Best Offers of the Year Ends Tomorrow - Don't Miss Out! Get an iPad Air with Smart Keyboard or Pixel 4a Smartphone!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





Incident Handling

Featuring 158 Papers as of April 15, 2021

  • The Strategic Value of Passive DNS to Cyber Defenses and Risk Management Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 22, 2021 

    Passive DNS has come to play a significant role in the realm of information security—and not just due to its mission-critical status for domain name resolution. This paper explores how passive DNS may help detect and prevent many attacks that other security tools cannot.

  • Improving Incident Response Through Simplified Lessons Learned Data Capture SANS.edu Graduate Student Research
    by Andrew Baze - February 17, 2021 

    The Lessons Learned portion of the cybersecurity incident response process is often neglected, resulting in unfortunate missed opportunities that could help teams mature, identify important trends, and improve their security. Common incident handling frameworks and compliance regimes describe time-consuming and relatively complex processes designed to capture these valuable lessons. While an extensive and resource-heavy process may be necessary in some cases, it is often difficult for incident response teams to dedicate sufficient time to capture this lesson data at the end of an incident. Dedicating time is even more difficult when the team is simultaneously handling other incidents. This paper addresses the planning and implementation of a simplified approach to capturing Lessons Learned data at any time, as opposed to at the conclusion of an incident. This approach includes a tagging schema and demonstrates how identification of lesson type, sub-type, and associated work items can provide valuable data to further an organization's original Lessons Learned goals.

  • Supercharge Incident Response with Data Your Network Team Already Collects Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - November 16, 2020 

    A simple and efficient way to gain an advantage over attackers—and control of your environment’s security—is to utilize the data you already generate and own. This paper explores how organizations should rely on and incorporate key data points (DNS, DHCP, and IPAM) into nearly every aspect of their security approach.

  • Verifying Universal Windows Platform (UWP) Signatures at Scale SANS.edu Graduate Student Research
    by Joal Mendonsa - October 28, 2020 

    Enterprise security teams often use native Windows tools, like PowerShell, to check signatures and quickly establish where a binary is a known-good or is unknown and worthy of further investigation. Unfortunately, a new and growing class of applications – Universal Windows Platform (UWP) applications – incorrectly appear to be unsigned when checked using traditional methods. This paper will demonstrate a way to efficiently validate UWP applications in a networked environment, strictly using Microsoft tools, and without placing additional binaries on remote systems.

  • Open-Source Endpoint Detection and Response with CIS Benchmarks, Osquery, Elastic Stack, and TheHive SANS.edu Graduate Student Research
    by Christopher Hurless - October 23, 2020 

    There is a wealth of open-source tools available for information security. A characterization of the various open-source products will provide a means of fortifying endpoints and auditing those fortifications with an Endpoint Detection and Response (EDR) solution. High-quality security practices do not have to be expensive products, but they do need to hit several automation requirements to be effective. With this in mind, building robust, automated, EDR capability using open-source, community-driven tools that automate and standardize security responses is not only possible but practical. Having a set of predefined control settings on an endpoint goes beyond malware detection. It sets the stage to ensure that an organization’s endpoints are fortified from an attack before it happens. By implementing the Center for Internet Security (CIS) Desktop Benchmarks, organizations have a means of strengthening endpoints from attack. Adding Osquery allows them to have a tool for knowing when a machine has fallen out of a fortified state. Following the loss of fortification is the need to investigate the cause and return the device to its intended state which can be done using Elastic Stack and TheHive.

  • Fight or Flight: Moving Small and Medium Businesses into the Cloud During a Major Incident SANS.edu Graduate Student Research
    by Drew Hjelm - September 30, 2020 

    Incident responders often aid small and medium businesses (SMB) during crippling cyberattacks that cause outages of critical systems. Most SMBs lack sufficient capacity to monitor and protect their on-premises IT infrastructure. Many of these SMBs are already using cloud platforms in a limited fashion. These organizations can use more cloud services to improve security visibility against future attacks and possibly speed up recovery time. This research examines the feasibility thereof and discusses the challenges that organizations may face with rapid cloud migration, including software compatibility and insurance requirements.

  • Incident Response in a Security Operation Center by Josh Higgason - August 27, 2020 

    Cybercrime dates back to the late 1700s and remains a threat today. By observing current threats, such as phishing and data compromise, a better understanding may be gained regarding cyber campaigns and threat actors. Consequently, efforts must be made to prevent the continuous siphoning of millions of dollars from the economic system caused by cybercrime. Because the highly skilled personnel working with Incident Response in a Security Operation Center face many challenges, teamwork is essential to overcome the threats associated with cybercrime. Additional factors, such as working across multiple time zones with varying time shifts, personality differences, and unique technical skill levels and abilities, affect the ability to work as a team. Working through these differences brings cohesion and strength to the team. The security operations center learns to accomplish more with the time and resources at their disposal. To thwart cybercrime, the personnel in the Security Operations Center must address current issues, devise innovative plans, and adopt a new perspective to overcome the complicated problems they encounter.

  • You've Had the Power All Along: Process Forensics With Native Tools SANS.edu Graduate Student Research
    by Trevor McAfee - August 27, 2020 

    Many organizations are interested in standing up threat response teams but are unable, or unwilling, to provide funding or approval for third-party tools. This lack of support requires threat response teams to utilize built-in, OS-specific tools, to investigate suspicious processes and files. These tools can provide a significant amount of useful information when scrutinizing a suspicious process or file. However, these tools and their output are often unwieldy. A lack of cohesiveness requires running multiple similar commands to gather all the data for an investigation, and then manually combining and correlating that data. This paper examines the data of interest during an incident response and the native Microsoft Windows tools used to obtain it. This paper also discusses how to use PowerShell to automate the collection and compilation of this important data.

  • All for One, One for All: Bringing Data Together with Devo Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 19, 2020 

    Many organizations have an assortment of security tools that have been cobbled together over the years. In this review, SANS instructor Matt Bromiley examines a solution to the problem of bringing multiple tools together: Devo Security Operations. He puts Security Operations through its paces as a tool that provides enterprisewide insight, seamless investigation and hunting, automated data correlation and enrichment, and more so that analysts can get back to business of responding to threats.

  • Birthday Hunting by Jack Burgess - May 4, 2020 

    The Birthday Problem has a number of applications to incident response. Existing tools can both narrow the focus of the incident response team and limit their experience to a small subset of alerts. This leaves specialized tools to do the analysis before anything is investigated, imposing a range of biases. We show the use of randomly selected investigation of nodes in the environment has a significant likelihood of finding the adversary. This allows for the evaluation of threat hunting and security operations. The approach is then extended to the evaluation of cybersecurity machine learning products. These products may be complicated and opaque. The approach presented avoids the need to understand the internals, shifting analyst focus to business as usual operations.

  • Incident Response in a Zero Trust World SANS.edu Graduate Student Research
    by Heath Lawson - February 27, 2020 

    Zero Trust Networks is a new security model that enables organizations to provide continuously verified access to assets and are becoming more common as organizations adopt cloud resources (Rose, S., Borchert, O., Mitchell, S., & Connelly, S., 2019). This new model enables organizations to achieve much tighter control over access to their resources by using a variety of signals that provide great insight to validate access requests. As this approach is increasingly adopted, incident responders must understand how Zero Trust Networks can enhance their existing processes. This paper provides a comparison of incident response capabilities in Zero Trust Networks compared to traditional perimeter-centric models, and guidance for incident responders tasked with managing incidents using this new paradigm.

  • SANS 2019 Incident Response (IR) Survey: It's Time for a Change Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 31, 2019 

    The 2019 SANS Incident Response (IR) survey provides insight into the integration of IR capabilities to identify weak spots and best practices for improving IR functions and capabilities. In this survey paper, senior SANS instructor and IR expert Matt Bromiley explores what types of data, tools and information are key to investigations of an incident; the state of budget and staffing for IR; maturity of IR processes; impediments to IR implementations and plans for improvement; and more. The report also includes actionable advice for improving organizational IR practices.

  • The Foundation of Continuous Host Monitoring Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - April 2, 2019 

    Without the right architecture, continuous monitoring can cause more headaches than it cures. This paper examines some of the difficulties organizations face when trying to improperly scale forensic tools and/or concepts, and provides guidance on architectural decisions to help improve continuous monitoring implementations.

  • Empowering Incident Response via Automation Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 20, 2019 

    This paper examines where incident response automation can be used to empower your teams and bring their level of productivity and investigations to never-before-seen heights. Your analysts should be focused on solving the problems that require human intervention, not tripped up by technical hurdles that a computer could easily solve.

  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malwareRut15, their tactics techniques and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.

  • Shell Scripting for Reconnaissance and Incident Response by Mark Gray - January 25, 2019 

    It has been said that scripting is a process with three distinct phases that include: identification of a problem and solution, implementation, and maintenance. By applying an analytical mindset, anyone can create reusable scripts that are easily maintainable for the purpose of automating redundant and tedious tasks of a daily workflow. This paper serves as an introduction to the common structure and the various uses of shell scripts and methods for observing script execution, how shells operate, and how commands are found and executed. Additionally, this paper also covers how to apply functions, and control structure and variables to increase readability and maintainability of scripts. Best practices for system and network reconnaissance, as well as incident response, are provided; the examples of employment demonstrate the utilization of shell scripting as an alternative to applying similar functionality in more intricate programming languages.

  • Don't Knock Bro SANS.edu Graduate Student Research
    by Brian Nafziger - December 12, 2018 

    Today's defenders often focus detections on host-level tools and techniques thereby requiring host logging setup and management. However, network-level techniques may provide an alternative without host changes. The Bro Network Security Monitor (NSM) tool allows today's defenders to focus detection techniques at the network-level. An old method for controlling a concealed backdoor on a system using a defined sequence of packets to various ports is known as port-knocking. Unsurprisingly, old methods still offer value and malware, defenders, and attackers still use port-knocking. Current port-knocking detection relies on traffic data mining techniques that only exist in academia writing without any applicable tools. Since Bro is a network-level tool, it should be possible to adapt these data mining techniques to detect port-knocking within Bro. This research will document the process of creating and confirming a port-knocking network-level detection with Bro that will provide an immediate and accessible detection technique for organizations.

  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.

  • Hardening OpenShift Containers to complement Incident Handling by Kurtis Holland - November 2, 2018 

    Incident Responders are always faced with not knowing if they have adequate information on a server is appropriately security controls hardened or susceptible to attack. There is no such thing as 100% security. You're under attack and now are scrambling to understand your risks and threat surface should a hacker gain a foot hold in your environment. You want a mix of commercial and open source tools in place to manage this threat. This paper will dive into the processes and demonstrate a design using tools available for managing Linux controls for Open Shift containers and how you scan the multiple products and layers involved in the development operations processes. The guess work by Incident Handlers will be minimized and a simple "eyes on glass" solution for the entire environment will be at your disposal so you can assess the software inventory, version levels, security scan reports, and assist identification and containment options.

  • It's Awfully Noisy Out There: Results of the 2018 SANS Incident Response Survey Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - October 30, 2018 

    A new SANS survey finds that incident response (IR) teams are stanching serious data breaches faster in 2018--but they haven't managed to improve on a major hurdle that they reported in 2017: visibility into incidents. This report explores how organizations have structured their incident response functions, what systems they are conducting investigations on, and how they're uncovering threats.

  • PCI DSS and Security Breaches: Preparing for a Security Breach that Affects Cardholder Data SANS.edu Graduate Student Research
    by Christian J. Moldes - March 16, 2018 

    Organizations that transmit, process or store cardholder data are contractually obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS). They may be tempted to assume that once they are certified compliant, they are immune to security breaches, and as a result, may be inadequately prepared when such events occur. Regardless of their compliance status, organizations that fail to prepare could face long investigations, expensive forensic services, staff terminations, and loss of business and reputation. This research/paper provides detailed guidelines on how to prepare for a security breach, the documentation needed to facilitate forensic investigations and containment, and how to minimize the consequences and impact of a security breach.

  • VMRay Analyzer: Rapid Malware Analysis for Incident Response (IR) Teams Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 12, 2018 

    In our hands-on testing, we found that VMRay Analyzer's agentless approach to malware analysis is an effective way to provide rapid incident response. VMRay bridges the gap between an easy-to-use interface and back-end technology that provides a novel platform for analyzing advanced threats.

  • Managing User Risk: A Review of LogRhythm CloudAI for User and Entity Behavior Analytics Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 26, 2018 

    In this product review, we explored the recently released LogRhythm CloudAI, which applies user and entity behaviour analytics (UEBA) capabilities to enhance traditional event management and security analytics toolsets to monitor behaviors tracked over time, alerting analysts to unusual events or patterns of events.

  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.

  • NOC/SOC Integration: Opportunities for Increased Efficiency in Incident Response within Cyber-Security by Nelson Hernandez - February 14, 2018 

    Managing, monitoring and defending enterprise networks with siloed Network Operation Centers (NOC) and Security Operation Centers (SOC) is a challenge. Each team running 24/7 incident response, event monitoring/correlation, generating/escalating trouble tickets and up channeling communications which provide an opportunity to integrate NOC and SOC functions. Integrating both teams at the first tier through cross-training, rewriting Standard Operating Procedures (SOP's) with coordination points, standardizing shared and coordinated communications, sharing and integrating dashboards and other data tools as cybersecurity continues to evolve. Adoption of integration as an industry best practice can capitalize on federated data, improve communication, increase visibility and situational awareness, optimize resource sharing and increase efficiencies.

  • SOC Automation-Deliverance or Disaster Analyst Paper (requires membership in SANS.org community)
    by Eric Cole, PhD - December 11, 2017 

    Learn how to strike a balance between security alerts that can be automated with minimal impact and the higher-risk alerts that need to be handled by analysts.

  • Security and Operations - An Overlooked But Necessary Partnership Analyst Paper (requires membership in SANS.org community)
    by Sonny Sarai - December 4, 2017 

    This paper explores ways to foster cooperation between Security and Operations groups for better visibility into threats and threat pathways, while improving overall protection and network hygiene.

  • Exploring the Effectiveness of Approaches to Discovering and Acquiring Virtualized Servers on ESXi SANS.edu Graduate Student Research
    by Scott Perry - November 17, 2017 

    As businesses continue to move to virtualized environments, investigators need updated techniques to acquire virtualized servers. These virtualized servers contain a plethora of relevant data and may hold proprietary software and databases that are relatively impossible to recreate. Before an acquisition, investigators sometimes rely on the host administrators to provide them with network topologies and server information. This paper will demonstrate tools and techniques to conduct server and network discovery in a virtualized environment and how to leverage the software used by administrators to acquire virtual machines hosted on vSphere and ESXi.

  • The Efficiency of Context: Review of WireX Systems Incident Response Platform Analyst Paper (requires membership in SANS.org community)
    by Jerry Shenk - September 5, 2017 

    WireX Systems officials think they have found the way to slash the time it takes to spot an intruder by making it easier for mere mortals to read and understand network traffic and identify early signs of a breach. Contextual Capture, a key feature of the WireX Network Forensics Platform, is designed to turn every SOC member into a valuable analyst by providing easy-to-use forensics history (for periods of months) using a unique and intuitive query interface. WireX NFP also creates investigation workflows that can be used by the entire security team to accelerate alert validation and incident response.

  • The Conductor Role in Security Automation and Orchestration by Murat Cakir - August 22, 2017 

    Security Operations Centers (SOCs) are trying to handle hundreds of thousands of events per day and automating any part of their daily routines is considered helpful. Ultimately fast creation of malware variants produces different Indicators of Compromise (IOCs) and automated tasks should adapt themselves accordingly. This paper describes the possible use of automation at Threat Hunting, Identification, Triage, Containment, Eradication and Recovery tasks and phases of Incident Handling along with practical examples. Also describes how they can fail or can be systematically forced to fail when orchestration is missing. Orchestration should not only cover dynamic selection of proper paths for handling of specific tasks, but should also provide circumstantial evidence while doing that. Finally, there should be a Conductor who should know "when and how to use the baton" to accept, modify or reject any part of the automated flow.

  • A Practical Example of Incident Response to a Network Based Attack SANS.edu Graduate Student Research
    by Gordon Fraser - August 16, 2017 

    A commonly accepted Incident Response (IR) process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. This paper examines this process in the context of a practical working example of a network based attack. It begins with the identification of a potential incident, followed by the detailed analysis of the network traffic to reconstruct the actions of the attacker, and leads up to determining indicators of compromise that can be used to identify other victims. This paper provides a practical example of responding to a network based incident.

  • The Show Must Go On! The 2017 SANS Incident Response Survey Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - June 12, 2017 

    Overall, the results of 2017 Incident Response survey were very promising. Organizations are building IR teams that suit their environments and their unique set of issues. Malware still looms as the root cause of a large majority of incidents; and IR teams still suffer from a shortage of skilled staff, lack of ownership and business silo issues. Read on to examine the results of the survey and guidelines and feedback to spur improvements.

  • Future SOC: SANS 2017 Security Operations Center Survey Analyst Paper (requires membership in SANS.org community)
    by Christopher Crowley - May 16, 2017 

    The primary strengths of security operations centers (SOCs) are flexibility and adaptability, while their biggest weakness is lack of visibility. Survey results indicate a need for more automation across the prevention, detection and response functions. There are opportunities to improve security operations, starting with coordination with IT operations. SOCs can improve their understanding how to serve the organization more effectively and their use of metrics.

  • Auto-Nuke It from Orbit: A Framework for Critical Security Control Automation SANS.edu Graduate Student Research
    by Jeremiah Hainly - March 15, 2017 

    Over 83% of security teams report that the use of automation in security needs to increase within the next three years (Algosec, 2016). With automation becoming a reality for a growing number of companies, there will also be an increased demand for open-sourced scripts to get started. This paper will provide a framework for prioritizing and developing security automation and will demonstrate this process by creating a script to automate a common information security response procedure - the reimaging of an infected endpoint. The primary function of the script will be to access the application program interface (API) of various enterprise software solutions to speed up the manual tasks involved in performing a reimage.

  • Node Router Sensors: What just happened? by Kim Cary - November 22, 2016 

    When an airliner crashes, one of the most important tasks is the recovery of the flight recorder or black box. This device gives precise & objective information about what happened and when before the crash. When an information security incident occurs on a network, it is equally important to have access to precise information about what happened to the victim machine and what it did after any compromise. A network of devices can be designed, economically constructed and managed to automatically capture and make available this type of data to information security incident handlers. In any environment, this complete record of network data comes with legal and ethical concerns regarding its use. Proper technical, legal and ethical operation must be baked into the design and operational procedures for devices that capture information on any network. These considerations are particularly necessary on a college campus, where such operations are subject to public discussion. This paper details the benefits, designs, operational procedures and controls and sample results of the use of "Node Router Sensors" in solving information security incidents on a busy college network.

  • BGP Hijinks and Hijacks - Incident Response When Your Backbone Is Your Enemy SANS.edu Graduate Student Research
    by Tim Collyer - November 21, 2016 

    The Border Gateway Protocol (BGP) is used to route packets across the Internet, usually at the level of the Internet backbone where Internet Service Providers (ISPs) pass traffic amongst themselves. Unfortunately, BGP was not designed with security in mind, like many of the protocols used in modern networks such as the Internet. Lack of security within BGP means that traffic is susceptible to misdirection and manipulation through either misconfiguration or malicious intent. Among the traffic manipulation possible within BGP routing is Autonomous System (AS) path injection, in which a new router can insert itself into the routing path of traffic. This can create a man-in-the-middle condition if the path injection is malicious in nature. Differentiation between a malicious incident and mere misconfiguration can be extremely challenging. Even more difficult for an affected company is to conduct incident response during a BGP-related incident. This paper explores the incident response options currently available to security teams to prevent, detect, and where possible, respond should a BGP incident arise.

  • Keys to Effective Anomaly Detection by Matt Bromiley - October 25, 2016 

    Simply put, an anomaly is something that seems abnormal or doesn’t t within an environment. A car with ve driving wheels would be an anomaly. In the context of an enterprise network, an anomaly is very much the same—something that does not t or is out of place. While anomalies in an enterprise network may be indicative of a con guration fault, they are often evidence of something much more worrisome: a malicious presence on the network.

  • Detecting Incidents Using McAfee Products by Lucian Andrei - October 10, 2016 

    Modern attacks against computer systems ask for a combination of multiple solutions in order to be prevented and detected. This paper will do the analysis of the capacities of commercial tools, with minimal configuration, to detect threats. Traditionally, companies use antivirus software to protect against malware, and a firewall combined with an IDS to protect against network attacks. This paper will analyze the efficacy of the following three combinations: antivirus, antivirus plus host IDS, and antivirus combined with a host IDS plus application whitelisting in order to withstand application attacks. Before doing the tests we predicted that the antivirus will block 20% of the attacks, the HIDS will detect an additional 15%, and McAfee Application Control will protect at least against 50% more of the attacks executed by an average attacker using known exploits, without much obfuscation of the payload. The success of defensive commercial tools against attacks will justify the investment a company will be required to make.

  • Demystifying Malware Traffic by Sourabh Saxena - August 29, 2016 

    In today's world, adversaries use established techniques, innovative and intricate methods for cyber-crimes and to infiltrate firms or an individual's system. Usage of Malware is one of those approaches. Malware not only creates an inlet for attacks, but it also turns systems into "zombies" and "bots" forcing them to obey commands and perform activities as per the whims and fancies of the adversary. Thus, attacks like data theft, mail relay, access to confidential/restricted area, Distributed Denial-of-Service (DDoS) can easily be launched against not just the infected system but against other systems and environments as well by utilizing these zombies, bots, and botnets. Attackers not only obfuscate the code but can encrypt payloads as well as malware's traffic simultaneously, using approaches like mutation and polymorphism making their detection difficult not just for antiviruses, but even for firewalls, IDS and IPS, Incident Handlers, and Forensic teams. Organizations, having learned from past mistakes, have also shifted their approach from simple defense mechanisms such as antiviruses, IDS and IPS to aggressive strategies like DNS Sinkhole and Live Traffic Analysis. These strategies not only help in the identification and removal of malware but also in understanding the actual impact, blocking of malicious activities and identification of adversaries.

  • Incident Handling Preparation: Learning Normal with the Kansa PowerShell Incident Response Framework by Jason Simsay - August 22, 2016 

    Preparation is a critical step in establishing an effective incident response program. Information Security professionals that will be called upon to handle an incident must prepare ahead of time. Kansa is a PowerShell Incident Response Framework developed by Dave Hull. The PowerShell Remoting feature is leveraged to establish a highly scalable and extensible system state collection platform. Once data is collected from across the Microsoft environment, an extensive set of frequency analysis scripts may be executed to enable incident handlers to turn unknowns into knowns and to discover anomalies and indicators of compromise.

  • Lessons Learned from Treatment of Trauma in Individuals and Organizations Under Repeated Cyber Attacks by Vanessa Pegueros - June 13, 2016 

    There has been significant research relative to the impacts of trauma on human beings and the associated treatment of that trauma. With the increasing frequency of cyber-attacks and associated breaches, people within organizations are experiencing similar traumatic effects felt by victims of a more physical attack or incident. There are significant parallels between the impacts of cyber-attacks on organizations and the impacts on individuals experiencing some form of trauma. There are key lessons to be learned from the treatment of trauma victims and the techniques to help organizations become more prepared and resilient relative to cyber- attacks. With the continued escalation of cyber-attacks, organizations should be working to implement solutions beyond just security technology and look to the process and people elements of the solution.

  • Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - June 7, 2016 

    Results of the 2016 Incident Response Survey indicate that the IR landscape is ever changing. Advanced industries are able to maintain effective IR teams, but as shown in this report, there are still hurdles to jump to increase the efficiency of many IR teams. Read this report to learn more.

  • Under The Ocean of the Internet - The Deep Web by Brett Hawkins - May 27, 2016 

    The Internet was a revolutionary invention, and its use continues to evolve. People around the world use the Internet every day for things such as social media, shopping, email, reading news, and much more. However, this only makes up a very small piece of the Internet, and the rest is filled by an area called The Deep Web.

  • Enterprise Survival Guide for Ransomware Attacks by Shafqat Mehmoon - May 3, 2016 

    Ransomware or cryptolocker is a type of malware that can be covertly installed on a computer without knowledge or intention of the user.

  • Creating a Secure and Compliant Digital Forensics and Incident Response Network with Remote Access SANS.edu Graduate Student Research
    by Scott Perry - April 29, 2016 

    News stories involving data breaches, cybercrime, and conversely, crimes solved with digital forensics, are becoming daily occurrences.

  • Incident Response in Amazon EC2: First Responders Guide to Security Incidents in the Cloud by Tom Arnold - April 21, 2016 

    As Head of Digital Forensics for Payment Software Company Inc. (“PSC”), a company that focuses exclusively on Clients that accept or process payments,1 we’ve responded to sites operating within cloud environments, most notably Amazon EC2.

  • Balancing Security and Innovation With Event Driven Automation SANS.edu Graduate Student Research
    by Teri Radichel - March 22, 2016 

    Organizations seek innovation via use of new technology. In order to save money and deliver new products and features quickly, software development teams want to use open source software (Black Duck Software, 2015), public cloud platforms and continuous deployment strategies (Right Scale, 2016).

  • How to Leverage PowerShell to Create a User- Friendly Version of WinDump SANS.edu Graduate Student Research
    by Robert Adams - January 18, 2016 

    Security professionals rely on a myriad of tools to accomplish their job. This is no different than the toolboxes that plumbers, electricians, and other trade professionals carry with them every day.

  • Poaching: Hunting Without Permission by David Switzer - December 23, 2015 

    In the parlance of information security, hunting is proactively searching out a problem. An intrusion detection system (IDS) can miss a 0-day, so proactive and interactive hunting for indicators of compromise (IOCs) can be more productive than simply relying on automated tools.

  • The Power and Implications of Enabling PowerShell Remoting Across the Enterprise SANS.edu Graduate Student Research
    by Robert Adams - December 23, 2015 

    The marketing department of Company X has been the target of a phishing attack.

  • Preparing to withstand a DDoS Attack by Gaurang Pandya - November 2, 2015 

    The Distributed Denial of Service or DDoS Attack is a distinct form of cyber threat with various aspects that differentiates it from other attack types.

  • Deployment of a Flexible Malware Sandbox Environment Using Open Source Software by Jose Ortiz - August 24, 2015 

    The identification and analysis of malware is one of the many tasks performed by incident handlers. Only a small number of commercial entities provide the technology capable of automating this. Most times these offerings are beyond the reach of small organizations due to the high costs associated with licensing and maintenance. One open source alternative is Cuckoo Sandbox. It is a free software project licensed under GNU GPLv3. It allows the user to analyze and collect data against suspected pieces of malware. The framework installation requires careful configuration by an experienced Linux administrator. The accepted method of deployment is to follow the prescribed steps and test the application “until it works.” Attempting to scale the sandbox environment beyond a few virtual machines becomes a complicated process due to the maintenance required for multiple Windows configurations. By using techniques borrowed from the DevOps methods, a small team of incident handlers can create a sandbox environment that is not only repeatable and consistent, but also scalable. The user can create multiple template “profiles,” which allow for flexible testing.

  • Coding For Incident Response: Solving the Language Dilemma SANS.edu Graduate Student Research
    by Shelly Giesbrecht - July 28, 2015 

    Incident responders frequently are faced with the reality of "doing more with less" due to budget or manpower deficits. The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" are necessary skills in a responder's personal toolkit. The question for IR practitioners is what language should they learn that will be the most useful in their work? In this paper, we will examine several coding languages used in writing tools and scripts used for incident response including Perl, Python, C#, PowerShell and Go. In addition, we will discuss why one language may be more helpful than another depending on the use-case, and look at examples of code for each language.

  • Incident Tracking In The Enterprise by Justin Hall - July 20, 2015 

    Some organizations employ Computer Security Incident Response Teams (CSIRTs) to investigate and respond to security incidents. They often find these investigations to be poorly executed, time consuming, and ultimately ineffective at discovering the root cause of a breach. Unfortunately, this is not usually due to the skill of the investigators, but rather due to the tools and processes they use to manage the investigations. This paper describes the use of purpose built case management software, integrated into the incident response process, to track these investigations. CSIRTs that take an organized, formal tracking approach will collaborate better and find their investigations to be more complete and useful to risk managers.

  • Psychology and the hacker - Psychological Incident Handling by Sean Atkinson - July 9, 2015 

    The understanding of the processes, techniques and skills of hackers or cyber-criminals can be ascertained through the practical application of forensic psychology techniques and behavioral analysis. The actions and methods used within an attack, through the monitoring of logs and forensic discovery, will contribute to a profile of the person/persons behind the intrusion. This information will be a new vector in determining infiltration techniques, if the actions leave a persistent threat (backdoor) or if it is a one-time “smash and grab”. If applied correctly, the detective controls can shorten avenues of determining risk and threats, as well as the magnitude of investigation required based upon the behavioral profile. Incident handling is based on the detection, response and resolution of security incidents. Given a new understanding of the person/persons behind such an incident, the process will be a preliminary part of the incident handling process. Using the methods of behavioral analysis, it creates a new dimension of understanding to the malicious activity and network analysis of what occurred in the environment.

  • Knitting SOCs SANS.edu Graduate Student Research
    by Courtney Imbert - May 26, 2015 

    Over time, the list of "must-have" security appliances and services has become ever larger.

  • Honeytokens and honeypots for web ID and IH SANS.edu Graduate Student Research
    by Rich Graves - May 14, 2015 

    Honeypots and honey tokens can be useful tools for examining follow-up to phishing attacks.

  • NetFlow Collection and Analysis Using NFCAPD, Python, and Splunk by David Mashburn - February 10, 2015 

    NetFlow is a traffic summary technology developed by Cisco systems. While intended as a management and auditing tool for networking professionals, NetFlow data can be a valuable resource for security analysts.

  • Cyber Breach Coaching SANS.edu Graduate Student Research
    by Michael Hoehl - January 12, 2015 

    Data Breaches and Cyber Security are a new source of worry for the modern CEO. As demonstrated by several recent security breaches, how an organization handles a crisis plays a major role in whether the CEO (and CIO, COO, CPO, etc.) stays employed. Further, Corporate officers can be held personally liable if information security safeguards are not sustained in a commercially reasonably manner to prevent breaches from occurring. This paper proposes a new chapter to the CEO Survival Guide, and explores the current Cyber Breach Coaching options available to executives and organizations.

  • A No-Budget Approach to Malware Containment SANS.edu Graduate Student Research
    by Paul Ackerman - January 9, 2015 

    Many small/medium sized businesses have little budget for Information Security yet face the same malware threat as larger organizations. In Information Security, we say that prevention is ideal and detection is necessary but what comes after detection? Specifically, what should a small team do to contain a malware infection? This paper is for those readers that do not have expensive tools to defend against malware and are left wondering how to contain an infection.

  • Under Threat or Compromise - Every Detail Counts Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - August 20, 2014 

    This paper outlines five major components of a life-cycle approach to defense and how companies can adopt this model to maximize security in the current threat landscape.

  • Securing Aviation Avionics by Marc Panet-Raymond - June 3, 2014 

    For the safety of the flying public, the majority of security research does not directly target the primary flight instruments

  • Incident Handling Annual Testing and Training by Kurtis Holland - April 29, 2014 

    Cybercrimes and the annual costs incurred by business are on the rise year over year.

  • Enhancing incident response through forensic, memory analysis and malware sandboxing techniques SANS.edu Graduate Student Research
    by Wylie Shanks - April 9, 2014 

    Almost daily, there are reports of successful data breaches and new threat vectors including compromised systems or vulnerable software.

  • Finding Advanced Threats Before They Strike: A Review of Damballa Failsafe Advanced Threat Protection and Containment Analyst Paper (requires membership in SANS.org community)
    by Jerry Shenk - March 18, 2014 

    Review of Damballa Failsafe's ability to collect and analyze evidence and presents precise information about infected devices.

  • Active Security Or: How I learned to stop worrying and use IPS with Incident handling by Doug Brown - January 9, 2014 

    Beyond the obvious nomenclature for viruses and worms, several lessons can also be gleaned from the world of epidemiology and applied to information security.

  • War Pi by Scott Christie - December 16, 2013 

    Wardriving requires a computer system with the proper tools installed and a Wi-Fi receiver. Locating Wi-Fi access points has evolved from lugging large computers around in cars, to wardriving apps on smartphones such as WiGLE Wi-Fi Service for Android devices (WiGLE, 2013).

  • Finding Hidden Threats by Decrypting SSL Analyst Paper (requires membership in SANS.org community)
    by Michael Butler - November 8, 2013 

    Paper describes the role of SSL, the role SSL decryption/inspection tools play in security, options for deploying inspection tools, and how the information generated by such inspection can be shared with other security monitoring systems.

  • Correlating Event Data for Vulnerability Detection and Remediation Analyst Paper (requires membership in SANS.org community)
    by Jacob Williams - October 8, 2013 

    Examination of how 2012 Saudi Aramco “spearphishing” attacks could have been thwarted with the help of a SIEM platform that combines the power of historical data with real-time data from network data sources and security policies.

  • The SANS Survey of Digital Forensics and Incident Response Analyst Paper (requires membership in SANS.org community)
    by Paul Henry, Jacob Williams, and Benjamin Wright - July 18, 2013 

    2013 Digital Forensics Survey to identify the nontraditional areas where digital forensics techniques are used.

  • A Practical Social Media Incident Runbook SANS.edu Graduate Student Research
    by Trenton Bond - June 20, 2013 

    In the course of a few short years, social media has clearly become a valuable marketing and communication tool in business strategies.

  • Need for Speed: Streamlining Response and Reaction to Attacks Analyst Paper (requires membership in SANS.org community)
    by Michael Butler - June 7, 2013 

    Exploration of how to correlate information from disparately managed systems and bring visibility to their behavior with accurate, actionable reporting in as near-real time as possible.

  • Corporate vs. Product Security by Philip Watson - May 22, 2013 

    When people hear "I deal with security" from any employee, the typical thought is that they are defending the enterprise, the web servers, the corporate email, and corporate secrets.

  • Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2 Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - May 22, 2013 

    Review of McAfee’s Enterprise Security Manager (ESM) 9.2 with focus on fundamental SIEM features and capabilities to meet business demand for security and threat intelligence.

  • Event Monitoring and Incident Response by Ryan Boyle - May 15, 2013 

    System security policies can still have security holes after implementation and may even introduce unintended consequences.

  • Using IOC (Indicators of Compromise) in Malware Forensics by Hun-Ya Lock - April 17, 2013 

    In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.

  • Track 3 - Intrusion Detection In-Depth GIAC Certified Intrusion Analyst (GCIA) Practical Assignment Version 4.0 by Jan Stodola - October 19, 2012 

    Atrix Network Consulting (ANC) is a privately held network security company, mandated with security audit of ABC University network logs.

  • Incident Handling in the Healthcare Cloud: Liquid Data and the Need for Adaptive Patient Consent Management SANS.edu Graduate Student Research
    by Barbara Filkins - October 18, 2012 

    The increasing use of electronic health record (EHR) systems, health information exchange (HIE) networks, and cloud computing significantly increases the exposure of sensitive medical information to loss of confidentiality, integrity, and availability due to data-related attacks, such as medical identity theft or insider threats (Ponemon Institute, 2011).

  • InfiniBand Fabric and Userland Attacks SANS.edu Graduate Student Research
    by Aron Warren - October 18, 2012 

    InfiniBand™ is not a word used much in the hacking community. It is much like the phrase "Apple exploits" was to "Windows exploits" about 5 years ago or so.

  • When Breaches Happen: Top Five Questions to Prepare For Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - June 17, 2012 

    This paper explores how to create processes to sort through data in the event of a breach that enable IT security and operations teams to respond immediately with actionable information.

  • Shedding Light on Security Incidents Using Network Flows by Kevin Gennuso - May 16, 2012 

    Incident handlers, and information security teams in general, face significant challenges when dealing with incidents in modern networks.

  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.

  • Quick and Effective Windows System Baselining and Comparative Analysis for Troubleshooting and Incident Response by Kevin Fuller - February 14, 2012 

    What is a baseline? The primary definition of baseline is that it is a line that is a basis of measurement (Farlex Inc, 2011).

  • Computer Forensic Timeline Analysis with Tapestry by Derek Edwards - November 29, 2011 

    One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.

  • Identifying Malicious Code Infections Out of Network by Ken Dunham - August 29, 2011 

    Forensics is a complex subject, where details matter greatly. Even more complicated are investigations where forensic methods are used to further understand, identify, capture, and mature and understanding of a malicious attack that may have taken place on a computer.

  • Responding to Zero Day Threats by Adam Kliarsky - July 20, 2011 

    The internet has become a pervasive threat vector to organizations of all sizes. As new technologies are adopted to keep pace with business trends, surreptitious sources lurk in the shadows to exploit the weaknesses exposed. Sophisticated, targeted attacks such as Aurora, APT, Stuxnet, and Night Dragon have been making headlines, with goals of monetary gain and intellectual property theft.

  • Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools by Jonny Sweeny - June 28, 2011 

    When an information security analyst is investigating incidents, he or she needs to have an organized set of tools.

  • Wireless Networks and the Windows Registry - Just where has your computer been? SANS.edu Graduate Student Research
    by Jonathan Risto - May 6, 2011 

    The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.

  • Following Incidents into the Cloud by Jeff Reed - March 1, 2011 

    The availability and use of cloud computing continues to grow. Discussions of and references to its benefits and issues grow at a similar pace. As it continues to move from a sort of ‘SOA of the Wild West’ into the mainstream, more companies will face the myriad questions arising from its use. When, why, where and how should integration with the cloud occur? How can one be certain that a cloud provider will survive through an organization’s technology integration lifecycle?

  • Wireless Mobile Security by Erik Couture - December 3, 2010 

    Mobile Security: Current threats and emerging protective measures

  • Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis SANS.edu Graduate Student Research
    by T.J. OConnor - September 13, 2010 

    Forensics tools exist in abundance on the Web. Want to find a tool to dump the Windows SAM database out of volatile memory? Google and you will quickly find out that it exists. Want to mount and examine the contents of an iPhone backup? A tool exists to solve that problem as well. But what happens when a tool does not already exist? Anyone who has recently performed a forensic investigation knows that you are often left with a sense of frustration, knowing data existed only you had a tool that could access it.

  • Integrating Forensic Investigation Methodology into eDiscovery by Colin Chisholm - September 7, 2010 

    The intent of this paper is twofold; to provide a primer on the eDiscovery process for forensic analysts and to provide guidance on the application of forensic investigative methodology to said process. Even though security practitioners such as forensic analysts operate in the legal vertical, they necessarily view and approach eDiscovery from a different perspective than legal professionals. This paper proposes that both parties can benefit when they integrate their processes; forensic tools and techniques have been used in the collection, analysis and presentation of evidence in the legal system for years. The history, and precedent, of applying forensic science to the legal process can be leveraged into the eDiscovery process. This paper will also detail how the scope and work for a forensic investigator during the eDiscovery process differs from a typical forensic investigation.

  • Orion Incident Response Live CD SANS.edu Graduate Student Research
    by John Jarocki - May 7, 2010 

    There are many frameworks for incident handling, including the Security Incident Handling Guide from the National Institute of Standards and Technology (NIST) (Scarefone, Grance, & Masone, 2008), (Mandia, Prosise, & Pepe, 2003), and the SANS six-step handling process (Skoudis, 2009). Carnegie-Mellon’s Software Engineering Institute even provided a study of these and more along with a framework for creating an incident management process tuned for a specific organization (Albert, Dorofee, Killcrece, & Zajicek, 2004). Tools for incident handling and response also exist, but responder tool kits are often built by collecting important tools one at a time until the expert incident handler has a custom set. This makes it difficult to bring in less-experienced incident response team members, and it creates challenges for collaboration during the incident as well as consistent collection and storage of evidence. Some Incident Response environments do exist, but they primarily focus on the analysis process, and do not provide a communication and collaboration framework. Nor do they usually provide a workflow based environment.

  • Scareware Traversing the World via a Web App Exploit by Mark Hillick - April 19, 2010 

    This paper will discuss the reasons behind this attack but more importantly, through following the six phases of Incident Handling in the SANS GCIH 504 course, it will provide direction on how such an incident should be handled from both the web-application side and the desktop perspective. This description will highlight how the attack was constructed with great precision and with greater control, resiliency and reliability than many top legitimate companies when they implement their IT solutions.

  • Incident Handling as a Service by Michel Lundell - March 1, 2010 

    This paper is about providing an incident handling service to companies that focus on their primary business and have limited resources to have an in-house IT security organization.

  • Winquisitor: Windows Information Gathering Tool by Michael Cardosa - January 19, 2010 

    Winquisitor is a tool that facilitates the timely retrieval of information from multiple Windows systems enabling the administrator to respond in an appropriate amount of time. Unlike other command line tools, Winquisitor allows multiple types of queries in a single command with several output formats.

  • Preventing Incidents with a Hardened Web Browser by Chris Crowley - December 15, 2009 

    There is substantial industry documentation on web browser security because the web browser is currently a frequently used vector of attack. This paper investigates current literature discussing the threats present in today's environment.

  • Cisco Security Agent and Incident Handling SANS.edu Graduate Student Research
    by Greg Farnham - October 1, 2009 

    An implementation of Cisco Security Agent (CSA) is analyzed and impacts to the incident handling process are identified. In addition, guidance is provided to configure CSA to support the incident handling process.

  • Simple Windows Batch Scripting for Intrusion Discovery SANS.edu Graduate Student Research
    by Tim Proffitt - September 29, 2009 

    Common free tools and automatic batch scripting that can be used to identify an intrusion on a Windows operating system.

  • Mitigating Insider Sabotage by Joseph Garcia - September 28, 2009 

    How failing to create an effective termination policy and deploy correct user access controls to deter insider threats can be costly.

  • Investigative Tree Models SANS.edu Graduate Student Research
    by Rodney Caudle - September 15, 2009 

    Investigative tree models provide a structured approach to incident handling during incident response. This SANS whitepaper explores definable, reproducible structures to be created facilitating controlled cost exposure during an incident response cycle.

  • Security Incident Handling in High Availability Environments by Algis Kibirkstis - September 15, 2009 

    SANS Whitepaper discussing a security incident handling process for high-availability systems.

  • Protecting Against Insider Attacks SANS.edu Graduate Student Research
    by Brad Ruppert - August 10, 2009 

    Key factors in enhancing internal security controls and protecting a company from internal attacks. Often the greatest damage can be done by someone already inside these defenses. It is imperative that companies implement internal controls to monitor, detect, and prevent access to sensitive resources to only those individuals that require it to perform their specific job function. The goal of this paper will be to identify high risk areas commonly neglected and to provide some best practice tips to enhance internal security controls.

  • Incident Handlers Guide to SQL Injection Worms by Justin Folkerts - June 18, 2009 

    This paper seeks to demystify an innovative type of attack known as a SQL Injection Worm.

  • Virtual Rapid Response Systems by Chris Mohan - June 10, 2009 

    This paper aims to provide organizations with a quick and effective response to IT security breaches at remote locations with a virtual response platform.

  • The SirEG Toolkit by François Bégin - April 23, 2009 

    This paper provides the reader an overview of the SirEG Toolkit, then discusses the type of data it captures on a suspicious host and more importantly, how that data is captured.

  • A Guide to Encrypted Storage Incident Handling SANS.edu Graduate Student Research
    by Wylie Shanks - April 9, 2009 

    Encrypted storage solutions provide confidentiality of data; however, they have also created a need for effective incident response. Privacy legislation and regulatory compliance mandates are increasingly driving encrypted storage solution deployments. This document provides incident handlers with a few tools and processes in order to respond effectively to incidents involving encrypted storage solutions.

  • Security Incident Handling in Small Organizations by Glenn Kennedy - December 16, 2008 

    Considerable research has been accomplished, with a focus on the steps necessary to create and organize an Incident Handling Team in large organizations, but the resources required for such a project do not scale down to anything usable by the Small Business community. This paper reviews current best practices in the security community, and proposes a compromise that scales these steps into something workable and acceptable to the SB community. The paper also references SANS checklists to assist the SB owner step through the processes before, during, and after a security incident, along with literature, vendor, and tool resources.

  • Intrusion Detection Likelihood: A Risk-Based Approach by Blake Hartstein - November 5, 2008 

    The goal of this paper is to highlight the useful aspects of Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS).

  • Expanding Response: Deeper Analysis for Incident Handlers SANS.edu Graduate Student Research
    by Russ McRee - October 9, 2008 

    Most incident handlers likely have a toolkit they’re fond of that, in all probability, contains tools most handlers are familiar with. It is the intent of this paper to expand common horizons and discuss tools that may not readily appear in a typical toolkit.

  • Tips for Making Security Intelligence More Useful SANS.edu Graduate Student Research
    by Mason Pokladnik - October 9, 2008 

    Trends and incidents show us when security is working. When security is failing to meet the organization’s intended goal of reducing risk, we have to reevaluate our controls with the benefit of new security intelligence information. Just imagine what improvements could be made if we spent anywhere near the effort investigating the security implications of IT projects as we do the compliance issues.

  • Malware 101 - Viruses by Aman Hardikar - July 15, 2008 

    This paper provides new insights into establishing Incident Handling procedures for dealing with various types of malware. It also aims to give a detailed perspective into the various types of malware or malicious software and their propagation mechanisms.

  • Mining gold... A primer on incident handling and response by Stacy Jordan - June 23, 2008 

    Incident handling and response is a key area in the IT security arena. As a part of the GIAC GOLD program, several outstanding papers on the subject have been generated. This paper has collected information from those papers to serve as basic for future research. Topical areas in the paper include: defining what a incident is, incident handling process, how to create a computer incident response team and tools/resources for supporting incident handlers.

  • An approach to the ultimate in-depth security event management framework by Nicolas Pachis - June 23, 2008 

    "SANS 504: Hacker Techniques, Exploits and Incident Handling" illustrates the six steps to the incident handling process: preparation, identification, containment, eradication, recovery and lessons learned. This incident response system is derived from the SANS booklet, "Computer Security Incident Handling Step by Step: A Survival Guide for Computer Security Incident Handling". The two phases we want to take a look at in this paper are preparation and identification. While the other steps are important for the continuation of the business processes for your group, paying close attention during the preparation and identification phases can speed up your response time to an incident.

  • Creating and Maintaining Policies for Working with Law Enforcement SANS.edu Graduate Student Research
    by Tim Proffitt - May 21, 2008 
  • Incident Handling for SMEs (Small to Medium Enterprises) by Terry Morreale - May 20, 2008 
  • Breach Notification in Incident Handling by Jeffery Buffington - March 4, 2008 

    This document will provide the IT professional with a general understanding of what "breach notification" is, and demonstrate some of the variety found among the legal requirements for actually conducting notification. In addition, this document will identify some of the tools currently available that may assist an incident handler with determining what data may have actually been exposed, and offer suggested means of conducting the actual notification.

  • Espionage - Utilizing Web 2.0, SSH Tunneling and a Trusted Insider by Ahmed Abdel-Aziz - February 11, 2008 

    Since the threat trend is moving from large number and unfocused attacks to fewer, highly targeted and financially motivated attacks [Kinghorn 2007], Espionage security incidents are naturally expected to be on the rise. Through the technical report, I hope to demonstrate to the readers an example of how social networking sites that are becoming evermore popular can aid an attacker [Walls 2007], especially in the reconnaissance and exploit stages of the attack. Also highlighting the danger of the improper use of the SSH reverse tunneling technique, and how important it is to have security policy that users are aware of and follow.

  • Baselines and Incident Handling by Chris Christianson - January 29, 2008 

    Preparation is an important part of the incident handling process (SANS, n.d.); it is the only part of the process that an incident handler can do ahead of time. Preparing well can help an incident handler to identify and respond to an incident more quickly. It can also help him or her to be more efficient throughout the entire incident handling process.

  • Documentation is to Incident Response as an Air Tank is to Scuba Diving by Chet Langin - December 11, 2007 

    That IP address you just traced may result in a search warrant, an arrest, and court action. Can your documentation justify these actions, and is it ready for scrutiny? Even routine vulnerability scans and bot incidents can have unexpected results. Getting it done right the first time saves effort in the long run, preserves requisite credibility, and can save face, possibly even your job.

  • Multi-Tool DVD Sets: An important addition to the Incident Handler/ Pen Tester's toolkit by Jamal Bandukwala - November 20, 2007 

    This paper will aid the incident handling and security community by explaining and demonstrating forensically sound processes to create a powerful multi session DVD. This can be customized to contain several of the most popular Linux live CDs and a second DVD/CD that contains other tools that may not be contained on the live multi session DVD.

  • Creating and Managing an Incident Response Team for a Large Company SANS.edu Graduate Student Research
    by Timothy Proffitt - July 18, 2007 

    Using good communication skills, clear policies, professional team members and utilizing training opportunities, a company can run a successful incident response team.

  • An Incident Handling Process for Small and Medium Businesses SANS.edu Graduate Student Research
    by Mason Pokladnik - June 18, 2007 

    This paper's intention is to assist you in getting an incident response capability off the ground in a SMB environment by analyzing some of the constraints of a smaller corporate environment.

  • International Cybercrime Treaty: Looking Beyond Ratification by Daniel Robel - March 28, 2007 

    For the purposes of this paper, a global incident can be defined as an incident involving the computers, network, or assets of more than one nation-state. An incident implies harm or the attempt to harm. The term incident refers to an adverse event in an information system and/or network or the threat of the occurrence of such an event.

  • Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics SANS.edu Graduate Student Research
    by Ricky Smith - February 9, 2007 

    One of the first things that an incident handler takes for a potential computer incident is verifying that an incident has actually occurred. As part of the verification process, the incident handler will need to examine the system looking for the evidence of the incident.

  • Incident Management 101 Preparation & Initial Response (aka Identification) by Robin Dickerson - January 17, 2005 

    According to SANS, there are six steps involved in properly handling a computer incident: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Incident Management 101 provides guidelines, procedures, and tools designed to assist security specialists with the first two phases of Incident Management Preparation and Initial Response (aka Identification phase).

  • Reporting Incidents to an ISP with BlackICE ClearICE Report Utility and the Importance of Submitting Firewall Logs to the Dshield.org Project by Victor Arnaud - March 9, 2004 

    This practical has two objectives: guide users of BlackICE to report incidents to their ISPs (using ClearICE Report Utility) and show users the importance of submitting firewall logs to the dshield.org project.

  • Windows Responders Guide by Koon Tan - July 14, 2003 

    This paper provides the first responder guide to handle incident occur on a Windows platform system.

  • Implementing a Computer Incident Response Team in a Smaller, Limited Resource Organizational Setting by Mary Hall - June 2, 2003 

    Development and implementation of a Computer Incident Response Team is a major undertaking in any organization.

  • Building a Low Cost Forensics Workstation by Matthew McMillon - April 6, 2003 

    This paper will outline the fundamentals of computer forensic investigation and then, based on these essentials, create requirements for a low cost forensics workstation for use in electronic investigations.

  • Forgetting to Lock the Back Door: A Break-in Analysis on a Red Hat Linux 6.2 Machine by Gary Belshaw - August 4, 2002 

    This document is intended to highlight the steps taken in ascertaining the level of damage done in a network break-in (or hack attack) on our system, and the steps taken in rectifying the damage.

  • What You Don't See On Your Hard Drive by Brian Kuepper - April 4, 2002 

    This paper will address the issue of retrieving data that has been deleted and hidden access and control of your computer, looking at the recent development of rootkits designed for Microsoft Windows operating systems.

  • Computer Forensics - We've Had an Incident, Who Do We Get to Investigate? by Karen Ryder - March 26, 2002 

    So how does a manager (IT or not) decide how to investigate an incident? This paper's aim is to provide Australian managers with a basis to make this decision by providing an insight into computer forensics and evidence handling, and giving advantages and disadvantages for each option.

  • The Coroners Toolkit - In depth by Clarke Jeffris - February 9, 2002 

    In this paper describes evidence gathering on a Unix system using 'The Coroners Toolkit' version 1.09 hereafter referred to as TCT.

  • Deterring Cyber Attacks by Christy Bilardo - January 27, 2002 

    This paper provides a Strengths, Weaknesses, Opportunities and Threats [SWOT] Analysis to help you analyze three alternatives and recommend the best one to upper management.

  • One Incident Of Remediating The CRC 32 sshd1 Vulnerability by Rebecca Sander - January 12, 2002 

    The purpose of this paper is to document the process I used to respond to the CRC32 sshd1 vulnerability.

  • Computer Forensic Legal Standards and Equipment by Damian Tsoutsouris - December 6, 2001 

    Computer Incident Response Teams (CIRTs), network security, and intellectual property (IP) security are growing in importance and are becoming many companies' top priority in this age of increased security conscious commerce

  • Computer Forensics: Introduction to Incident Response and Investigation of Windows NT/2000 by Norman Haase - December 4, 2001 

    The purpose of this paper is to be an introduction to computer forensics.

  • From Events to Incidents by Charles Pham - November 29, 2001 

    This paper is an attempt at clarifying "events" and "incidents" for training purposes so that effective filtering can be apply when it come to reporting an incident.

  • Corporate Incident Handling Guidelines by David Theunissen - November 14, 2001 

    If you are a large multinational corporation without a large security function, this paper will help you approach some of the common problems in preparing incident handling procedures.

  • Combating Computer Crime by Jason Upchurch - September 26, 2001 

    Computer crime and computer related crimes are growing areas of concern for both law enforcement and businesses alike.

  • An Overview of Disk Imaging Tool in Computer Forensics by Madihah Saudi - September 24, 2001 

    The objective of this paper is to educate users on disk imaging tool, issues that arise in using disk imaging, offer recommended solutions to these issues and examples of disk imaging tool.

  • Incident Response and Creating the CSIRT in Corporate America by Chris Thompson - September 19, 2001 

    The purpose of this document is to discuss implementing a formal incident response organization.

  • Computer Incident Response Team by Michelle Borodkin - September 15, 2001 

    This paper is designed to answer the big questions about Computer Incident Response Teams including: What is a CIRT? Who should be on a CIRT and what function will they serve? And, What steps need to be taken to implement a CIRT?

  • Investigating an Internal Case of Internet Abuse by Mal Wright - September 6, 2001 

    I was recently required to investigate an incident of Internet abuse and this essay describes the detection, investigation and various tools used to collect the evidence.

  • CodeRed II: Incident Handling Process and Procedures by Michael Goodwin - September 5, 2001 

    This paper uses the CodeRed II virus as a template to generate questions to help you better prepare for the next virus outbreak.

  • Adventures in Computer Forensics by Diana Michaud - September 4, 2001 

    Computer forensics is one piece to the investigative puzzle.

  • Collection and Dissemination of Computer and Internet Security Related Information by Scott Fox - August 21, 2001 

    Ongoing advances in technology and the growth of the Internet are introducing not only an increase in the number of vulnerabilities being found, but also an increase in the complexity of system administration, incident handling and forensic analysis work.

  • Information Security: Handling Compromises by Craig Bowser - August 15, 2001 

    While the corporate sector may not be guarding national secrets, they are protecting valuable information such as trade secrets, financial documents and personal information.

  • Successful Partnerships for Fighting Computer Crime by Beth Binde - August 11, 2001 

    Given the wide range of possible criminal activities in the high technology arena, computer security officers need to be prepared to respond to computing incidents that are not only against the local acceptable use policy for computers and networks, but also violate federal, state or local statutes.

  • The Enemy Within: The Role of the Security Administrator in Apprehending and Terminating the Malicio by Robin Stuart - August 8, 2001 

    The following information is set forth to generally describe the tools available to security administrators to facilitate the apprehension and participate in the resolution of internal threats to your organization's sensitive or restricted resources.

  • Reporting Unauthorized Intrusions: A "How To" Guide by Melton Roland - July 26, 2001 

    This paper provides a "how to" guide for reporting unauthorized intrusions.

  • Nailing the Intruder by Vinay Disley - July 24, 2001 

    This paper is an attempt to link the various aspects of evidence relating to computer crime, the sources of such evidence and some tips on how to identify systems compromised and cull out evidence from the same.

  • Secure File Deletion: Fact or Fiction? by John Mallery - July 16, 2001 

    This paper will deal with how and where some of these files are created and how to securely remove them from a system.

  • Proposed Conceptual Tools for Managing Cost and Complexity When Securing Networks by Kathleen Howard - July 5, 2001 

    This paper will describe the cost and complexity issues facing security professionals, outline the desired outcome in facing these issues, and finally will suggest initial proposals for reaching those goals.

  • Identify Intrusions with Microsoft Proxy Server, Web Proxy Service and WinSock Proxy Service Log Fil by Saundra Coward - July 5, 2001 

    This paper provides a guide on how to identify intrusions using Microsoft's Proxy Server log files.

  • Developing a Computer Forensics Team by Christine Vecchio-Flaim - July 4, 2001 

    Efforts to establish sound information assurance programs are rapidly evolving due to increased connectivity, enhanced technology, and the continuous introduction of operating and application systems software.

  • Building an Incident Response Program To Suit Your Business by Tia Osborne - July 3, 2001 

    The purpose of this paper is to outline the key concepts of an Incident Response Program (IRP).

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





Latest Whitepapers

Recognizing Suspicious Network Connections with Python
By Gregory Melton

Examining Sysmon's Effectiveness as an EDR Solution
By Christian Vrescak

Replacing WINS in an Open Environment with Policy Managed DNS Servers
By Mark Lucas

Last 25 Papers »

Latest Tweets @SANSInstitute

We have over 15 new courses and courses in development set t [...]
April 19, 2021 - 11:35 PM

#SANSSecWest | #SANSLiveOnline starts in a few weeks! - 30+ [...]
April 19, 2021 - 10:15 PM

We're counting down the #20CoolestCareers in #Cybersecurity [...]
April 19, 2021 - 7:30 PM

Contact Us

Mon-Fri: 9am-8pm ET (phone/email)
Sat-Sun: 9am-5pm ET (email only)
301-654-SANS(7267)
info@sans.org

"As a security professional, this info is foundational to do a competent job, let alone be successful."
- Michael Foster, Providence Health and Security

"It was a great learning experience that helped open my eyes wider. The instructor's knowledge was fantastic."
- Manuja Wikesekera, Melbourne Cricket Club

"This has been a great way to get working knowledge that would have taken years of experience to learn."
- Josh Carlson, Nelnet