Final Week to get an iPad Pro or Surface Pro with Online Training!

Reading Room

SANS eNewsletters

Receive the latest security threats, vulnerabilities, and news with expert commentary

How mature is your CTI Program? Take SANS survey at and enter to win a $400 Amazon gift card or free pass to the SANS CTI Summit.

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,740 original computer security white papers in 105 different categories.

Latest 25 Papers Added to the Reading Room

  • Data Mining in the Dark: Darknet Intelligence Automation STI Graduate Student Research
    by Brian Nafziger - November 17, 2017 in Threat Intelligence

    Open-source intelligence offers value in information security decision making through knowledge of threats and malicious activities that potentially impact business. Open-source intelligence using the internet is common, however, using the darknet is less common for the typical cybersecurity analyst. The challenges to using the darknet for open-source intelligence includes using specialized collection, processing, and analysis tools. While researchers share techniques, there are few publicly shared tools; therefore, this paper explores an open-source intelligence automation toolset that scans across the darknet - connecting, collecting, processing, and analyzing. It describes and shares the tools and processes to build a secure darknet connection, and then how to collect, process, store, and analyze data. Providing tools and processes serves as an on-ramp for cybersecurity intelligence analysts to search for threats. Future studies may refine, expand, and deepen this paper's toolset framework.

  • Leverage Risk Focused Teams to Strengthen Resilience against Cyber Risks STI Graduate Student Research
    by Dave Bishop - November 17, 2017 in Disaster Recovery

    Information security, risk management, audit and business continuity teams must continue to evolve and mature to combat the growing cyber risks impacting business operations. Each team has standards and frameworks, but they often dont speak the same language or understand how each group intersects in protecting the organization. This research identifies opportunities to reduce resource duplication and integrate information security and risk-focused teams to strengthen the organizations resilience against cyber risks.

  • The State of Honeypots: Understanding the Use of Honey Technologies Today STI Graduate Student Research
    by Andrea Dominguez, - November 17, 2017 in Intrusion Detection

    The aim of this study is to fill in the gaps in data on the real-world use of honey technologies. The goal has also been to better understand information security professionals views and attitudes towards them. While there is a wealth of academic research in cutting-edge honey technologies, there is a dearth of data related to the practical use of these technologies outside of research laboratories. The data for this research was collected via a survey which was distributed to information security professionals. This research paper includes details on the design of the survey, its distribution, analysis of the results, insights, lessons learned and two appendices: the survey in its entirety and a summary of the data collected.

  • Cyber Defense Challenges from the Small and Medium-Sized Business Perspective STI Graduate Student Research
    by Aric Asti - November 17, 2017 in Home & Small Office

    With 5.7 million SMBs in the United States, it is essential that the risks involving cybersecurity events are identified. Small and medium-sized businesses (SMBs) face different challenges than large enterprises in regard to cybersecurity. The goal of this project was to survey SMBs and reveal organizational barriers that impact the cybersecurity posture of SMBs. An online survey was administered with a final sample size of 22 SMBs. Significant results showed that the top challenges were finances to pay talent, regulatory compliance and professionally available talent. As a result of inadequate information technology (IT) and cybersecurity staffing, 64% of respondents were unaware if a successful cyber-attack had taken place. The significant challenge SMBs face is their security posture and knowing if they have been or are being targeted against a cyber-attack. The main objective of this project was to show the security profile of the typical SMB. Educational, software and hardware tools should be promoted to increase the security posture of SMBs. Further research might focus more on the staffing and dedicated hours of IT and cybersecurity employees.

  • Exploring the Effectiveness of Approaches to Discovering and Acquiring Virtualized Servers on ESXi STI Graduate Student Research
    by Scott Perry - November 17, 2017 in Best Practices, Forensics, Incident Handling

    As businesses continue to move to virtualized environments, investigators need updated techniques to acquire virtualized servers. These virtualized servers contain a plethora of relevant data and may hold proprietary software and databases that are relatively impossible to recreate. Before an acquisition, investigators sometimes rely on the host administrators to provide them with network topologies and server information. This paper will demonstrate tools and techniques to conduct server and network discovery in a virtualized environment and how to leverage the software used by administrators to acquire virtual machines hosted on vSphere and ESXi.

  • Cyber Threat Intelligence Support to Incident Handling STI Graduate Student Research
    by Brian Kime - November 17, 2017 in Threat Intelligence

    Recent research has shown increased awareness of Cyber Threat Intelligence (CTI) capabilities. However, CTI teams continue to be underutilized and have had difficulty demonstrating the value they can add to digital forensics incident response (DFIR) teams. Meta-analysis of multiple surveys will identify where the gaps in knowledge exist. The paper will suggest how CTI can support DFIR at each level of intelligence and operations tactical, operational, and strategic and during each phase of the incident response lifecycle preparation; detection and analysis, containment, eradication, and recovery; and lessons learned. CTI teams should have priority intelligence requirements (PIRs) and a collection plan that supports answering those PIRs. In return, DFIR needs to share investigations and incident reports with the CTI team to reduce risk to the organization, decrease the time to detect an incident and decrease the time to remediate an incident. This paper builds on previous work by the author to develop CTI processes to support CTI planning.

  • Tackling the Unique Digital Forensic Challenges for Law Enforcement in the Jurisdiction of the Ninth U.S. Circuit Court STI Graduate Student Research
    by John Garris - November 17, 2017 in Forensics, Legal Issues

    The creation of a restrictive digital evidence search protocol by the U.S. Ninth Circuit Court of Appeals - the most stringent in the United States - triggered intense legal debate and caused significant turmoil regarding digital forensics procedures and practices in law enforcement operations. Understanding the Court's legal reasoning and the U.S. Department of Justice's counter-arguments regarding this protocol is critical in appreciating how the tension between privacy concerns and the challenges to law enforcement stand at the center of this unique Information Age issue. By focusing on the Court's core assumption that the seizure and search of electronically stored information are inherently overly intrusive, digital forensics practitioners have a worthy target to focus their efforts in the advancement of digital forensics processes, procedures, techniques, and tool-sets. This paper provides an overview of various proposals, developments, and possible approaches to help address the privacy concerns central to the Court's decision, while potentially improving the overall effectiveness and efficiency of digital forensic operations in law enforcement.

  • Supplementing Windows Audit, Alerting, and Remediation with PowerShell by Daniel Owen - November 16, 2017 in Information Assurance, Microsoft Windows, Scripting Tips

    This paper outlines the use of PowerShell to supplement audit, alerting, and remediation platform for Windows environments. This answers the question of why use PowerShell for these purposes. Several examples of using PowerShell are included to start the thought process on why PowerShell should be the security multi-tool of first resort. Coverage includes how to implement these checks in a secure, automatable way. To demonstrate the concepts discussed, small code segments are included. The intent of the included code segments is to inspire the reader's creativity and create a desire to use PowerShell to address challenges in their environment. Finally, a short section includes resources for code examples and learning tools. While some knowledge of PowerShell will aid the reader, the intended audience of this paper is the PowerShell novice.

  • Threat Rigidity in Cybersecurity STI Graduate Student Research
    by Mike Weeks - November 3, 2017 in Critical Controls

    Fear Uncertainty and Doubt (FUD) works as an influence strategy by amateur cybersecurity professionals over an organization, and as a result, FUD Fatigue develops causing a negative impact on their credibility (Anderson 2014). Is there a better way to effect change while maintaining credibility? A social science theory called Threat Rigidity (Staw et al.,1980) addresses organizational responses to threats by describing a constriction in control and a restriction in information processing. The theory of Threat Rigidity theory and its concepts describes FUD Fatigue in that FUD is utilized to spur the threat-rigidity response and will cause a decrement in performance when the level of response is inappropriate for the threat. Threat Rigidity leveraged by a competent cybersecurity professional allows for not only the management of a threat but also the ability to implement critical controls to safeguard the organization from future attacks and move the organization back into an innovative state.

  • Creating a Logging Infrastructure STI Graduate Student Research
    by Brian Todd - November 3, 2017 in Logging Technology and Techniques

    Logs are an essential aspect of understanding what is occurring in a company's network infrastructure and a company's applications. Log events help analysts to understand the health of the network and give insight into many types of issues. This paper explains how to set up a logging infrastructure by covering log formats and data sources. Then the discussion includes different ways to collect logs and transmit them. This paper then goes over how to pick relevant log sources and events to enable for collection. A company-wide architecture describes the process of collecting logs from offices across the world. Once the company-wide architecture is set up, the paper goes over some correlations using data from a real production network. The paper finishes by reviewing tools that are used to process, index, and correlate all the events that are received.

  • Building the Airplane in Mid-Flight: Bringing Cyber Security Structure to Special Operations Units STI Graduate Student Research
    by Adam Baker - November 3, 2017 in Getting Started/InfoSec

    Special operations units, born in the fire of urgency and required to be dynamically flexible, may operate for many years without a single cyber security representative. Once hired mid-stream into such a construct, a cyber security professional can be immediately overwhelmed with the breadth of the challenge before him or her: how to overcome cultural and technical challenges to introduce a comprehensive cyber security program into the ad-hoc structure of multi-classification, multi-network, multi-agency information systems and personnel. However, when armed with the lessons from cyber professionals from similar units who were thrown into a similar cauldron and succeeded, a newly-hired information security officer or manager can bring order to the unconventional chaos and ensure continued mission success. This paper will examine the experiences of cyber security professionals who overcame the challenges of securing information systems and personnel in units decidedly different from the rigid DoD structure or the corporate world. After reading, new information security professionals will have practical principles for securing their systems and soldiers, staying out of jail, and enjoying their jobs!

  • Cloud Security: Defense in Detail if Not in Depth Analyst Paper
    by Dave Shackleford - October 31, 2017 in Cloud Computing

    Survey respondents feel that they lack visibility, auditability and effective controls to monitor everything that goes on in their public clouds. We are, however, seeing increased use of security controls within cloud provider environments and wider use of security-as-a-service (SecaaS) solutions to achieve in-house and external security and compliance requirements. Related findings and best practices are discussed in the following report.

  • Closing the Skills Gap with Analytics and Machine Learning Analyst Paper
    by Ahmed Tantawy - October 30, 2017 in Security Analytics and Intelligence, Threat Hunting

    It is important that IT departments leverage automated analytics and machine learning solutions that connect the dots between seemingly random events and provide much-needed context, visibility and actionable advice. In this paper, we explain how to utilize and integrate analytics and machine learning to reduce the load on security professionals, while increasing visibility and accurately predicting attackers' next steps.

  • Blueprint for CIS Control Application: Securing the Oracle E-Business Suite Analyst Paper
    by Barbara Filkins - October 26, 2017 in Security Awareness, Best Practices, Threats/Vulnerabilities

    This paper looks at how the Critical Security Controls can be used to secure Oracle's E-Business Suite (EBS), using an approach that considers application- as well as network-related issues.

  • Privacy and the Internet of Things by Peter Milley - October 25, 2017 in Internet of Things, Digital Privacy

    The Internet of Things has gotten a lot of attention over the past year or so, and for good reason. From a security perspective, Internet-connected devices are easy targets, especially when they are not designed with security in mind. But, in addition to the concerns of botnets and DoS attacks, some newer devices also raise information privacy concerns.

  • 2017 State of Application Security: Balancing Speed and Risk Analyst Paper
    by Jim Bird - October 24, 2017 in Application and Database Security

    Agile teams deliver working software every few weeks. High-speed cross-functional DevOps teams push software changes directly to production multiple times each day. Organizations are taking advantage of cloud platforms and on-demand services, containerization, and automated build and continuous delivery pipelines. All of this radically changes how development teams—and their security/risk management teams—think and work. Read on to learn more.

  • Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark STI Graduate Student Research
    by Gabriel Sanchez - October 20, 2017 in Industrial Control Systems / SCADA

    Though attacks on the industrial control system (ICS) and their protocols are not a new occurrence, recent years have highlighted a growing trend in such attacks. To make matters worse, cyber defenders have also dealt with a slow migration to more secure ICS protocols due to costs associated with equipment downtime. With the increase in attacks and the slow migration to more secure ICS protocols, it is crucial for cyber defenders to be able to quickly set up labs to mimic and observe how potential attacks on the ICS network function so that necessary defenses and detection mechanisms can be put in place. This paper lays out how to setup a lab with multiple virtual machines and ICS software that can observe a Master workstation controlling a PLC. First, Wireshark will be used to illustrate and compare normal Modbus TCP communications between the Master and PLC workstations. Wireshark will then be used to demonstrate and compare a MITM attack with an Ettercap filter that manipulates the Modbus TCP communications against both workstations.

  • Enhance Your Investigations with Network Data by Matt Bromiley - October 19, 2017 in Breaches, Forensics

    Network forensics is its own specialized field that often introduces complex protocols, jargon, and analysis techniques that are potentially confusing to practitioners. But particular artifacts can be leveraged to determine the attack sequence and to offer a more complete picture of the breach. In this white paper, SANS analyst and instructor Matt Bromiley examines the power of network forensics and why it should be incorporated into all incident response investigations.

  • Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform Analyst Paper
    by Dave Shackleford - October 17, 2017 in Security Awareness, Threats/Vulnerabilities, Tools

    SANS Analyst Dave Shackleford presents his experience reviewing Endgame's Managed Detection and Response Services under real-world threats in a simulated environment.

  • Online Safety in a Foreign Language - Connecting with Teens by Chris Elgee - October 16, 2017 in Security Awareness

    The inescapable dangers of our increasingly connected world are likely most threatening to our young adults. Teens, especially, see social media and related online platforms as inextricable from their public and private personas. These digital natives have grown up being comfortable with sharing all aspects of their lives with the Internet - without the healthy suspicion and caution of those who have seen the technology grow over the years. The importance of protecting our teenage Internet denizens apparent, it falls to parents, teachers, and industry professionals to effectively educate this group. What follow are tested methods and associated research on relating to and informing teenagers so they might understand and properly mitigate the risks they face. Importantly, this paper explores these topics in a way that doesn't overstate the dangers or attempt to upheave the norms of communication so organic to this generation.

  • Can the "Gorilla" Deliver? Assessing the Security of Google's New "Thread" Internet of Things (IoT) Protocol STI Graduate Student Research
    by Kenneth Strayer - October 6, 2017 in Internet of Things

    Security incidents associated with Internet of Things (IoT) devices have recently gained high visibility, such as the Mirai botnet that exploited vulnerabilities in remote cameras and home routers. Currently, no industry standard exists to provide the right combination of security and ease-of-use in a low-power, low-bandwidth environment. In 2014, the Thread Group, Inc. released the new Thread networking protocol. Google's Nest Labs recently open-sourced their implementation of Thread in an attempt to become a market standard for the home automation environment. The Thread Group claims that Thread provides improved security for IoT devices. But in what way is this claim true, and how does Thread help address the most significant security risks associated with IoT devices? This paper assesses the new IEEE 802.15.4 "Thread" protocol for IoT devices to determine its potential contributions in mitigating the OWASP Top 10 IoT Security Concerns. It provides developers and security professionals a better understanding of what risks Thread addresses and what challenges remain.

  • AppSec: ROI Justifying Your AppSec Program Through Value-Stream Analysis Analyst Paper
    by Jim Bird - October 4, 2017 in Application and Database Security

    In this paper we focus narrowly on the impact of application security on the end-to-end software development value chain. We also look at ways to identify and balance cost and risk to help you decide which tools and practices are most practical and cost effective for your organization.

  • Cyber Security and Data Integrity Problems Within the GAMP 5 Validation Process by Jason Young - September 26, 2017 in HIPAA

    When addressing the pharmaceutical industry's computerized systems risk within manufacturing, the International Society for Pharmaceutical Engineering (ISPE) has created the Good Automated Manufacturing Process (GAMP) as a leading industry standard. It is a validation process based on user requirements and product quality that applies information security through its computer systems validation (CSV) guidance. Problems arise due to information security roles, methodologies and technical controls not being clearly defined within GAMP guidance. These gaps within the CSV process are further exacerbated by cultural issues within the quality unit because they manage all aspects of information security and do not apply industry best business practices used in other industries. Finally, these gaps result in systems which do not incorporate the most basic protections for systems and data that should be expected from this industry. When compared to other industries like the Payment Card Industry (PCI), the security measures are woefully inadequate given the criticality of information processed by these life science systems. Because the production of pharmaceuticals is drastically different than other industries due the level of regulation on activities outside of computerized systems, relying on the International Standards Organization (ISO) or the United States National Institute of Science and Technology (NIST) as recommended by the ISPE is not adequate. Specialized guidance on how information security principles must be modified to fit within this model must be explored to provide relevance to the CSV process.

  • Hardening BYOD: Implementing Critical Security Control 3 in a Bring Your Own Device (BYOD) Architecture STI Graduate Student Research
    by Christopher Jarko - September 22, 2017 in Critical Controls

    The increasing prevalence of Bring Your Own Device (BYOD) architecture poses many challenges to information security professionals. These include, but are not limited to: the risk of loss or theft, unauthorized access to sensitive corporate data, and lack of standardization and control. This last challenge can be particularly troublesome for an enterprise trying to implement the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSCs). CSC 3, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers, calls for hardened operating systems and applications. Even in traditional enterprise environments, this requires a certain amount of effort, but it is much more difficult in a BYOD architecture where computer hardware and software is unique to each employee and company control of that hardware and software is constrained. Still, it is possible to implement CSC 3 in a BYOD environment. This paper will examine options for managing a standard, secure Windows 10 laptop as part of a BYOD program, and will also discuss the policies, standards, and guidelines necessary to ensure the implementation of this Critical Security Control is as seamless as possible.

  • Botnet Resiliency via Private Blockchains STI Graduate Student Research
    by Jonny Sweeny - September 22, 2017 in Covert Channels

    Criminals operating botnets are persistently in an arms race with network security engineers and law enforcement agencies to make botnets more resilient. Innovative features constantly increase the resiliency of botnets but cannot mitigate all the weaknesses exploited by researchers. Blockchain technology includes features which could improve the resiliency of botnet communications. A trusted, distributed, resilient, fully-functioning command and control communication channel can be achieved using the combined features of private blockchains and smart contracts.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.