
Reading Room


More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,800 original computer security white papers in 107 different categories.

Latest 25 Papers Added to the Reading Room

  • Times Change and Your Training Data Should Too: The Effect of Training Data Recency on Twitter Classifiers STI Graduate Student Research
    by Ryan O'Grady - July 11, 2018 in Artificial Intelligence

    Sophisticated adversaries are moving their botnet command and control infrastructure to social media microblogging sites such as Twitter. As security practitioners work to identify new methods for detecting and disrupting such botnets, including machine-learning approaches, we must better understand what effect training data recency has on classifier performance. This research investigates the performance of several binary classifiers and their ability to distinguish between non-verified and verified tweets as the offset between the age of the training data and test data changed. Classifiers were trained on three feature sets: tweet-only features, user-only features, and all features. Key findings show that classifiers perform best at +0 offset, feature importance changes over time, and more features are not necessarily better. Classifiers using user-only features performed best, with a mean Matthews correlation coefficient of 0.95 ± 0.04 at +0 offset, 0.58 ± 0.43 at -8 offset, and 0.51 ± 0.21 at +8 offset. The R² values are 0.90, 0.34, and 0.26, respectively. Thus, the classifiers tested with +0 offset accounted for 56% to 64% more variance than those tested with −8 and +8 offset. These results suggest that classifier performance is sensitive to the recency of the training data relative to the test data. Further research is needed to replicate this experiment with botnet vs. non-botnet tweets to determine if similar classifier performance is possible and the degree to which performance is sensitive to training data recency.

  • Content Security Policy in Practice by Varghese Palathuruthil - July 6, 2018 in Securing Code

    The implementation of Content Security Policy to leverage web browser capability in protecting a web application from cross-site scripting attack has been a challenge for many legacy web applications. Typical web applications maintained over the years accumulate a number of web pages that do not follow a consistent design. There are no widely available tools to quickly transform legacy web pages to adopt Content Security Policy. The results of this research cover the outcome of implementing a set of tools to address this need.
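As an added illustration of the retrofit problem the abstract describes (this is editor-written example code, not the paper's tooling), the script below takes a constructed legacy page, gives every inline `<script>` a per-response nonce, emits the matching nonce-based `Content-Security-Policy` header next to the weak `'unsafe-inline'` policy it replaces, and reports the constructs a nonce cannot authorise: inline event handlers and `javascript:` URLs, which must be rewritten by hand. The HTML, the regexes and the policy directives are assumptions chosen for the example; real pages should be walked with an HTML parser rather than regexes.

```python
import re
import secrets
from typing import List, Tuple

# Constructed legacy page (not from the paper): two inline scripts, one external
# script, an inline event handler and a javascript: URL.
LEGACY_HTML = """<html><head>
<script>var cfg = {debug: false};</script>
<script src="/static/app.js"></script>
</head><body>
<button onclick="submitForm()">Send</button>
<a href="javascript:void(0)">legacy link</a>
<script>initPage(cfg);</script>
</body></html>"""

# The policy many legacy apps ship with: it neuters CSP's XSS protection.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
INLINE_HANDLER = re.compile(r"""<[^>]*\s(on[a-z]+)\s*=\s*["'][^"']*["'][^>]*>""",
                            re.IGNORECASE)
JS_URL = re.compile(r"""\b(href|src)\s*=\s*["']\s*javascript:""", re.IGNORECASE)


def new_nonce() -> str:
    # A fresh, unpredictable nonce per response; never reuse across responses.
    return secrets.token_urlsafe(16)


def nonce_inline_scripts(html: str, nonce: str) -> str:
    """Add nonce="..." to every <script> that has neither src nor nonce."""
    def repl(m: "re.Match") -> str:
        attrs = m.group(1)
        if re.search(r"\bsrc\s*=", attrs, re.I) or re.search(r"\bnonce\s*=", attrs, re.I):
            return m.group(0)          # external or already nonced: leave as-is
        return f'<script nonce="{nonce}"{attrs}>'
    return SCRIPT_TAG.sub(repl, html)


def find_blockers(html: str) -> List[str]:
    """Constructs a nonce cannot cover; these need a manual rewrite."""
    found = [f"inline handler {m.group(1)}" for m in INLINE_HANDLER.finditer(html)]
    found += ["javascript: URL" for _ in JS_URL.finditer(html)]
    return found


def build_csp(nonce: str) -> str:
    # Hardened policy: inline script only with the nonce, no plugins,
    # no <base> hijacking.
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'")


def convert_page(html: str, nonce: str = None) -> Tuple[str, str, List[str]]:
    """Return (rewritten html, CSP header value, list of remaining blockers)."""
    nonce = nonce or new_nonce()
    return nonce_inline_scripts(html, nonce), build_csp(nonce), find_blockers(html)


if __name__ == "__main__":
    page, header, blockers = convert_page(LEGACY_HTML)
    print("Weak policy:    ", WEAK_CSP)
    print("Hardened policy:", header)
    print(page)
    for b in blockers:
        print("needs manual rewrite:", b)
```

Roll the hardened value out first as `Content-Security-Policy-Report-Only` so the report endpoint shows what the nonce policy would have blocked on each legacy page before enforcement is switched on.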

  • One-Click Forensic Analysis: A SANS Review of EnCase Forensic Analyst Paper
    by Jake Williams - June 27, 2018 in Application and Database Security, Tools

    When security incidents occur, law enforcement needs forensic information in hours, not days. The new features in EnCase Forensic 8 purport to assist investigators in gathering and analyzing key data in a more efficient manner. Learn more in this product review of EnCase Forensic 8.

  • Using Image Excerpts to Jumpstart Windows Forensic Analysis by John Brown - June 25, 2018 in Forensics

    There are many options available for acquiring, processing and analyzing forensic disk images. Choices range from feature-rich commercial tools that provide all-in-one solutions, to open source scripts for carrying out specific tasks. The availability of these tools and the hard work of those who contribute to the forensic community have made the job of the examiner much easier. Even with recent advances, analysis can still be time-consuming, particularly in the acquisition and processing of Windows full disk images. One alternative is to extract and analyze the files historically known to contain the most relevant data first. In many cases, a relatively small number of files contain the majority of information needed to perform a forensic examination. Tests were performed on Windows images to analyze some of these high-value artifacts to find an efficient approach for selectively acquiring and extracting different types of metadata. A script was then written to automate repetitive steps and leverage open source tools found on the most recent Linux version of the SANS SIFT virtual machine.

  • Cloud Security: Are You Ready? Analyst Paper
    by Dave Shackleford - June 18, 2018 in Application and Database Security, Best Practices

    As more midsize organizations move into the cloud, security professionals may wonder why cloud security seems difficult. More than likely, the real security challenge is the perceived loss of control. Numerous security best practices plus improved security products and services now exist. This short paper takes a look at some of the key elements and best practices for midsize enterprises looking to ensure security in their cloud implementations.

  • Windows 10 as a Forensic Platform STI Graduate Student Research
    by Ferenc Kovacs - June 15, 2018 in Forensics

    Microsoft Windows is widely used by forensic professionals. Windows 10 is the latest version available today. Many popular forensic packages such as FTK, EnCase, and Redline run only on Windows. Other packages such as Python, Volatility, The Sleuth Kit and Autopsy have Windows versions. This paper will detail the process of configuring a Windows 10 computer as a forensics investigation platform. It will show the necessary steps to set up the operating system and install Windows Subsystem for Linux, Python, VMware, and VirtualBox. The research will examine the setup of dd.exe, FTK Imager, EnCase Forensic Imager, Redline, The Sleuth Kit, Autopsy, the SANS SIFT workstation, Volatility and Log2Timeline. This research will also highlight the external devices that will be used, such as write blockers and external drives. Metrics will be collected to show the effectiveness of the software tools and hardware devices. By following the described steps, the reader will have a configured Windows 10 workstation that provides a useful platform for conducting forensic investigations.

  • Stopping IoT-based Attacks on Enterprise Networks Analyst Paper
    by G. W. Ray Davidson - June 14, 2018 

    The increased use of IoT devices on business networks presents a growing challenge to security, and printers are an especially overlooked device from a security perspective. This paper examines specific attack areas for IoT devices, particularly printers, including data, management, monitoring and reporting, and makes recommendations for protecting against various attacks.

  • Endpoint Protection and Response: A SANS Survey Analyst Paper
    by Lee Neely - June 12, 2018 in Clients and Endpoints

    Respondents have a vested interest in improving visibility, detection and response through more automated, integrated endpoint protection, detection and response technologies. In this survey, 84% of endpoint breaches included more than one endpoint. Desktops, laptops, server endpoints, endpoints in the cloud, SCADA and other IIoT devices are being caught in the dragnet of multi-endpoint breaches. Read on for more detail, best practices and advice.

  • Back to Basics: Building a Foundation for Cyber Integrity Analyst Paper
    by Barbara Filkins - June 6, 2018 in Security Awareness

    File integrity is at the heart of maintaining a secure cyber profile. But cyber security must also protect system integrity--the state of the infrastructure (encompassing applications, endpoints and networks) where intended functions must not be degraded or impaired by other changes or disruptions to its environments. This SANS Spotlight explores how cyber integrity weaves people, processes and technology together into a holistic framework that guards the modern enterprise against changes, whether authorized or unauthorized, that weaken security and destabilize operations.

  • Passive Analysis of Process Control Networks by Jennifer Janesko - June 1, 2018 in Intrusion Detection, Industrial Control Systems / SCADA, Tools

    In recent years there has been an increased push to secure critical ICS infrastructures by introducing information security management systems. One of the first steps in the ISMS lifecycle is to identify which assets are present in the infrastructure and to determine which ones are critical for operations. This is a challenge because, for various reasons, the documentation of the current state of ICS networks is often not up-to-date. Classic inventorying techniques such as active network scanning cannot be used to remedy this because ICS devices tend to be sensitive to unexpected network traffic. Active scanning of these systems can lead to physical damage and even injury. This paper introduces a passive network analysis approach to starting, verifying and/or supplementing an ICS asset inventory. Additionally, this type of analysis can also provide some insight into the ICS network’s current security posture.

  • Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules by Hirokazu Murakami - May 27, 2018 in Malicious Code

    Today, a lot of malware is being created and utilized. To solve this problem, many researchers study technologies that can quickly respond automatically to detected malware. Using artificial intelligence (AI) is such an example. However, modern AI has difficulty responding to new attack methods. On the other hand, malware consists of variants, and the root (core) part often uses the same technology. Therefore, I think that if we can identify that core part of malware through analysis, we can identify many variants as well. Consider the possibility of reverse engineering to identify countermeasures from malware analysis results.

  • Hunting Threats Inside Packet Captures by Muhammad Alharmeel - May 23, 2018 in Threat Hunting

    Inspection of packet captures (PCAP) for signs of intrusions is a typical everyday task for security analysts and an essential skill analysts should develop. Malware has many ways to hide its activities at the system level (i.e., rootkits), but in the end it must leave a visible trace at the network level, regardless of whether it is obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace and dissect it using Bro Network Security Monitor (Bro) to facilitate active threat hunting and detect possible intrusions efficiently.

  • Extracting Timely Sign-in Data from Office 365 Logs by Mark Lucas - May 22, 2018 in Logging Technology and Techniques

    Office 365 is quickly becoming a repository of valuable organizational information, including data that falls under multiple privacy laws. Timely detection of a compromised account and stopping the bad guy before data is exfiltrated, destroyed, or the account used for nefarious purposes is the difference between an incident and a compromise. Microsoft provides audit logging and alerting tools that can assist system administrators in finding these incidents. An examination of the efficacy and efficiency of these tools and their shortcomings and advantages provides insight into how to best use the tools to protect individual accounts and the organization as a whole.

  • Methods for the Controlled Deployment and Operation of a Virtual Patching Program STI Graduate Student Research
    by William Vink - May 20, 2018 in Threats/Vulnerabilities

    In today’s rapidly changing IT environments, new vulnerabilities are identified at an increasing pace and attackers are becoming more sophisticated in their ability to exploit these vulnerabilities. At the same time, systems have become more complex and are still used in conjunction with older technologies which results in challenges in testing and deploying traditional patches.

  • Automated Detection and Analysis using Mathematical Calculations by Lionel Teo - May 17, 2018 in Intrusion Detection

    A compromised system usually shows some form of anomalous behaviour. Examples include new processes, services, or outbound traffic. In an ideal environment, rules are configured to alert on such anomalies, and an analyst would perform further analysis to determine a possible compromise. However, the real-world situation is less than ideal; new processes, outbound traffic, or other anomalies often blend into legitimate activities. A large network can generate terabytes of data daily, making the task of developing efficient detection capabilities challenging. Mathematical calculations can enhance detection capability by emulating the human confidence level on assessment and analysis. Mathematical analysis can help understand the context of the event, establishing the fidelity of the initial investigation automatically. By incorporating automated analysis to handle false positives, human errors and false negatives can be avoided, resulting in a greater detection and monitoring capability.

  • Automate Threat Detection and Incident Response: SANS Review of RSA NetWitness Platform Analyst Paper
    by Ahmed Tantawy - May 10, 2018 in Intrusion Detection

    In a recent SANS survey, approximately 35 percent of respondents said their greatest impediment is a skills gap in their IT environments. With that in mind, we reviewed RSA NetWitness Platform, a solution that aims to bridge the human skills gap via machine learning and analytics. This review focuses on RSA NetWitness Platform and examines different views, from responding to an incident to performing an investigation and drilling down to see an activity in real time.

  • 10 Endpoint Security Problems Solved by the Cloud Analyst Paper
    by Deb Radcliff - May 4, 2018 in Best Practices, Threats/Vulnerabilities

    SANS surveys and testimonials from IT and security professionals indicate that endpoint security is a challenge. There is too much complexity and cost, defenses aren't keeping up, and security staff is stretched thin. This infographic explores how cloud can help address these issues.

  • Agile Security Patching by Michael Hoehl - May 3, 2018 in Best Practices, Project Management

    Security Patch Management is one of the biggest security and compliance challenges for organizations to sustain. History reveals that many of the large data breaches were successful because of a missing critical security update. Further, the frequency and scope of patching continue to grow. This paper presents a new approach to security patching following Agile and NIST methodology.

  • Do Random IP Lookups Mean Anything? by Jay Yaneza - May 2, 2018 in Intrusion Detection, Malicious Code

    Being able to identify the external IP address of a network is usually a benign activity. Applications may opt to use online services via an HTTP request or API call. Currently, there are some web-based applications that provide this kind of service openly, and some with possibly malicious uses. In fact, malware threats have been using these services to map out and identify their targets for quite some time already, an acknowledged fact hidden in technical write-ups but one which holds little recognition for an active defender. The goal of looking into these web services is to isolate threats that have abused the network service and identify this kind of network activity. If we can associate an external IP lookup with suspicious activity, then we can assume that an endpoint requires some form of investigation. Endpoint identification through IP addresses may pose a challenge, but the correct placement of the identification methods proposed in this paper may be considered. This paper will also look into the associated malicious activity that has used online services, the use of such services over time, differentiate the threats that use them, and finally how to detect them using open source tools, if applicable.
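As an added example of the detection idea in this abstract (editor-written; not the paper's code or its tooling), the script below runs over a few constructed proxy log lines, picks out requests to public "what is my IP" services, and then correlates each lookup with what the same client did in the following minutes. The watch list is a small illustrative set of real public IP-echo services; the log format, the five-minute window and the two scoring rules (non-browser user agent, lookup followed by a request to a bare IP address) are assumptions for the example, and 203.0.113.0/24 is a documentation range so no real host is implicated.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import urlparse

# Illustrative watch list of public IP-echo services; extend it from your own proxy data.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ifconfig.me", "icanhazip.com",
    "checkip.amazonaws.com", "ipinfo.io", "ip-api.com",
}

# Constructed proxy log, format: <iso-time> <client> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2018-05-02T09:00:01 10.1.2.30 GET http://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/66.0"
2018-05-02T09:00:05 10.1.2.30 GET http://api.ipify.org/?format=text 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/66.0"
2018-05-02T09:14:10 10.1.2.77 GET http://icanhazip.com/ 200 ""
2018-05-02T09:14:12 10.1.2.77 POST http://203.0.113.45/gate.php 200 ""
2018-05-02T09:14:40 10.1.2.77 GET http://www.example.com/ 200 ""
"""

LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                  r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed format into events; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "host": urlparse(m["url"]).hostname or "",
            "ua": m["ua"],
        })
    return events


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_lookup_findings(events: List[Dict],
                            window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """One finding per external-IP lookup, scored by what the client did next."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["host"] not in IP_LOOKUP_HOSTS:
                continue
            # Distinct hosts the same client contacted within the window after the lookup.
            followups = sorted({f["host"] for f in evs[i + 1:]
                                if f["ts"] - e["ts"] <= window and f["host"] != e["host"]})
            reasons = []
            if not e["ua"].startswith("Mozilla/"):
                reasons.append("non-browser user agent")
            if any(is_ip_literal(h) for h in followups):
                reasons.append("followed by request to a bare IP address")
            findings.append({"src": src, "ts": e["ts"].isoformat(), "service": e["host"],
                             "followups": followups, "score": len(reasons),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_ip_lookup_findings(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['src']} -> {f['service']} score={f['score']} "
              f"{'; '.join(f['reasons']) or 'benign-looking'} followups={f['followups']}")
```

A score of 0 (a browser hitting a lookup service and nothing odd afterwards) is the common benign case; the value of the lookup as an indicator comes from the correlation, not from the request on its own.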

  • Tailoring Intelligence for Automated Response Analyst Paper
    by Sonny Sarai - May 2, 2018 in Application and Database Security, Tools

    Overworked and understaffed IT security teams are trying to integrate threat intelligence into their detection, response, and protection processes -- but not very successfully. IT teams need fewer intelligence alerts and more visibility into external threats that matter to their enterprises. SANS Analyst Sonny Sarai discusses his experience reviewing IntSights' Enterprise Threat Intelligence and Mitigation Platform under simulated attack, detection, and remediation scenarios.

  • Back to Basics: Focus on the First Six CIS Critical Security Controls Analyst Paper
    by John Pescatore - May 1, 2018 in Security Trends

    Post-breach investigations reveal that the majority of security incidents occur because well-known security controls and practices were not implemented or were not working as organizations had assumed. This paper explores how Version 7.0 of the Center for Internet Security (CIS) Critical Security Controls addresses the current threat landscape, emerging technologies and tools, and changing mission and business requirements around security.

  • Security Testing and Vendor Selection with BreakingPoint Analyst Paper
    by Serge Borso - April 30, 2018 in Security Modeling

    In this product review conducted by SANS instructor Serge Borso, we learned that BreakingPoint is more than just a network testing tool. BreakingPoint provides a unique solution that enables security assessment, vendor selection and change management. It integrates well and is easy to use. We believe the tool has great value to the security community and specifically larger enterprises in the midst of infrastructure updates and those optimizing information security programs.

  • Understanding Mobile Device Wi-Fi Traffic Analysis by Erik Choron - April 24, 2018 in Intrusion Detection, Mobile Security

    Mobile devices have become more than just a portable vehicle to place phone calls in locations previously deprived of traditional phone service. In addition to versatile phone service, mobile devices include the capability of utilizing the internet through the Mobile Internet Protocol (IP). This can cause a problem whenever a device is roaming through different points of the cellular network. The IP handoff that takes place during the transfer between cellular towers can result in a degraded performance which can possibly impede traffic analysis. A thorough understanding of Wi-Fi traffic and Mobile IP technology could benefit network and system administrators and defenders by heightening awareness in a field that is surpassing more commonly understood technology.

  • Learning CBC Bit-flipping Through Gamification by Jeremy Druin - April 24, 2018 in Penetration Testing, Encryption & VPNs

    Cryptanalysis concepts like CBC Bit-flipping can be difficult to grasp through study alone. Working through "hands-on" exercises is a common teaching technique intended to assist, but freely available training tools may not be readily available for advanced web application penetration testing practice. To this end, this paper will describe CBC bit-flipping and offer instruction on trying this cryptanalysis technique. Also, a CBC bit-flipping game will be provided within the OWASP Mutillidae II web application. Mutillidae is a large collection of deliberately vulnerable web application challenges designed to teach web security in a stand-alone, local environment.
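To make the technique named in this abstract concrete, here is an added worked example (editor-written; it is not the Mutillidae challenge or the paper's code). It shows why CBC bit-flipping works: plaintext block n is D(C[n-1]) XOR C[n-1], so flipping a bit in ciphertext block n-1 flips the same bit in plaintext block n, at the cost of garbling block n-1. The example forges a cookie from `admin=0` to `admin=1` without the key, then shows the standard defence, an encrypt-then-MAC tag that rejects the forgery. To stay dependency-free, the block cipher is a toy 4-round Feistel network built on SHA-256; that cipher, the cookie layout and the keys are assumptions of the example, and the attack is identical against AES-CBC because it never touches the block cipher.

```python
import hashlib
import hmac

BLOCK = 16
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: any keyed PRF will do for the stand-in cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block cipher (4-round Feistel). Use AES in real code."""
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:               # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Returns IV || C1 || C2 || ... so the IV is available to the decryptor."""
    out, prev = b"", iv
    for i in range(0, len(pad(plaintext)), BLOCK):
        prev = block_encrypt(key, _xor(pad(plaintext)[i:i + BLOCK], prev))
        out += prev
    return iv + out


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = b"", iv
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)   # P[n] = D(C[n]) XOR C[n-1]
        prev = c
    return unpad(out)


def flip_byte(ciphertext: bytes, pt_index: int, old: int, new: int) -> bytes:
    """CBC bit-flipping without the key.

    With the IV||C1||C2 layout, plaintext byte j is XORed with ciphertext byte j
    (the previous block) during decryption, so XORing old^new into that byte turns
    `old` into `new` in the plaintext. The previous block's plaintext is garbled."""
    forged = bytearray(ciphertext)
    forged[pt_index] ^= old ^ new
    return bytes(forged)


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext, so any flip is detected."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")   # reject before decrypting
    return cbc_decrypt(enc_key, ct)


if __name__ == "__main__":
    key, mac_key, iv = b"\x42" * 16, b"\x17" * 32, bytes(range(16))   # assumed keys
    cookie = b"userid=1234;role=user;admin=0"       # byte 28 ('0') sits in block 2
    ct = cbc_encrypt(key, iv, cookie)
    forged = flip_byte(ct, cookie.index(b"admin=") + 6, ord("0"), ord("1"))
    print(cbc_decrypt(key, forged))                   # block 1 garbled, admin=1
    try:
        open_sealed(key, mac_key, flip_byte(seal(key, mac_key, iv, cookie), 28, 48, 49))
    except ValueError as e:
        print("sealed cookie:", e)
```

Putting the target byte in the first block and flipping the IV instead avoids the garbled block entirely, which is why an application that parses the cookie leniently is the usual victim; the MAC check (or an AEAD mode such as AES-GCM) is the fix, not stricter parsing.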

  • Securing the Corporate WLAN in a Healthcare Regulated Organization STI Graduate Student Research
    by Jim Pomeroy - April 6, 2018 in Compliance

    Wireless networks are a crucial component in the technology infrastructures of modern medical practices and have become an enabler of patient services in the healthcare industry. Healthcare organizations deploy wireless diagnostic devices to provide critical information at the point of care. These devices provide data to medical decision-makers in real time to improve patient outcomes. One of the challenges of integrating these new devices and services into the wireless networks of medical practices is wireless network security. Wireless networks have inherent risks, ranging from data leakage to availability issues in the event of a DoS (Denial of Service) attack or outage. It is critical to secure a patient’s personal information termed electronic protected healthcare information (ePHI) at all times. Protecting ePHI is a primary goal in designing wireless networks for a healthcare-focused organization. Wireless implementations must be designed to protect patient health information from breach or theft, while at the same time providing needed services to patients and clients. The primary goal of this research project was to provide a healthcare-focused consulting organization with a secure and compliant wireless network. The network is to enable employee collaboration, facilitate client engagement, and accomplish the primary security goal of protecting the company’s ePHI.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.