Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,720 original computer security white papers in 105 different categories.

Latest 25 Papers Added to the Reading Room

  • Hardening BYOD: Implementing Critical Security Control 3 in a Bring Your Own Device (BYOD) Architecture STI Graduate Student Research
    by Christopher Jarko - September 22, 2017 in Critical Controls

    The increasing prevalence of Bring Your Own Device (BYOD) architecture poses many challenges to information security professionals. These include, but are not limited to: the risk of loss or theft, unauthorized access to sensitive corporate data, and lack of standardization and control. This last challenge can be particularly troublesome for an enterprise trying to implement the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSCs). CSC 3, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers, calls for hardened operating systems and applications. Even in traditional enterprise environments, this requires a certain amount of effort, but it is much more difficult in a BYOD architecture where computer hardware and software is unique to each employee and company control of that hardware and software is constrained. Still, it is possible to implement CSC 3 in a BYOD environment. This paper will examine options for managing a standard, secure Windows 10 laptop as part of a BYOD program, and will also discuss the policies, standards, and guidelines necessary to ensure the implementation of this Critical Security Control is as seamless as possible.


  • Botnet Resiliency via Private Blockchains STI Graduate Student Research
    by Jonny Sweeny - September 22, 2017 in Covert Channels

    Criminals operating botnets are persistently in an arms race with network security engineers and law enforcement agencies to make botnets more resilient. Innovative features constantly increase the resiliency of botnets but cannot mitigate all the weaknesses exploited by researchers. Blockchain technology includes features which could improve the resiliency of botnet communications. A trusted, distributed, resilient, fully-functioning command and control communication channel can be achieved using the combined features of private blockchains and smart contracts.


  • OSSIM: CIS Critical Security Controls Assessment in a Windows Environment. STI Graduate Student Research
    by Kevin Geil - September 22, 2017 in Logging Technology and Techniques

    Use of a Security Information and Event Management (SIEM) or log management platform is a recommendation common to several of the “CIS Critical Security Controls For Effective Cyber Defense” (2016). Because the CIS Critical Security Controls (CSC) focus on automation, measurement and continuous improvement of control application, a SIEM is a valuable tool. Alienvault's Open Source SIEM (OSSIM) is free and capable, making it a popular choice for administrators seeking experience with SIEM. While there is a great deal of documentation on OSSIM, specific information that focuses on exactly what events to examine, and then how to report findings is not readily accessible. This paper uses a demo environment to provide specific examples and instructions for using OSSIM to assess a CIS Critical Security Controls implementation in a common environment: A Windows Active Directory domain. The 20 Critical Security Controls can be mapped to other controls in most compliance frameworks and guidelines; therefore, the techniques in this document should be applicable across a wide variety of control implementations.


  • Trust No One: A Gap Analysis of Moving IP-Based Network Perimeters to A Zero Trust Network Architecture STI Graduate Student Research
    by John Becker - September 22, 2017 in Firewalls & Perimeter Protection

    Traditional IP-based access controls (e.g., firewall rules based on source and destination addresses) have defined the network perimeter for decades. Threats have evolved to evade and bypass these IP restrictions using techniques such as spear phishing, malware, credential theft, and lateral movement. As these threats evolve, so have the demands from end users for increased accessibility. Remote employees require secure access to internal resources. Cloud services have moved the perimeter outside of the enterprise network. The DevOps movement has emphasized speed and agility over up front network designs. This paper identifies gaps to implementation for organizations in the discovery phase of migrating to identity-based access controls as described by leading cloud companies.


  • A Spicy Approach to WebSockets: Enhancing Bro’s WebSockets Network Analysis by Generating a Custom Protocol Parser with Spicy STI Graduate Student Research
    by Jennifer Gates - September 22, 2017 in Intrusion Detection

    Although the Request for Comments (RFC) defining WebSockets was released in 2011, there has been little focus on using the Bro Intrusion Detection System (IDS) to analyze WebSockets traffic. However, there has been progress in exploiting the WebSockets protocol. The ability to customize and expand Bro’s capabilities to analyze new protocols is one of its chief benefits. The developers of Bro are also working on a new framework called Spicy that allows security professionals to generate new protocol parsers. This paper focuses on the development of Spicy and Bro scripts that allow visibility into WebSockets traffic. The research conducted compared the data that can be logged with existing Bro protocol analyzers to data that can be logged after writing a WebSockets protocol analyzer in Spicy. The research shows increased effectiveness in detecting malicious WebSockets traffic using Bro when the traffic is parsed with a Spicy script. Writing Bro logging scripts tailored to a particular WebSockets application further increases their effectiveness.


  • Does Network Micro-segmentation Provide Additional Security? STI Graduate Student Research
    by Steve Jaworski - September 15, 2017 in Network Security

    Network segmentation is a concept of taking a large group of hosts and creating smaller groups of hosts that can communicate with each other without traversing a security control. The smaller groups of hosts each have defined security controls, and groups are independent of each other. Network micro-segmentation takes the smaller group of hosts further by configuring controls around individual hosts. The goal of network micro-segmentation is to provide more granular security and reduce an attacker's capability to easily compromise an entire network. If an attacker is successful in compromising a host, he or she is limited to only the network segment on which the host resides. If the host resides in a micro-segment, then the attacker is restricted to only that host. This paper will discuss what network segmentation and network micro-segmentation are, where they apply, and any additional layer of security they provide, including levels of complexity.


  • ComBAT Phishing with Email Automation STI Graduate Student Research
    by Seth Polley - September 15, 2017 in Email Issues

    An analysis of organizations' email reporting processes reveals two challenges facing cyber security departments: successful administration of the managed mailbox provided for users' suspicious email reporting (automation) and effective security awareness training tailored to the business groups based on the type of email received. An effective defense requires an organization to be informed by actual attacks (knowing the enemy) and awareness of internal shortcomings (knowing yourself) so that implemented protections and training are applicable to the threats faced (strategy and tactics).


  • Tackling DoD Cyber Red Team Deficiencies Through Systems Engineering STI Graduate Student Research
    by John Schab - September 15, 2017 in Penetration Testing

    Red teaming is an essential capability in preparing and assessing the Department of Defense's (DoD) ability to execute their mission in a contested cyber environment. The identified deficiencies in DoD's overall red team capability resulting from their ad hoc implementation create unknown mission risk to the Combatant Commands and Services, leading to a significant threat to national security. Unfortunately, many senior DoD officials are citing a lack of resources as the reason for the deficiencies and believe an increase in funding will solve the issues. However, funding alone is not scalable to address DoD's gaps in red team capability, and throwing more money at the existing ad hoc process is quickly becoming a huge money pit for the DoD. This paper analyzes the deficiencies and concludes the primary cause to be a lack of a structured process needed to define, design, build, and sustain the required DoD red team capability. The solution presented is to treat the overall DoD cyber red team function as a complex system operating within a system of systems and apply the systems engineering process. Implementing a systems engineering process will eliminate some of the identified deficiencies through design and will identify feasible solutions or alternatives to the deficient areas which design cannot eliminate. The systems engineering process can help DoD build an effective and efficient red team capability which is needed to ensure the military can successfully execute its missions in the contested cyber environment.


  • Next-Gen Protection for the Endpoint: SANS Review of Carbon Black Cb Defense Analyst Paper
    by Jerry Shenk - September 14, 2017 in Tools

    In today’s threat landscape, organizations wanting to shore up their defenses need endpoint tools that not only detect, alert and prevent malware and malware-less attacks, but also provide defenders a road map of the systems and pathways attackers took advantage of. Our review shows that Carbon Black’s Cb Defense does all this and more with a high degree of intelligence and analytics. Utilizing a cloud-based delivery system, it makes informed decisions on subtle user and system behaviors that we wouldn’t otherwise see with traditional antivirus tools. Importantly, it saved us time: Manual correlation and false positives are among the top 10 time-consuming tasks IT professionals hate, according to a recent article in Dark Reading. Rather than toggling between separate security systems, traffic logs and so on, we used a single cloud interface—through drill-down and pivot—to determine whether a threat was a false positive or real.


  • HL7 Data Interfaces in Medical Environments: Attacking and Defending the Achille's Heel of Healthcare STI Graduate Student Research
    by Dallas Haselhorst - September 12, 2017 in HIPAA, Encryption & VPNs

    On any given day, a hospital operating room can be chaotic. The atmosphere can make one’s head spin with split-second decisions. In the same hospital environment, medical data also whizzes around, albeit virtually. Beyond the headlines involving medical device insecurities and hospital breaches, healthcare communication standards are equally insecure. This fundamental design flaw places patient data at risk in nearly every hospital worldwide. Without protections in place, a hospital visit today could become a patient’s worst nightmare tomorrow. Could an attacker collect the data and sell it to the highest bidder for credit card or tax fraud? Or perhaps they have far more malicious plans, such as causing bodily harm? Regardless of their intentions, healthcare data is under attack and it is highly vulnerable. This research focuses on attacking and defending HL7, the unencrypted and unverified data standard used in healthcare for nearly all system-to-system communications.


  • HL7 Data Interfaces in Medical Environments: Understanding the Fundamental Flaw in Healthcare STI Graduate Student Research
    by Dallas Haselhorst - September 12, 2017 in HIPAA, Encryption & VPNs

    Ask healthcare IT professionals where the sensitive data resides and most will inevitably direct attention to a hardened server or database with large amounts of protected health information (PHI). The respondent might even know details about data storage, backup plans, etc. Asked the same question, a penetration tester or security expert may provide a similar answer before discussing database or operating system vulnerabilities. Fortunately, there is likely nothing wrong with the data at that point in its lifetime. It potentially sits on a fully encrypted disk protected by usernames, passwords, and it might have audit-level tracking enabled. The server may also have some level of segmentation from non-critical servers or access restrictions based on source IP addresses. But how did those bits and bytes of healthcare data get to that hardened server? Typically, in a way no one would ever expect... 100% unencrypted and unverified. HL7 is the fundamentally flawed, insecure standard used throughout healthcare for nearly all system-to-system communications. This research examines the HL7 standard, potential attacks on the standard, and why medical records require better protection than current efforts provide.


  • Securing Against the Most Common Vectors of Cyber Attacks STI Graduate Student Research
    by Richard Hummel - September 12, 2017 in Risk Management

    Advanced Persistent Threat (APT) adversaries run highly targeted, multifaceted campaigns to exploit vulnerabilities either through holes in an organization's security implementation or by targeting the human element which often uses social engineering. Financially motivated actors indiscriminately send mass spam emails in credential harvesting campaigns or deploy ransomware. These attack vectors are the most common against organizations of any size, but often have a greater impact on small to medium-sized business that may not have a robust security posture. As a security practitioner, it is imperative to posture an organization to prevent and mitigate the risk posed by these attacks. The Critical Security Controls (CSC) is the industry standard for securing an environment but may be costly and time-consuming to implement; also, some of them may not be as applicable to all organizations. In this study, the controls for Email and Web Browser Protection (#7) and Security Skills Assessment and Appropriate Training to Fill Gaps (CSC #17) are examined to secure against threats seeking to take advantage of end users, the most common entry point for an attacker. This paper examines multiple real-world threats and how the CSCs can be applied to prevent compromises. The goal of this research is to inform and educate security practitioners at any stage of the business on best practices and to aid in implementing controls directly applicable to their end users.


  • Challenges to Implementing Network Access Control STI Graduate Student Research
    by Joseph Matthews - September 12, 2017 in Network Access Control

    Network Access Control (NAC) has always offered the hope of solving so many network security problems but has proven quite difficult to implement. NAC was to solve the issues of visibility, control, and compliance enforcement. This paper seeks to demonstrate, through research and implementation, an effective and practical way for small to medium-sized businesses to move to NAC and take advantage of the security benefits of a 3-6 month implementation plan.


  • IDS Performance in a Complex Modern Network: Hybrid Clouds, Segmented Workloads, and Virtualized Networks STI Graduate Student Research
    by Brandon Peterson - September 12, 2017 in Network Security

    Most modern networks are complex, with workloads both in the cloud and on premises. Monitoring these types of networks requires aggregating monitoring data from multiple, diverse locations. The following experiment tests the effects on a Snort IDS sensor when monitoring data is sent to the Snort sensor using three different methods. The first method tests direct communication from a server generating test traffic to an IP address on the Snort sensor. The second method captures test traffic from a SPAN port and directs it to an interface on the Snort sensor. The final method simulates ERSPAN by creating a GRE tunnel between the generating server and the Snort sensor and capturing traffic from that tunnel. The results showed that these methods of sending data have a significant impact on the volume of data that reaches the sensor. Also, monitoring can have cascading effects on the network and must be planned for accordingly. For example, when both ERSPAN and production traffic are sent over the same network infrastructure, excessive ERSPAN traffic can cause production traffic to be dropped by overloaded network equipment. When setting up IDS sensors in a complex network environment using SPAN or ERSPAN, it is best to slowly increase the volume of monitoring traffic and carefully measure the impact in each unique environment.


  • When a picture is worth a thousand products: Image protection in a digital age STI Graduate Student Research
    by Shawna Turner - September 12, 2017 in Security Trends

    Today, a lack of fashion industry specific information security controls and legal protection puts fashion industry companies at significant risk of Intellectual Property theft and counterfeiting. This risk is only growing as traditional methods of manufacturing are rapidly evolving toward digital models of design and mass production, using Industrial Control System (ICS) approaches for mass production. As mass production moves to digital manufacturing, the effect of losing new product 2D and 3D imagery, as well as the speed and lack of traceability around those losses could significantly impact corporate bottom lines and risk profiles.


  • Asking the Right Questions: A Buyer's Guide to Dynamic Scanning to Secure Web Applications Analyst Paper
    by Barbara Filkins - September 12, 2017 in Application and Database Security, Tools

    Securing a web app across its lifecycle is fundamentally different than securing an app born inside a secure perimeter. The selection of tools designed to scan running applications is more complex and challenging to select than conventional tools, as the threat these are designed to counter is also more intensive and more pervasive. This makes the choice of tool critical. We walk you through the various parameters involved in the decision-making process in this paper.


  • Security Tools for the SMB and SME Segments
    by James Waite - September 11, 2017 in Intrusion Detection

    Modern small and medium businesses (SMBs) operate with limited staff and budgets. Today's business environment requires businesses to do more with less. Businesses also have information that they need to protect. This protection is either mandated by law (HIPAA), industry requirements (PCI) or best practices (NIST). What are the recommended policies and tools an SMB should have in place to provide adequate and responsible information security? What tools should an SMB concentrate their time, effort and money towards? Should these tools be network-based tools, monitoring both inline and spanned traffic? Should these tools be endpoint tools that provide the same functionality and minimize the network tool components? Or should there be a mix of tools? Are certain tools required on endpoints, in the network or both? What are an SMB's regulatory requirements and how do they affect the choice of tools? These are the difficult questions that require thoughtful, concise and researched guidance.


  • A Technical Approach at Securing SaaS using Cloud Access Security Brokers STI Graduate Student Research
    by Luciana Obregon - September 6, 2017 in Cloud Computing

    The adoption of cloud services allows organizations to become more agile in the way they conduct business, providing scalable, reliable, and highly available services or solutions for their employees and customers. Cloud adoption significantly reduces total cost of ownership (TCO) and minimizes hardware footprint in data centers. This paradigm shift has left security professionals securing abstract environments for which conventional security products are no longer effective. The goal of this paper is to analyze a set of cloud security controls and security deployment models for SaaS applications that are purely technical in nature while developing practical applications of such controls to solve real-world problems facing most organizations. The paper will also provide an overview of the threats targeting SaaS, present use cases for SaaS security controls, test cases to assess effectiveness, and reference architectures to visually represent the implementation of cloud security controls.


  • The Efficiency of Context: Review of WireX Systems Incident Response Platform Analyst Paper
    by Jerry Shenk - September 5, 2017 in Incident Handling

    WireX Systems officials think they have found the way to slash the time it takes to spot an intruder by making it easier for mere mortals to read and understand network traffic and identify early signs of a breach. Contextual Capture, a key feature of the WireX Network Forensics Platform, is designed to turn every SOC member into a valuable analyst by providing easy-to-use forensics history (for periods of months) using a unique and intuitive query interface. WireX NFP also creates investigation workflows that can be used by the entire security team to accelerate alert validation and incident response.


  • Sensitive Data at Risk: The SANS 2017 Data Protection Survey Analyst Paper
    by Barbara Filkins - September 5, 2017 in Data Protection, Threats/Vulnerabilities

    Ransomware, insider threat and denial of service are considered the top threats to sensitive data by respondents to the 2017 SANS Data Protection Survey. User credentials and privileged accounts represented the most common data types involved in these breaches reported in the survey, spotlighting the fact that access data is prized by attackers. The experiences of respondents with compromised data provide valuable lessons for security professionals.


  • Triaging Alerts with Threat Indicators
    by Gregory Pickett - August 25, 2017 in Threat Intelligence

    Enterprises see more and more alerts every day. They are continually flooded with alerts, and the numbers keep increasing. Because analysts don't know which ones indicate a genuine threat, they have to be gone through one at a time to find out. With not enough time in the day, some get ignored (Magee, 2017). There just isn't enough time to get to them all. What if analysts could skip over those alerts that aren't a threat and just focus their time on those that are? If they were able to do that, they just might have enough time in the day to get through all of them. The answer to this question is Threat Indicators. Using past behavior, as measured by Threat Indicators, security analysts can determine how likely it is that an adversary in an alert is a threat. Those that are less threatening can then be skipped over in favor of those that are, allowing an analyst to get through their alerts much more quickly. It may even be quick enough for them to get through them all. This paper explores the use of Threat Indicators through both theory and practice. Finally, it will measure its success through its use in the analysis of actual alerts to determine how effective this approach is in identifying threats and, through this identification, whether or not analysts are able to get through their alerts more quickly.


  • Cracking Active Directory Passwords or "How to Cook AD Crack"
    by Martin Boller - August 23, 2017 in Penetration Testing

    It is too early to write the obituary on passwords, and they are still the most prevalent form of authentication for most corporations. You may be using Multi-Factor Authentication for some users, but there's still a password in use somewhere. Many end-users and IT Pros do not understand the art of creating and maintaining good passwords, and most organizations utilize Active Directory, which stores unsalted passwords using a weak hashing algorithm, further weakening their security. This paper discusses several methods to acquire the password hashes from Active Directory, how to use them in Pass the Hash attacks, and how to crack them, revealing the clear text passwords they represent. It ends with a short discussion on how to report on the password security of the organization tested.


  • The Conductor Role in Security Automation and Orchestration
    by Murat Cakir - August 22, 2017 in Automation, Incident Handling, Threat Intelligence

    Security Operations Centers (SOCs) are trying to handle hundreds of thousands of events per day, and automating any part of their daily routines is considered helpful. Ultimately, fast creation of malware variants produces different Indicators of Compromise (IOCs), and automated tasks should adapt themselves accordingly. This paper describes the possible use of automation in the Threat Hunting, Identification, Triage, Containment, Eradication and Recovery tasks and phases of Incident Handling, along with practical examples. It also describes how they can fail or can be systematically forced to fail when orchestration is missing. Orchestration should not only cover dynamic selection of proper paths for handling of specific tasks, but should also provide circumstantial evidence while doing that. Finally, there should be a Conductor who knows "when and how to use the baton" to accept, modify or reject any part of the automated flow.


  • Artificial Intelligence and Law Enforcement
    by John Wulff - August 21, 2017 in Threat Intelligence

    After the 9/11 terrorist attacks against the United States, the law enforcement and intelligence communities began efforts to combine their talents and information gathering assets to create an efficient method for sharing data. The central focus of these cooperative efforts for information dissemination was State Fusion Centers, tasked with collecting data from several database sources and distributing that information to various agencies. This vast amount of intelligence data eventually overwhelmed the investigative organizations. The use of Artificial Intelligence (AI) is the preferred technology for analyzing data to recognize behavioral patterns and create a method for the sharing of data in the fight against crime and terrorism. AI can analyze threat data and historical information and then create attack hypotheses for predicting when and where crimes will be committed. The use of AI can directly affect the cost of operations. Criminal activity locations can be predicted by AI so equipment and personnel can be directed to those areas to prevent those events from occurring. Financial resources must be allocated to allow for the development and testing of these applications so that the options available to law enforcement and the intelligence communities can be increased.


  • A Practical Example of Incident Response to a Network Based Attack STI Graduate Student Research
    by Gordon Fraser - August 16, 2017 in Incident Handling

    A commonly accepted Incident Response (IR) process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. This paper examines this process in the context of a practical working example of a network based attack. It begins with the identification of a potential incident, followed by the detailed analysis of the network traffic to reconstruct the actions of the attacker, and leads up to determining indicators of compromise that can be used to identify other victims. This paper provides a practical example of responding to a network based incident.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.