Reading Room

Intrusion Detection

Featuring 229 Papers as of June 9, 2021

  • Machine Learning Techniques for Intrusion Detection by Yih Han Tan - June 9, 2021 

    This paper aims to equip intrusion analysts with the basic techniques needed to apply machine learning to intrusion detection. It will first review and describe the different approaches to machine learning-based classification (e.g., logistic regression, support vector machines) before explaining the challenges of applying it to network intrusion detection. It will also review methods of data preprocessing, model training, and testing. This paper then describes experiments carried out on a dataset (NSL-KDD) that is widely used to test intrusion detection algorithms. Two sets of experiments demonstrating the application of commonly used machine learning-based classification and methods extensively used to improve model performance (e.g., boosting, bagging, stacking, label smoothing, and embedding) are performed. With a knowledge of the underlying algorithms and the provided source code, network operators can experiment with and eventually apply machine learning-based intrusion detection to their network.

  • Scoping an Intrusion Using Identity, Host, and Network Indicators Analyst Paper (requires membership in community)
    by Christopher Crowley - April 22, 2021 

    The second half of a two-part series, this paper covers post-identification activities. The techniques covered here could also be used for initial identification, but they are discussed as though an initial identification already exists and can be built upon. The effort discussed herein is to effectively determine the scope of an intrusion. Defenders fail to discover the full extent of adversary infrastructure. Defenders claim "containment" without thoroughly searching for the adversary. Defenders limit the search for adversary capability and infrastructure to known items, instead of accepting that the adversary is not limited to the tactics and techniques already discovered. In fact, it is in the adversary's interest to have heterogeneous capability in order to persist through the discovery of one tactic or technique. Adversaries reuse infrastructure because maintaining multiple parallel infrastructures costs resources and adds complexity. A single infrastructure is frequently good enough, since defenders are not consistently thorough in intrusion scope discovery or eradication. This paper highlights techniques for scoping an incident once discovered, and the sources available on network endpoints for identification of adversary infrastructure.

  • Understanding Your Attack Surface Analyst Paper (requires membership in community)
    by Matt Bromiley - April 21, 2021 

    What does it mean to evaluate your attack surface? For many organizations, it may simply mean running a vulnerability scanner against their perimeter and hoping an attacker does not do the same. This legacy thinking leaves out all the nooks and crannies that attackers have become adept at finding. Your attack surface should also include your system and network configurations, brand exposure, and knowledge of how your data is secured across numerous cloud providers. In this paper, we provide our review of Netenrich's Attack Surface Intelligence (ASI) application. Offering unique insight into the aforementioned data points, and then some, Netenrich presents a novel way to examine enterprise exposure and evaluate potential risks. ASI provides the best of both worlds: a convenient, high-level point of view on organizational risk, while still providing the granular context that analysts need to analyze and remediate potential risks.

  • A Multi-leveled Approach for Detection of Coercive Malicious Documents Employing Optical Character Recognition Graduate Student Research
    by Josiah Smith - April 8, 2021 

    Authors of malicious documents often include a graphical asset used to lure the potential victim to "enable editing" and to "enable content" to activate the macro's embedded logic. While these graphical lures vary in theme, language, and content, they commonly have similar coercive text. Using Optical Character Recognition to produce text files of the images provides the ability to anchor the images' contents. While attackers have been known to intentionally manipulate images to bypass OCR-based detection, some additional techniques can surface the textual contents. Optical Character Recognition can be utilized to track, pivot, and cluster malicious campaigns, identify new TTPs, and possibly provide attribution against adversaries.

  • Unpacking the Hype: What You Can (and Can't) Do to Prevent/Detect Software Supply Chain Attacks Analyst Paper (requires membership in community)
    by Jake Williams - February 24, 2021 

    This paper focuses on the SolarWinds compromise and what it can teach us about detecting software supply chain compromises.

  • The Strategic Value of Passive DNS to Cyber Defenses and Risk Management Analyst Paper (requires membership in community)
    by Dave Shackleford - February 22, 2021 

    Passive DNS has come to play a significant role in information security, and not only because DNS itself is mission-critical for name resolution. This paper explores how passive DNS may help detect and prevent many attacks that other security tools cannot.

  • Using Deep Instinct for Cyberthreat Prevention Analyst Paper (requires membership in community)
    by Jake Williams - January 29, 2021 

    Although not an endpoint detection and response (EDR) tool, Deep Instinct does provide some features that stray into the EDR space and takes a fundamentally different approach to detection than traditional EPP. This paper reviews this platform and highlights use cases as applicable.

  • Analyzing Malicious Behavior Effectively with ExtraHop Reveal(x) Analyst Paper (requires membership in community)
    by Dave Shackleford - January 4, 2021 

    In the past decade, the information security industry has learned a lot about what attackers do during campaigns against targets. Once a compromise has occurred, attackers attempt to maintain a persistent presence within the victim's network, escalate privileges, and move laterally within the victim's network to extract sensitive information to locations under the attacker's control.

    ExtraHop's Reveal(x) security analytics product provides security analysts with a platform that can rapidly analyze huge quantities of data without acquiring full network packets. In this paper, Dave Shackleford reviews ExtraHop's Reveal(x) and shares his insights on the many enhancements and new features that help intrusion analysis and investigation teams analyze malicious behavior in their environments more rapidly and effectively.

  • Evaluating Open-Source HIDS with Persistence Tactic of MITRE Att&ck Graduate Student Research
    by Jon Chandler - January 4, 2021 

    Small companies with limited budgets need to understand whether open-source tools can provide adequate security coverage. The MITRE ATT&CK framework provides an excellent basis for evaluating endpoint security tool effectiveness. A MITRE research paper provides the following insight into the value of ATT&CK: "The techniques in the ATT&CK model describe the actions adversaries take to achieve their tactical objectives" (Strom, et al., 2019). This paper examines two open-source endpoint tools, OSSEC and Wazuh, against the MITRE ATT&CK framework. The analysis determines each endpoint tool's ability to detect a selected set of MITRE ATT&CK persistence techniques, and for each technique reviewed, the degree to which it can be accurately identified by the evaluated tools. MITRE also conducts evaluations, but of proprietary tools; the results for the open-source endpoint tools analyzed here can be compared to the MITRE ATT&CK Evaluations conducted on proprietary endpoint toolsets. The MITRE ATT&CK framework is a valuable methodology that allows a company to compare endpoint tools from a security risk and product evaluation perspective.

  • Smart Enterprise Visibility with DTEX InTERCEPT Analyst Paper (requires membership in community)
    by Matt Bromiley - December 7, 2020 

    In this SANS product review, Matt Bromiley examines DTEX InTERCEPT, a holistic platform designed to detect suspicious user activity, providing analysts and management with enough context to understand the security risk to the organization and the next steps to take. By focusing on threat actors' behaviors, defenders can take back the advantage and catch attackers before they can launch their attacks.

  • Continuous Monitoring Effectiveness Against Detecting Insider Threat Graduate Student Research
    by Steven Austin - November 19, 2020 

    More organizations are implementing some form of Continuous Monitoring, yet there is an increase in insider threat incidents. The number of insider threat incidents has increased by 47% in two years, from 3,200 in 2018 to 4,716 in 2020 (Epstein, 2020). This data shows insider threat is an on-going problem for organizations despite efforts to implement Continuous Monitoring. The results of this research provide organizations with evidence of Continuous Monitoring effectiveness against detecting malicious insider attack techniques.

  • Threat Intelligence Solutions: A SANS Review of Anomali ThreatStream Analyst Paper (requires membership in community)
    by TJ Banasik - November 2, 2020 

    Cyber threat data from multiple sources overwhelms today's Security Operations Centers (SOCs) when there is no centralized method to aggregate it. Many organizations have immature threat intelligence programs that rely on a handful of external threat feeds, which analysts struggle to make sense of. A cyber threat intelligence program requires people, processes, and technology to process, exploit, and disseminate threat data. In this product review, SANS had the opportunity to review the Anomali ThreatStream® product, a threat intelligence platform providing a unified solution for collecting, curating, and disseminating threat intelligence. ThreatStream rationalizes multiple threat data sources into a single high-fidelity repository by automatically normalizing, de-duplicating, removing false positives, and enriching the threat data, then associating all related threat indicators. ThreatStream applies a machine learning algorithm to score indicators of compromise (IOCs).

  • Verifying Universal Windows Platform (UWP) Signatures at Scale Graduate Student Research
    by Joal Mendonsa - October 28, 2020 

    Enterprise security teams often use native Windows tools, like PowerShell, to check signatures and quickly establish whether a binary is known-good or is unknown and worthy of further investigation. Unfortunately, a new and growing class of applications, Universal Windows Platform (UWP) applications, incorrectly appear to be unsigned when checked using traditional methods. This paper demonstrates a way to efficiently validate UWP applications in a networked environment, strictly using Microsoft tools, and without placing additional binaries on remote systems.

  • Intuitive Endpoint Security: A SANS Review of Morphisec Analyst Paper (requires membership in community)
    by Matt Bromiley - August 18, 2020 

    Endpoint security can be a tricky topic for organizations. In many cases, security teams utilize endpoint security products that are bulky and cumbersome, barely effective and only make their jobs more difficult. Furthermore, many security products rely so heavily on detecting an incident after the fact that they hardly seem effective in preventing cyber incidents. This leaves the security team constantly chasing alerts through the network, rather than implementing preventative techniques. In this paper SANS instructor Matt Bromiley reviews the Morphisec platform, which reverses much of this approach. Morphisec is geared toward the prevention of malicious activity through the careful morphing of process memory.

  • Browser Isolation: A SANS Review of Cyberinc's Isla Analyst Paper (requires membership in community)
    by Matt Bromiley - July 28, 2020 

    The browser is an integral part of users' day-to-day activities, providing access to internal resources, sensitive data and third-party services. Via the use of webmail and malicious links, it is also an integral piece of the entry vector for attackers. In this product review, Matt Bromiley reviews Cyberinc's Isla, a browser isolation platform that addresses this common incident entry vector by getting in front of browser-borne threats and effectively rendering them harmless.

  • Methods to Employ Zeek in Detecting MITRE ATT&CK Techniques Graduate Student Research
    by Michael McPhee - July 15, 2020 

    MITRE ATT&CK techniques and their respective detections, while a significant step forward in democratizing threat intelligence, are predominantly focused on endpoint visibility through direct management or via agents. Some detection approaches leverage network sensors (e.g., Zeek) like BZAR (Fernandez, Wunder, Azoff, & Tylabs) in network-based detection of ATT&CK techniques. However, many of these earlier solutions focus on Microsoft Windows-specific protocols. They do not provide broad coverage of less-sophisticated endpoints, industrial systems, or infrastructure devices themselves (such as routers, switches, wireless devices). This paper will explore the feasibility of network-based detections using combinations of CLI utilities and Zeek IDS to augment or replace endpoint-focused detections and extend ATT&CK's utility to the rest of the network.

  • Securing the Soft Underbelly of a Supercomputer with BPF Probes Graduate Student Research
    by Billy Wilson - June 18, 2020 

    High-performance computing (HPC) sites have a mission to help researchers obtain results as quickly as possible, but research contracts often require security controls that degrade performance. One standard solution is to secure a set of login nodes that mediate access to an enclave of lightly monitored compute nodes, referred to as “the soft underbelly of a supercomputer” by one DoD representative (National, 2016). Recent advances in the BPF subsystem, a Linux tracing technology, have provided a new means to monitor compute nodes with minimal performance degradation. Well-crafted BPF traces can detect malicious activity on an HPC cluster without slowing down systems or the researchers that depend on them. In this paper, a series of low-profile attacks are conducted against a compute cluster under heavy computational load, and BPF probes are attached to detect the attacks. The probes successfully log all attacks, and performance loss is less than one percent for all benchmarks save for one inconclusive set.

  • Factoring Enterprise IoT Devices into Detection and Response Analyst Paper (requires membership in community)
    by Matt Bromiley - May 27, 2020 

    With the advent of the cloud, corporate networks are becoming more complex. There is a constant state of change, with new types of devices installed daily. To keep pace, you need an approach to threat detection and response that gives your team full visibility, so it can adapt quickly and include enterprise IoT devices in its response plans. This paper explores the growth of enterprise IoT devices inside corporate networks and how they change the shape of incident detection and response. The enterprise device landscape is dynamic; it is prudent for your information security team to track changes in order to understand the effects on your network.

  • QUIC & The Dead: Which of the Most Common IDS/IPS Tools Can Best Identify QUIC Traffic? Graduate Student Research
    by Lehlan Decker - May 20, 2020 

    The QUIC protocol, created by Google for use in its popular Chrome browser, has begun to be adopted by other browsers. Some organizations have a robust strategy for handling TLS with HTTP/2. However, QUIC (HTTP carried over a UDP-based transport rather than TCP) lacks visibility in crucial information security tools such as Wireshark, Zeek, Suricata, and Snort. The lack of visibility is due both to its use of TLS 1.3 for encryption and to its use of UDP for transport. The defender is at a disadvantage because selective blocking of QUIC is not always possible. Moreover, some QUIC traffic may be legitimate, so outright blocking of endpoints that use QUIC is likely to cause more issues than it solves. To complicate matters further, QUIC has begun to appear in command and control (C2) frameworks such as Merlin as an additional means of hiding traffic.

  • Efficacy of UNIX HIDS Graduate Student Research
    by Janusz Pazgier - May 15, 2020 

    There has been an increase in UNIX-based adversarial activity, as enterprises and users shift towards the platform (WatchGuard, 2017). The focus of this paper is to demonstrate the effectiveness of three separately installed host-based intrusion detection systems (HIDS): OSSEC, Samhain, and Auditd, and their ability to detect specific MITRE ATT&CK tactics. Custom scripts implement the ATT&CK tactics of privilege escalation, persistence, and data exfiltration. The goal is to inform security professionals about the pros and cons of implementing each of these HIDS.

  • Dealing with DoH: Methods to Increase DNS Visibility as DoH Gains Traction Graduate Student Research
    by Scott Fether - May 6, 2020 

    Microsoft is planning to implement DNS over HTTPS (DoH) in the native Windows DNS Client (Jensen, Pashov, & Montenegro, 2019). Firefox and Chrome have already implemented this protocol in their browsers. Because of DoH’s encrypted nature and use of port 443, security analysts will need to adjust their log collection and analysis techniques. Much of the literature available regarding DoH suggests either preventing the use of DoH (Hjelm, 2019, p. 20) or utilizing SSL/TLS proxies to inspect the queries (Middlehurst, 2018). Firefox can generate host logs on DoH resolution, which includes unencrypted queries and answers. This research will explore various inspection and logging techniques that will identify the most effective approach to analyzing DoH.
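
One of the logging techniques the paper's question invites is worth seeing in working form: because DoH rides on TCP/443 like any other HTTPS, a network sensor cannot see the queries, but it can still see the TLS server name (SNI) and the server address, and both can be matched against known public DoH resolvers. The script below is an added example, not code from the paper. It assumes Zeek's JSON ssl.log format (fields id.orig_h, id.resp_h, id.resp_p, server_name); the resolver names and addresses are a small illustrative subset, and the log records are constructed rather than captured.

```python
"""Flag likely encrypted-DNS sessions (DoH, and DoT for contrast) in Zeek ssl.log.

Added example, not the paper's tooling. Assumes Zeek's JSON log format with the
fields id.orig_h, id.resp_h, id.resp_p and server_name (TLS SNI). The resolver
names and IPs below are a small illustrative subset of public DoH services.
"""
import json
from typing import Dict, Iterable, List, Optional

# Public DoH endpoints by hostname (subdomains such as mozilla.cloudflare-dns.com
# match by suffix) and by the anycast addresses those names resolve to.
DOH_HOSTNAMES = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}


def _known_doh_name(sni: str) -> bool:
    return any(sni == h or sni.endswith("." + h) for h in DOH_HOSTNAMES)


def classify_ssl_record(rec: dict) -> Optional[Dict[str, str]]:
    """Return {"kind": ..., "reason": ...} for a DoH/DoT session, else None."""
    port = int(rec.get("id.resp_p", 0))
    if port == 853:
        # DNS over TLS uses a dedicated port, so it is the easy case to spot or block.
        return {"kind": "dot", "reason": "port:853"}
    if port != 443:
        return None
    sni = (rec.get("server_name") or "").lower().rstrip(".")
    if sni and _known_doh_name(sni):
        return {"kind": "doh", "reason": "sni:" + sni}
    # No SNI (or an unfamiliar one): a TLS session straight to a public resolver's
    # address on 443 is still a strong DoH indicator; the same address on port 53
    # would have been ordinary, inspectable DNS.
    if rec.get("id.resp_h") in DOH_IPS:
        return {"kind": "doh", "reason": "ip:" + rec["id.resp_h"]}
    return None


def find_encrypted_dns(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan JSON ssl.log lines; one result per DoH/DoT session, in log order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        verdict = classify_ssl_record(rec)
        if verdict:
            hits.append({"orig": rec["id.orig_h"], "resp": rec["id.resp_h"], **verdict})
    return hits


# Constructed ssl.log records (not a real capture): a Firefox DoH session to
# Cloudflare, a DoH session with no SNI, ordinary HTTPS, and a DoT session.
SAMPLE_SSL_LOG = """
{"ts":1588780800.1,"id.orig_h":"10.0.0.5","id.resp_h":"104.16.248.249","id.resp_p":443,"server_name":"mozilla.cloudflare-dns.com","version":"TLSv13"}
{"ts":1588780801.2,"id.orig_h":"10.0.0.7","id.resp_h":"1.1.1.1","id.resp_p":443,"version":"TLSv13"}
{"ts":1588780802.3,"id.orig_h":"10.0.0.9","id.resp_h":"93.184.216.34","id.resp_p":443,"server_name":"www.example.com","version":"TLSv12"}
{"ts":1588780803.4,"id.orig_h":"10.0.0.9","id.resp_h":"9.9.9.9","id.resp_p":853,"server_name":"dns.quad9.net","version":"TLSv13"}
"""

if __name__ == "__main__":
    for hit in find_encrypted_dns(SAMPLE_SSL_LOG.splitlines()):
        print(hit)
```

The SNI match is the reliable signal; the address fallback exists because a client can omit SNI, and Encrypted Client Hello would hide it entirely, which is exactly why the paper's host-side logging (Firefox's own DoH logs) matters as a second source.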

  • Transforming Detection and Response: A SANS Review of Cortex XDR Analyst Paper (requires membership in community)
    by Matt Bromiley - May 4, 2020 

    To help their teams detect and respond to the ever-growing list of security threats, many organizations have turned toward endpoint detection and response (EDR) platforms within their environment. This product review explores the intuitive and insightful security platform Cortex XDR, provided by Palo Alto Networks. A platform designed to help decrease the time an organization needs to detect and respond to threats, Cortex XDR brings multiple data sources together, including network, endpoint and cloud, to assist analysts in performing enterprise investigations.

  • How to Design a Least Privilege Architecture in AWS Analyst Paper (requires membership in community)
    by Dave Shackleford - April 23, 2020 

    A least privilege architecture reduces risk and minimizes disruptions by allowing only the minimum required authority to perform tasks. This architecture should include authentication and authorization controls, network access and inspection controls, and monitoring/enforcement controls for both the network and workloads. Learn what it takes to create a granular security environment that provides strong attack resistance.

  • 2020 SANS Network Visibility and Threat Detection Survey Analyst Paper (requires membership in community)
    by Ian Reynolds - March 31, 2020 

    Organizations have untapped opportunities to strengthen the way they analyze network data and increase visibility. Visibility brings increased situational awareness, allowing for rapid threat identification and investigation for faster resolution of internal performance issues and security breaches. Investing time in understanding how and where to capitalize on these opportunities will bring real and measurable benefits.

  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in community)
    by Kyle Dickinson - March 17, 2020 

    Deception technologies significantly improve security teams' ability to quickly and accurately detect attackers who intentionally avoid looking malicious. But how do these technologies work to address key security concerns? This paper explores how to collect threat intelligence and attack attribution information on malicious behaviors that fly under the radar, such as Active Directory and ransomware attacks, phishing, credential hijacking, exploitation of vulnerable applications, and more.

  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in community)
    by Kyle Dickinson - February 18, 2020 

    Deception technologies can significantly improve an organization's capability to quickly and accurately detect attackers who intentionally avoid looking malicious. At the same time, deception technologies can collect threat intelligence and attack attribution information to improve response effectiveness. Implemented as network-accessible resources, on endpoints, and even in cloud deployments, deception technologies can cover major attack surfaces and help detect malicious behaviors such as account hijacking, phishing, exploitation of vulnerable applications, and more.

  • How to Improve Security Visibility and Detection/Response Operations in AWS Analyst Paper (requires membership in community)
    by Dave Shackleford - February 12, 2020 

    Security teams handle a sizable stream of alerts, creating noise and impairing their ability to determine which incidents to prioritize. Used together, logging and event monitoring, along with automation strategies and tools, can enable teams to build an effective and efficient continuous cloud security monitoring strategy. By implementing large-scale analytics processing, integrating SIEM solutions that improve detection and investigation of potential threats, and leveraging SOAR technologies to auto-remediate events, security teams have the power to create more signal and less noise for actionable responses.

  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in community)
    by Kyle Dickinson - February 5, 2020 

    Deception technologies can significantly improve an organization's ability to swiftly and accurately detect attackers, while at the same time collecting sufficient threat intelligence and attack attribution information to improve response effectiveness. By deploying decoy lures, misdirections, and systems to attract and snare attackers, organizations can take back the advantage on today's digital battlefield. All it takes is for the attacker to touch one deceptive resource.

  • Detecting Malicious Authentication Events in SaaS Applications Using Anomaly Detection Graduate Student Research
    by Gavin Grisamore - December 11, 2019 

    SaaS applications have been exploding in popularity due to their ease of deployment, use, and maintenance. Security teams are struggling to keep pace with the growing list of applications used in their environment as well as with the process of tracking the data these applications hold. Attackers have been taking advantage of these visibility gaps and have targeted SaaS applications regularly. By using log data from the applications themselves, security teams can use anomaly detection techniques to find and respond to such attacks. Anomaly detection allows security teams to more quickly identify and remedy a data breach by condensing large amounts of data into a shortened list of events that are outliers. The detection techniques used can help security teams respond to or prevent the next data breach.

  • Catch Me If You Can: Detecting Server-Side Request Forgery Attacks on Amazon Web Services Graduate Student Research
    by Sean McElroy - November 27, 2019 

    Cloud infrastructure offers significant benefits to organizations capable of leveraging rich application programming interfaces (APIs) to automate environments at scale. However, unauthorized access to management APIs can enable threat actors to compromise the security of large amounts of sensitive data very quickly. Practitioners have documented techniques for gaining access through Server-Side Request Forgery (SSRF) vulnerabilities that exploit management APIs within cloud providers. However, mature organizations have failed to detect some of the most significant breaches, sometimes for months after a security incident. Cloud services adoption is increasing, and firms need effective methods of detecting SSRF attempts to identify threats and mitigate vulnerabilities. This paper examines a variety of tools and techniques to detect SSRF activity within an Amazon Web Services (AWS) environment that can be used to monitor for real-time SSRF exploit attempts against the AWS API. The research findings outline the efficacy of four different strategies to answer the question of whether security professionals can leverage additional vendor-provided and open-source tools to detect SSRF attacks.
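
The paper speaks generically of "management APIs"; the classic SSRF target in AWS is the instance metadata service (IMDS) at 169.254.169.254 (IPv6 fd00:ec2::254), from which an application that fetches attacker-supplied URLs can be made to read the instance's IAM role credentials. The detector below is an added example, not the paper's tooling, and that target is its assumption. It reads combined-format web access logs (the lines are constructed, not real) and flags any embedded URL whose host, after undoing the integer, hex, octal and short dotted spellings attackers use to slip past naive string matches, is the IMDS address or any link-local address.

```python
"""Spot SSRF attempts aimed at the AWS instance metadata service (IMDS).

Added example, not the paper's tooling. Assumes combined-format access logs
and that the SSRF target of interest is IMDS (169.254.169.254 / fd00:ec2::254).
Hosts are normalised so decimal, hex, octal and short dotted IP spellings are
recognised; names that would need DNS are left alone (this runs offline).
"""
import ipaddress
import re
from typing import Dict, List, Optional, Union
from urllib.parse import unquote, urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IMDS_ADDRS = {ipaddress.ip_address("169.254.169.254"), ipaddress.ip_address("fd00:ec2::254")}

# client-ip ... [timestamp] "METHOD target HTTP/x"
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')
# Any scheme://... token inside the (decoded) request target, e.g. a ?url= parameter.
URL_RE = re.compile(r'[a-z][a-z0-9+.-]*://[^\s"\'<>&]+', re.I)


def _to_int(tok: str) -> int:
    """Parse one numeric token the way inet_aton does: 0x.. hex, leading-0 octal, else decimal."""
    if tok.startswith(("0x", "0X")):
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0" and tok.isdigit():
        return int(tok, 8)
    return int(tok)


def normalize_host(host: str) -> Optional[IPAddr]:
    """Turn a URL host into an IP address, accepting the encodings SSRF payloads use."""
    host = host.strip("[]").lower()
    try:
        return ipaddress.ip_address(host)            # plain dotted quad or IPv6
    except ValueError:
        pass
    try:                                             # single integer: 2852039166, 0xa9fea9fe
        n = _to_int(host)
        return ipaddress.IPv4Address(n) if 0 <= n <= 0xFFFFFFFF else None
    except ValueError:
        pass
    try:                                             # dotted with hex/octal/short octets
        nums = [_to_int(p) for p in host.split(".")]
    except ValueError:
        return None                                  # a hostname; cannot resolve offline
    if not 1 <= len(nums) <= 4 or any(n < 0 for n in nums):
        return None
    widths = [8] * (len(nums) - 1) + [32 - 8 * (len(nums) - 1)]   # last part absorbs the rest
    value = 0
    for n, w in zip(nums, widths):
        if n >= 1 << w:
            return None
        value = (value << w) | n
    return ipaddress.IPv4Address(value)


def find_imds_ssrf(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per embedded URL whose host resolves (offline) to IMDS or link-local."""
    hits = []
    for line in log_lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        src, target = m.group(1), m.group(2)
        decoded = unquote(unquote(target))           # twice: double-encoded payloads are common
        for url in URL_RE.findall(decoded):
            try:
                host = urlsplit(url).hostname        # drops userinfo tricks like http://x@169.254.169.254/
            except ValueError:
                continue
            if not host:
                continue
            ip = normalize_host(host)
            if ip is not None and (ip in IMDS_ADDRS or ip.is_link_local):
                hits.append({"src": src, "url": url, "resolves_to": str(ip)})
    return hits


# Constructed access-log lines (not from a real system): four IMDS attempts in
# different spellings, one benign fetch, one request with no embedded URL.
SAMPLE_ACCESS_LOG = [
    '10.1.2.3 - - [27/Nov/2019:10:00:01 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512',
    '10.1.2.4 - - [27/Nov/2019:10:00:02 +0000] "GET /fetch?url=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 77',
    '10.1.2.5 - - [27/Nov/2019:10:00:03 +0000] "GET /fetch?url=http://0xa9.0376.169.254/latest/ HTTP/1.1" 500 0',
    '10.1.2.6 - - [27/Nov/2019:10:00:04 +0000] "GET /fetch?url=http://[fd00:ec2::254]/latest/meta-data/ HTTP/1.1" 200 40',
    '10.1.2.7 - - [27/Nov/2019:10:00:05 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200 9000',
    '10.1.2.8 - - [27/Nov/2019:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for hit in find_imds_ssrf(SAMPLE_ACCESS_LOG):
        print(hit)
```

Log-side detection like this complements, rather than replaces, the instance-side controls the paper's strategies cover: a hostname that resolves to 169.254.169.254 only at request time (DNS rebinding) is invisible here, which is one reason to also require IMDSv2's session token and to alert on GetCallerIdentity calls arriving from addresses outside the VPC.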

  • Someone to Watch Over You: A Review of CrowdStrike’s Falcon OverWatch Analyst Paper (requires membership in community)
    by Joe Sullivan - November 19, 2019 

    Technology alone cannot stop 100% of threats against endpoints. Ensuring security requires that people and processes be an integral part of threat hunting. That's where CrowdStrike's Falcon OverWatch comes in, with a team of live, trained threat hunting analysts whose job is to alert you to advanced attack techniques that can go undetected by automated tools. In this review, SANS puts OverWatch through its paces to detect and alert on sophisticated attacks such as credential theft, defense evasion, and lateral movement, making it possible for in-house security teams to respond to threats immediately.

  • ExtraHop Reveal(x) Expands Attack Investigations to Cover All Vectors Analyst Paper (requires membership in community)
    by Dave Shackleford - September 30, 2019 

  • Exploring Osquery, Fleet, and Elastic Stack as an Open-source solution to Endpoint Detection and Response Graduate Student Research
    by Christopher Hurless - September 10, 2019 

    Endpoint Detection and Response (EDR) capabilities are rapidly evolving as a method of identifying threats to an organization's computing environment. Global research and advisory company, Gartner defines EDR as: "Solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems" (Gartner, 2019). This paper explores the feasibility and difficulty of using open-source tools as a practical alternative to commercial EDR solutions. A business with sufficiently mature Incident Response (IR) processes might find that building an EDR solution “in house” with open-source tools provides both the knowledge and the technical capability to detect and investigate security incidents. The required skill level to begin using and gaining value from these tools is relatively low and can be acquired during the build process through problem deconstruction and solution engineering.

  • Elevating Enterprise Security with Fidelis Cybersecurity: Endpoint Security Capabilities Analyst Paper (requires membership in community)
    by Matt Bromiley - September 5, 2019 

    In this final part of a two-part review, Matt Bromiley continues his review of the Fidelis Elevate platform, shifting focus to endpoint security. He examines how Fidelis Endpoint provides endpoint insight and response, highlighting capabilities such as behavioral monitoring and detections, enterprisewide threat hunting, and response automation, as well as ease of integration with Fidelis Elevate to bring networks and endpoints together. With this kind of holistic visibility, the job of securing modern enterprises becomes significantly easier and more achievable.

  • Attackers Inside the Walls: Detecting Malicious Activity Graduate Student Research
    by Sean Goodwin - July 2, 2019 

    Small and medium-sized businesses (SMBs) do not always have the budget for an advanced intrusion detection system (IDS) technology. Open-source software can fill this gap, but these free solutions may not provide full coverage for known attacks, especially once the attacker is inside the perimeter. This paper investigates the IDS capabilities of a stand-alone Security Onion device when combined with built-in event logging in a small Windows environment to detect malicious actors on the internal network.

  • Taming the Endpoint Chaos Within: A Review of Panda Security Adaptive Defense 360 Analyst Paper (requires membership in community)
    by Justin Henderson - March 26, 2019 

    Endpoint security requires a solution that scales, is easy to maintain and provides a comprehensive integration into the endpoint itself. This review of Panda Security Adaptive Defense 360 details how the endpoint platform prevents malicious executables, automates complex tasks and provides scalability. Panda Security's EDR approach applies prevention controls in combination with detective controls, and allows security teams to deploy preventive technologies while retaining insight into environments.

  • Securing Your Endpoints with Carbon Black: A SANS Review of the CB Predictive Security Cloud Platform Analyst Paper (requires membership in community)
    by Dave Shackleford - March 14, 2019 

    Endpoint security remains a top security priority for most organizations. SANS reviews the CB Predictive Security Cloud (PSC), which focuses on securing endpoints by using a single lightweight agent that provides security professionals with actionable insights about cyberattacks. It uses behavioral analytics and big data in the cloud to prevent emerging threats; helps with vulnerability assessment and compliance reporting; and assists in threat hunting and incident response.

  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 

    As adversary tactics continue to adapt and embrace the concept of living off the land, using legitimate company software instead of a virus or other malware (Rut15), their tactics, techniques, and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials or gain access to end users' computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.

  • Enterprise Security with a Fluid Perimeter Analyst Paper (requires membership in community)
    by Matt Bromiley - January 22, 2019 

    Between BYOD, the cloud, third-party providers, and a fluctuating mobile workforce, it is growing more difficult to maintain a rigid security policy. This paper examines critical techniques for addressing this issue, including the role of baselining, integrating and automating response, and defending against attacks more quickly, as well as specific action items for better protection.

  • Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity Graduate Student Research
    by Dallas Haselhorst - January 4, 2019 

    The information security industry is predicted to exceed 100 billion dollars in the next few years. Despite the dollars invested, breaches continue to dominate the headlines. Despite best efforts, all attempts to keep the enemies at the gates have ultimately failed. Meanwhile, attacker dwell times on compromised systems and networks remain absurdly high. Traditional defenses fall short in detecting post-compromise activity even when properly configured and monitored. Prevention must remain a top priority, but every security plan must also include hunting for threats after the initial compromise. High price tags often accompany quality solutions, yet tools such as Security Onion, Zeek (Bro), and RITA require little more than time and skill. With these freely available tools, organizations can effectively detect advanced threats including real-world command and control frameworks.

  • Investigate East-West Attacks on Critical Assets with Network Traffic Analysis Analyst Paper (requires membership in community)
    by Dave Shackleford - October 3, 2018 

    Once attackers compromise a network, they attempt to maintain a persistent presence in the network and focus on data access and exfiltration. Such east-west attacks can be challenging to detect and remediate. SANS reviewed ExtraHop Networks' Reveal(x) network traffic analysis platform, which aims to address the east-west challenge. Read on to learn more.

  • Processing experimental protocols against IDS by Tommy Adams - August 10, 2018 

    Experimental protocols such as TCP Fastopen, QUIC, and Multipath TCP are not uncommon on Internet-connected networks. If a network has modern operating systems and browsers, it is a near certainty that experimental protocols are traversing the network. This paper will examine potential consequences of experimental protocols to current network security monitoring practices and the potential for intrusion detection evasion. This paper will provide a roadmap by which an analyst may process any new, odd, or experimental traffic against their open-source intrusion detection system.

  • Passive Analysis of Process Control Networks by Jennifer Janesko - June 1, 2018 

    In recent years there has been an increased push to secure critical ICS infrastructures by introducing information security management systems. One of the first steps in the ISMS lifecycle is to identify which assets are present in the infrastructure and to determine which ones are critical for operations. This is a challenge because, for various reasons, the documentation of the current state of ICS networks is often not up-to-date. Classic inventorying techniques such as active network scanning cannot be used to remedy this because ICS devices tend to be sensitive to unexpected network traffic. Active scanning of these systems can lead to physical damage and even injury. This paper introduces a passive network analysis approach to starting, verifying and/or supplementing an ICS asset inventory. Additionally, this type of analysis can also provide some insight into the ICS network’s current security posture.

  • Automated Detection and Analysis using Mathematical Calculations by Lionel Teo - May 17, 2018 

    A compromised system usually shows some form of anomalous behaviour. Examples include new processes, services, or outbound traffic. In an ideal environment, rules are configured to alert on such anomalies, where an analyst would perform further analysis to determine a possible compromise. However, the real-world situation is less than ideal; new processes, outbound traffic, or other anomalies often blend into legitimate activities. A large network can generate terabytes of data daily, making the task of developing efficient detection capabilities a bit challenging. Mathematical calculations can enhance detection capability by emulating the human confidence level on assessment and analysis. Mathematical analysis can help understand the context of the event, establishing fidelity of the initial investigation automatically. By incorporating automated analysis to handle false positives, human errors and false negatives can be avoided, resulting in a greater detection and monitoring capability.

  • Automate Threat Detection and Incident Response: SANS Review of RSA NetWitness Platform Analyst Paper (requires membership in community)
    by Ahmed Tantawy - May 10, 2018 

    In a recent SANS survey, approximately 35 percent of respondents said their greatest impediment is a skills gap in their IT environments. With that in mind, we reviewed RSA NetWitness Platform, a solution that aims to bridge the human skills gap via machine learning and analytics. This review focuses on RSA NetWitness Platform and examines different views, from responding to an incident to performing an investigation and drilling down to see an activity in real time.

  • Do Random IP Lookups Mean Anything? by Jay Yaneza - May 2, 2018 

    Being able to identify the external IP address of a network is usually a benign activity. Applications may opt to use online services via an HTTP request or API call. Currently, there are some web-based applications that provide this kind of service openly, and some with possibly malicious uses. In fact, malware threats have been using these services to map out and identify their targets for quite some time already – an acknowledged fact hidden in technical write-ups that holds little recognition for an active defender. The goal of looking into these web services is to isolate threats that had abused the network service and identify this kind of network activity. If we can associate an external IP lookup with a suspicious activity, then we would be able to assume that an endpoint requires some form of investigation. Endpoint identification through IP addresses may pose a challenge, but the correct placement of the identification methods proposed in this paper may be considered. This paper will also look into the associated malicious activity that had used online services, the use of such services over time, differentiate the threats that use them, and finally how to detect them using open source tools, if applicable.

  • Understanding Mobile Device Wi-Fi Traffic Analysis by Erik Choron - April 24, 2018 

    Mobile devices have become more than just a portable vehicle to place phone calls in locations previously deprived of traditional phone service. In addition to versatile phone service, mobile devices include the capability of utilizing the internet through the Mobile Internet Protocol (IP). This can cause a problem whenever a device is roaming through different points of the cellular network. The IP handoff that takes place during the transfer between cellular towers can result in a degraded performance which can possibly impede traffic analysis. A thorough understanding of Wi-Fi traffic and Mobile IP technology could benefit network and system administrators and defenders by heightening awareness in a field that is surpassing more commonly understood technology.

  • Stopping Advanced Malware, Pre- and Post-Execution: A SANS Review of enSilo's Comprehensive Endpoint Security Platform Analyst Paper (requires membership in community)
    by Dave Shackleford - March 20, 2018 

    Sophisticated malware is the new weapon of choice for criminals and nation states. A multilayered self-defending security solution--agnostic to operating systems, mitigating malware in real-time, enabling pre- and post-execution--is needed to defend against cyber attacks. In this review, SANS Instructor and Analyst Dave Shackleford tests enSilo's response against advanced malware and ransomware threats and explores how enSilo's features can alleviate burden on security staff.

  • PCAP Next Generation: Is Your Sniffer Up to Snuff? Graduate Student Research
    by Scott D. Fether - March 16, 2018 

    The PCAP file format is widely used for packet capture within the network and security industry, but it is not the only standard. The PCAP Next Generation (PCAPng) Capture File Format is a refreshing improvement that adds extensibility, portability, and the ability to merge and append data to a wire trace. While Wireshark has led the way in supporting the new format, other tools have been slow to follow. With advantages such as the ability to capture from multiple interfaces, improved time resolution, and the ability to add per-packet comments, support for the PCAPng format should be developing more quickly than it has. This paper describes the new standard, displays methods to take advantage of new features, introduces scripting that can make the format usable, and makes the argument that migration to PCAPng is necessary.

  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.

  • Using Windows 10 and Windows Server 2016 to create an Endpoint Detection and Response solution Graduate Student Research
    by Sebastian Godin - February 21, 2018 

    It has been established best practice to supplement Microsoft Windows with third-party endpoint security solutions that defend against viruses, malware, internet-based, and other threats. With each iteration of Windows, Microsoft has added security measures that are native to the OS like Windows Defender, Security policy editor, and more. Microsoft has made many noticeable advances in Windows 10 and Windows Server 2016 that improve the overall security posture of endpoints. This new modern Windows enterprise ecosystem, when utilized properly, can be leveraged like an Endpoint Detection and Response capability. This capability can be achieved without third-party software and can reduce costs to the enterprise that can be reinvested into other projects.

  • DNS: An Asset, Not a Liability Analyst Paper (requires membership in community)
    by Matt Bromiley - January 30, 2018 

    The Domain Name System, or DNS, is crucial to billions of Internet users daily, but it comes with issues that organizations must be aware of. Attackers are abusing DNS to conduct attacks that bring businesses to their knees. Fortunately, with the right detection and analysis mechanisms in place, security teams can turn DNS vulnerabilities into enterprise assets.

  • Container Intrusions: Assessing the Efficacy of Intrusion Detection and Analysis Methods for Linux Container Environments Graduate Student Research
    by Alfredo Hickman - January 13, 2018 

    The unique and intrinsic methods by which Linux application containers are created, deployed, networked, and operated do not lend themselves well to the conventional application of methods for conducting intrusion detection and analysis in traditional physical and virtual machine networks. While similarities exist in some of the methods used to perform intrusion detection and analysis in conventional networks as compared to container networks, the effectiveness between the two has not been thoroughly measured and assessed: this presents a gap in application container security knowledge. By researching the efficacy of these methods as implemented in container networks compared to traditional networks, this research will provide empirical evidence to identify the gap, and provide data useful for identifying and developing new and more effective methods to secure application container networks.

  • The State of Honeypots: Understanding the Use of Honey Technologies Today Graduate Student Research
    by Andrea Dominguez - November 17, 2017 

    The aim of this study is to fill in the gaps in data on the real-world use of honey technologies. The goal has also been to better understand information security professionals' views and attitudes towards them. While there is a wealth of academic research in cutting-edge honey technologies, there is a dearth of data related to the practical use of these technologies outside of research laboratories. The data for this research was collected via a survey which was distributed to information security professionals. This research paper includes details on the design of the survey, its distribution, analysis of the results, insights, lessons learned and two appendices: the survey in its entirety and a summary of the data collected.

  • A Spicy Approach to WebSockets: Enhancing Bro’s WebSockets Network Analysis by Generating a Custom Protocol Parser with Spicy Graduate Student Research
    by Jennifer Gates - September 22, 2017 

    Although the Request for Comments (RFC) defining WebSockets was released in 2011, there has been little focus on using the Bro Intrusion Detection System (IDS) to analyze WebSockets traffic. However, there has been progress in exploiting the WebSockets protocol. The ability to customize and expand Bro’s capabilities to analyze new protocols is one of its chief benefits. The developers of Bro are also working on a new framework called Spicy that allows security professionals to generate new protocol parsers. This paper focuses on the development of Spicy and Bro scripts that allow visibility into WebSockets traffic. The research conducted compared the data that can be logged with existing Bro protocol analyzers to data that can be logged after writing a WebSockets protocol analyzer in Spicy. The research shows increased effectiveness in detecting malicious WebSockets traffic using Bro when the traffic is parsed with a Spicy script. Writing Bro logging scripts tailored to a particular WebSockets application further increases their effectiveness.

  • Security Tools for the SMB and SME Segments by James Waite - September 11, 2017 

    Modern small and medium businesses (SMBs) operate with limited staff and budgets. Today's business environment requires businesses to do more with less. Businesses also have information that they need to protect. This protection is either mandated by law (HIPAA), industry requirements (PCI) or best practices (NIST). What are the recommended policies and tools an SMB should have in place to provide adequate and responsible information security? What tools should an SMB concentrate their time, effort and money towards? Should these tools be network-based tools, monitoring both inline and spanned traffic? Should these tools be endpoint tools that provide the same functionality and minimize the network tool components? Or should there be a mix of tools? Are certain tools required on endpoints, in the network or both? What are an SMB's regulatory requirements and how does this affect the choice in tools? These are the difficult questions that require thoughtful, concise and researched guidance.

  • Basic NGIPS Operation and Management for Intrusion Analysts by Mike Mahurin - August 15, 2017 

    Next Generation Intrusion Prevention Systems (NGIPS) are often referred to as the panacea to modern malware, network intrusion, advanced persistent threat, and application control for complex modern applications. Many vendors position these products in a way that minimizes the value of tuning and intrusion analysis to get the optimum security capability of the solution. This paper will provide a guide for how to maximize the capabilities of these technologies by providing a basic framework on how to effectively manage, tune, and augment an NGIPS solution with Open Source tools.

  • Packet Capture on AWS Graduate Student Research
    by Teri Radichel - August 14, 2017 

    Companies using AWS (Amazon Web Services) will find that traditional means of full packet capture using span ports is not possible. As defined in the AWS Service Level Agreement, Amazon runs certain aspects of the cloud platform and does not give customers access to physical networking hardware. Although access to physical network equipment is limited, packet capture is still possible on AWS but needs to be architected in a different way. Instead of using span ports, security professionals can leverage the software that runs on top of the cloud platform. The tools and services provided by AWS may facilitate more automated, cost-effective, scalable packet capture solutions for some companies when compared to traditional data center approaches.

  • Offensive Intrusion Analysis: Uncovering Insiders with Threat Hunting and Active Defense Graduate Student Research
    by Matthew Hosburgh - July 21, 2017 

    Today's adversaries are advanced and more capable than ever before. Passive defensive tactics are no longer viable for pursuing these attackers. To compound the issue, the existence of an insider threat creates a challenging problem for the passive defender. One of the largest breaches of classified information was carried out by an insider. Months after the incident had occurred, the Department of Defense (DoD) only began to realize the implications of the leak. The damage did not solely rest with the United States. A cascade of consequences was felt in many parts of the world, resulting from this breach. Techniques like Threat Hunting attempt to diminish this problem by combating advanced threats with people, also known as Threat Hunters. Although Threat Hunting is proving to be invaluable for many organizations, there remains a chasm between detection and disclosure. Offensive Countermeasure tools such as the Web Bug Server and Molehunt can be leveraged as a means to proactively hunt insider threats. To keep up with the continually evolving human adversary, defenders must employ these offensive tactics to annoy and attribute their adversaries.

  • Intrusion detection through traffic analysis from the endpoint using Splunk Stream by Etrik Eddy - May 24, 2017 

    With technologies such as software-defined wide area networking (SD-WAN) and cloud operations, the traditional scheme of intrusion detection and packet capture at the network perimeter is quickly becoming less viable as a model for network intrusion detection. One alternative is to dynamically collect network traffic at the endpoint using Splunk Stream and then use Splunk to analyze the traffic for indicators of compromise. This method allows for network-level detection on large, disparate networks which don’t have consolidated egress points for traffic.

  • Deception Matters: Slowing Down the Adversary with illusive networks® Analyst Paper (requires membership in community)
    by Eric Cole, PhD - May 1, 2017 

    Deception is an effective defense against targeted attacks that leverages a false map of cyber assets to boost the odds of finding an adversary early and mitigate overall damage. The adversary is tricked into a cyber rabbit hole of fake systems with fake libraries and DNS servers, counteracting the attacker's every move. In this review, SANS Fellow Eric Cole recounts his review of illusive networks' deception and protection capabilities to show cyber deception in action.

  • Hunting through Log Data with Excel by Greg Lalla - April 24, 2017 

    Gathering and analyzing data during an incident can be a long and tedious process. The vast amounts of data involved in even a single system intrusion can be overwhelming. Larger and well-funded incident response teams typically have a Security Information and Event Management (SIEM) product at their disposal to help the responder sift through this data to find artifacts relevant to the intrusion. This paper will demonstrate to the reader how to use Microsoft Excel and some of its more advanced features during an intrusion if a SIEM or similar product is not available to the incident responder.

  • Snort and SSL/TLS Inspection by Yousef Bakhdlaghi - April 20, 2017 

    An intrusion detection system (IDS) can analyze and alert on what it can see, but if the traffic is tunneled into an encrypted connection, the IDS cannot perform its analysis on that traffic. The difficulty of looking into the packet payload makes encrypted traffic one of the challenging issues for IDS. In Snort, the encrypted traffic inspector is available optionally and can only inspect connections’ handshakes, with no further inspection of the payload after the connection has been established. However, encrypted traffic can be entirely decrypted using the private key (decryption key), but there are some issues associated with SSL/TLS key exchanges that could increase the difficulty of decrypting traffic even when the private key is provided.

  • Detecting Attacks Against The 'Internet of Things' by Adam Kliarsky - March 30, 2017 

    The need to detect attacks against our networks has exploded with the rapid adoption of connected devices affectionately dubbed the "Internet of Things" (or IoT). Manufacturers are rapidly producing devices to meet consumer and market demand which creates a shortened time-to-market in manufacturing. The level of security in the product development lifecycle becomes questionable, as well as production standards. Vulnerabilities have been showing up targeting the physical interfaces of IoT devices, wireless protocols, and user interfaces. It is imperative that intrusion analysts understand how to assess the attack surface, analyze threats, and develop the capability to detect attacks in IoT environments. This paper will review threats, vulnerabilities, attacks, and intrusion detection as it applies to the IoT.

  • SOC-as-a-Service: All the Benefits of a Security Operations Center Without the High Costs of a DIY Solution Analyst Paper (requires membership in community)
    by Sonny Sarai - March 28, 2017 

    Security Operations Centers are increasingly important in today's enterprises - they protect against intrusions, damaging DDoS attacks and data security breaches, as well as help with investigation and remediation. But how can midsize enterprises get the same SOC advantages as their large enterprise peers?

    This paper explores how Arctic Wolf Networks' CyberSOC can help midsize organizations roll out a SOC-as-a-Service, thereby leveraging the benefits of a SOC without the high costs of a DIY solution.

  • Tracking Online Counterfeiters by Emilio Casbas - March 16, 2017 

    The counterfeiting market makes up a vast global business where the impact of fraudulent activity is hard to quantify. Counterfeiting is a global issue which has become more complex as black market activities moved to the internet. The online counterfeiters create thousands of websites with different approaches as part of their strategy to lure unsuspecting shoppers. This paper presents their most common tactics and their relation with the "Black market commoditization". It will show their resilience against takedown efforts and it will provide some guidance about how to detect them. With the knowledge acquired, a new kind of threat intelligence feed could be generated. This information might be integrated into existing security technologies such as proxies, Intrusion Detection Systems (IDSs) or Security Information and Event Management systems (SIEMs). The ultimate goal is to shed light on this increasing fraud vector so new detection capabilities can be deployed into existing services, thus protecting users from unsafe sites.

  • Intrusion Detection Evasion Techniques and Case Studies Graduate Student Research
    by Pierce Gibbs - January 23, 2017 

    The number of security breaches is increasing significantly each year. Global Internet traffic is expected to be on the order of zettabytes for 2016 and then doubling by 2020. In addition to increased traffic, the percentage of attack traffic is also increasing. The sophistication of attacks is also increasing. Attacks range in complexity from simple protocol, insertion, or desynchronization attacks that exploit the vagueness and incompleteness of the RFCs to polymorphic blending attacks that camouflage attack and exfiltration traffic to match normal traffic for that particular network. Various evasion techniques have been described in articles within this field of study, but there has not been a collective discussion on the variety of evasion techniques. A comprehensive compilation of the most common evasion techniques is needed to aid Intrusion Detection System providers and to assist various decision makers as they determine how best to apply limited resources to protect assets. This paper is a case study analysis designed to detail the most common intrusion evasion techniques that exist in the wild today.

  • Packets Don't Lie: LogRhythm NetMon Freemium Review Analyst Paper (requires membership in community)
    by Dave Shackleford - January 18, 2017 

    With more traffic than ever passing through our environments, and adversaries who know how to blend in, network security analysts need all the help they can get. At the same time, data is leaking out of our environments right under our noses. This paper investigates how LogRhythm’s Network Monitor Freemium (NetMon Freemium) Version 3.2.3 provides intelligent monitoring, and helps organizations to identify sensitive data leaving the network and to respond when loss occurs.

  • Continuous Monitoring: Build A World Class Monitoring System for Enterprise, Small Office, or Home by Austin Taylor - December 15, 2016 

    For organizations who wish to prevent data breaches, incident prevention is ideal, but detection of an attempted or successful breach is a must. This paper outlines guidance for network visibility, threat intelligence implementation and methods to reduce analyst alert fatigue. Additionally, this document includes a workflow for Security Operations Centers (SOC) to efficiently process events of interest thereby increasing the likelihood of detecting a breach. Methods include Intrusion Detection System (IDS) setup with tips on efficient data collection, sensor placement, identification of critical infrastructure along with network and metric visualization. These recommendations are useful for enterprises, small homes, or offices who wish to implement threat intelligence and network analysis.

  • Detecting Malicious SMB Activity Using Bro by Richie Cyrus - December 13, 2016 

    Attackers utilize the Server Message Block (SMB) protocol to blend in with network activity, often carrying out their objectives undetected. Post-compromise, attackers use file shares to move laterally, looking for sensitive or confidential data to exfiltrate out of a network. Traditional methods for detecting such activity call for storing and analyzing large volumes of Windows event logs, or deploying a signature-based intrusion detection solution. For some organizations, processing and storing large amounts of Windows events may not be feasible. Pattern-based intrusion detection solutions can be bypassed by malicious entities, potentially failing to detect malicious activity. Bro Network Security Monitor (Bro) provides an alternative solution allowing for rapid detection through custom scripts and log data. This paper introduces methods to detect malicious SMB activity using Bro.

  • Network Inspection of Duplicate Packets by Randy Devlin - November 11, 2016 

    Network Intrusion Analysis enables a security analyst to review network traffic for protocol conformity and anomalous behavior. The analyst’s goal is to detect network intrusion activity in near-real time. The detection provides details as to who the attackers are, the attack type, and potential remediation responses. Is it possible that a network security stack could render the analyst “blind” to detecting intrusions? This paper will review architecture, traffic flow, and inspection processes. Architecture review validates proper sensor placement for inspection. Traffic flow analyzes sources and destinations, approved applications, and known traffic patterns. Inspection process evaluates protocols and packet specific details. The combination of these activities can reveal scenarios that potentially result in limitations of network security inspection and analysis.

  • Forcepoint Review: Effective Measure of Defense Analyst Paper (requires membership in community)
    by Eric Cole, PhD - November 9, 2016 

    Effective security is all about the quality of the solution, not the quantity of products. Indeed, buying more products can make the problem worse. All of the major breaches over the last several years have had one thing in common: Multiple products were issuing alerts, but there were too many alerts and not enough people charged with monitoring and responding to them. When that is the case, putting more products in place spreads current resources even thinner--the problem gets worse, not better. This paper explains the advantages of an integrated defense-in-depth approach to security and looks at how Forcepoint's integrated solution suite meets the needs of such an approach.

  • Intrusion Detection Through Relationship Analysis by Patrick Neise - October 24, 2016 

    With the average time to detection of a network intrusion in enterprise networks assessed to be 6-8 months, network defenders require additional tools and techniques to shorten detection time. Perimeter, endpoint, and network traffic detection methods today are mainly focused on detecting individual incidents while security incident and event management (SIEM) products are then used to correlate the isolated events. Although proven to be able to detect network intrusions, these methods can be resource intensive in both time and personnel. Through the use of network flows and graph database technologies, analysts can rapidly gain insight into which hosts are communicating with each other and identify abnormal behavior such as a single client machine communicating with other clients via Server Message Block (SMB). Combining the power of tools such as Bro, a network analysis framework, and neo4j, a native graph database that is built to examine data and its relationships, rapid detection of anomalous behavior within the network becomes possible. This paper will identify the tools and techniques necessary to extract relevant network information, create the data model within a graph database, and query the resulting data to identify potential malicious activity.

  • PORTKnockOut: Data Exfiltration via Port Knocking over UDP by Matthew Lichtenberger - September 29, 2016 

    Data Exfiltration is arguably the most important target for a security researcher to identify. The seemingly endless breaches of major corporations are done via channels of various stealth, and an endless array of methods exist to communicate the data to remote endpoints while bypassing Intrusion Detection Systems, Intrusion Prevention Systems, firewalls, and proxies. This research examines a novel way to perform this data exfiltration, utilizing port knocking over User Datagram Protocol. It focuses specifically on the ease with which this can be done, the relatively low signal to noise ratio of the resultant traffic, and the plausible deniability of receiving the exfiltration data. Particular attention is spent on an implemented Proof of Concept, while the complete source code may be found in the Appendix.

  • Using Vagrant to Build a Manageable and Sharable Intrusion Detection Lab Graduate Student Research
    by Shaun McCullough - September 20, 2016 

    This paper investigates how the Vagrant software application can be used by Information Security (InfoSec) professionals looking to provide their audience with an infrastructure environment to accompany their research. InfoSec professionals conducting research or publishing write-ups can provide opportunities for their audience to replicate or walk through the research themselves in their own environment. Vagrant is a popular DevOps tool for providing portable and repeatable production environments for application developers, and may solve the needs of the InfoSec professional. This paper will investigate how Vagrant works, the pros and cons of the technology, and how it is typically used. The paper describes how to build or repurpose three environments, highlighting different features of Vagrant. Finally, the paper will discuss lessons learned.

  • Automating Provisioning of NetFlow Analyzers Graduate Student Research
    by Sumesh Shivdas - September 14, 2016 

    NetFlow is an embedded instrumentation within Cisco IOS software (Introduction to Cisco IOS NetFlow). NetFlow tracks every network conversation and thus provides insight into the network traffic. Third party NetFlow analyzers are available to store, analyze, alert and report on the NetFlow data. NetFlow analyzers allow users to create custom alerts and reports based on the network traffic. To maximize the benefits from custom alerting and reporting, the analyzers must be configured with details of the network environment. Manual configuration of the analyzer can soon be out of sync with the actual setup, thus creating false negatives and false positives. This paper proposes an option to automate the configuration of the NetFlow analyzer from a central repository.

  • Profiling Web Applications for Improved Intrusion Detection by Manuel Leos Rivas - September 7, 2016 

    Web application firewalls using generic “out of the box” configurations work well for common vulnerabilities but lack the capability to address application-specific contexts. Due to this lack of context, it is difficult for the firewall to determine what is ‘good’ versus ‘bad’. In addition, several learning features of certain high-end devices are inaccessible to companies and individuals. This document provides a generic approach to protecting web applications using freely available software by configuring ModSecurity. This approach enables differentiation between what is acceptable for the application and what may be interesting for investigation purposes. The process for creating an application profile should be well documented, repeatable, verifiable and automated as much as possible to ease integration into the application development lifecycle.

  • Deception Techniques as Part of Intrusion Detection Strategy Graduate Student Research
    by Colm Kennedy - August 1, 2016 

    Intrusion Detection Systems (IDS) are used to help the Security Analyst detect unauthorized or suspicious activity inside a network and on Endpoints (servers, workstations). An early stage in the hacker's methodology uses Active Recon on the network to find other machines they can pivot to and maintain their presence.

  • Scalable Methods for Conducting Cyber Threat Hunt Operations Graduate Student Research
    by Michael C. Long II - July 14, 2016 

    Information Security professionals commonly agree that organizations cannot prevent 100% of all cyber attacks. For this reason, organizations are encouraged to practice defense in depth so that if any one security measure fails, another will reduce the exposure and mitigate the impact. However, despite investing countless sums of money, manpower, and time into developing and maintaining a robust security infrastructure, organizations still struggle to identify and respond to cyber intrusions in a timely manner. Cyber Threat Hunt Teams have recently emerged as a proactive defense asset capable of methodically detecting and responding to advanced persistent threats that evade traditional rule or signature-based security solutions. This paper describes scalable methods and practices to plan and conduct cyber threat hunt operations throughout the enterprise.

  • Gh0st in the Dshell: Decoding Undocumented Protocols Graduate Student Research
    by David Martin - June 3, 2016 

    A 2015 study indicated that nearly 70 percent of traffic on the internet was made up of HTTP (57.39%) and HTTPS (9.53%) web traffic.

  • Neutrino Exploit Kit Analysis and Threat Indicators by Luis Rocha - April 13, 2016 

    Exploit Kits are powerful and modular digital weapons that deliver malware in an automated fashion to the endpoint. Exploit Kits take advantage of client side vulnerabilities. These threats are not new and have been around for the past 10 years at least. Nonetheless, they evolved and are now more sophisticated than ever. The malware authors behind them enforce sophisticated capabilities that evade detection, thwart analysis and deliver reliable exploits. These properties make detection and analysis difficult. This paper demonstrates a set of tools and techniques to perform analysis of the Neutrino Exploit Kit. The primary goal is to grow security expertise and awareness about these types of threats. Those empowered to defend users and corporations should not only study these threats, they must also be deeply involved in their analysis.

  • Mimikatz Overview, Defenses and Detection Graduate Student Research
    by James Mulder - February 29, 2016 

    Over the past decade or so, we have seen hacker tools mature from tedious bit flipping to robust attack frameworks.

  • Incident identification through outlier analysis Graduate Student Research
    by Joshua Lewis - February 16, 2016 

    Distinguishing between friend and foe as millions of packets traverse a network at any given moment can be a very tedious and trying objective.

  • Intrusion Detection and Prevention Systems Cheat Sheet: Choosing the Best Solution, Common Misconfigurations, Evasion Techniques, and Recommendations. Graduate Student Research
    by Phillip Bosco - January 25, 2016 

    There are many decisions a company must make while choosing an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) for their infrastructure. Pricing questions will arise to determine if it will fit into their budget.

  • Automated Network Defense through Threat Intelligence and Knowledge Management by Christopher O'Brien - January 4, 2016 

    Many organizations know that they should have cyber security threat intelligence, fewer know how to use it, and fewer still are actually doing so.

  • Poaching: Hunting Without Permission by David Switzer - December 23, 2015 

    In the parlance of information security, hunting is proactively searching out a problem. An intrusion detection system (IDS) can miss a 0-day, so proactive and interactive hunting for indicators of compromise (IOCs) can be more productive than simply relying on automated tools.

  • Infrastructure Security Architecture for Effective Security Monitoring Graduate Student Research
    by Luciana Obregon - December 11, 2015 

    The biggest challenges that Information Security departments face are identifying the critical assets that make an organization unique, locating these assets on the network, and building security defenses around them while maintaining functionality.

  • The LogLED: An LED-Based Information Security Dashboard Graduate Student Research
    by Paul Ackerman - November 2, 2015 

    Each year, Mandiant produces a detailed view of breach-related information security trends called the M-trends report.

  • Learning from the Dridex Malware - Adopting an Effective Strategy by Lionel Teo Jia Yeong - October 29, 2015 

    Dridex malware first surfaced in the third quarter of 2014 (Olson, 2014), specifically targeting companies in the financial and banking industry.

  • Uncovering Indicators of Compromise (IoC) Using PowerShell, Event Logs and a Traditional Monitoring Tool Graduate Student Research
    by Dallas Haselhorst - October 26, 2015 

    What security concerns keep you up at night? Is it pivoting, persistent access, the time to detect compromise, or one of a thousand other possibilities? What if you were told that without a doubt, you have tools at your disposal to periodically verify your security posture and you are not presently using them? Why spend more hours and more budget implementing a new product with new agents and new headaches that will not effectively reduce your workload or anxiety level? Even if you have commercial tools already monitoring your systems for security events, how do you know they are working? Is it even practical to use customized PowerShell scripts/plugins, built-in event logs, and a traditional monitoring tool such as Nagios to monitor for indicators of compromise on Windows systems? In addition, you will be presented with some applied research as well as easy to follow guidelines you can integrate into your own environment(s).

  • Detecting a Targeted Data Breach with Ease: A SANS Product Review Analyst Paper (requires membership in community)
    by Jake Williams - October 21, 2015 

    A product review by Jake Williams. It examines LightCyber Magna, focusing on its effectiveness in detecting reconnaissance, lateral movement, data exfiltration and other threats.

  • Practical approaches for MTCP Security Graduate Student Research
    by Joshua Lewis - October 2, 2015 

    Multi-path TCP (MPTCP) is an emerging IETF standard for providing connection resilience and bandwidth aggregation. MPTCP evolves the existing TCP protocol by allowing multiple TCP flows for a TCP session. This provides exciting new possibilities for mobile devices that can maintain TCP sessions as connection paths are added or dropped, and multi-homed servers that allow TCP sessions to take advantage of a mesh topology. However, current network security monitoring infrastructure solutions cannot appropriately inspect MPTCP connections, leaving significant intrusion detection and data loss blind spots. This paper will discuss practical approaches for MPTCP security.

  • Automating the Hunt for Hidden Threats Analyst Paper (requires membership in community)
    by Eric Cole, PhD - October 1, 2015 

    An Analyst Program whitepaper by Dr. Eric Cole. It defines the process of automating the hunt for threats, and discusses how to deploy a continuous threat-hunting process while preparing a team to analyze threats to protect critical processes and data.

  • Fingerprinting Windows 10 Technical Preview by Jake Haaksma - September 17, 2015 

    Understanding the intricacies of a network is powerful information for security professionals and malicious attackers alike. Operating system (OS) fingerprinting is the process of determining the OS of a remote computer. This can be primarily accomplished by passively sniffing network packets between hosts or actively sending crafted packets to the ports of a target host in order to analyze its response. This paper attempts to fingerprint Windows 10 Technical Preview for the purpose of OS identification and to improve Nmap's OS detection database.

  • Using Network Based Security Systems to Search for STIX and TAXII Based Indicators of Compromise by Jason Mack - August 10, 2015 

    As the interest in collecting actionable cyber intelligence has grown substantially over the last several years in response to the growing sophistication of attackers, so has the need for organizations to more readily process indicators of compromise, and to act immediately upon them to determine if they are present in a given enterprise environment. While host-based tools have been designed for this very purpose, they can be challenging to deploy on an enterprise-wide basis and are dependent on frequent updates. This paper will propose several methodologies by which these indicators of compromise may be visible within network traffic. It will further study how key network security devices (e.g. Snort IDS, IPTables Firewall, Web Proxy, etc.) can be used to effectively identify and alert on indicators of compromise both on the way into the network and also via analysis of outbound traffic. In addition, STIX and TAXII will be thoroughly investigated as individual protocols, including how they can best be incorporated into the rapid generation of customized network monitoring rules.

  • IPv6 and Open Source IDS Graduate Student Research
    by Jon Mark Allen - May 14, 2015 

    This paper will examine the current support of IPv6 amongst three of the most popular open source intrusion detection systems: Snort, Suricata, and Bro. It will also examine support of the IPv6 protocol within the publicly available signatures and rules for each system, where applicable.

  • Enhancing Intrusion Analysis through Data Visualization by Wylie Shanks - February 12, 2015 

    Increasingly, companies are required to sift through large volumes of relevant data in order to meet their governance, risk, compliance and security needs.

  • An Analysis of Gameover Zeus Network Traffic by Daryl Ashley - February 9, 2015 

    In September of 2011, a peer-to-peer variant of Zeus emerged on the internet (Symantec, 2014).

  • Home Field Advantage - Using Indicators of Compromise to Hunt down the Advanced Persistent Threat Graduate Student Research
    by Matthew Toussain - September 25, 2014 

    Current cyber defense strategies focus on building a wall around the network and "digging in". Behind this cyber version of the Maginot Line, network defenders attempt to block adversary intrusions in any way possible.

  • Botnet Tracking Tools Graduate Student Research
    by Pierce Gibbs - August 14, 2014 

    Botnets are a serious threat to internet security.

  • IDS: File Integrity Checking by Lawrence Grim - August 7, 2014 

    The file integrity checking application is host-based intrusion detection software.

  • Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention Analyst Paper (requires membership in community)
    by Tony Sager - July 29, 2014 

    All attacks follow certain stages. By observing those stages during an attack progression and then creating immediate protections to block those attack methods, organizations can achieve a level of closed-loop intelligence that can block and protect across this attack kill chain. This paper explains the many steps in the kill chain, along with how to detect unknown attacks by integrating intelligence into sensors and management consoles.

  • Wireshark: A Guide to Color My Packets by Roy Cheok - July 3, 2014 

    Incident Responders investigating technology-facilitated crime in an unfamiliar or even non-homogenous network environment can be given access to raw packet trace files.

  • Designing and Implementing a Honeypot for a SCADA Network Graduate Student Research
    by Charles Scott - June 20, 2014 

    This paper is based on a facilities network filled with Supervisory Control and Data Acquisition (SCADA)-type devices, controlling and monitoring everything from elevators, to pumps, to generators, to smart meters, to building access control systems.

  • Security Analytics: having fun with Splunk and a packet capture file (pcap) by Alexandre Teixeira - May 30, 2014 

    Security Analytics is one of the most discussed topics within the Information Security (IS) industry, especially when combined with another buzzword such as Big Data.

  • Intrusion Analysis Using Windows PowerShell Graduate Student Research
    by Michael Weeks - May 30, 2014 

    Microsoft, during the late 90s and through the turn of the millennium, was not held in high regard in terms of security.

  • SAMHAIN: Host Based Intrusion Detection via File Integrity Monitoring by Martinus Nel - May 6, 2014 

    This paper will focus on the installation and configuration of Samhain in a client / server architecture with some specific compile and runtime options explored.

  • Rootkit Detection with OSSEC Graduate Student Research
    by Sally Vandeven - April 16, 2014 

    Most malware consists of a malicious application that gets installed on a victim’s computer.

  • Integrating Wired and Wireless IDS Data by Michael D. Stanton - February 11, 2014 

    According to Gartner, smart phones and other mobile computing devices are rapidly replacing personal computers.

  • An Early Malware Detection, Correlation, and Incident Response System with Case Studies by Yaser Mansour - January 20, 2014 

    "The complexity of software is an essential property, not an accidental one" (Brooks, 1987).

  • An Approach to Detect Malware Call-Home Activities by Tyler (Tianqiang) Cui - January 17, 2014 

    In the internal network of a large organization, there may be a number of security measures or products in place, such as anti-virus, security patch management, Intrusion Prevention Systems (IPS), Firewalls, etc., and there is still some malware that goes undetected.

  • HTTP header heuristics for malware detection by Tobias Lewis - January 2, 2014 

    Signature based detection is one of the most fundamental techniques for identifying malicious activity on your network.

  • How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk? Graduate Student Research
    by Tim Proffitt - September 19, 2013 

    Metrics are used in many facets of a person's life and can be quite beneficial to the decision making process.

  • The Security Onion Cloud Client: Network Security Monitoring for the Cloud Graduate Student Research
    by Joshua Brower - September 17, 2013 

    Network Security Monitoring (NSM) is the "collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."

  • Implementing Active Defense Systems on Private Networks Graduate Student Research
    by Josh Johnson - August 20, 2013 

    As attacks become increasingly complex due to the sophistication, organization and motivation of adversaries, defensive strategies must mature in order to remain effective.

  • 60 Seconds on the Wire: A Look at Malicious Traffic Graduate Student Research
    by Kiel Wadner - August 19, 2013 

    Malware depends on its communication network to receive commands, extract information and infect systems.

  • Event Monitoring and Incident Response by Ryan Boyle - May 15, 2013 

    System security policies can still have security holes after implementation and may even introduce unintended consequences.

  • Log2Pcap by Joaquin Moreno - April 29, 2013 

    During the analysis of all the available data that are logged, organizations must be able to identify which portions of this information are actionable and pertinent.

  • AirNIDS: The Need for Intrusion Detection on the Wireless Ether by Thomas Hoffecker - March 15, 2013 

    The inherent insecurities and vulnerabilities of wireless 802.11b networks are well known. The benefit of being wireless is the greatest drawback.

  • Monitoring Network Traffic for Android Devices by Angel Alonso-Parrizas - January 25, 2013 

    In order to detect possible intrusions or any unusual patterns, several techniques have been used in the past.

  • What's Running on Your Network? by Francois Begin - January 25, 2013 

    Now more than ever, IT infrastructures are targeted by malicious outsiders, ranging from ideologically motivated groups such as Anonymous (Norton, 2012) to corporations and governments utilizing highly sophisticated Advanced Persistent Threats (Juels & Yen, 2012).

  • How to identify malicious HTTP Requests by Niklas Sarokaari - January 21, 2013 

    Hypertext transfer protocol (HTTP) is a stateless protocol and it uses a message-based model.

  • Using Watermarks to Prevent Leaks by Allison Nixon - January 21, 2013 

    In a world of general purpose computing, the person that possesses a piece of data has complete control over it.

  • Host-Based Detection and Data Loss Prevention Using Open Source Tools by Chris Hoke - December 26, 2012 

    Defending connected networks has been a challenge for as long as there have been connected networks.

  • Web Application Attack Analysis Using Bro IDS by Ganesh Kumar - November 27, 2012 

    Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity.

  • An Analysis of the Snort Data Acquisition Modules by Christopher Murphy - November 8, 2012 

    Snort is an open-source Intrusion Detection System (IDS) that runs on Linux, UNIX, BSD variants and Windows.

  • Surfing the Web Anonymously - The Good and Evil of the Anonymizer by Peter Chow - October 8, 2012 

    Companies of all sizes spend large amounts of time, resources, and money to ensure that their network resources and Internet connections are not being misused.

  • Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment by Sunil Gupta - August 8, 2012 

    Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.

  • Using and Configuring Security Onion to detect and prevent Web Application Attacks by Ashley Deuble - July 12, 2012 

    Security Onion contains software used for installing, configuring, and testing Intrusion Detection Systems. Security Onion contains Snort, Suricata, Sguil, Xplico, nmap, scapy, hping, netcat, and tcpreplay (Burks, 2012).

  • IP Fragment Reassembly with Scapy Graduate Student Research
    by Mark Baggett - July 5, 2012 

    Overlapping IP fragments can be used by attackers to hide their nefarious intentions from intrusion detection systems and analysts.

  • A Complete Guide on IPv6 Attack and Defense by Atik Pilihanto - March 19, 2012 

    Based on RFC 791, “the internet protocol is designed for use in interconnected systems of packet switched computer communication networks.

  • Using SNORT® for intrusion detection in MODBUS TCP/IP communications by Javier Jimenez Diaz - December 19, 2011 

    Not long ago, analog and purpose built communications systems used to be the prevalent technologies in industrial plants. It wasn’t common to find either interoperability or compatibility among them. In the 70s, communication networking began to be used in Direct Digital Control (Berge Jonas, 2004).

  • Base64 Can Get You Pwned by Kevin Fiscus - September 12, 2011 

    Helix Pharmaceuticals is worried about security. In the cutthroat world of multi-billion dollar pharmaceutical companies, industrial espionage is a significant concern. In addition, political and social activists continually attempt to disrupt business as retribution for perceived injustices.

  • Denial of Service attacks and mitigation techniques: Real time implementation with detailed analysis by Subramani Rao - September 12, 2011 

    Amongst the various security threats that have evolved lately, the Denial of Service (DoS) attack is the most destructive, according to security experts. A Denial of Service attack is a method of blocking a service from its intended users.

  • An Experimental Study of Detecting and Correlating Different Intrusions by Ratna Deepika Kannan - September 12, 2011 

    With the ubiquitous growth of the Internet, retaining its security is a difficult task. Two decades ago, computer systems were generally not connected to the Internet or were simply a part of a small network.

  • Practical OSSEC by Chad Robertson - July 5, 2011 

    "OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response" (Trend Micro, 2010).

  • Using Decision Tree Analysis for Intrusion Detection: A How-To Guide by Jeff Markey - June 9, 2011 

    As the volume and sophistication of computer network attacks increase, it becomes increasingly difficult to detect and counter intrusions into a network of interest.

  • Reducing Organizational Risk Through Virtual Patching by Joseph Faust - January 11, 2011 

    Software patching for IT Departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats which are occurring in quicker cycles, this focus is dramatically changing (Risk Assessment – Cisco, n.d.; Executive Office of The United States, 2005). Corporations and Government now have a greater understanding of potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations’ reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have done so (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week (“Shrinking time from,” 2006). It has also been identified that “99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available” ("Risk reduction and.," 2010). Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.

  • Detecting and Responding to Data Link Layer Attacks Graduate Student Research
    by TJ OConnor - October 15, 2010 

    In this paper, we examine techniques for identifying signatures and anomalies associated with attacks against the data link layer on both wired and wireless networks. Methods for signature-based detection and anomaly-based detection are not new. Intrusion detection systems such as SNORT are quite capable of detecting some of the known data link layer attacks and include a mechanism for integrating Intrusion Prevention System (IPS) solutions. This paper does not advocate against the use of these solutions in organizations. What we present can augment your existing capabilities by detecting attacks that may be blind to your IDS.

  • Using OSSEC with NETinVM Graduate Student Research
    by Jon Mark Allen - September 17, 2010 

    The days of installing a firewall at the “edge” of the network and monitoring traffic from a single point have long vanished into the history books. Today's security “edge” has collapsed all the way to the desktop and traffic from practically every system in the network must be monitored, analyzed, and acted on to maintain a secure posture (Cummings, 2004). This type of intense monitoring requires a combination of intrusion detection systems (IDS), event correlation, and analysis.

  • Covert Channels Graduate Student Research
    by Erik Couture - August 19, 2010 

    Historically, the expression “covert channel” has broadly encompassed all communications that are hidden and communicate stealthily between endpoints. The goal of such a channel is not necessarily to obscure the data flowing through the channel, but to obscure the very fact that a channel exists. Often this data may be passed in plain sight of possible observers, but if properly engineered, may remain nearly impossible to detect. Covert channels represent a pure example of security through obscurity.

  • Effective Use Case Modeling for Security Information & Event Management by Daniel Frye - March 10, 2010 

    With today’s technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system’s actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system’s actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.

  • SIEM Based Intrusion Detection with Q1Labs Qradar Graduate Student Research
    by Jim Beechey - February 18, 2010 

    Attackers continue to find new methods for penetrating networks and compromising hosts. Therefore, defenders need to look for indications of compromise from as many sources as possible. Collecting and analyzing log data across the enterprise can be a challenging endeavor. However, the wealth of information for intrusion detection analysts is well worth the effort. SIEM solutions can help intrusion detection by collecting all relevant data in a central location and providing customizable alerting and reporting. In addition, SIEM solutions can provide significant value by helping to determine whether or not an incident occurred. The challenge for analysts is creating effective alerts in order to catch today’s sophisticated and well funded attackers.

  • Capturing and Analyzing Packets with Perl Graduate Student Research
    by John Brozycki - January 28, 2010 

    This paper describes the steps in setting up a Windows system with Perl and the necessary add-ons to be able to run and create packet capturing Perl scripts.

  • Smart IDS - Hybrid LaBrea Tarpit by Cristian Ruvalcaba - December 28, 2009 

    The importance of IDS in corporate defense is seen as an ever growing necessity. Major strides have been made for numerous IDS tools, but some have seen a stalemate. The next evolutionary step in IDS would involve the concept of a 'Smart Intrusion Detection System (IDS)', one that generates signatures. The question of how to generate these signatures becomes instrumental, and can involve a number of different components. In this case, it could involve a tool that uses a hybrid LaBrea concept.

  • A Multi-Perspective View of PHP Remote File Include Attacks by Dennis Schwarz - November 10, 2009 

    This paper describes the mechanics of an RFI (remote file include) attack by doing a code analysis and an attack walk through on a vulnerable application. Detecting an attack is discussed by writing sample IDS signatures and looking at related log files.

  • Efficiently Deducing IDS False Positives Using System Profiling by Michael Karwaski - November 9, 2009 

    Security Whitepaper: How to create a simple, static inventory database and compare security alerts to see if they relate to the host in question. This will allow for greater visibility into which alerts are actually relevant to the end user's network.

  • Harness the Power of SIEM by Dereck Haye - October 6, 2009 

    Defend against the Conficker worm and other viruses. How it is possible to take individual security updates and, in a SIEM architecture, combine them with other metrics to enhance and tune detection capabilities.

  • Detecting Torrents Using Snort Graduate Student Research
    by Richard Wanner - July 7, 2009 

    This paper decomposes BitTorrent and the associated protocols used in conjunction with BitTorrent downloads to devise a number of different ways to detect the aspects of this traffic. This research is then used to create Snort signatures which can be implemented to detect the BitTorrent traffic in your environment.

  • An Inexpensive Wireless IDS using Kismet and OpenWRT by Jason Murray - May 4, 2009 

    The discipline of network security has as one of its goals the protection of critical business network traffic. There are a number of preventative methods that can be employed to ensure that a network is designed well, but attackers will still attempt to exploit weaknesses to gain access to important business data and systems.

  • Snort 3.0 Beta 3 for Analysts by Doug Burks - April 15, 2009 

    This paper will demonstrate how analysts can begin experimenting with Snort 3.0 today by manually compiling the source code or by simply downloading a preconfigured bootable CD. This paper will also discuss the design of Snort 3.0 and its new features, such as multithreading, native inline bridging, dynamic reconfiguration, and native IPv6 support.

  • Capturing 10G versus 1G Traffic Using Correct Settings! Graduate Student Research
    by Emilio Valente - March 16, 2009 

    In this paper, I will describe the steps needed to tune the host TCP/IP stack for optimal throughput for use with 1 GigE network interfaces and 10 GigE network interfaces.

  • Detecting and Preventing Anonymous Proxy Usage Graduate Student Research
    by John Brozycki - November 6, 2008 

    This paper explores methods organizations may use to detect and prevent anonymous proxy usage.

  • Intrusion Detection Likelihood: A Risk-Based Approach by Blake Hartstein - November 5, 2008 

    The goal of this paper is to highlight the useful aspects of Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS).

  • Intel IXP Network Processor Based Intrusion Detection by Greg Pangrazio - October 16, 2008 

    This paper will introduce the IXP series processors as well as outline the steps to create a functioning Snort based IDS on the IXP 425.

  • Network IDS & IPS Deployment Strategies by Nicholas Pappas - April 11, 2008 

    Information systems are more capable today than ever before. Society increasingly relies on computing environments ranging from simple home networks, commonly attached to high speed Internet connections, to the largest enterprise networks spanning the entire globe. Filing one's tax return, shopping online, banking online, or even reading news headlines posted on the Internet are all so convenient. This increased reliance and convenience, coupled with the fact that attacks are concurrently becoming more prevalent, has consequently elevated the need to have security controls in place to minimize risk as much as possible.

  • Challenges of Managing an Intrusion Detection System (IDS) in the Enterprise Graduate Student Research
    by Russell Meyer - March 28, 2008 

    While every enterprise is unique, there are common challenges in managing, monitoring and reacting to network IDS alerts. These include: managing the flood of alerts, creating actionable reports, and following-up on the reported alerts. This paper will explore the IDS challenges of a large organization with examples of specific lessons learned in monitoring the internal network.

  • Fundamental Honeypotting by Justin Mitchell - January 7, 2008 

    Generally, honeypots accomplish the detection and collection of nefarious activity via emulating a given service or vulnerability then log the corresponding action or download the malicious code accordingly. Among other places, honeypots may reside within the LAN, DMZ, or external network (Internet).

  • Detecting and Preventing Unauthorized Outbound Traffic by Brian Wippich - October 29, 2007 

    This paper will describe some of the risks associated with outbound traffic, methods for securing this traffic, techniques for circumventing these controls, and methods for detecting and preventing these techniques. There is no way to eliminate all risk associated with outbound traffic short of closing all ports. However, a good understanding of these risks should allow you to make informed decisions on securing this traffic.

  • Distilling Data in a SIM: A Strategy for the Analysis of Events in the ArcSight ESM Graduate Student Research
    by James Voorhees - October 11, 2007 

    The ArcSight Enterprise Security Manager (ArcSight ESM, hereafter, simply ‘ArcSight’) collects and normalizes network data. It can include data from intrusion detection or protection systems (IDS/IPS), firewalls, servers, web servers, and other kinds of devices, including routers and switches. The data can comprise millions of events. This dataset must be reduced so that analysts can make sense of it and find the events of interest that indicate that action must be taken. This is no simple task. Nor can it be done in a day. It must be planned, then carried out with painstaking care. There is, however, no guide readily available that will tell you how to do this.

  • Tuning an IDS/IPS From The Ground UP by Brandon Greenwood - September 27, 2007 

    This paper examines one of the many different methodologies to configuring or tuning an Intrusion Detection System or Intrusion Prevention System (IDS/IPS). The proper configuration of an IDS is a bit of an art because there are so many different ways to do it. I have seen and listened to many people explain the ‘best’ way to configure a detection engine and while I don’t subscribe to a best way, I have taken bits and pieces from some of these methodologies and combined them into a system that has worked for me.

  • Detecting and Preventing Rogue Devices on the Network by Ibrahim Halil Saruhan - August 13, 2007 

    The main approach of this paper is to show how to use a site survey to detect rogue devices in a wireless network. A site survey, if used correctly, is extremely beneficial for detecting rogue devices. Rogue device detection can be considered the initial phase of wireless intrusion detection, in case it is not feasible to install sensors to cover all of the wireless network area.

  • Assumptions in Intrusion Detection - Blind Spots in Analysis Graduate Student Research
    by Rodney Caudle - March 28, 2007 

    This paper examines one of the assumptions that form the foundations of packet analysis. A discussion of an approach to analyzing protocol stacks is presented. This approach can be used to determine gaps in the protocol stack where an analyst can be misled.

  • Enhancing IDS using, Tiny Honeypot Graduate Student Research
    by Richard Hammer - November 13, 2006 

    This paper will describe how to install, use, and deploy Tiny Honeypot (THP), written by George Bakos [Bakos, 2002], and then use the data returned by THP to write custom IDS rules. THP completes the incoming connection, records data received, can return custom responses, and simulate any application layer protocol. Completing the TCP connections allows the IDS to see the data payload instead of just the connection attempt.

  • A Framework to Collect Security Events for Intrusion Analysis by Jim Chrisos - April 3, 2006 

    This paper describes a framework to help security personnel have a starting point with which to collect and view security events from devices capable of reporting via syslog. Ideally, the reader will be able to follow along and use this paper in a way similar to a how-to reference guide.

  • Solaris 10 Filesystem Integrity Protection Using Radmind by Sam Wilson - May 17, 2005 

    This report is intended to provide information of value to security engineers who are choosing among various solutions to protect their Solaris systems from undesirable changes. In particular, the open-source product "Radmind" is described so it may be effectively compared to other, perhaps more well-known, commercial and open-source filesystem integrity applications.

  • Understanding Wireless Attacks and Detection by Christopher Low - May 17, 2005 

    This paper introduces wireless attacks from an OSI layer 2 perspective and attempts to understand how wireless attacks can be detected by looking at wireless frames at these layers.

  • A Honeypot Based Worm Alerting System by Jeff Kloet - May 5, 2005 

    Network administrators are always looking for simple and effective ways to make their company networks more secure and resilient from worms and viruses.

  • Building a tripwire System for SQL Server by Frank Ress - May 5, 2005 

    Tripwire is a well known host-based Intrusion Detection System (IDS) that is available for a wide range of operating systems in both commercial and noncommercial versions.

  • Maintaining a Secure Network by Robert Droppleman - August 15, 2004 

    Maintaining a secure network connected to the Internet is becoming more difficult as time goes on. New viruses are released daily, and higher machine speeds and more sophisticated and automated tools mean that hackers can scan and attack wide sections of the Internet at a time.

  • Enforcing Policy at the Perimeter by Derek Buelna - July 25, 2004 

    The rapid deployment of security patches and anti-virus updates has become a basic need within most IT organizations. The time between the disclosure of a vulnerability and its exploitation continues to decrease while vulnerabilities are becoming easier to exploit and are increasingly severe. Locally enforcing security policy on a large number of computers can be a challenge but keeping remote (VPN or dial-up connected) computers up to date can prove even more difficult.

  • Algorithm-based Approaches to Intrusion Detection and Response by Alexis Cort - June 9, 2004 

    Computer and network intrusions have been with us since the introduction of the computer, but intrusion detection systems are still somewhat new to the market (first implementations started in the early 90's).

  • Understanding IPS and IDS: Using IPS and IDS together for Defense in Depth by Ted Holland - May 2, 2004 

    Over the past few years many papers and books have included articles explaining and supporting either Intrusion Detection Systems (IDS) or the newer technology on the security block, Intrusion Prevention Systems (IPS).

  • Running a World Class Intrusion Detection Program: More Than Just Picking the Right Tool by JD Aupperle - May 2, 2004 

    In today's security landscape, Intrusion detection systems have joined firewalls as "must have" tools, but getting the greatest benefit from these devices requires much more than a deploy and move on strategy.

  • Enterprise Security Management Reducing the Pain of Managing Multiple IDS Systems by David Leadston - March 25, 2004 

    ESM is an emerging market space within the security technology arena that consists of several vendors who provide a holistic view of all your security device information.

  • IDS Burglar Alarms: A How-To Guide by Mark Embrich - March 2, 2004 

    The goal of this paper is to make the task of building Intrusion Detection burglar alarms less daunting; it incorporates modular "how-to" guides.

  • Secure Setup of a Corporate Detection and Scanning Environment by Dieter Sarrazyn - December 13, 2003 

    This paper covers the secure deployment of a distributed intrusion detection environment as well as the secure deployment of a distributed vulnerability scanning environment.

  • Wanted Dead or Alive: Snort Intrusion Detection System by Mark Eanes - December 13, 2003 

    A review of IDS deployment strategies using hubs, switches, or taps and a brief discussion on IDS implementation on the network is presented in this paper.

  • Intrusion detection evasion: How Attackers get past the burglar alarm by Corbin Carlo - December 13, 2003 

    The purpose of this paper is to show methods that attackers can use to fool IDS systems into thinking their attack is legitimate traffic.

  • Distributed NIDS: A HOW-TO Guide by Alan McCarty - November 6, 2003 

    This paper discusses the design, installation, configuration and monitoring of an NIDS, and provides the reader with a fully functional and powerfully distributed NIDS as a result.

  • Snort Alert Collection and Analysis Suite by Chip Calhoun - November 6, 2003 

    This document outlines separating Snort IDS Collection and Analysis Suite duties across a minimum of three servers (Snort sensor, MySQL database and an ACID web server) to gain optimal coverage and performance.

  • The Human Factor - Adding Intelligence and Action to Intrusion Detection by Daniel Hill - August 22, 2003 

    This paper explores the current state of Intrusion Detection Systems (IDS) technology, identifies system requirements and essential elements in the context of an overall architecture; and it highlights several systems, available today, that fit nicely into the suggested architecture.

  • Intrusion Detection with MOM - Going Above the Wire by Don Murdoch - July 29, 2003 

    In this paper, Microsoft Operations Manager 2000 (hence, MOM) will be discussed as a tool to aid the analyst in understanding what occurs within the operating system and the application level.

  • Intelligent Correlator for NIDS by Marco Bove - June 19, 2003 

    The goal of this work is the realization of a prototype of a system that reduces the number of false positives of a NIDS by triggering a real-time collection of information upon alert reception.

  • Securing a Windows Snort Sensor for Hostile Environments by Michael Wunsch - June 3, 2003 

    This white paper documents how to secure a Windows Snort sensor for deployment into extremely hostile environments.

  • IDMEF "Lingua Franca" for Security Incident Management by Douglas Corner - June 3, 2003 

    This paper examines the relationship of the Intrusion Detection Working Group specifications to transfer protocols, as well as an overview of the specifications themselves.

  • Intrusion Prevention - Part of Your Defense in Depth Architecture? by Roberta Spitzberg - June 2, 2003 

    This paper will explore Intrusion Protection Systems (IPS) from the perspective of using IPS as part of a Defense in Depth strategy.

  • Installing, Configuring, and Testing The Deception Tool Kit on Mac OS X by Jon Lucenius - May 30, 2003 

    This paper will introduce a Honey Pot known as the Deception Tool Kit (DTK) written by Fred Cohen. It will give an overview of what the DTK is, where to obtain it, how it works, and offers advice about when it should be deployed.

  • Intrusion Detection Is Dead. Long Live Intrusion Prevention! by Timothy Wickham - May 12, 2003 

    This practical will demonstrate the limitations and drawbacks of intrusion detection as well as the reasons why intrusion prevention is a vastly better method of securing a network.

  • An Overview of PureSecureTM by Jeffrey Slonaker - May 12, 2003 

    This paper's objective was to examine the role of the Intrusion Detection System (IDS) in modern security strategies, establish a set of criteria for IDS evaluation, investigate the functionality of PureSecureTM, an application developed and marketed by Demarc Security, and present conclusions concerning its desirability as a working IDS.

  • Turning the tables: Loadable Kernel Module Rootkits deployed in a honeypot environment by Jonathan Rose - May 8, 2003 

    This paper addresses the topic of honeypots, which are one of the latest technologies available to track and monitor hackers and Internet attackers.

  • Archiving Event Logs by Jim Stansbury - May 8, 2003 

    Archived event logs often play an important role in the detection, investigation, and prosecution of a computer crime or other computer misuse.

  • The Keep Within the Castle Walls - An Experiment in Home Network Intrusion Detection by Gary Wallin - May 8, 2003 

    The author describes how to set up snort 1.9.1 on a virtual Linux machine, including before and after scenarios.

  • Distributed Intrusion Detection Systems: An Introduction and Review by Royce Robbins - February 5, 2003 

    A number of dIDS with global scope have been active for several years, and five of these are discussed and compared with each other in terms of focus, data source, notification tools, available agents, statistical reporting tools and linkage to security and vulnerability information.

  • Intrusion Prevention Systems - Security's Silver Bullet? by Dinesh Sequeira - November 14, 2002 

    This paper takes a look at Intrusion Prevention Systems (IPS), the technology behind these systems, why we need them, how they function, their pros and cons, and lists some highly rated products.

  • Hands in the Honeypot by Kecia Gubbels - November 3, 2002 

    This paper focuses on the description and analysis of honeypots as well as how and where they are used. I describe the process of setting up and running a honeypot.

  • Choosing an Intrusion Detection System that Best Suits your Organization by Dennis Mathew - September 16, 2002 

    A discussion on the nature of an IDS as well as a review of the various types of IDS' on the market with their varied approaches taken to detect intruders.

  • Doing My Part - Sending Data to the Internet Storm Center by Sydney Jensen - July 1, 2002 

    This paper documents the procedure that I set up to automate collecting and sending intrusion attempt information to the Internet Storm Center, then discusses my results and some possible next steps.

  • A Single IDS Console Please: ManHunt 2.1 Pilot Test by Scott Reynolds - June 17, 2002 

    The paper discusses the implementation of ManHunt, the pilot version of the protocol anomaly based NIDS offered by Recourse Technologies, which was evaluated against the high level functional requirements detailed in the following case study.

  • Snort Install on Win2000/XP with Acid, and MySQL by Christina Neal - May 8, 2002 

    This paper is designed with as much detail as possible to help "newbies" easily install and configure Snort 1.8.6 on Windows 2000/XP.

  • A Thousand Heads Are Better Than One - The Present and Future of Distributed Intrusion Detection by Robert Zuver - April 30, 2002 

    This paper will focus on intrusion detection systems in general, and specifically on two examples of the most promising new weapon in the battle against Internet hackers and worms: distributed intrusion detection.

  • A Practical Guide to Running SNORT on Red Hat Linux 7.2 and Management Using IDS Policy Manager MySQL by William Metcalf - April 2, 2002 

    This paper demonstrates how to set up Snort on Red Hat 7.2 and how to manage your sensor and view alerts from your Windows 2000 workstation.

  • The Design and Theory of Data Visualization Tools and Techniques by Brian Sheffler - March 26, 2002 

    The purpose of this paper is to inform and educate security professionals about the analytical potential of using a tool or technique that renders visual representations of the data/traffic that traverses a given network. The emphasis is on the design and theory behind such tools. Included are examples of data visualization products that are commercially available.

  • SSH and Intrusion Detection by Heather Larrieu - March 17, 2002 

    This paper outlines the role and issues with the use of the SSH protocol, types and methods of intrusion detection, and proposes techniques and an architecture for an intrusion detection system that uses the SSH daemon as a sensor.

  • Network IDS: To Tailor, or Not to Tailor by Jon-Michael Brook - March 6, 2002 

    The following discussion centers on the benefits and detractors of rule-based Intrusion Detection Tailoring, and how, overall, it is best to leave tailoring for Network IDS systems to the product vendors.

  • Intrusion Detection Interoperability and Standardization by Pravin Kothari - February 19, 2002 

    This paper presents the motivation for such standardization efforts and an overview of a potential standard - IDMEF along with its communication protocol IDXP.

  • A Tool for Running Snort in Dynamic IP Address Assignment Environment by Shin Ishikawa - February 16, 2002 

    The purpose of this paper is to detail the creation of a small tool program which aids the operation of the Snort IDS in a dynamically assigned IP address environment.

  • Suspicious Unix Log File Entries and Reporting Considerations by Cathy Gresham - February 12, 2002 

    In my Kickstart paper I covered basic Unix log files with a configuration file that gathered everything. I would like to expand on that and now cover messages found in those log files that would cause concern and require further investigation.

  • Using Snort For a Distributed Intrusion Detection System by Michael Brennan - January 29, 2002 

    This document will provide an option for setting up a distributed network intrusion detection system using open source tools including the intrusion detection software Snort.

  • Host Based Intrusion Detection: An Overview of Tripwire and Intruder Alert by Allison Hrivnak - January 29, 2002 

    Choosing the right software for an intrusion detection system can be a challenging task that often requires extensive research. While there are many different products available, Tripwire from Tripwire Inc. and Symantec's Intruder Alert offer two possible solutions for a host-based intrusion detection system.

  • IDS - Today and Tomorrow by Thomas Goeldenitz - January 22, 2002 

    This paper is not intended to predict the future, but bring to light emerging technologies and trends in the field of IDS that could make the life of the security specialist easier (if there is such a thing).

  • Do I Need to Be Concerned About These Firewall Log Entries? by Arvid Soderberg - January 15, 2002 

    In this paper, I'll highlight certain entries from the firewall log file and attempt to determine the level of concern that should be associated with them.

  • Protocol Anomaly Detection for Network-based Intrusion Detection by Kumar Das - January 5, 2002 

    This paper describes Intrusion Detection Systems (IDS) and compares the two main categories of detection principles, signature detection and anomaly detection; also described is a new type of anomaly detection based on protocol standards.

  • Host-Based Intrusion Systems for Solaris by Lynn Bogovich - January 1, 2002 

    This paper presents requirements for an Intrusion Detection System (IDS), as well as an analysis of currently available IDS software packages and a recommendation of the best HIDS package to manage a suite of Solaris machines.

  • Network Intrusion Detection - Keeping Up With Increasing Information Volume by Timothy Weber - December 22, 2001 

    This paper will detail ways to help a network-based IDS cope with the ever increasing volume of information that threatens its ability to fulfill its role in a defense-in-depth strategy.

  • Black ICE 2.5 Events, False Positives and Custom Attack Signatures by Alan Mercer - November 28, 2001 

    This paper aims to help BlackICE IDS administrators by identifying and classifying some events frequently seen by IDS agents in two common deployments - on a DMZ web server and on systems within an internal (mainly Microsoft) network.

  • An Informal Analysis of One Site's Attempts to Contact Host Owners by Laurie Zirkle - November 25, 2001 

    This paper will look at one system administrator's attempts to contact host owners of machines that scan or probe her network. After a brief discussion of various ways to identify possible contacts, this person's data will be used to show how different sites may respond and how probes have multiplied over a definitive period of time. The paper concludes by mentioning two projects that might help the overburdened system/network/security administrator to simplify the whole process of contacting a host owner.

  • The History and Evolution of Intrusion Detection by Guy Bruneau - October 13, 2001 

    The aim of this paper is to examine the origins of detecting, analysing and reporting of malicious activity, where it is today and where it appears to be heading in the future. Some of the many techniques and tools presently used in Network defence will be explored as well.

  • Intrusion Detection Systems: Definition, Need and Challenges by Abhijit Sarmah - October 3, 2001 

    This paper defines Intrusion Detection Systems and examines the need for such tools as well as the challenges of IDS implementation.

  • Intrusion Detection Systems: An Overview of RealSecure by Darrin Wassom - September 27, 2001 

    This paper reviews one IDS, RealSecure, to describe its plusses and minuses with special emphasis on filtering out false positives.

  • Intrusion Detection - Systems for Today and Tomorrow by George Ho - September 5, 2001 

    This paper will examine intrusion detection systems, one of the relatively new technologies in information security. It aims to explore, at a high level, the intrusion detection systems available today, as well as new developments in the technology.

  • Building and Maintaining a NIDS Cluster Using FreeBSD and Snort by Michael Boman - August 30, 2001 

    This paper describes how to build a NIDS cluster with central logging and maintenance facilities.

  • Anti-IDS Tools and Tactics by Steve Martin - August 22, 2001 

    This paper focuses on Network ID Systems, and discusses the technical detail behind techniques that can be employed to counteract the utility of these systems and identifies tools that actually use the techniques described.

  • Selecting an Intrusion Detection System by Kathleen Buonocore - August 19, 2001 

    This paper examines five steps to follow when selecting an intrusion detection system (IDS): identify the need, gain a general understanding of intrusion detection systems, gain a detailed understanding of the network, evaluate various IDS systems, and determine policy and procedures.

  • Understanding Intrusion Detection Systems by Danny Rozenblum - August 9, 2001 

    The paper is designed to: outline the necessity of the implementation of Intrusion Detection systems in the enterprise environment; clarify the steps that need to be taken in order to efficiently implement your Intrusion Detection System; and, describe the necessary components.

  • Application of Neural Networks to Intrusion Detection by Jean-Philippe Planquart - July 29, 2001 

    This paper presents a "state of the art" of Intrusion Detection Systems, developing commercial and research tools, and a new way to improve false-alarm detection using a Neural Network approach.

  • Using Snort v1.8 with SnortSnarf on a RedHat Linux System by Richard Greene - July 25, 2001 

    This analysis concentrates on several ways of getting the log file information from an open source IDS system called Snort. The tool that is explored for that purpose is SnortSnarf.

  • How to Choose Intrusion Detection Solution by Baiju Shah - July 24, 2001 

    This paper discusses how Intrusion Detection Systems are crucial in securing any system, but the effectiveness comes only from proper planning, deploying, monitoring, and responding to intrusions.

  • Logfile Analysis: Identifying a Network Attack by Michael Fleming - July 21, 2001 

    Although all parts of the backup strategy are equally important, this paper will focus on the backup script and will detail a flexible backup script that uses built-in Solaris software tools which create a reliable local backup of a Solaris machine running Oracle.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.