Active Defense

Featuring 7 Papers as of February 10, 2017

  • Obfuscation and Polymorphism in Interpreted Code by Kristopher L. Russo - February 10, 2017 

    Malware research has operated primarily in a reactive state to date but will need to become more proactive to bring malware time-to-detection rates down to acceptable levels. Challenging researchers to begin creating their own code that defeats traditional malware detection will help bring about this change. This paper demonstrates a sample code framework that is easily and dynamically expanded on. It shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems. The code sample documented within demonstrates that modern malware mitigation systems are not robust enough to prevent even the most basic of threats. The significant amount of difficult-to-detect malware in circulation today is evidence of this deficiency. This paper is designed to demonstrate how malware researchers can approach this problem in a way that partners researchers with vendors and follows code development from ideation through design to implementation and ultimately on to identification and mitigation.

  • Active Defense via a Labyrinth of Deception STI Graduate Student Research
    by Nathaniel Quist - December 5, 2016 

    A network baseline allows for the identification of malicious activity in real time. However, a baseline requires that every listed action is known and accounted for, presenting a nearly impossible task in any production environment due to an ever-changing application footprint, system and application updates, changing project requirements, and not least of all, unpredictable user behaviors. Each obstacle presents a significant challenge in the development and maintenance of an accurate and false-positive-free network baseline. To surmount these hurdles, network architects need to design a network free from continuous change, including changing company requirements, untested system or application updates, and the presence of unpredictable users. Creating a static, never-changing environment is the goal. However, this completely removes the functionality of a production network. Or does it? Within this paper, I will detail how this type of static environment, referred to as the Labyrinth, can be placed in front of a production environment and provide real-time defensive measures against hostile and dispersed attacks, from both human actors and automated machines. I expect to prove the Labyrinth is capable of detecting changes in its environment in real time. It will provide a listing of dynamic defensive capabilities like identifying attacking IP addresses, rogue-process start commands, modifications to registry values, alterations in system memory and recording the movements of an attacker's tactics, techniques, and procedures. At the same time, the Labyrinth will add these values to a block list, protecting the production network lying behind. Successful accomplishment of these goals will prove the viability and sustainability of a Labyrinth defending network (Revelle, 2011) environments.

  • Detecting Incidents Using McAfee Products by Lucian Andrei - October 10, 2016 

    Modern attacks against computer systems ask for a combination of multiple solutions in order to be prevented and detected. This paper will do the analysis of the capacities of commercial tools, with minimal configuration, to detect threats. Traditionally, companies use antivirus software to protect against malware, and a firewall combined with an IDS to protect against network attacks. This paper will analyze the efficacy of the following three combinations: antivirus, antivirus plus host IDS, and antivirus combined with a host IDS plus application whitelisting in order to withstand application attacks. Before doing the tests we predicted that the antivirus will block 20% of the attacks, the HIDS will detect an additional 15%, and McAfee Application Control will protect at least against 50% more of the attacks executed by an average attacker using known exploits, without much obfuscation of the payload. The success of defensive commercial tools against attacks will justify the investment a company will be required to make.

  • Ransomware by Susan Bradley - October 3, 2016 

    On a daily basis, a file gets clicked. An email attachment gets opened. A website gets browsed. Seemingly normal actions in every office, on every personal computer, can suddenly become a ransomware incident if the file or attachment or banner ad was intended to infect a system and all files that the user had access to by ransomware. What was once a rare occurrence, now impacts networks ranging from small businesses to large companies to governments.

  • Demystifying Malware Traffic by Sourabh Saxena - August 29, 2016 

    In today's world, adversaries use established techniques and innovative, intricate methods for cyber-crimes and to infiltrate firms or an individual's system. Usage of malware is one of those approaches. Malware not only creates an inlet for attacks, but it also turns systems into "zombies" and "bots", forcing them to obey commands and perform activities as per the whims and fancies of the adversary. Thus, attacks like data theft, mail relay, access to confidential/restricted areas, and Distributed Denial-of-Service (DDoS) can easily be launched against not just the infected system but against other systems and environments as well by utilizing these zombies, bots, and botnets. Attackers not only obfuscate the code but can encrypt payloads as well as the malware's traffic simultaneously, using approaches like mutation and polymorphism, making their detection difficult not just for antiviruses, but even for firewalls, IDS and IPS, Incident Handlers, and Forensic teams. Organizations, having learned from past mistakes, have also shifted their approach from simple defense mechanisms such as antiviruses, IDS and IPS to aggressive strategies like DNS Sinkhole and Live Traffic Analysis. These strategies not only help in the identification and removal of malware but also in understanding the actual impact, blocking of malicious activities and identification of adversaries.

  • Active Defense Through Deceptive Configuration Techniques STI Graduate Student Research
    by Nathaniel Quist - January 29, 2016 

    Honeypots are making a profound impact in the security world. Their ability to infer information about an attacker's Tactics, Techniques, and Procedures (TTPs) allows defenders to configure their defenses to respond to emerging threats, capture 0-Day exploits, and identify malicious users within a network.

  • The Sliding Scale of Cyber Security Analyst Paper
    by Robert M. Lee - September 1, 2015 

    The Sliding Scale of Cyber Security is a model for providing a nuanced discussion of the categories of actions and investments that contribute to cyber security.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.