
Reading Room


Threat Hunting

Featuring 44 Papers as of April 21, 2021

  • How to Use Historical Passive DNS for Defense Investigations and Risk Assessments Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - April 20, 2021 

    Passive DNS offers a wealth of historical DNS records analysts can use to gain valuable insight into changes over time, changes that can provide them with valuable context in their threat hunting investigations. In this paper, SANS Analyst Dave Shackleford explores Farsight Security's Passive DNS Database (DNSDB) as a tool for identifying threats, reducing risk, and resolving incidents. In addition to sharing his experiences of what it's like to work with the DNSDB database, Shackleford walks through five real-world use cases that demonstrate how to conduct searches, limit query results, and use the context of those results to reduce risks and resolve incidents.

  • Network Security: Protecting Your Organization Against Supply Chain Attacks Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 31, 2021 

    Recent supply chain attacks have proven that third parties are an unexpected, yet trusted, entry vector into an organization. By utilizing legitimate methods to breach an organization, threat actors can hide under the radar with escalated privileges. Furthermore, attackers have shown that they are security-savvy, knowledgeable of enterprise defenses and their workarounds. Enterprise defense should be structured around BOTH system and network data; without both, you will never see the full picture. With this webcast, we will outline NDR capabilities and how bringing endpoint and network together will prove to be a one-two punch to bring down even advanced attackers. We will specifically outline how to mitigate common third-party attack surfaces, what could have been done differently in the wake of the attack, and whether the recent attacks have provided enough reason to consider changes in implementation.

  • Hunting in Network Telemetry Analyst Paper (requires membership in SANS.org community)
    by Christopher Crowley - March 5, 2021 

    An extension of Chris Crowley's 2020 paper "20/20 Vision for Implementing a Security Operations Center" about technology deployment of the triad of host, network, and correlation capabilities, this webcast will outline how Vectra enables hunting within network telemetry data. Hunting is looking at data available throughout the environment with the assumption that previously developed detection engineering has failed, yet compromise-relevant data is present. Hunting is different from investigation as it does not begin with an indicator; rather, it starts with a hypothesis. Hunting presumes latent, undiscovered compromise. With this in mind, we'll discuss how Vectra can be used to identify problematic systems based on unexpected or unauthorized network activity. Specifically, this webcast will focus on using the Vectra tool for initial discovery. (The next webcast in the series will be held April 28th and will cover discovering the scope of the intrusion after the discovery of a compromise.)

  • Verifying Universal Windows Platform (UWP) Signatures at Scale SANS.edu Graduate Student Research
    by Joal Mendonsa - October 28, 2020 

    Enterprise security teams often use native Windows tools, like PowerShell, to check signatures and quickly establish whether a binary is known-good or is unknown and worthy of further investigation. Unfortunately, a new and growing class of applications – Universal Windows Platform (UWP) applications – incorrectly appear to be unsigned when checked using traditional methods. This paper will demonstrate a way to efficiently validate UWP applications in a networked environment, strictly using Microsoft tools, and without placing additional binaries on remote systems.

  • The All-Seeing Eye of Sauron: A PowerShell tool for data collection and threat hunting SANS.edu Graduate Student Research
    by Timothy Hoffman - October 14, 2020 

    The cost of a data breach directly relates to the time it takes to detect, contain, and eradicate it. According to a study by the Ponemon Institute, the average time to identify a breach in 2019 was 206 days (Ponemon Institute, 2019). Reducing this timeframe is paramount to reducing the overall timeline of removing a breach, and the costs associated with it. With ever-evolving adversaries creating new ways of compromising organizations, preventive security measures are essential, but not enough. Organizations should not assume they will be compromised, but instead that they already have been. Finding and removing these already existing breaches can be difficult. To find existing breaches, organizations need to conduct threat hunting, which seeks to uncover the presence of an attacker in an environment not previously discovered by existing detection technologies (Gunter & Seitz, 2018). This paper looks at the PowerShell tool, Eye of Sauron, which can be used for threat hunting by identifying indicators of compromise (IOCs), as well as anomaly detection using data stacking in a Windows environment. Its capability to detect the presence of IOCs is tested in two scenarios, first in a simulated attack, and second after the introduction of malware.

  • All for One, One for All: Bringing Data Together with Devo Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - August 19, 2020 

    Many organizations have an assortment of security tools that have been cobbled together over the years. In this review, SANS instructor Matt Bromiley examines a solution to the problem of bringing multiple tools together: Devo Security Operations. He puts Security Operations through its paces as a tool that provides enterprisewide insight, seamless investigation and hunting, automated data correlation and enrichment, and more, so that analysts can get back to the business of responding to threats.

  • Real-Time Honeypot Forensic Investigation on a German Organized Crime Network SANS.edu Graduate Student Research
    by Karim Lalji - June 23, 2020 

    German police raided a military-grade NATO bunker in the fall of 2019, believed to have been associated with a dark web hosting operation supporting a variety of cybercrimes. The organized crime group has gone by the aliases of CyberBunker, ZYZtm, and Calibour (Dannewitz, 2019). While most of the group's assets were seized during the initial raid, the IP address space remained and was later sold to Legaco Networks. Before being shut down, Legaco Networks temporarily redirected the traffic to the SANS Internet Storm Center honeypots for examination. The intention behind this examination was to identify malicious traffic patterns or evidence of illegal activity to assist the information security community in understanding the techniques of a known adversary. Analysis of the network traffic revealed substantial residual botnet activity, phishing sites, ad networks, pornography, and evidence of potential Denial of Service (DoS) attacks. The investigation uncovered a possible instance of Gaudox Malware, IRC botnets, and a wide variety of reconnaissance activities related to Mirai variant IoT exploits. A survey of the network activity has been provided with an emphasis on potential botnet activity and Command and Control (C&C) communication.

  • Applying the Scientific Method to Threat Hunting by Jeremy Kerwin - May 28, 2020 

    Threat hunting is a proactive approach to discover attackers within an organization. Without the use of a repeatable framework, the practice of threat hunting is challenging and time-consuming for an analyst. The scientific method, used in fields such as medicine and physics, is a repeatable methodology that can be applied to threat hunting to detect threats to an organization.

  • Is Your Threat Hunting Working? A New SANS Survey for 2020 Analyst Paper (requires membership in SANS.org community)
    by Mathias Fuchs - May 26, 2020 

    Although threat hunting has become a mandatory task to establish an acceptable level of security, the demand for skilled hunters far exceeds the number of available specialists. In this new research, SANS queried organizations about how they approach threat hunting, the barriers to success and how they measure their efforts. This paper explores what exactly leads to the shortage of suitable personnel and how it affects security organizations’ capabilities to utilize threat hunting teams.

  • Birthday Hunting by Jack Burgess - May 4, 2020 

    The Birthday Problem has a number of applications to incident response. Existing tools can both narrow the focus of the incident response team and limit their experience to a small subset of alerts. This leaves specialized tools to do the analysis before anything is investigated, imposing a range of biases. We show that randomly selected investigation of nodes in the environment has a significant likelihood of finding the adversary. This allows for the evaluation of threat hunting and security operations. The approach is then extended to the evaluation of cybersecurity machine learning products. These products may be complicated and opaque. The approach presented avoids the need to understand the internals, shifting analyst focus to business-as-usual operations.

  • 2020 SANS Network Visibility and Threat Detection Survey Analyst Paper (requires membership in SANS.org community)
    by Ian Reynolds - March 31, 2020 

    Organizations have untapped opportunities to strengthen the way they analyze network data and increase visibility. Visibility brings increased situational awareness, allowing for rapid threat identification and investigation for faster resolution of internal performance issues and security breaches. Investing time in understanding how and where to capitalize on these opportunities will bring real and measurable benefits.

  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - March 17, 2020 

    Deception technologies significantly improve security teams' capabilities to quickly and accurately detect attackers that intentionally avoid looking malicious. But how do these cyber technologies work to address key security concerns? This paper explores how to collect threat intelligence and attack attribution information associated with malicious behaviors that fly under the radar in an attempt to carry out Active Directory and ransomware attacks, phishing and credential hijacking, vulnerable applications, and more.

  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - February 18, 2020 

    Deception technologies can significantly improve an organization's capability to quickly and accurately detect attackers that intentionally avoid looking malicious. At the same time, deception technologies can collect threat intelligence and attack attribution information to improve response effectiveness. Implemented as network-accessible resources, on endpoints and even in cloud implementations, deception technologies can cover major attack surfaces to assist with attack malicious behaviors like account hijacking, phishing, vulnerable applications, and more.

  • Implementer's Guide to Deception Technologies Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - February 5, 2020 

    Deception technologies can significantly improve an organization's capabilities to swiftly and accurately detect attackers, while at the same time collecting sufficient threat intelligence and attack attribution information to improve response effectiveness. By deploying decoy lures, misdirections, and systems to attract and snare attackers, organizations can take back the advantage on today's digital battlefield. All it takes is for the attacker to touch one deceptive resource.

  • Threat Hunting and Discovery: A SANS Review of Vectra Cognito Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - January 15, 2020 

    Vectra's Cognito security analytics platform aims to address modern attacks by analyzing many of the attacker behaviors outlined in MITRE's ATT&CK matrix, which thoroughly describes an attack campaign and its phases. Security teams are facing pressure to detect attacks and respond to them more rapidly, which is difficult when trying to find evidence of lateral movement, reconnaissance, privilege escalation and other stealthy behavior. SANS reviewed the Cognito platform to understand how it can be used to rapidly analyze network data and provide a behavior-focused model of detection and response.

  • Threat Hunting with Consistency Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - December 8, 2019 

    Proposing an alternative language for threat hunting, based on the existing MITRE ATT&CK language, this white paper outlines a stronger internal process that builds a security team that views its environment holistically and relies on evidence-based security research. Through a uniform vocabulary, greater efficiencies and stronger borders against threats can be developed.

  • How to Build a Threat Hunting Capability in AWS Analyst Paper (requires membership in SANS.org community)
    by Shaun McCullough - December 3, 2019 

    Threat hunting is more of an art than a science, in that its approach and implementation can differ substantially among enterprises and still be successful. In cloud environments, where the threat landscape is always changing, security teams must know what data to collect and how to analyze it in order to tease out suspicious anomalies. In addition to these topics, this whitepaper walks you through the threat hunting process, describing tools and techniques you can use to find and neutralize threats.

  • Someone to Watch Over You: A Review of CrowdStrike’s Falcon OverWatch Analyst Paper (requires membership in SANS.org community)
    by Joe Sullivan - November 19, 2019 

    Technology alone cannot stop 100% of threats against endpoints. Ensuring security requires that people and processes be an integral part of threat hunting. That’s where CrowdStrike’s Falcon OverWatch comes in, with a team of live, trained threat hunting analysts whose job it is to alert you to advanced attack techniques that can go undetected by automated tools. In this review, SANS puts OverWatch through its paces to detect and alert on sophisticated attacks like credential theft, defense evasion and lateral movement, making it possible for on-premises security teams to respond to threats immediately.

  • How to Build a Threat Detection Strategy in Amazon Web Services (AWS) Analyst Paper (requires membership in SANS.org community)
    by David Szili - September 10, 2019 

    Threat detection and continuous security monitoring in the cloud must integrate traditional on-premises system monitoring with the cloud network infrastructure and cloud management plane. A successful, cloud-based threat detection strategy will collect data from systems, networks and the cloud environment in a central platform for analysis and alerting. This paper describes how to build a threat detection strategy that automates common tasks like data collection and analysis.

  • Elevating Enterprise Security with Fidelis Cybersecurity: Endpoint Security Capabilities Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - September 5, 2019 

    In this final part of a two-part review, Matt Bromiley continues his review of the Fidelis Elevate platform, shifting focus to endpoint security. He examines how Fidelis Endpoint provides endpoint insight and response, highlighting capabilities such as behavioral monitoring and detections, enterprisewide threat hunting, and response automation, as well as ease of integration with Fidelis Elevate to bring networks and endpoints together. With this kind of holistic visibility, the job of securing modern enterprises becomes significantly easier and more achievable.

  • Elevating Enterprise Security with Fidelis Cybersecurity: Network and Deception Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - September 5, 2019 

    Security teams cannot defend complex networks without holistic, correlative insight into the environment. In this first part of a two-part review, Matt Bromiley reviews the Fidelis Elevate platform, with respect to its ability to provide insight into network traffic, threats and deception. Not only does the Fidelis platform allow for holistic visibility, but it also makes it easy for organizations to move toward threat hunting, shortening their time to detect and uncover intrusions.

  • Building and Maturing Your Threat Hunting Program Analyst Paper (requires membership in SANS.org community)
    by David Szili - June 24, 2019 

    Building an effective threat hunting program can be daunting. This paper addresses how to get started and covers building a team, what a typical hunt might look like and constructing a knowledge base for later use. It also covers how to create a test lab and use effective metrics.

  • Thinking like a Hunter: Implementing a Threat Hunting Program Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - April 21, 2019 
    • Sponsored By: IBM

    A successful threat hunting program should identify previously unknown or ongoing threats within the environment and facilitate a deeper understanding of the organization's technical landscape. This paper focuses on bridging the gap between those two objectives and discusses the whats, whys and hows of threat hunting. The paper presents techniques that can be immediately applied to your environment to help you either build a new hunt team or hone your existing one.

  • Securing Your Endpoints with Carbon Black: A SANS Review of the CB Predictive Security Cloud Platform Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - March 14, 2019 

    Endpoint security remains a top security priority for most organizations. SANS reviews the CB Predictive Security Cloud (PSC), which focuses on securing endpoints by using a single lightweight agent that provides security professionals with actionable insights about cyberattacks. It uses behavioral analytics and big data in the cloud to prevent emerging threats; helps with vulnerability assessment and compliance reporting; and assists in threat hunting and incident response.

  • Hunting and Gathering with PowerShell by Troy Wojewoda - March 13, 2019 

    PowerShell has been used extensively over the years by both malware authors and information security professionals to carry out disparate objectives. This paper will focus on the latter by detailing various techniques and use cases for digital defenders. There is no "one-size-fits-all" model that encompasses a dedicated blue team. Roles and responsibilities will differ from organization to organization. Therefore, topics covered will range from system administration to digital forensics, incident response as well as threat hunting. Using the latest in the PowerShell framework, system variables will be collected for the purpose of establishing baselines as well as useful datasets for hunting operations. The focus will then shift to use cases and techniques for incident responders and threat hunters.

  • Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity SANS.edu Graduate Student Research
    by Dallas Haselhorst - January 4, 2019 

    The information security industry is predicted to exceed 100 billion dollars in the next few years. Despite the dollars invested, breaches continue to dominate the headlines. Despite best efforts, all attempts to keep the enemies at the gates have ultimately failed. Meanwhile, attacker dwell times on compromised systems and networks remain absurdly high. Traditional defenses fall short in detecting post-compromise activity even when properly configured and monitored. Prevention must remain a top priority, but every security plan must also include hunting for threats after the initial compromise. High price tags often accompany quality solutions, yet tools such as Security Onion, Zeek (Bro), and RITA require little more than time and skill. With these freely available tools, organizations can effectively detect advanced threats including real-world command and control frameworks.

  • A Practical Model for Conducting Cyber Threat Hunting by Dan Gunter and Marc Seitz - November 29, 2018 

    There remains a lack of definition and a formal model on which to base threat hunting operations and quantify the success of those operations from the beginning of a threat hunt engagement to the end, one that also allows analysis of analytic rigor and completeness. The formal practice of threat hunting seeks to uncover the presence of attacker tactics, techniques, and procedures (TTP) within an environment not already discovered by existing detection technologies. This research outlines a practical and rigorous model to conduct a threat hunt to discover attacker presence by using six stages: purpose, scope, equip, plan review, execute, and feedback. This research defines threat hunting as the proactive, analyst-driven process to search for attacker TTP within an environment. The model was tested using a series of threat hunts with real-world datasets. Threat hunts conducted with and without the model observed the effectiveness and practicality of this research. Furthermore, this paper contains a walkthrough of the threat hunt model based on the information from the Ukraine 2016 electrical grid attacks in a simulated environment to demonstrate the model's impact on the threat hunt process. The outcome of this research provides an effective and repeatable process for threat hunting as well as quantifying the overall integrity, coverage, and rigor of the hunt.

  • Integrating Threat Intelligence into Endpoint Security: A Review of CrowdStrike Falcon X Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - November 26, 2018 

    While threat intelligence can transform an organization's security posture, it can be complex and costly for organizations to adopt and operationalize. With that in mind, SANS Analyst Dave Shackleford tested CrowdStrike Falcon X, which purportedly enables cybersecurity teams to automatically analyze malware found on endpoints, find related threats and enrich the results with customized threat intelligence. This review encapsulates his findings, and details how the solution can help SOC teams.

  • SANS 2018 Threat Hunting Survey Results Analyst Paper (requires membership in SANS.org community)
    by Robert M. Lee and Rob T. Lee - September 18, 2018 

    Our third survey on threat hunting looks at the maturity of hunting programs and where they are going, along with best practices being used in organizations to detect and remediate threats that would otherwise remain hidden. Read this report to learn how survey respondents answered questions that are immediately important to organizations conducting threat hunting.

  • The Need for Speed: Integrated Threat Response A SANS Whitepaper Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - September 10, 2018 

    This paper addresses the concepts of security automation and integration and provides recommendations on how to use technology to make your team faster and more efficient. It not only emphasizes the need for security automation and integration, but also shows how they are enhancements to, rather than replacements for, a security program.

  • Hunting with Rigor: Quantifying the Breadth, Depth and Threat Intelligence Coverage of a Threat Hunt in Industrial Control System Environments by Dan Gunter - July 23, 2018 

    Threat hunting provides an organization a proactive opportunity to discover hidden attackers and to evaluate and improve the security posture of the environment. While existing research focuses on technical methods for threat hunting, a way to assess the rigor and completeness of threat hunting activities remains unexplored. This research examines several methods that can be implemented to calculate coverage of threat hunts. Coverage calculation methods include kill chain coverage; attacker tactic, technique and procedure coverage; and threat intelligence coverage. This research also explores how to automate the calculation of threat hunt coverage. By following the process outlined by this research, analysts can ensure that planned threat hunts remain relevant to the overall goal of the hunt and that these hunts can maximize the chance of adversary detection success.

  • AI Hunting with the Cybereason Platform: A SANS Review Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - July 23, 2018 

    SANS reviewed Cybereason's AI hunting platform, which offers a lightweight, behavior-focused model of host-based protection that can help intrusion analysis and investigations teams more rapidly and efficiently prevent, detect and analyze malicious behavior in their environments.

  • Hunting Threats Inside Packet Captures by Muhammad Alharmeel - May 23, 2018 

    Inspection of packet captures (PCAP) for signs of intrusions is a typical everyday task for security analysts and an essential skill analysts should develop. Malware has many ways to hide its activities at the system level (e.g. rootkits), but in the end it must leave a visible trace at the network level, regardless of whether it is obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace, dissecting it using the Bro Network Security Monitor (Bro) to facilitate active threat hunting and detect possible intrusions in an efficient time.

  • Stopping Advanced Malware, Pre- and Post-Execution: A SANS Review of enSilo's Comprehensive Endpoint Security Platform Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - March 20, 2018 

    Sophisticated malware is the new weapon of choice for criminals and nation states. A multilayered self-defending security solution, agnostic to operating systems, mitigating malware in real time, enabling pre- and post-execution defense, is needed to defend against cyber attacks. In this review, SANS Instructor and Analyst Dave Shackleford tests enSilo's response against advanced malware and ransomware threats and explores how enSilo's features can alleviate the burden on security staff.

  • The Effectiveness of Tools in Detecting the 'Maleficent Seven' Privileges in the Windows Environment SANS.edu Graduate Student Research
    by Tobais McCurry - December 5, 2017 

    Windows privileges add to the complexity of Windows user permissions. Each additional user added to a group could lead to a domain compromise if not evaluated. Privileges can override permissions, causing a gap in perceived effective permissions. Currently, system administrators rely on tools such as Security Explorer, Permissions Analyzer for Active Directory, or Gold Finger to help with this problem. An analysis of these three tools that are supposed to help with permissions is needed to provide administrators a window into these complex effective permissions. The results of this research discovered a gap in identifying users with privileges with the current tools available. This gap was filled by the author by using PowerShell.

  • Closing the Skills Gap with Analytics and Machine Learning Analyst Paper (requires membership in SANS.org community)
    by Ahmed Tantawy - October 30, 2017 

    It is important that IT departments leverage automated analytics and machine learning solutions that connect the dots between seemingly random events and provide much-needed context, visibility and actionable advice. In this paper, we explain how to utilize and integrate analytics and machine learning to reduce the load on security professionals, while increasing visibility and accurately predicting attackers' next steps.

  • Offensive Intrusion Analysis: Uncovering Insiders with Threat Hunting and Active Defense SANS.edu Graduate Student Research
    by Matthew Hosburgh - July 21, 2017 

    Today's adversaries are advanced and more capable than ever before. Passive defensive tactics are no longer viable for pursuing these attackers. To compound the issue, the existence of an insider threat creates a challenging problem for the passive defender. One of the largest breaches of classified information was carried out by an insider. Months after the incident had occurred, the Department of Defense (DoD) only began to realize the implications of the leak. The damage did not solely rest with the United States. A cascade of consequences was felt in many parts of the world, resulting from this breach. Techniques like Threat Hunting attempt to diminish this problem by combating advanced threats with people, also known as Threat Hunters. Although Threat Hunting is proving to be invaluable for many organizations, there remains a chasm between detection and disclosure. Offensive Countermeasure tools such as the Web Bug Server and Molehunt can be leveraged as a means to proactively hunt insider threats. To keep up with the continually evolving human adversary, defenders must employ these offensive tactics to annoy and attribute their adversaries.

  • The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey Analyst Paper (requires membership in SANS.org community)
    by Rob Lee and Robert M. Lee - April 25, 2017 

    Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender’s networks. Results just in from our new SANS 2017 Threat Hunting Survey show that, for many organizations, hunting is still new and poorly defined from a process and organizational viewpoint.

  • The Importance of Business Information in Cyber Threat Intelligence (CTI), the information required and how to collect it by Deepak Bellani - April 20, 2017 

    Today most threat feeds are comprised of IOCs, with each feed providing 1-10M IOCs per year. As the CTI platform adds more feeds, the ability to filter and prioritize threat information becomes a necessity. It is well known that the SOC, Incident Response, Risk and Compliance groups are the primary consumers of CTI. Generating CTI prioritized in order of relevance and importance is useful to help focus the efforts of these high-performance groups. Relevance and importance can be determined using business and technical context. Business context is organizational knowledge, i.e., its processes, roles and responsibilities, underlying infrastructure and controls. Technical context is the footprint of malicious activity within the organization's networks, such as phishing activity, malware, and internal IOCs. In this paper, we will examine how business and technical information is used to filter and prioritize threat information.

  • Taking Action Against the Insider Threat Analyst Paper (requires membership in SANS.org community)
    by Eric Cole, PhD - October 5, 2016 

    Most organizations tend to focus on external threats, but insider threats are increasingly taking center stage. Insider threats come not only from the malicious insider, but also from infiltrators and unintentional insiders as well. Why are insider threats so common and why do they have such a significant impact? What is the difference between the different types of insider threats and the degree of risk they can constitute?

  • Threat Intelligence: What It Is, and How to Use It Effectively Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - September 19, 2016 

    In today’s cyber landscape, decision makers constantly question the value of their security investments, asking whether each dollar is helping secure the business. Meanwhile, cyber attackers are growing smarter and more capable every day. Today’s security teams often find themselves falling behind, left to analyze artifacts from the past to try to determine the future. As organizations work to bridge this gap, threat intelligence (TI) is growing in popularity, usefulness and applicability.

  • Automated Analysis of “abuse” mailbox for employees with the help of Malzoo by Niels Heijmans - August 23, 2016 

    For most companies, e-mail is still the main form of communication, both internally and with customers. Unfortunately, e-mail is also used heavily by cyber criminals in the form of spam, phishing, spear-phishing, fraud or to deliver malicious software. Employees receive these kinds of messages on a daily basis, even though strict security measures are implemented. Sometimes an employee will fall for the scam but often they will know when it is a false e-mail, especially after good awareness programs. Instead of letting them delete the e-mail, let them share it with you to learn and see what is coming through your security measures or what employees see as "fishy". But what should you do with the e-mails that are forwarded to this special "abuse" mailbox? Malzoo can be used to analyze this mailbox by picking up the e-mails, parsing them and sharing the results with the CERT team. By using the collected data, you can find new spam runs, update spam filters, receive new malware and learn in what parts of the company awareness is highest (and lowest). This paper explains the benefits and drawbacks of letting employees have a central point to report suspicious e-mail and how Malzoo can be used to automate the analysis.

  • Generating Hypotheses for Successful Threat Hunting Analyst Paper (requires membership in SANS.org community)
    by Robert M. Lee and David Bianco - August 15, 2016 

    Threat hunting is a proactive and iterative approach to detecting threats. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated. One of the human’s key contributions to a hunt is the formulation of a hypothesis to guide the hunt. This paper explores three types of hypotheses and outlines how and when to formulate each of them.

  • The Who, What, Where, When, Why and How of Effective Threat Hunting Analyst Paper (requires membership in SANS.org community)
    by Robert M. Lee and Rob Lee - March 1, 2016 

    The chances are very high that hidden threats are already in your organization’s networks. Organizations can’t afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Having a perimeter and defending it are not enough because the perimeter has faded away as new technologies and interconnected devices have emerged. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools by, for example, making their attacks look like normal activity.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.