Reading Room

Analyst Papers

Featuring 473 Papers as of April 28, 2021

To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the on-demand versions, where you can download the slides.

  • Scoping an Intrusion Using Identity, Host, and Network Indicators by Christopher Crowley - April 22, 2021 

    The second half of a two-part series, this paper covers post-identification activities. The techniques covered here could also be used for initial identification, but they are discussed as though an initial identification already exists and can be used. The effort discussed here is to determine the scope of an intrusion effectively. Defenders fail to discover the full extent of adversary infrastructure. Defenders claim "containment" without thoroughly searching for the adversary. Defenders limit the scope of searching for adversary capability and infrastructure to only known items, instead of accepting that the adversary isn't limited to using the tactics and techniques we've discovered. In fact, it's in the adversary's interest to have heterogeneous capability to persist through discovery of one tactic or technique. Adversaries reuse infrastructure because there is a cost of resources and complexity to maintain multiple parallel infrastructures. A single infrastructure is frequently good enough since defenders aren't consistently thorough in intrusion scope discovery or eradication. This paper highlights techniques for scoping an incident once discovered, and the sources available on the network endpoints for identification of adversary infrastructure.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.