Featuring 23 Papers as of September 16, 2016
Practical Attack Detection, Analysis, and Response using Big Data, Semantics, and Kill Chains within the OODA Loop (Masters) by Brian Nafziger - June 3, 2015
The traditional approach to using toolsets is to treat them as independent entities – detect an event on a device with one tool, analyze the event and device with a second tool, and finally respond against the device with a third tool. The independent detection, analysis, and response processes are traditionally static, slow, and disjointed.
Cyberspace: America's New Battleground by Maxwell Chi - November 20, 2014
In 2010, Nick Percoco, head of the cyber security team at IT security service provider TrustWave Holdings Inc., was called out to the headquarters of a leading U.S. defense contractor to investigate some anomalies (Taylor, 2011). The anomalies seemed innocent at first. A few employees had reported peculiar behavior by their PCs when they clicked on an innocuous-looking email attachment they had received.
A Practical Big Data Kill Chain Framework (Masters) by Brian Nafziger - October 2, 2014
Traditional toolsets using atomic syntactic-based detection methods have slowly lost the ability, in and of themselves, to detect and respond to today's well-planned, multi-phased, multi-asset, and multi-day attacks thereby leaving a gap in detecting these attacks.
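The two Nafziger abstracts above argue for correlating detection, analysis and response across tools and across kill-chain phases instead of treating each alert in isolation. The following is an added illustration, not code from either paper: it groups single-tool alerts by asset and reports assets whose alerts advance through at least three kill-chain phases in order within a seven-day window, which a per-alert signature match would never see. The phase names, the alert signatures, the tab-separated event format and the sample alerts are all constructed assumptions for this example.

```python
"""Correlate per-tool alerts into kill-chain sequences per asset.

Added example, not code from the papers listed on this page. The phase
list, the signature-to-phase mapping, the event format and the sample
alerts below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered phases (constructed; loosely follows the intrusion kill chain).
PHASES = ["recon", "delivery", "exploitation", "c2", "actions"]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}

# Constructed mapping from individual tool alert signatures to a phase.
SIGNATURE_PHASE = {
    "ids:portscan": "recon",
    "mail:attachment-exe": "delivery",
    "edr:office-spawns-shell": "exploitation",
    "proxy:beacon-periodic": "c2",
    "dlp:bulk-upload": "actions",
}

# Constructed sample alerts: "timestamp<TAB>tool:signature<TAB>asset".
SAMPLE_ALERTS = [
    "2016-03-01T09:12:00\tids:portscan\thost-a",
    "2016-03-02T08:05:00\tmail:attachment-exe\thost-a",
    "2016-03-02T08:07:30\tedr:office-spawns-shell\thost-a",
    "2016-03-04T02:00:00\tproxy:beacon-periodic\thost-a",
    "2016-03-06T23:40:00\tdlp:bulk-upload\thost-a",
    "2016-03-01T10:00:00\tids:portscan\thost-b",
    "2016-03-30T10:00:00\tproxy:beacon-periodic\thost-b",
    "2016-03-03T11:00:00\tmail:attachment-exe\thost-c",
    "2016-03-03T11:02:00\tedr:office-spawns-shell\thost-c",
]


def parse_event(line):
    """Parse one tab-separated alert line (constructed format)."""
    ts, sig, asset = line.rstrip("\n").split("\t")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "sig": sig,
        "asset": asset,
    }


def detect_chains(lines, min_phases=3, window=timedelta(days=7)):
    """Return {asset: [phases]} for assets whose alerts cover at least
    `min_phases` distinct phases in increasing kill-chain order, all
    within `window` of the chain's first alert. Alerts whose signature
    maps to no phase are ignored."""
    by_asset = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        phase = SIGNATURE_PHASE.get(ev["sig"])
        if phase is None:
            continue
        by_asset[ev["asset"]].append((ev["ts"], phase))

    findings = {}
    for asset, evs in by_asset.items():
        evs.sort()  # chronological order per asset
        best = []
        # Try each alert as the start of a chain and keep the longest
        # strictly phase-increasing sequence found inside the window.
        for i, (t0, p0) in enumerate(evs):
            chain = [(t0, p0)]
            last = PHASE_INDEX[p0]
            for t, p in evs[i + 1:]:
                if t - t0 > window:
                    break
                if PHASE_INDEX[p] > last:
                    chain.append((t, p))
                    last = PHASE_INDEX[p]
            if len(chain) > len(best):
                best = chain
        if len(best) >= min_phases:
            findings[asset] = [p for _, p in best]
    return findings


if __name__ == "__main__":
    for asset, phases in detect_chains(SAMPLE_ALERTS).items():
        print(f"{asset}: {' -> '.join(phases)}")
```

With the sample data, host-a is reported with all five phases; host-b is not, because its two alerts are 29 days apart; host-c is not, because two phases fall below the threshold. Lowering `min_phases` to 2 surfaces host-c, which is the tuning trade-off between earlier warning and more false positives.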
Simulating Cyber Operations: A Cyber Security Training Framework by Bryan K. Fite - February 14, 2014
The current shortage (Finkle & Randewich, 2012) of trained and experienced Cyber Operations Specialists, coupled with the increasing threat (Sophos, 2013) posed by targeted attacks (Verizon, 2013), suggests that more effective training methods must be considered.
Securing the “Internet of Things” Survey (Analyst Paper) by John Pescatore - January 15, 2014
- Associated Webcasts: SANS Analyst Webcast: SANS Survey on Securing The Internet of Things
- Sponsored By: Codenomicon, Norse
Survey reveals the risks introduced by an increasing array of "smart" things with wireless or Internet connections.
Tools and Standards for Cyber Threat Intelligence Projects (Masters) by Greg Farnham - October 22, 2013
Effective use of cyber threat intelligence (CTI) is an important tool for defending against malicious actors on the Internet.
InfoWar: Cyber Terrorism in the 21st Century Can SCADA Systems Be Successfully Defended, or are They Our "Achilles Heel"? by Michael Ratledge - March 28, 2013
While reading Erbschloe’s Information Warfare – How to Survive Cyber Attacks in early 2001, with his detailed descriptions of the potential and of how to protect ourselves against the same, it became painfully apparent that, given the current state of affairs, we were both unprepared and severely incognizant of exactly where the weaknesses in our corporate, government and military infrastructure were located.
Results of the SANS SCADA Security Survey (Analyst Paper) by Matthew Luallen - February 20, 2013
- Associated Webcasts: Results of the SANS SCADA Security Survey
- Sponsored By: Splunk, ABB, Industrial Defender
In-depth survey of SCADA system operators to determine their risk awareness and security practices.
Defense in Depth: An Impractical Strategy for a Cyber World by Prescott Small - February 20, 2012
Defense in Depth was developed to defend kinetic, real-world military or strategic assets by creating layers of defense that compel the attacker to expend a large amount of resources while straining supply lines.
The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare (Masters) by Terrence OConnor - February 14, 2012
We live in an era where a single soldier can digitally leak thousands of classified documents (possibly changing the course of war), attackers can compromise unmanned drone control software and intercept unencrypted video feeds, and recreational hackers can steal and release personal information from members of cyber think-tanks.
Mitigating Browser Based Exploits through Behavior Based Defenses and Hardware Virtualization (Masters) by Joseph Faust - October 7, 2011
There does not seem to be a day or week that goes by that one does not encounter a headline story about an organization being compromised and infiltrated by attackers.
Solution Architecture for Cyber Deterrence by Thomas Mowbray - April 29, 2010
The mission of cyber deterrence is to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means. This definition is derived from influential policy papers including Libicki (2009), Beidleman (2009), Alexander (2007), and Kugler (2009). The goal of cyber deterrence is to deny enemies “freedom of action in cyberspace” (Alexander, 2007). In response to a cyber attack, retaliation is possible but is not limited to the cyber domain. For example, in the late 1990s the Russian government declared that it could respond to a cyber attack with any of its strategic weapons, including nuclear (Libicki, 2009). McAfee estimates that about 120 countries are using the Internet for state-sponsored information operations, primarily espionage (McAfee, 2009).
Security for Critical Infrastructure SCADA Systems by Andrew Hildick-Smith - August 24, 2005
Supervisory Control and Data Acquisition (SCADA) systems and other similar control systems are widely used by utilities and industries that are considered critical to the functioning of countries around the world.
Federal Intrusion Detection, Cyber Early Warning and the Federal Response by Brian Fuller - June 19, 2003
This paper evaluates Priority One of the National Strategy to Secure Cyberspace, entitled "Priority 1: A National Cyberspace Security Response System," through a contextual analysis of the evolution of cyber early warning in the United States and an evaluation of the underlying technical model.
Redefining the Role of Information Warfare in Chinese Strategy by Edward Sobiesk - April 5, 2003
In this paper, a theory is introduced that China is currently executing a patient and deceptive form of information warfare that redefines the boundaries of Western definitions of the concept.
Implementing a Local Security Program to Protect National Infrastructure System Companies and Facili by Mark Loos - April 8, 2002
The purpose of this paper is to review the macro-level issues involved in the need for a national level infrastructure protection program and then focus on those pertinent threats and developments that drive the need for specific security programs at the local infrastructure company level.
Information Warfare: An Analysis of the Threat of Cyberterrorism Towards the US Critical Infrastruct by Shannon Lawson - February 19, 2002
The purpose of this paper is to explore the possibility of a terrorist group launching an information warfare attack against our infrastructure and to answer the question: Is the US ready to defend against a cyber attack?
Can Cyberterrorists Actually Kill People? by Scott Newton - January 30, 2002
Instead of simply causing annoying service disruptions, catastrophic data loss, or even the fall of a technology-dependent society, could cyber terrorists and information warriors use computers to actually kill people directly?
The Future of Information Warfare by Carter Gilmer - December 28, 2001
The present war against terrorism, precipitated by the decidedly low-tech use of airplanes on September 11, is raising the awareness of corporations and individuals with regard to the security of business and personal information.
Information Warfare - It's Everybody's Battle by Charles Coffey - October 3, 2001
Major companies and government agencies have been fighting a vicious battle for years to defend their automated information systems.
The China Syndrome by Charles Bacon - July 22, 2001
Though estimates vary, the ensuing "Cyberwar" between U.S. and Chinese hackers ultimately affected some 1,100 American web sites and 1,600 Chinese sites.
Information Warfare: The Unconventional Art In A Digital World by Eric Hrovat - June 30, 2001
Information warfare is the new art of subverting your enemy in the new battles of the 20th century and beyond.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.