Reading Room

Active Defense

Featuring 11 Papers as of April 16, 2021

  • How Sweet It Is: A Comparative Analysis of Remote Desktop Protocol Honeypots (Graduate Student Research)
    by Lauri Marc Ahlman - January 28, 2021

    Remote Desktop Protocol (RDP) and other remote administrative services are consistently targeted by attackers seeking to gain access to protected systems. Honeypots are a valuable tool for network defenders to learn about attacker tools and techniques. This paper proposes an architecture for an RDP honeypot running on a Linux host. The proposed solution includes a capability to replay RDP sessions and observe attacker activity and keystrokes. Further, this paper presents a comparative analysis between this proposed solution and an RDP honeypot using the open-source project PyRDP (Gonzalez, 2020) which is represented as a Windows environment.

  • Recognizing Suspicious Network Connections with Python (Graduate Student Research)
    by Gregory Melton - June 17, 2020

    Endpoint protection solutions tend to focus on system indicators and known malicious code to defend both enterprise and Small Office-Home Office (SOHO) users. In the absence of a Security Operations Center (SOC) or paid antivirus services, there are few proactive defense options for hobbyists and SOHO owners. A significant problem is how advanced persistent threat (APT) actors’ Tactics, Techniques, and Procedures (TTPs) have changed over the years; it is common for advanced actors to exploit poorly defended subcontractors and seemingly less relevant targets. This brings the Small Office-Home Office into the picture as a pivotal defense point against advanced attackers. This research intends to focus on attackers using Shell, terminal, or Remote Access Tool (RAT) connections to SOHO endpoints. This research seeks to block interactive connections with system-level network logging and blacklist automation. This method will recognize malicious connections and automatically block them in near real-time.

  • Creating an Active Defense PowerShell Framework to Improve Security Hygiene and Posture (Graduate Student Research)
    by Kyle Snihur - April 28, 2020

    Security professionals are inundated with alerts, and analysts are suffering alert fatigue with no actionable intelligence (Miliard, 2019). Poor priorities and lack of resources put enterprises at risk (Wilson, 2015). In Windows domains, PowerShell can be used to aggregate data and provide actionable reports and alerts for security professionals continuously. This paper explores the viability of creating an Active Defense PowerShell framework for small to medium-sized organizations to improve security hygiene and posture. The benefits include providing actionable alerts and emails that security professionals can quickly address. Aggregated data can also be used to identify and prioritize holes in an organization's security posture.

  • Israel's Attack on Hamas' Cyber Headquarters Under Customary International Humanitarian Law
    by Jonathan Matkowsky - November 21, 2019

    During intense military fighting in May 2019, Israel stopped the Hamas organized-armed-group from harming Israeli sites as part of establishing offensive cyber capabilities in the Gaza Strip tied to its war effort. Israel attacked the headquarters from which Hamas’ cyber unit operated, including any information systems and related cyber-infrastructure in the facility. Under customary international humanitarian law, the attack on Hamas’ headquarters appears to be a cyber-specific example of a lawful military objective due to its inherent nature, as suggested by Prof. R. Chesney (2019). This paper discusses the principles of international humanitarian law—military necessity, humanity, distinction, and proportionality—applicable from an Israeli law perspective to the targeted strike on the Hamas’ cyber headquarters, including support that the principles have achieved the status of customary international humanitarian law. Israel did not disclose whether Hamas only used the facility for intelligence gathering tied to the war effort alone, or if that intelligence was also being used to develop cyber weapons. Both are inherently lawful military objectives under customary international humanitarian law, according to Prof. Dinstein (2016). A key takeaway is that applying the principles of customary international humanitarian law may sometimes favor using traditional military force, and other times favor using cyber activity.

  • Obfuscation and Polymorphism in Interpreted Code
    by Kristopher L. Russo - February 10, 2017

    Malware research has operated primarily in a reactive state to date but will need to become more proactive to bring malware time-to-detection rates down to acceptable levels. Challenging researchers to begin creating their own code that defeats traditional malware detection will help bring about this change. This paper demonstrates a sample code framework that is easily and dynamically expanded on. It shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems. The code sample documented within demonstrates that modern malware mitigation systems are not robust enough to prevent even the most basic of threats. The significant amount of difficult-to-detect malware in circulation today is evidence of this deficiency. This paper is designed to demonstrate how malware researchers can approach this problem in a way that partners researchers with vendors and follows code development from ideation through design to implementation and ultimately on to identification and mitigation.

  • Active Defense via a Labyrinth of Deception (Graduate Student Research)
    by Nathaniel Quist - December 5, 2016

    A network baseline allows for the identification of malicious activity in real time. However, a baseline requires that every listed action is known and accounted for, presenting a nearly impossible task in any production environment due to an ever-changing application footprint, system and application updates, changing project requirements, and not least of all, unpredictable user behaviors. Each obstacle presents a significant challenge in the development and maintenance of an accurate and false-positive-free network baseline. To surmount these hurdles, network architects need to design a network free from continuous change, including changing company requirements, untested systems or application updates, and the presence of unpredictable users. Creating a static, never-changing environment is the goal. However, this completely removes the functionality of a production network. Or does it? Within this paper, I will detail how this type of static environment, referred to as the Labyrinth, can be placed in front of a production environment and provide real-time defensive measures against hostile and dispersed attacks, from both human actors and automated machines. I expect to prove the Labyrinth is capable of detecting changes in its environment in real time. It will provide a listing of dynamic defensive capabilities like identifying attacking IP addresses, rogue-process start commands, modifications to registry values, alterations in system memory, and recording the movements of an attacker's tactics, techniques, and procedures. At the same time, the Labyrinth will add these values to a block list, protecting the production network lying behind it. Successful accomplishment of these goals will prove the viability and sustainability of a Labyrinth defending network environments (Revelle, 2011).

  • Detecting Incidents Using McAfee Products
    by Lucian Andrei - October 10, 2016

    Modern attacks against computer systems call for a combination of multiple solutions in order to be prevented and detected. This paper will analyze the capacity of commercial tools, with minimal configuration, to detect threats. Traditionally, companies use antivirus software to protect against malware, and a firewall combined with an IDS to protect against network attacks. This paper will analyze the efficacy of the following three combinations in withstanding application attacks: antivirus, antivirus plus host IDS, and antivirus combined with a host IDS plus application whitelisting. Before doing the tests we predicted that the antivirus will block 20% of the attacks, the HIDS will detect an additional 15%, and McAfee Application Control will protect against at least 50% more of the attacks executed by an average attacker using known exploits, without much obfuscation of the payload. The success of defensive commercial tools against attacks will justify the investment a company will be required to make.

  • Ransomware
    by Susan Bradley - October 3, 2016

    On a daily basis, a file gets clicked. An email attachment gets opened. A website gets browsed. Seemingly normal actions in every office, on every personal computer, can suddenly become a ransomware incident if the file, attachment, or banner ad was intended to infect a system, and all files the user had access to, with ransomware. What was once a rare occurrence now impacts networks ranging from small businesses to large companies to governments.

  • Demystifying Malware Traffic
    by Sourabh Saxena - August 29, 2016

    In today's world, adversaries use established techniques as well as innovative and intricate methods for cyber-crimes and to infiltrate firms or an individual's system. Usage of malware is one of those approaches. Malware not only creates an inlet for attacks, but it also turns systems into "zombies" and "bots", forcing them to obey commands and perform activities at the whim of the adversary. Thus, attacks like data theft, mail relay, access to confidential/restricted areas, and Distributed Denial-of-Service (DDoS) can easily be launched against not just the infected system but against other systems and environments as well by utilizing these zombies, bots, and botnets. Attackers not only obfuscate the code but can encrypt payloads as well as the malware's traffic simultaneously, using approaches like mutation and polymorphism, making their detection difficult not just for antiviruses, but even for firewalls, IDS and IPS, Incident Handlers, and Forensic teams. Organizations, having learned from past mistakes, have also shifted their approach from simple defense mechanisms such as antiviruses, IDS and IPS to aggressive strategies like DNS Sinkhole and Live Traffic Analysis. These strategies not only help in the identification and removal of malware but also in understanding the actual impact, blocking malicious activities, and identifying adversaries.

  • Active Defense Through Deceptive Configuration Techniques (Graduate Student Research)
    by Nathaniel Quist - January 29, 2016

    Honeypots are making a profound impact in the security world. Their ability to infer information about an attacker's Tactics, Techniques, and Procedures (TTPs) allows defenders to configure their defenses to respond to emerging threats, capture 0-day exploits, and identify malicious users within a network.

  • The Sliding Scale of Cyber Security
    by Robert M. Lee - September 1, 2015

    The Sliding Scale of Cyber Security is a model for providing a nuanced discussion of the categories of actions and investments that contribute to cyber security.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.