Work Monitoring

Featuring 7 Papers as of April 8, 2020

  • Tracking Penetration Test Activities (Graduate Student Research)
    by Joshua Arey - April 2, 2020

    Most penetration testers (“pentesters”) are required to track their actions during a penetration test event but rarely do so in enough detail to recreate all of their activities accurately. Instead, pentesters often only track activities that lead to findings disclosed in the final penetration testing (“pentest”) report. Tracking testing activities can be challenging and often gets disregarded when it slows down a pentest engagement. Fortunately, there are automatic logging mechanisms on most pentest systems available for leveraging to help automatically track pentest activities. However, many logging capabilities do not sufficiently record the generated network traffic from the attacking system, and network monitoring tools do not record what actions triggered the sending of packets. Customizing system logging configurations and incorporating system monitoring tools such as auditd can help automatically track testing activities on Linux-based pentest systems. This additional logging allows for accurate tracking in enough detail for an auditor to accurately determine what actions a pentester took against the pentest targets.

  • Insider Threat Mitigation Guidance (Graduate Student Research)
    by Balaji Balakrishnan - October 9, 2015

    Insider threats are complex and require planning to create multi-year mitigation strategies. Each organization should tailor its approach to meet its unique needs. The goal of this paper is to provide relevant best practices, policies, frameworks and tools available for implementing a comprehensive insider threat mitigation program. Security practitioners can use this paper as a reference and customize their mitigation plans according to their organizations' goals. The first section provides reference frameworks for implementing an insider threat mitigation program with the Intelligence and National Security Alliance (INSA) Insider Threat roadmap, Carnegie Mellon University's Computer Emergency Response Team (CERT) insider threat best practices, CERT insider threat program components, National Institute of Standards and Technology (NIST) Cybersecurity Framework, and other relevant guidance. This section provides an implementation case study of an insider threat mitigation program for a hypothetical organization. The second section of this paper will present example use cases on implementing operational insider threat detection indicators by using a risk scoring methodology and Splunk. A single event might not be considered anomalous, whereas a combination of events assigned a high-risk score by the methodology might be considered anomalous and require further review. A risk scoring method can assign a risk score for each user/identity for each anomalous event. These risk scores are aggregated daily to identify username/identity pairs associated with a high risk score. Further investigation can determine if any insider threat activity was involved. This section explains how to implement a statistical model using standard deviation to find anomalous insider threat events. The goal is to provide implementation examples of different use cases using a risk scoring methodology to implement insider threat monitoring.

  • Next Generation Firewalls and Employee Privacy in the Global Enterprise (Graduate Student Research)
    by Ryan Firth - September 30, 2014

    An obligation to protect company resources is something nearly every organization tries to instill in their staff.

  • Securing the K-12 School Network through Effective Internet Access Control, Network Traffic Monitoring, and Data Analysis
    by Barry Young - September 17, 2008

    Internet access control, network traffic monitoring, and related data analysis, are powerful tools available to the K-12 Network Security Analyst

  • Echelon: The Danger of Communication in the 21st Century
    by Chad Yancey - February 1, 2002

    How governments are using Echelon to gain and collect information on not only political or military interests, but that they are suspected of using this system on common citizens

  • Information Assurance at the PC Level
    by Carlton Bowen - December 10, 2001

    This paper contemplates a bottom-up approach to information security, where attention is given to information assurance at the PC level initially, rather than as an afterthought.

  • First Step Data Capture - Key Stroke Loggers
    by Nigel Lewis - August 15, 2001

    An examination of software and hardware keystroke logging, with mention of malicious keystroke logging, and keylogger detection options.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.