms for data transfer, including Binding Corporate Rules, Standard Contractual Clauses, and the Privacy Shield Framework, and compares their requirements, advantages, and risks. With this information, US organizations considering storing or processing European personal data can choose the transfer mechanism best suited to their situation.
Mon, 24 Apr 2017 00:00:00 +0000

Hunting through Log Data with Excel
Collecting and analyzing data during an incident can be a long and tedious process. The vast amounts of data involved in even a single system intrusion can be overwhelming. Larger and well-funded incident response teams typically have a Security Information and Event Management (SIEM) product at their disposal to help the responder sift through this data to find artifacts relevant to the intrusion. This paper demonstrates to the reader how to use Microsoft Excel and some of its more advanced features during an intrusion when a SIEM or similar product is not available to the incident responder.
Mon, 24 Apr 2017 00:00:00 +0000

The Importance of Business Information in Cyber Threat Intelligence (CTI), the information required and how to collect it
Most threat feeds are comprised of IOCs, with each feed providing 1-10M IOCs per year. As the CTI platform adds more feeds, the ability to filter and prioritize threat information becomes a necessity. It is well known that the SOC, Incident Response, Risk and Compliance groups are the primary consumers of CTI. Generating CTI prioritized in order of relevance and importance helps focus the efforts of these high-performance groups. Relevance and importance can be determined using business and technical context. Business context is organizational knowledge, i.e. its processes, roles and responsibilities, underlying infrastructure and controls. Technical context is the footprint of malicious activity within the organization's networks, such as phishing activity, malware, and internal IOCs. In this paper, we examine how business and technical information is used to filter and prioritize threat information.
Thu, 20 Apr 2017 00:00:00 +0000

Snort and SSL/TLS Inspection
An intrusion detection system (IDS) can analyze and alert on what it can see, but if the traffic is tunneled into an encrypted connection, the IDS cannot perform its analysis on that traffic. The difficulty of looking into the packet payload makes encrypted traffic one of the challenging issues for an IDS. In Snort, the encrypted traffic inspector is an optional component and can only inspect connection handshakes, with no further inspection of the payload after the connection has been established. Encrypted traffic can be entirely decrypted using the private key (decryption key), but some issues associated with SSL/TLS key exchanges can increase the difficulty of decrypting traffic even when the private key is provided.
Thu, 20 Apr 2017 00:00:00 +0000

Integrating Prevention, Detection and Response Work Flows: SANS Survey on Security Optimization
Are the prevention, detection, response and prediction functional groups operating in unison with shared data and workflow, or are they remaining true to the tradition of operational silos in most technology groups? In this survey, we analyze satisfaction with staffing levels, tools and management-support architectures to help provide best practices and guidance for IT security practitioners.
Wed, 19 Apr 2017 00:00:00 +0000

Speed and Scalability Matter: Review of LogRhythm 7 SIEM and Analytics Platform
How scalable, fast and accurate are SIEM tools when under load? To find out, we put the LogRhythm 7.2 Threat Lifecycle Management Platform to the test. We found that its clustered Elasticsearch indexing layer supported large log volumes of security and event data during simulated events that would require investigation and remediation.
Thu, 13 Apr 2017 00:00:00 +0000