
Reading Room: Most Popular Papers

Featuring the 25 most popular papers within the past week as of September 20, 2020

  • Detecting Malicious Activity in Large Enterprises Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - September 8, 2020 in Security Awareness, Security Trends, Threats/Vulnerabilities

    As they grow, organizations need to detect threats amid an alarming assortment of unexpected and complex conditions, often with a blend of legacy and current technologies. This paper explores options for advanced threat detections at enterprise scale.


  • 2020 SANS Enterprise Cloud Incident Response Survey Analyst Paper (requires membership in SANS.org community)
    by Chris Dale - September 14, 2020 in Cloud Security, Security Trends

    Our 2020 Enterprise Cloud Incident Response Survey investigated the data sources and services that organizations are leveraging to detect, respond to and remediate incidents in the multi-cloud world. This report on the survey focuses less on which cloud service organizations are using, and more on what data sources they are taking advantage of, what services they find useful, and what methods are working in their programs.


  • Fashion Industry (Securely) 4.0ward SANS.edu Graduate Student Research
    by Shawna Turner - September 9, 2020 in Industrial Control Systems / SCADA

    The fashion market segment is going through a significant technological upgrade. The need to meet modern consumer expectations and desires requires wholesale changes in the way the fashion ecosystem has historically shared information and manufactured products. Fashion cannot use existing security guidance due to the consumer expectation that a fashion product provides a unified physical experience. The addition of significant new technology increases the risk of intellectual property loss. The fashion industry requires a list of minimum security controls that addresses the entire ecosystem of fashion, from the fashion houses to the supply chain to the factory floor, to address information security concerns. This paper begins the process of developing a minimum viable list of controls by combining controls from the Purdue model with recommended controls from the Verizon 2019 Data Breach Investigations Report (DBIR). The paper focuses on proposed controls for the fashion sector; however, they apply to any manufacturer pivoting to Industry 4.0.


  • You've Had the Power All Along: Process Forensics With Native Tools SANS.edu Graduate Student Research
    by Trevor McAfee - August 27, 2020 in Incident Handling

    Many organizations are interested in standing up threat response teams but are unable, or unwilling, to provide funding or approval for third-party tools. This lack of support requires threat response teams to utilize built-in, OS-specific tools to investigate suspicious processes and files. These tools can provide a significant amount of useful information when scrutinizing a suspicious process or file. However, these tools and their output are often unwieldy. A lack of cohesiveness requires running multiple similar commands to gather all the data for an investigation, and then manually combining and correlating that data. This paper examines the data of interest during an incident response and the native Microsoft Windows tools used to obtain it. This paper also discusses how to use PowerShell to automate the collection and compilation of this important data.


  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 in Automation, Incident Handling, Malicious Code

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 in Intrusion Detection, Incident Handling, Intrusion Prevention, Penetration Testing, Threats/Vulnerabilities

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malware (Rut15), their tactics, techniques and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users' computers, at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.


  • Securing the Supply Chain - A Hybrid Approach to Effective SCRM Policies and Procedures SANS.edu Graduate Student Research
    by Daniel Carbonaro - November 7, 2019 in Standards

    Organizations' supply chains are growing increasingly interdependent and complex, the result of which is an ever-increasing attack surface that must be defended. Current supply chain security frameworks offer effective guidance to help organizations protect their supply chains from attack. However, they are limited in their scope and impact and can be extremely complex for organizations to adopt effectively. To further complicate issues, the ability of an organization to identify the scope of its supply chains may be a complicated endeavor. This paper seeks to give context not only to the challenges facing security within the ICT supply chain, but attempts to give a hybrid framework for any business, regardless of size or function, to follow when attempting to mitigate threats both to and from within its supply chain.


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


  • Incident Response in a Security Operation Center by Josh Higgason - August 27, 2020 in Incident Handling

    Cybercrime dates back to the late 1700s and remains a threat today. By observing current threats, such as phishing and data compromise, a better understanding may be gained regarding cyber campaigns and threat actors. Consequently, efforts must be made to prevent the continuous siphoning of millions of dollars from the economic system caused by cybercrime. Because the highly skilled personnel working with Incident Response in a Security Operation Center face many challenges, teamwork is essential to overcome the threats associated with cybercrime. Additional factors, such as working across multiple time zones with varying time shifts, personality differences, and unique technical skill levels and abilities, affect the ability to work as a team. Working through these differences brings cohesion and strength to the team. The security operations center learns to accomplish more with the time and resources at their disposal. To thwart cybercrime, the personnel in the Security Operations Center must address current issues, devise innovative plans, and adopt a new perspective to overcome the complicated problems they encounter.


  • Physical Security and Why It Is Important SANS.edu Graduate Student Research
    by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • The OSI Model: An Overview by Rachelle Miller - September 13, 2001 in Standards

    This paper provides an overview of the Open Systems Interconnection (OSI) reference model which defines a hierarchical architecture that logically partitions the functions required to support system-to-system communication.


  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Data Leakage - Threats and Mitigation by Peter Gordon - October 24, 2007 in Security Awareness

    This paper explores data leakage and how it can impact an organization. Because more forms of communication are being utilized within organizations beyond traditional email, such as instant messaging, VoIP, etc., more avenues for data leakage have emerged.


  • Case Study: Critical Controls that Could Have Prevented Target Breach SANS.edu Graduate Student Research
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).


  • Benefits and Adoption Rate of TLS 1.3 SANS.edu Graduate Student Research
    by Ben Weber - July 28, 2020 in Encryption & VPNs

    The cybersecurity industry is often reluctant to adopt new technologies due to perceived complications, assumed dependencies, and unclear information about the benefits. Digital communication protections are not exempt from this phenomenon and are often overlooked when maintaining a secure environment. Adopting new technologies is essential to utilize recent advancements in speed, security, and other newly available features. RFC 8446, better known as TLS 1.3, was released in August of 2018 and included enhancements to the speed and security of a TLS session. Older versions of TLS that still exist, however, fall short when compared to TLS 1.3. This paper provides data testing the speed and security of TLS 1.3 compared to TLS 1.2 across major TLS libraries and a point-in-time measurement of TLS 1.3 adoption across the top 500 websites in the business, retail, technology, and news sectors.


  • Hunting for Ghosts in Fileless Attacks by Buddy Tancio - May 13, 2019 in Malicious Code

    Hunting for a fileless threat can be a tedious and labor-intensive task for any analyst. It is, more often than not, extremely time-consuming and requires a significant amount of data gathering. On top of that, the traditional tools, methods, and defenses seem to be less effective when dealing with these almost invisible threats. Threat actors are frequently using attack techniques that work directly from memory or use legitimate tools or services pre-installed on the system to achieve their goals (Trend Micro, 2017). It is a popular technique among targeted attacks and advanced persistent threats (APT), and now it has been adopted by conventional malware such as trojans, ransomware, and even the most recent emerging threat, cryptocurrency miners. In some incidents, searching for a malicious file that resides on the hard drive seems to be insufficient. This study explores the different variations of fileless attacks that targeted the Windows operating system and what kind of artifacts or tools can provide clues for forensic investigation.


  • Incident Response in a Zero Trust World SANS.edu Graduate Student Research
    by Heath Lawson - February 27, 2020 in Incident Handling

    Zero Trust Networking is a new security model that enables organizations to provide continuously verified access to assets, and it is becoming more common as organizations adopt cloud resources (Rose, S., Borchert, O., Mitchell, S., & Connelly, S., 2019). This new model enables organizations to achieve much tighter control over access to their resources by using a variety of signals that provide great insight to validate access requests. As this approach is increasingly adopted, incident responders must understand how Zero Trust Networks can enhance their existing processes. This paper provides a comparison of incident response capabilities in Zero Trust Networks against traditional perimeter-centric models, and guidance for incident responders tasked with managing incidents using this new paradigm.


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    A lot of currently available penetration testing resources lack a report writing methodology and approach, which leads to a very big gap in the penetration testing cycle. A report, by definition, is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report writing is a crucial part of any service provider's work, especially for IT service/advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at a major electronics firm said, "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying in the consulting business: "If you do not document it, it did not happen." (Smith, LeBlanc & Lam, 2004)


  • 60870-5-104 protocol snort rule customization by Adrian Aron - August 10, 2020 in Industrial Control Systems / SCADA

    OT security emerges as a necessity due to the flat network implementation and criticality of the systems operated over the network. Supervisory Control And Data Acquisition (SCADA) protocol IEC 60870-5-104 is widely used in Europe by most utility operators, making it a target for attackers. While IDS signatures for SCADA IEC 104 have been developed, most of these signatures are generic and bound to the standard protocol itself, not to the specific implementation of each customer. For example, an interrogation command telegram in one customer environment might be harmless, while in another it might expose critical information. This paper explains the underlying construct of an IEC 104 telegram and how to customize standard Snort rules for that specific telegram. In this way, each SCADA command can be interpreted and evaluated for permit/monitor/deny to any controlled device, for each particular SCADA implementation.
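    As an added illustration of the approach the abstract describes (decode the telegram, then decide permit/monitor/deny per site rather than per protocol), the block below is example code written for this listing, not the paper's own tooling. It parses the IEC 60870-5-104 APCI/ASDU header, applies a hypothetical per-site policy keyed on type ID, common address and information object address, and emits a Snort rule pinned to one (type ID, common address) pair. The telegrams, the policy table and the `$SCADA_NET` variable are constructed assumptions.

```python
"""Decode IEC 60870-5-104 APDUs and apply a per-site permit/monitor/deny policy.

Added example, not code from the paper. The sample telegrams are constructed
by hand and the POLICY table is a hypothetical site configuration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# ASDU type identifiers used below (IEC 60870-5-101/104 control direction)
C_SC_NA_1 = 45    # single command
C_DC_NA_1 = 46    # double command
C_IC_NA_1 = 100   # (station) interrogation command


@dataclass
class Apdu:
    fmt: str                          # "I" (data), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int] = None
    cot: Optional[int] = None         # cause of transmission, low 6 bits
    common_addr: Optional[int] = None
    ioa: Optional[int] = None         # information object address of first object
    qualifier: Optional[int] = None   # QOI / SCO / DCO byte of first object


def parse_apdu(data: bytes) -> Apdu:
    """Parse one APDU: 0x68, length, 4 control-field bytes, then the ASDU (I-format only)."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start byte)")
    if data[1] != len(data) - 2:
        raise ValueError(f"APCI length {data[1]} does not match {len(data) - 2} bytes")
    cf1 = data[2]
    if cf1 & 0x01 == 0:
        fmt = "I"
    elif cf1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"          # STARTDT / STOPDT / TESTFR
    if fmt != "I":
        return Apdu(fmt=fmt)
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU header truncated")
    # type id, VSQ, COT byte, originator address, common address (little endian)
    type_id, _vsq, cot, _orig, common_addr = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")
    qualifier = asdu[9] if len(asdu) > 9 else None
    return Apdu("I", type_id, cot & 0x3F, common_addr, ioa, qualifier)


# Hypothetical site policy: station CA 1 may be interrogated, the single
# command to CA 1 / IOA 1 is monitored, anything else is denied.
POLICY = {
    (C_IC_NA_1, 1, None): "permit",
    (C_SC_NA_1, 1, 1): "monitor",
}


def evaluate(apdu: Apdu, policy=POLICY) -> str:
    """Most specific match wins: (type, CA, IOA) before (type, CA, any IOA); default deny."""
    if apdu.fmt != "I":
        return "permit"    # S/U frames carry no ASDU and cannot command a device
    for key in ((apdu.type_id, apdu.common_addr, apdu.ioa),
                (apdu.type_id, apdu.common_addr, None)):
        if key in policy:
            return policy[key]
    return "deny"


def snort_rule(type_id: int, common_addr: int, sid: int, msg: str, action: str = "alert") -> str:
    """Snort rule for an I-format APDU carrying type_id addressed to common_addr.

    Offsets follow the layout parsed above: type id at payload byte 6, common
    address at bytes 10-11. byte_test checks that bit 0 of control field 1 is
    clear, i.e. the frame is I-format and actually carries an ASDU.
    """
    ca = common_addr.to_bytes(2, "little")
    return (f'{action} tcp any any -> $SCADA_NET 2404 (msg:"{msg}"; '
            f'content:"|68|"; depth:1; byte_test:1,!&,1,2; '
            f'content:"|{type_id:02X}|"; offset:6; depth:1; '
            f'content:"|{ca[0]:02X} {ca[1]:02X}|"; offset:10; depth:2; '
            f'sid:{sid}; rev:1;)')


# Constructed telegrams (not captured traffic): length byte = bytes after it
INTERROGATION = bytes.fromhex("680e 0000 0000 64 01 0600 0100 000000 14")  # C_IC_NA_1, CA 1, QOI 20
SINGLE_CMD    = bytes.fromhex("680e 0200 0000 2d 01 0600 0100 010000 01")  # C_SC_NA_1, CA 1, IOA 1, ON
DOUBLE_CMD    = bytes.fromhex("680e 0400 0000 2e 01 0600 0200 010000 02")  # C_DC_NA_1, CA 2, IOA 1, ON
TESTFR_ACT    = bytes.fromhex("6804 4300 0000")                             # U-format TESTFR act

if __name__ == "__main__":
    for name, raw in [("interrogation", INTERROGATION), ("single cmd", SINGLE_CMD),
                      ("double cmd", DOUBLE_CMD), ("testfr", TESTFR_ACT)]:
        print(f"{name:14} -> {evaluate(parse_apdu(raw))}")
    print(snort_rule(C_IC_NA_1, 1, 1000001, "IEC104 station interrogation to CA 1"))
```

    The rule generator deliberately matches on the common address rather than only the type ID, which is the customization the abstract argues for: the same C_IC_NA_1 telegram is a permitted poll against one RTU and an anomaly against another. Sequence numbers and multi-object ASDUs (VSQ > 1) are left out of the policy lookup, so a production rule set would also want per-IOA checks for the command types that carry several objects.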


  • Detection of Malicious Documents Utilizing XMP Identifiers SANS.edu Graduate Student Research
    by Josiah Smith - August 27, 2020 in Security Analytics and Intelligence

    Modern digital documents are often composed of multiple other documents and images. Malware authors often produce malicious documents while reutilizing graphical assets or other components that can be uniquely identified with the Adobe Extensible Metadata Platform (XMP). XMP IDs define a standard for mapping asset relationships and can be utilized to track, pivot, and cluster malicious campaigns, identify new TTPs, and possibly provide attribution against adversaries.
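    To make the pivoting idea concrete, the block below is an added example written for this listing, not the paper's own code. It scans raw document bytes for embedded XMP packets, pulls out the xmpMM identifiers (DocumentID, InstanceID, OriginalDocumentID and the stRef:documentID of a DerivedFrom reference) and clusters samples that share an asset identifier. The three "documents" are constructed byte strings with minimal XMP packets, not real malware; the field names are the standard XMP Media Management ones.

```python
"""Extract Adobe XMP identifiers from raw documents and cluster samples that reuse an asset.

Added example, not the paper's code. SAMPLES below are constructed byte strings
carrying minimal XMP packets; they are not real documents or malware.
"""
import re
from collections import defaultdict

# An XMP packet is XML between <x:xmpmeta ...> and </x:xmpmeta>. PDFs embed it in
# a /Metadata stream and JPEGs in an APP1 segment, so scanning the raw bytes
# finds it without a format-specific parser.
PACKET_RE = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.DOTALL)

# Identifiers appear either as attributes (xmpMM:DocumentID="...") or as
# elements (<xmpMM:DocumentID>...</xmpMM:DocumentID>). stRef:documentID inside a
# DerivedFrom block names the parent asset a resource was built from.
ID_RE = re.compile(
    rb"(xmpMM:DocumentID|xmpMM:InstanceID|xmpMM:OriginalDocumentID|stRef:documentID)"
    rb'(?:="([^"]*)"|>([^<]*)<)'
)

# Fields worth pivoting on. InstanceID changes on every save of the same
# document, so it identifies a file, not an asset, and is excluded.
PIVOT_FIELDS = ("xmpMM:DocumentID", "xmpMM:OriginalDocumentID", "stRef:documentID")


def extract_xmp_ids(data: bytes) -> dict:
    """Return {field: set(values)} for every XMP packet found in the blob."""
    ids = defaultdict(set)
    for packet in PACKET_RE.findall(data):
        for field, attr_val, elem_val in ID_RE.findall(packet):
            value = (attr_val or elem_val).strip()
            if value:
                ids[field.decode()].add(value.decode())
    return dict(ids)


def cluster_by_asset(samples: dict) -> dict:
    """Map each asset identifier seen in more than one sample to the sorted sample names."""
    by_id = defaultdict(set)
    for name, blob in samples.items():
        for field, values in extract_xmp_ids(blob).items():
            if field in PIVOT_FIELDS:
                for value in values:
                    by_id[value].add(name)
    return {k: sorted(v) for k, v in by_id.items() if len(v) > 1}


def _packet(doc_id: str, inst_id: str, derived_from: str = None) -> bytes:
    """Constructed minimal XMP packet in attribute form (for the samples only)."""
    derived = (f'<xmpMM:DerivedFrom stRef:documentID="{derived_from}"/>'
               if derived_from else "")
    return (
        '<x:xmpmeta xmlns:x="adobe:ns:meta/">'
        '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
        '<rdf:Description xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" '
        'xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" '
        f'xmpMM:DocumentID="{doc_id}" xmpMM:InstanceID="{inst_id}">'
        f'{derived}</rdf:Description></rdf:RDF></x:xmpmeta>'
    ).encode()


def _pdf_wrap(packet: bytes) -> bytes:
    """Constructed PDF-like framing around the packet; not a valid PDF."""
    return b"%PDF-1.7\n<</Type/Metadata/Subtype/XML>>stream\n" + packet + b"\nendstream\n%%EOF"


# Constructed samples: lure_b was derived from the same asset lure_a was built on.
SAMPLES = {
    "lure_a.pdf": _pdf_wrap(_packet("xmp.did:AAAA0001", "xmp.iid:1111")),
    "lure_b.pdf": _pdf_wrap(_packet("xmp.did:BBBB0002", "xmp.iid:2222",
                                    derived_from="xmp.did:AAAA0001")),
    "unrelated.pdf": _pdf_wrap(_packet("xmp.did:CCCC0003", "xmp.iid:3333")),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, extract_xmp_ids(blob))
    print("clusters:", cluster_by_asset(SAMPLES))
```

    Regex extraction rather than an XML parser is a deliberate choice here: malicious documents are often malformed, and a packet that would make an XML parser abort still yields usable identifiers. The cluster output is a starting point for pivoting, not attribution on its own, since a DocumentID also propagates when a legitimate template is reused.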


  • ATT&CK-Based Live Response for GCP CentOS Instances SANS.edu Graduate Student Research
    by Allen Cox - July 22, 2020 in Cloud Security

    As organizations increasingly invest in cloud service providers to host data, applications, and services, incident responders must detect and respond to malicious activity across several major platforms. With nearly one-third of the cloud infrastructure market share, Amazon Web Services (AWS) dominates the information security scientific literature. However, of the other major cloud providers, Google Cloud Platform (GCP) experienced the most significant annual growth in 2019 (Canalys, 2020), and as a result, defenders can expect to respond more frequently to incidents in GCP. This research examines the data sources available to responders on GCP CentOS compute instances and within the cloud platform. Using MITRE ATT&CK to identify attacker tactics and Red Canary’s Atomic Red Team to generate test data, this research proposes a live response script to collect the essential data that responders will need to identify the discussed tactics.


  • Runtime Application Self-Protection (RASP), Investigation of the Effectiveness of a RASP Solution in Protecting Known Vulnerable Target Applications SANS.edu Graduate Student Research
    by Alexander Fry - April 30, 2019 in Application and Database Security

    Year after year, attackers target application-level vulnerabilities. To address these vulnerabilities, application security teams have increasingly focused on shifting left - identifying and fixing vulnerabilities earlier in the software development life cycle. However, at the same time, development and operations teams have been accelerating the pace of software release, moving towards continuous delivery. As software is released more frequently, gaps remain in test coverage leading to the introduction of vulnerabilities in production. To prevent these vulnerabilities from being exploited, it is necessary that applications become self-defending. RASP is a means to quickly make both new and legacy applications self-defending. However, because most applications are custom-coded and therefore unique, RASP is not one-size-fits-all - it must be trialed to ensure that it meets performance and attack protection goals. In addition, RASP integrates with critical applications, whose stakeholders typically span the entire organization. To convince these varied stakeholders, it is necessary to both prove the benefits and show that RASP does not adversely affect application performance or stability. This paper helps organizations that may be evaluating a RASP solution by outlining activities that measure the effectiveness and performance of a RASP solution against a given application portfolio.


  • Hardening OpenShift Containers to complement Incident Handling by Kurtis Holland - November 2, 2018 in Incident Handling

    Incident Responders are always faced with not knowing whether they have adequate information on whether a server is appropriately hardened with security controls or susceptible to attack. There is no such thing as 100% security. You're under attack and now are scrambling to understand your risks and threat surface should a hacker gain a foothold in your environment. You want a mix of commercial and open source tools in place to manage this threat. This paper will dive into the processes and demonstrate a design using tools available for managing Linux controls for OpenShift containers, and how you scan the multiple products and layers involved in the development operations processes. The guesswork by Incident Handlers will be minimized, and a simple "eyes on glass" solution for the entire environment will be at your disposal so you can assess the software inventory, version levels, and security scan reports, and assist identification and containment options.


  • Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules by Hirokazu Murakami - May 27, 2018 in Malicious Code

    Today, a lot of malware is being created and utilized. To solve this problem, many researchers study technologies that can quickly respond automatically to detected malware. Using artificial intelligence (AI) is such an example. However, modern AI has difficulty responding to new attack methods. On the other hand, malware consists of variants, and the root (core) part often uses the same technology. Therefore, I think that if we can identify that core part of malware through analysis, we can identify many variants as well. Consider the possibility of reverse engineering to identify countermeasures from malware analysis results.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.