
Reading Room







More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 3,020 original computer security white papers in 111 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Centra (Analyst Paper; requires membership in SANS.org community)
    by Dave Shackleford - June 29, 2020 in Security Policy Issues, Risk Management

    Organizations are taking advantage of digital transformation in their quest to boost agility and shrink infrastructure costs. However, this transformation often comes at a cost: a larger, more complex security attack surface. Guardicore Centra aims to provide a simpler, faster way to reduce attack surfaces and prevent lateral movement in an IT environment via micro-segmentation security policies. In this product review, SANS analyst Dave Shackleford shares his experience of putting Centra through its paces.


  • Improving Analyst Efficiency in Office365 Business Email Compromise Investigation Scenarios Through the Implementation of Open Source Tools (SANS.edu Graduate Student Research)
    by Aaron Elyard - June 25, 2020 in Free and Open Source Software

    Working within Microsoft’s browser-based O365 Graphical User Interface (GUI) can be challenging for DFIR practitioners when time is of the essence. PowerShell-based cmdlets are often preferred due to their flexibility, speed, and efficiency compared to a browser-based approach. However, in his professional career, the author has observed that more junior analysts may not feel comfortable using command line tools. Additionally, they may not have devoted the appropriate time to learning the various options needed to obtain the data they need for their investigations. This paper explores a tool the author created to bridge the gap between the browser-based GUI and raw PowerShell. It examines the impact of the use of such a tool on the analyst’s efficiency, measured in the number of interactive actions an analyst must take.


  • ICS Asset Identification: It's More Than Just Security (Analyst Paper; requires membership in SANS.org community)
    by Mark Bristow - June 24, 2020 in Industrial Control Systems / SCADA, Risk Management

    Historically, asset identification has been associated with time-consuming and costly cybersecurity efforts. In this new SANS report, Mark Bristow, SANS ICS Active Defense and Incident Response certified instructor, explores the critical resources needed to start an asset identification program. The author also explains how asset identification can enhance ROI through such benefits as improved maintenance, reduced mean time to repair, and increased availability.


  • Natural Language Processing for the Security Analyst (SANS.edu Graduate Student Research)
    by Daniel Severance - June 24, 2020 in Security Analytics and Intelligence

    Data science is an emerging multidisciplinary field that offers multiple benefits to information security. Within this field, there is an inherent ability to do anomaly detection at scale. Recently there are increased efforts in applied data sciences in the field of information security and assurance, however there can be a high barrier to entry due to the mathematics required. Nonetheless, topics such as natural language processing can be and have been integrated into security toolsets successfully. These computational linguistic methods can effectively be used to empower analysis techniques. This paper examines the viability of applying these language techniques in security anomaly detection and the ability to integrate with existing security tools.


  • Real-Time Honeypot Forensic Investigation on a German Organized Crime Network (SANS.edu Graduate Student Research)
    by Karim Lalji - June 23, 2020 in Threat Hunting

    German police raided a military-grade NATO bunker in the fall of 2019, believed to have been associated with a dark web hosting operation supporting a variety of cybercrimes. The organized crime group has gone by the aliases of CyberBunker, ZYZtm, and Calibour (Dannewitz, 2019). While most of the group's assets were seized during the initial raid, the IP address space remained and was later sold to Legaco Networks. Before being shut down, Legaco Networks temporarily redirected the traffic to the SANS Internet Storm Center honeypots for examination. The intention behind this examination was to identify malicious traffic patterns or evidence of illegal activity to assist the information security community in understanding the techniques of a known adversary. Analysis of the network traffic revealed substantial residual botnet activity, phishing sites, ad networks, pornography, and evidence of potential Denial of Service (DoS) attacks. The investigation uncovered a possible instance of Gaudox malware, IRC botnets, and a wide variety of reconnaissance activities related to Mirai-variant IoT exploits. A survey of the network activity is provided with an emphasis on potential botnet activity and Command and Control (C&C) communication.


  • Securing the Soft Underbelly of a Supercomputer with BPF Probes (SANS.edu Graduate Student Research)
    by Billy Wilson - June 18, 2020 in Intrusion Detection, Linux Issues

    High-performance computing (HPC) sites have a mission to help researchers obtain results as quickly as possible, but research contracts often require security controls that degrade performance. One standard solution is to secure a set of login nodes that mediate access to an enclave of lightly monitored compute nodes, referred to as “the soft underbelly of a supercomputer” by one DoD representative (National, 2016). Recent advances in the BPF subsystem, a Linux tracing technology, have provided a new means to monitor compute nodes with minimal performance degradation. Well-crafted BPF traces can detect malicious activity on an HPC cluster without slowing down systems or the researchers that depend on them. In this paper, a series of low-profile attacks are conducted against a compute cluster under heavy computational load, and BPF probes are attached to detect the attacks. The probes successfully log all attacks, and performance loss is less than one percent for all benchmarks save for one inconclusive set.


  • How to Use NERC-CIP: An Overview of the Standards and Their Deployment with Fortinet (Analyst Paper; requires membership in SANS.org community)
    by Tim Conway and Ted Gutierrez - June 17, 2020 in Industrial Control Systems / SCADA

    This paper is a unique review of a few key Fortinet products and how those products align with existing NERC CIP regulation requirements. It also examines how those products might aid an organization in the process of maintaining compliance and explores the product features that will help defend the organization's program during an audit.


  • Recognizing Suspicious Network Connections with Python (SANS.edu Graduate Student Research)
    by Gregory Melton - June 17, 2020 in Active Defense

    Endpoint protection solutions tend to focus on system indicators and known malicious code to defend both enterprise and Small Office-Home Office (SOHO) users. In the absence of a Security Operations Center (SOC) or paid antivirus services, there are few proactive defense options for hobbyists and SOHO owners. A significant problem is how advanced persistent threat (APT) actors' Tactics, Techniques, and Procedures (TTPs) have changed over the years; it is common for advanced actors to exploit poorly defended subcontractors and seemingly less relevant targets. This brings the Small Office-Home Office into the picture as a pivotal defense point against advanced attackers. This research intends to focus on attackers using shell, terminal, or Remote Access Tool (RAT) connections to SOHO endpoints. This research seeks to block interactive connections with system-level network logging and blacklist automation. This method will recognize malicious connections and automatically block them in near real time.
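
    The blocking approach the abstract describes, as an added example that is not the author's tool: it parses constructed lines in the shape of Linux `ss -tnp` output, flags shell-like processes talking to external peers and admin-port sessions arriving from outside the trusted LAN, and returns (but does not run) iptables rules for the flagged peers. The trusted ranges, the list of shell-like binary names and the admin ports are assumptions a SOHO operator would tune.

```python
"""Flag and block suspicious interactive connections from `ss -tnp` output.

Added example, not the paper's tool. SAMPLE_SS is constructed in the shape of
`ss -tnp` on Linux; TRUSTED_NETS, SHELL_LIKE and ADMIN_PORTS are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Assumption: anything outside these ranges is "external" for this host.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]
# Assumption: processes that should never hold a socket to an external peer on a SOHO box.
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "python3", "perl", "nc", "ncat", "socat"}
# Local services whose inbound sessions should only come from the trusted LAN.
ADMIN_PORTS = {22, 3389, 5900}

SS_STATES = {"ESTAB", "SYN-SENT", "SYN-RECV", "CLOSE-WAIT"}
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Finding:
    reason: str
    process: str
    pid: int
    local_port: int
    peer_ip: str
    peer_port: int


def split_endpoint(endpoint: str):
    """'192.0.2.1:443' or '[2001:db8::1]:443' -> (ip, port)."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(ss_lines: List[str]) -> List[Finding]:
    """Apply the two rules to each established socket; header/unparsable lines are skipped."""
    findings = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] not in SS_STATES:
            continue
        _local_ip, local_port = split_endpoint(fields[3])
        peer_ip, peer_port = split_endpoint(fields[4])
        m = PROC_RE.search(line)
        process, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        if is_trusted(peer_ip):
            continue
        if process in SHELL_LIKE:
            findings.append(Finding("shell-like process with external peer",
                                    process, pid, local_port, peer_ip, peer_port))
        elif local_port in ADMIN_PORTS:
            findings.append(Finding("admin service session from outside trusted networks",
                                    process, pid, local_port, peer_ip, peer_port))
    return findings


def block_commands(findings: List[Finding]) -> List[str]:
    """iptables commands dropping both directions for each flagged peer (returned, not executed)."""
    cmds = []
    for ip in sorted({f.peer_ip for f in findings}):
        tool = "ip6tables" if ":" in ip else "iptables"
        cmds.append(f"{tool} -I INPUT -s {ip} -j DROP")
        cmds.append(f"{tool} -I OUTPUT -d {ip} -j DROP")
    return cmds


# Constructed sample: one browser session, one bash reverse shell, one LAN ssh login, one ssh login from outside.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB  0      0      192.168.1.20:52114   203.0.113.44:443     users:(("firefox",pid=2211,fd=88))
ESTAB  0      0      192.168.1.20:40322   203.0.113.9:4444     users:(("bash",pid=3150,fd=3))
ESTAB  0      0      192.168.1.20:22      192.168.1.7:55120    users:(("sshd",pid=900,fd=4))
ESTAB  0      0      192.168.1.20:22      198.51.100.77:60101  users:(("sshd",pid=910,fd=4))
""".splitlines()

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_SS)
    for f in found:
        print(f)
    for cmd in block_commands(found):
        print(cmd)
```

    In practice the script would poll `ss -tnp` as root (process names of other users' sockets are hidden otherwise) and hand the commands to the firewall. Two caveats a practitioner would add before automating the block: an allowlist for the operator's own remote addresses, since the admin-port rule will happily lock out the legitimate administrator, and a log-only mode for the first days to catch benign software that happens to be on the shell-like list. A RAT that names its process after a system binary defeats the process-name rule; the peer-based rule is the backstop.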


  • Answering the Unanswerable Question: How Secure Are We? (SANS.edu Graduate Student Research)
    by Jason Bohreer - June 3, 2020 in Metrics and Visualization

    Business environments consist of invisible or ill-defined risk factors which create challenges with prioritization for business owners, systems owners, and IT/Security teams in their goal to improve their security position. The security of the environment relies upon the appropriate people understanding and addressing the risks. However, they typically do not have the relevant understanding, and therefore, the capability to act, due to the complexities of the defense-in-depth strategies. Security professionals have a good understanding of the relationships between the various controls and have numerous tools to consolidate logs and network traffic. However, while many of these tools are “best-of-breed” and operate within their information silos, they lack native methods to populate external systems to aggregate the findings in a risk-based approach which business stakeholders require to make decisions. By designing a framework to collect and measure different aspects of security, this research explores how to remove the operational fog that obscures our vision of our environments. With layers of fog removed, the improved clarity allows us to make quantitative assessments of our security by examining how security controls relate to one another.


  • Remote Workers Poll (Analyst Paper; requires membership in SANS.org community)
    by Heather Mahalik - June 3, 2020 in Case Studies, Telecommuting

    Remote work has quickly become the "new normal" with the COVID-19 pandemic. Organizations have been forced to rethink how they will get work done with their employees mandated to stay home. How are organizations handling working from home? How well were companies prepared for remote work? How have technological needs changed with this shift? How are teams communicating? How are devices and communications being secured? When a time like this does not allow for the mission to halt, employees and employers have scrambled to keep the work going. Ensuring that teams are equipped, communicating, and safe at home is key during this time. This webinar, led by Heather Mahalik, SANS Senior Instructor, Author and Senior Director of Digital Intelligence at Cellebrite, covers how companies have adjusted to this new landscape as a workforce. How have things changed, and how are we coping and keeping the ball rolling forward from home?


  • Applying the Scientific Method to Threat Hunting
    by Jeremy Kerwin - May 28, 2020 in Threat Hunting

    Threat hunting is a proactive approach to discovering attackers within an organization. Without the use of a repeatable framework, the practice of threat hunting is challenging and time-consuming for an analyst. The scientific method, used in fields such as medicine and physics, is a repeatable methodology that can be applied to threat hunting to detect threats to an organization.


  • Factoring Enterprise IoT Devices into Detection and Response (Analyst Paper; requires membership in SANS.org community)
    by Matt Bromiley - May 27, 2020 in Intrusion Detection, Internet of Things

    With the advent of the cloud, corporate networks are becoming more complex. There is a constant state of change with new types of devices installed daily. To keep pace, you will need an approach to threat detection and response that enables your team’s full visibility so it can quickly adapt and include enterprise IoT devices in its response plans. This paper explores the growth of enterprise IoT devices inside corporate networks and how they change the shape of incident detection and response. The enterprise device landscape is dynamic; it’s prudent for your information security team to track changes to understand the effects on your network.


  • Is Your Threat Hunting Working? A New SANS Survey for 2020 (Analyst Paper; requires membership in SANS.org community)
    by Mathias Fuchs - May 26, 2020 in Threat Hunting

    Although threat hunting has become a mandatory task to establish an acceptable level of security, the demand for skilled hunters far exceeds the number of available specialists. In this new research, SANS queried organizations about how they approach threat hunting, the barriers to success and how they measure their efforts. This paper explores what exactly leads to the shortage of suitable personnel and how it affects security organizations’ capabilities to utilize threat hunting teams.


  • Responding to Incidents in Industrial Control Systems: Identifying Threats/Reactions and Developing the IR Process (Analyst Paper; requires membership in SANS.org community)
    by Don C. Weber - May 21, 2020 in Industrial Control Systems / SCADA, Threats/Vulnerabilities

    Threats, attacks and incidents are not decreasing. Industrial control systems (ICS) have become increasingly vulnerable as cyber criminals discover that OT environments are viable targets. This paper outlines the incident response process in OT environments and provides examples of the pitfalls of being unprepared.


  • QUIC & The Dead: Which of the Most Common IDS/IPS Tools Can Best Identify QUIC Traffic? (SANS.edu Graduate Student Research)
    by Lehlan Decker - May 20, 2020 in Intrusion Detection

    The QUIC protocol created by Google for use in their popular browser Chrome has begun to be adopted by other browsers. Some organizations have a robust strategy to handle TLS with HTTP2. However, QUIC (HTTP/2 over UDP) lacks visibility via crucial information security tools such as Wireshark, Zeek, Suricata, and Snort. Lack of visibility is due to both its use of TLS 1.3 for encryption and UDP for communication. The defender is at a disadvantage as selective blocking of QUIC isn’t always possible. Moreover, some QUIC traffic may be legitimate, and so outright blocking of endpoints that use QUIC is likely to cause more issues than it solves. To complicate matters further, QUIC has begun to appear in Command and Control (C2) frameworks like Merlin as an additional means of hiding traffic.
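
    What "identifying QUIC traffic" amounts to on the wire, as an added example that is not code from the paper or from any of the tools it compares: a classifier for the cleartext part of IETF QUIC v1 (RFC 9000) packets inside a UDP payload. Long-header packets (Initial, 0-RTT, Handshake, Retry, Version Negotiation) carry the version and both connection IDs in the clear, so they can be identified positively; short-header (1-RTT) packets carry only a fixed bit and a destination connection ID of unknown length, which is exactly why a sensor needs flow state to label them. The four sample packets are constructed, not captured, and the parser does not decode gQUIC or QUIC v2 layouts.

```python
"""Classify UDP payloads as IETF QUIC v1 (RFC 9000) long-header, short-header or not QUIC.

Added example, not code from the paper. Only the unencrypted long-header
fields are decoded, which is all a passive sensor sees without the
connection keys. The sample packets are constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import List, Optional

QUIC_V1 = 0x00000001
QUIC_V2 = 0x6B3343CF                  # RFC 9369; used here only in the Version Negotiation sample
LONG_PACKET_TYPES_V1 = {0: "initial", 1: "0-rtt", 2: "handshake", 3: "retry"}
MAX_CID_LEN = 20                      # RFC 9000 s17.2: v1 connection IDs are at most 20 bytes


def read_varint(buf: bytes, pos: int):
    """Decode a QUIC variable-length integer (RFC 9000 s16); returns (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[pos] >> 6)     # top two bits select 1, 2, 4 or 8 bytes
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length


def _take_cid(buf: bytes, pos: int):
    """Read a length-prefixed connection ID; returns (cid, next_pos)."""
    if pos >= len(buf) or pos + 1 + buf[pos] > len(buf):
        raise ValueError("truncated connection id")
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n


@dataclass
class QuicVerdict:
    form: str                               # "long", "short" or "not-quic"
    packet_type: Optional[str] = None       # initial, 0-rtt, handshake, retry, version-negotiation, unknown-version
    version: Optional[int] = None
    dcid: bytes = b""
    scid: bytes = b""
    token_len: Optional[int] = None         # Initial packets only
    versions: List[int] = field(default_factory=list)   # offered by a Version Negotiation packet
    notes: List[str] = field(default_factory=list)


def classify_udp_payload(payload: bytes) -> QuicVerdict:
    """Long headers are identified positively; a short-header verdict is provisional
    because the DCID length is not on the wire and must come from flow state."""
    if not payload:
        return QuicVerdict("not-quic", notes=["empty payload"])
    first = payload[0]
    if not first & 0x80:                    # Header Form bit clear: short header or not QUIC
        if not first & 0x40:                # Fixed Bit must be 1 in v1
            return QuicVerdict("not-quic", notes=["fixed bit clear"])
        return QuicVerdict("short", notes=["provisional: confirm against flow state"])
    if len(payload) < 7:
        return QuicVerdict("not-quic", notes=["long header truncated"])
    version = int.from_bytes(payload[1:5], "big")
    try:
        dcid, pos = _take_cid(payload, 5)
        scid, pos = _take_cid(payload, pos)
    except ValueError as exc:
        return QuicVerdict("not-quic", version=version, notes=[str(exc)])
    verdict = QuicVerdict("long", version=version, dcid=dcid, scid=scid)
    if version == 0:                        # Version Negotiation (RFC 9000 s17.2.1): versions follow the CIDs
        verdict.packet_type = "version-negotiation"
        rest = payload[pos:]
        verdict.versions = [int.from_bytes(rest[i:i + 4], "big") for i in range(0, len(rest) - 3, 4)]
        return verdict
    if not first & 0x40:
        return QuicVerdict("not-quic", version=version, notes=["fixed bit clear"])
    if len(dcid) > MAX_CID_LEN or len(scid) > MAX_CID_LEN:
        verdict.notes.append("connection id longer than 20 bytes")
    if version != QUIC_V1:
        verdict.packet_type = "unknown-version"   # v2, drafts and gQUIC use layouts this parser does not decode
        return verdict
    verdict.packet_type = LONG_PACKET_TYPES_V1[(first >> 4) & 0x03]
    if verdict.packet_type == "initial":
        try:
            verdict.token_len, pos = read_varint(payload, pos)
        except ValueError:
            verdict.notes.append("initial packet truncated before token length")
        if len(payload) < 1200:
            verdict.notes.append("datagram below the 1200-byte minimum for Initial packets (RFC 9000 s14.1)")
    return verdict


# Constructed samples: a client Initial, a server Version Negotiation, a 1-RTT packet, a plain DNS query.
DCID = bytes.fromhex("8394c8f03e515708")
SAMPLE_INITIAL = (bytes([0xC3]) + QUIC_V1.to_bytes(4, "big") + b"\x08" + DCID + b"\x00"
                  + b"\x00"                 # token length 0
                  + b"\x44\xd0"             # Length = 1232 as a 2-byte varint
                  + b"\x00" * 1240)         # packet number and encrypted payload (padded)
SAMPLE_VERSION_NEGOTIATION = (bytes([0xC0]) + b"\x00\x00\x00\x00" + b"\x00" + b"\x08" + DCID
                              + QUIC_V1.to_bytes(4, "big") + QUIC_V2.to_bytes(4, "big"))
SAMPLE_SHORT = bytes([0x41]) + DCID + b"\x00" * 32
SAMPLE_DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    for name, pkt in (("initial", SAMPLE_INITIAL), ("vn", SAMPLE_VERSION_NEGOTIATION),
                      ("short", SAMPLE_SHORT), ("dns", SAMPLE_DNS_QUERY)):
        print(name, classify_udp_payload(pkt))
```

    The practical consequence for the IDS comparison is visible in the short-header branch: a UDP/443 datagram whose first byte happens to have bit 0x40 set is indistinguishable from 1-RTT QUIC without having seen the flow's Initial, so a sensor that misses the handshake (late start, asymmetric routing) can only guess. The connection IDs are also what lets a passive tool follow a connection across a client's IP change, which a 5-tuple-keyed flow table cannot do.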


  • Quantifying Threat Actor Assessments (SANS.edu Graduate Student Research)
    by Andy Piazza - May 20, 2020 in Threat Intelligence

    The cyber threat landscape is a complex mix of adversaries, vulnerabilities, and emerging capabilities. Within this environment, Chief Information Security Officers (CISOs) must prioritize resources and projects to maximize their defenses against the most significant threats. The challenge, though, lies in assessing threats to an organization in a meaningful way. By assessing threat actors’ intent to target a specific organization for certain attack types, information security leaders can determine which malicious actors are most likely to target their enterprise. The assessment of the threat actors’ documented capabilities for those specific attack types allows leaders to wade through the fear, uncertainty, and doubt (FUD) of vendor marketing and nation-state saber-rattling to prioritize capabilities for defensive posturing. This paper introduces the Threat Box, a Cartesian coordinate system, which portrays threat actors’ intent and capabilities as an executive communication tool for information security leaders to depict the prioritization of threat actors.


  • Ebb and Flow: Network Flow Logging as a Staple of Public Cloud Visibility or a Waning Imperative? (SANS.edu Graduate Student Research)
    by Dennis Taggart - May 18, 2020 in Cloud Computing

    The basic tenets of information security remain relatively unchanged even while specific examples of security-related tools, processes, and procedures may shift in popularity over time. Deciding what to prioritize and recommend as a security professional can be challenging, but the most straightforward cases are those justified by the quantitative reduction of risk. In this search for quantitative risk reduction, it is worthwhile for security professionals to consider that the methods used to fulfill basic security needs in one environment may not provide the same benefit in another. The 2019 version of the Cloud Security Alliance's Top Threats to Cloud Computing document warns of critical security issues facing public cloud consumers (Cloud Security Alliance, 2019, p.40). The CSA also acknowledges their work concentrates less on some of the more traditional security threats like “vulnerabilities and malware”, while calling for further research (Cloud Security Alliance, 2019, p.40). This whitepaper inhabits the category of additional research and also occupies a space parallel, but perhaps not identical to classical security views. This research assumes a slightly-less-traditional approach by not taking the value of flow logging, or its costs in the cloud, for granted. It further asserts that given limited resources, there may be more directly valuable logging sources available. This paper establishes a quantitative methodology for judging the effectiveness of flow and non-flow logging as applied in a public cloud environment. It exercises this methodology by simulating top cloud computing threats and examining the capabilities of each.


  • 2020 SANS Automation and Integration Survey (Analyst Paper; requires membership in SANS.org community)
    by Don Murdoch - May 18, 2020 in Automation, Security Trends

    This year's Automation and Integration Survey aimed to quantify automation experiences and more concretely understand how organizations are able to maximize their security investment and improve operations through automation efforts. This paper explores what automation activities have been successful, why they have been successful, and how organizations set up their automation activities to achieve meaningful results.


  • How to Implement a Software-Defined Network Security Fabric in AWS (Analyst Paper; requires membership in SANS.org community)
    by Dave Shackleford - May 18, 2020 in Network Access Control, Cloud Computing

    Maintaining control and visibility of network assets in hybrid networks creates many security challenges. In this paper, you'll learn proven strategies such as building a control stack of cloud-native and third-party controls to ensure confidentiality and availability of assets; using SD-WAN and cloud security-as-a-service to provide edge security in a unified network fabric; and leveraging infrastructure-as-code for automation and management of infrastructure.


  • Efficacy of UNIX HIDS (SANS.edu Graduate Student Research)
    by Janusz Pazgier - May 15, 2020 in Intrusion Detection

    There has been an increase in UNIX-based adversarial activity, as enterprises and users shift towards the platform (WatchGuard, 2017). The focus of this paper is to demonstrate the effectiveness of three separately installed host-based intrusion detection systems (HIDS): OSSEC, Samhain, and Auditd, and their ability to detect specific MITRE ATT&CK tactics. Custom scripts implement the ATT&CK tactics of privilege escalation, persistence, and data exfiltration. The goal is to inform security professionals about the pros and cons of implementing each of these HIDS.


  • Dealing with DoH: Methods to Increase DNS Visibility as DoH Gains Traction (SANS.edu Graduate Student Research)
    by Scott Fether - May 6, 2020 in Intrusion Detection, DNS Issues

    Microsoft is planning to implement DNS over HTTPS (DoH) in the native Windows DNS Client (Jensen, Pashov, & Montenegro, 2019). Firefox and Chrome have already implemented this protocol in their browsers. Because of DoH’s encrypted nature and use of port 443, security analysts will need to adjust their log collection and analysis techniques. Much of the literature available regarding DoH suggests either preventing the use of DoH (Hjelm, 2019, p. 20) or utilizing SSL/TLS proxies to inspect the queries (Middlehurst, 2018). Firefox can generate host logs on DoH resolution, which includes unencrypted queries and answers. This research will explore various inspection and logging techniques that will identify the most effective approach to analyzing DoH.
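
    What the inspection option in the abstract requires once a TLS proxy (or a host-side logger) can see the plaintext HTTP request, as an added example that is not code from the paper: recover the DNS wire message that a DoH request carries (RFC 8484 puts it base64url-encoded in the `dns` query parameter of a GET, or as the body of a POST with Content-Type `application/dns-message`), then parse the header and question so it can be logged like an ordinary DNS query. The GET value is the RFC 8484 example query for www.example.com; the POST body and the non-DoH request are constructed.

```python
"""Recover the DNS question from a DNS-over-HTTPS request (RFC 8484).

Added example, not from the paper: this is the decoding a TLS-inspecting
proxy or a host-side logger has to do once it sees the plaintext HTTP
request. The requests below are constructed, not captured.
"""
import base64
import struct
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

DNS_MESSAGE_TYPE = "application/dns-message"
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 65: "HTTPS"}


def extract_dns_message(method: str, target: str, content_type: str = "", body: bytes = b"") -> Optional[bytes]:
    """Return the raw DNS wire message carried by a DoH request, or None if it is not one.
    GET: base64url without padding in the 'dns' parameter. POST: the body, if typed as dns-message."""
    if method == "GET":
        params = parse_qs(urlsplit(target).query)
        if "dns" not in params:
            return None
        encoded = params["dns"][0]
        return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    if method == "POST" and content_type.split(";")[0].strip().lower() == DNS_MESSAGE_TYPE:
        return body
    return None


def read_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Decode a DNS name at pos, following compression pointers (RFC 1035 s4.1.4);
    returns (name, position after the name as it appeared at pos)."""
    labels, jumped, end, hops = [], False, pos, 0
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                   # compression pointer to an earlier name
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if not jumped:
                end = pos + 2
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        pos += 1
        if length == 0:
            if not jumped:
                end = pos
            break
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels) or ".", end


def parse_question(msg: bytes) -> dict:
    """Parse the 12-byte header and the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, pos = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "qclass": qclass, "answers": ancount}


def doh_request_to_log(method: str, target: str, content_type: str = "", body: bytes = b"") -> Optional[str]:
    """One line in the shape of a conventional DNS query log, or None for non-DoH traffic."""
    msg = extract_dns_message(method, target, content_type, body)
    if msg is None:
        return None
    q = parse_question(msg)
    return f"doh {method} id={q['id']:#06x} {q['qname']} {q['qtype']}"


# Constructed requests. The GET value is the RFC 8484 s4.1.1 example: an A query for www.example.com.
SAMPLE_GET = ("GET", "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB")
SAMPLE_POST_BODY = (b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    + b"\x07tracker\x07invalid\x00" + b"\x00\x1c\x00\x01")   # AAAA tracker.invalid
SAMPLE_POST = ("POST", "/dns-query", DNS_MESSAGE_TYPE, SAMPLE_POST_BODY)
SAMPLE_PLAIN = ("GET", "/index.html")

if __name__ == "__main__":
    for req in (SAMPLE_GET, SAMPLE_POST, SAMPLE_PLAIN):
        print(doh_request_to_log(*req))
```

    Two points the code makes visible: matching on the URL path (`/dns-query`) is not enough, because resolvers may serve DoH on any path, so a proxy should key on the `dns` parameter or the `application/dns-message` content type instead; and this only works where the proxy actually terminates TLS, so a client that pins the resolver's certificate (or a browser profile that refuses the enterprise CA) falls back to the blocking strategy the abstract mentions.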


  • All Roads Lead to the Browser: A SANS Buyer's Guide to Browser Isolation (Analyst Paper; requires membership in SANS.org community)
    by Matt Bromiley - May 6, 2020 in Intrusion Prevention, Threats/Vulnerabilities

    As organizations move to the cloud, browser dependency becomes more prevalent. That's why we say the browser is the new endpoint. By limiting the impact a browser can have on a victim system, organizations can prevent web code from reaching the endpoint. Find out how browser isolation works, key factors to consider when evaluating, implementing and testing solutions, and how to integrate browser isolation into your security posture to stop attacks earlier.


  • Cyber Range – The Future of Cyber Security Training
    by Carlos Perez Gonzalez - May 5, 2020 in Training

    Both the private and government sectors are looking for talent. Thousands of vacancies are going unfilled as the industry struggles with a shortage of adequately trained professionals. According to the latest forecasts, there will be 3.5 million unfilled cybersecurity jobs by 2021. The challenges related to finding talent are not new, and this problem has grown in recent years with an increase in cyber-attacks.


  • Birthday Hunting
    by Jack Burgess - May 4, 2020 in Incident Handling, Threat Hunting

    The Birthday Problem has a number of applications to incident response. Existing tools can both narrow the focus of the incident response team and limit their experience to a small subset of alerts. This leaves specialized tools to do the analysis before anything is investigated, imposing a range of biases. We show that randomly selected investigation of nodes in the environment has a significant likelihood of finding the adversary. This allows for the evaluation of threat hunting and security operations. The approach is then extended to the evaluation of cybersecurity machine learning products. These products may be complicated and opaque. The approach presented avoids the need to understand the internals, shifting analyst focus to business-as-usual operations.
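
    The random-investigation argument in the abstract made concrete, as an added example in my formulation rather than a formula quoted from the paper: the chance that a uniformly random sample of k distinct hosts out of N contains at least one of m compromised hosts is 1 - C(N-m, k)/C(N, k), the hypergeometric probability of at least one hit, and the smallest k that reaches a target confidence follows by bisection on that monotone function. N, m and the confidence used below are constructed inputs.

```python
"""Probability that a random sample of hosts includes at least one compromised host.

Added example; the formula is the standard hypergeometric "at least one hit"
probability, my reading of the abstract's random-investigation idea, not a
formula quoted from the paper. Inputs in __main__ are constructed.
"""


def p_find_adversary(n_hosts: int, n_compromised: int, sample: int) -> float:
    """P(a sample of `sample` distinct hosts contains >= 1 of the `n_compromised`).

    Exactly 1 - C(N-m, k)/C(N, k); computed as 1 - prod_{i<m} (N-k-i)/(N-i), which is
    the same ratio after cancelling the factorials and avoids huge binomials."""
    n, m, k = n_hosts, n_compromised, sample
    if not 0 <= m <= n or not 0 <= k <= n:
        raise ValueError("counts out of range")
    if k > n - m:
        return 1.0                          # pigeonhole: the sample cannot avoid every compromised host
    miss = 1.0
    for i in range(m):
        miss *= (n - k - i) / (n - i)
    return 1.0 - miss


def sample_size_for(n_hosts: int, n_compromised: int, confidence: float = 0.95) -> int:
    """Smallest sample size reaching the confidence, by bisection on the monotone probability."""
    lo, hi = 0, n_hosts
    while lo < hi:
        mid = (lo + hi) // 2
        if p_find_adversary(n_hosts, n_compromised, mid) >= confidence:
            hi = mid
        else:
            lo = mid + 1
    return lo


def coverage_table(n_hosts: int, n_compromised: int, samples):
    """(sample size, probability) pairs for a quick what-if in a hunt plan."""
    return [(k, round(p_find_adversary(n_hosts, n_compromised, k), 3)) for k in samples]


if __name__ == "__main__":
    N, M = 1000, 10                          # constructed: 1,000 hosts, 10 of them compromised
    for k, p in coverage_table(N, M, (10, 50, 100, 250, 500)):
        print(f"investigate {k:4d} random hosts -> P(find at least one) = {p}")
    print("hosts needed for 95% confidence:", sample_size_for(N, M, 0.95))
```

    The lesson for a hunt plan is in the numbers: with 1% of a 1,000-host estate compromised, examining 100 random hosts finds the adversary roughly two times in three, and about a quarter of the estate has to be examined for 95% confidence. A hunt that repeatedly comes up empty at those sample sizes is evidence about the hypothesis (how many hosts are compromised, or whether the per-host check actually detects the adversary), which is the evaluation use the abstract points at.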


  • Detecting DLL Search Order Hijacking: How using a purple team approach can help create better defensive techniques and a more tactical SIEM
    by Lasse Hauballe Jensen - May 4, 2020 in Logging Technology and Techniques

    Many SIEM analysts will recognize the feeling of being overwhelmed with security logs and alerts, and having to deal with them using a SIEM that gets slower and slower. For many, it may even seem that the SIEM has transitioned into being an overpriced log storage system. Figuring out how to make the SIEM faster, more tactical, and defensive-oriented will also be a way to make the analysts better and happier. It will also provide more accurate reporting for managers, and lastly, it will reduce storage and processing requirements, reducing the overall cost of running a SIEM.
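
    The detection side of the purple-team loop in the title, as an added example that is not the paper's rule set: scoring Sysmon Event ID 7 (Image loaded) records for DLL search-order hijacking. Three checks are applied: a DLL whose name belongs to the System32 baseline was resolved from somewhere else; a binary under Windows or Program Files pulled a DLL from a user-writable directory; and a Windows binary loaded an unsigned DLL. The events are constructed dicts keyed like Sysmon's fields (Image, ImageLoaded, Signed, Signature); the baseline of system DLL names is an assumption, in practice generated from a clean reference host. The red-team half of the loop is the part that drops a DLL with a baseline name beside a vulnerable binary and confirms that these events appear and score.

```python
"""Score Sysmon Event ID 7 (Image loaded) records for DLL search-order hijacking.

Added example, not the paper's rule set. SAMPLE_EVENTS are constructed dicts
keyed like Sysmon's ImageLoaded fields; SYSTEM_DLL_BASELINE is an assumption
(build the real one from a clean reference host's System32 listing).
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Assumption: names a clean reference build has in System32 (a real baseline has thousands).
SYSTEM_DLL_BASELINE = {"ntdll.dll", "kernel32.dll", "version.dll", "dbghelp.dll",
                       "cryptbase.dll", "wlbsctrl.dll", "iphlpapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Directories a standard user can write to; a DLL here is reachable by a non-admin attacker.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
PROTECTED_IMAGE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Alert:
    severity: str
    rule: str
    image: str
    image_loaded: str


def _norm(path: str) -> str:
    """Case-insensitive comparison: Windows paths are, and Sysmon preserves the caller's case."""
    return path.lower().replace("/", "\\")


def _under(path: str, prefixes) -> bool:
    return any(path.startswith(pfx) for pfx in prefixes)


def analyze_image_load(ev: Dict[str, str]) -> List[Alert]:
    image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    dll_name, dll_dir = ntpath.basename(loaded), ntpath.dirname(loaded)
    signed = str(ev.get("Signed", "false")).lower() == "true"
    writable = any(marker in loaded for marker in USER_WRITABLE_MARKERS)
    alerts: List[Alert] = []
    # Rule 1: a DLL name that lives in System32 was resolved from somewhere else (the hijack itself).
    if dll_name in SYSTEM_DLL_BASELINE and not _under(dll_dir, SYSTEM_DIRS):
        severity = "high" if (writable or not signed) else "medium"   # vendor apps do ship dbghelp.dll
        alerts.append(Alert(severity, "system-dll-name-outside-system32", image, loaded))
    # Rule 2: a binary under Windows/Program Files loaded code from a user-writable directory.
    if writable and _under(image, PROTECTED_IMAGE_DIRS):
        alerts.append(Alert("high", "protected-binary-loads-from-writable-dir", image, loaded))
    # Rule 3: a Windows binary loaded an unsigned DLL; low confidence on its own, so only when nothing else fired.
    if not signed and _under(image, ("c:\\windows\\",)) and not alerts:
        alerts.append(Alert("low", "windows-binary-loads-unsigned-dll", image, loaded))
    return alerts


def run_detection(events: List[Dict[str, str]]) -> List[Alert]:
    """Flatten alerts for a batch of events; this is what would leave the endpoint for the SIEM."""
    return [a for ev in events for a in analyze_image_load(ev)]


# Constructed events: a normal load, a hijack beside a dropped installer, a vendor-shipped
# dbghelp.dll, and a system service loading a baseline DLL name out of ProgramData.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Program Files\Vendor\dbghelp.dll",
     "Signed": "true", "Signature": "Vendor Ltd"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\ProgramData\Updater\wlbsctrl.dll",
     "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

    Scoring on the endpoint is the "tactical SIEM" point: only the four scored events above would be forwarded, not every image load. Two gaps to close in the purple-team rounds: a missing-DLL ("phantom") hijack where the planted name is not in the baseline at all, which rule 1 cannot see and which needs the process's CreateFile failures or a known-vulnerable-binary list instead; and vendor directories that legitimately carry baseline names, which should be moved from medium to an allowlist once verified rather than left to generate noise.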


All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.