
Free and Open Source Software

Featuring 11 Papers as of June 25, 2020

  • Improving Analyst Efficiency in Office365 Business Email Compromise Investigation Scenarios Through the Implementation of Open Source Tools SANS.edu Graduate Student Research
    by Aaron Elyard - June 25, 2020 

    Working within Microsoft’s browser-based O365 Graphical User Interface (GUI) can be challenging for DFIR practitioners when time is of the essence. PowerShell-based cmdlets are often preferred due to their flexibility, speed, and efficiency compared to a browser-based approach. However, in his professional career, the author has observed that more junior analysts may not feel comfortable using command line tools. Additionally, they may not have devoted the appropriate time to learning the various options needed to obtain the data they need for their investigations. This paper explores a tool the author created to bridge the gap between the browser-based GUI and raw PowerShell. It examines the impact of the use of such a tool on the analyst’s efficiency, measured in the number of interactive actions an analyst must take.

  • PyFunnels: Data Normalization for InfoSec Workflows SANS.edu Graduate Student Research
    by TJ Nicholls - February 1, 2019 

    Information security professionals cannot afford delays in their workflow due to the challenge of integrating data. For example, when data is gathered using multiple tools, the varying output formats must be normalized before automation can occur. This research details a Python library to normalize output from industry standard tools and act as a consolidation point for that functionality. Information security professionals should collaborate using a centralized resource that facilitates easy access to output data. Doing so will bypass extraneous tasks and jump straight to the application of practical data.

  • Shell Scripting for Reconnaissance and Incident Response
    by Mark Gray - January 25, 2019 

    It has been said that scripting is a process with three distinct phases: identification of a problem and solution, implementation, and maintenance. By applying an analytical mindset, anyone can create reusable, easily maintainable scripts for the purpose of automating the redundant and tedious tasks of a daily workflow. This paper serves as an introduction to the common structure and the various uses of shell scripts, methods for observing script execution, how shells operate, and how commands are found and executed. Additionally, this paper covers how to apply functions, control structures, and variables to increase the readability and maintainability of scripts. Best practices for system and network reconnaissance, as well as incident response, are provided; the examples demonstrate the use of shell scripting as an alternative to implementing similar functionality in more intricate programming languages.

  • Auto-Nuke It from Orbit: A Framework for Critical Security Control Automation SANS.edu Graduate Student Research
    by Jeremiah Hainly - March 15, 2017 

    Over 83% of security teams report that the use of automation in security needs to increase within the next three years (Algosec, 2016). With automation becoming a reality for a growing number of companies, there will also be an increased demand for open-sourced scripts to get started. This paper will provide a framework for prioritizing and developing security automation and will demonstrate this process by creating a script to automate a common information security response procedure - the reimaging of an infected endpoint. The primary function of the script will be to access the application program interface (API) of various enterprise software solutions to speed up the manual tasks involved in performing a reimage.

  • Full Packet Capture Infrastructure Based on Docker Containers SANS.edu Graduate Student Research
    by Mauricio Espinosa Gomez - May 6, 2016 

    In today’s world, it is common to hear news about organizations being breached by malicious actors, even in highly protected environments; the risk of being exploited is always present. When an incident has already occurred, a full packet capture provides invaluable information to effectively backtrack the event in question.

  • ISE6100 GIAC Enterprises Final Lessons Learned SANS.edu Graduate Student Research
    by - April 29, 2016 

    The following is the Lessons Learned document from the ISE 6100 project, which commenced on March 22nd, 2016. The objective of this project was to evaluate, select, and implement an open source Security Information and Event Management (SIEM) solution for the fictional corporation known as GIAC Enterprises. GIAC Enterprises is in the business of collecting fortunes from direct employees and contractors. These fortunes are GIAC Enterprises’ intellectual property. The ideal SIEM will enhance the detective capacity of GIAC Enterprises.

  • ISE6100 GIAC Enterprises Final Presentation SANS.edu Graduate Student Research
    by - April 29, 2016 

  • ISE6100 GIAC Enterprises Final Step By Step Description SANS.edu Graduate Student Research
    by Alyssa Robinson, David Fletcher, and Wes Whitteker - April 29, 2016 

    GIAC Enterprises, a small to medium size business, has grown to a point where their current manual log analysis process is no longer efficient or effective. As such, GIAC Enterprises was forced to look for a SIEM solution that automates the correlation and analysis of system logs. GIAC Enterprises had a significant financial constraint, which required them to focus their investigation on several open source solution options. After investigation, GIAC Enterprises settled on AlienVault’s OSSIM product for their solution. The result of this research is the following OSSIM implementation guide.

  • ISE6100 GIAC Enterprises - Open Source SIEM - Read Me First SANS.edu Graduate Student Research
    by - April 29, 2016 

    Foreword by Stephen Northcutt. Three students from the SANS Technology Institute (Alyssa Robinson, David Fletcher, and Wes Whitteker) were assigned the following project for their ISE-M 6100 coursework. There are three files: a Step by Step, a presentation, and a Lessons Learned document.

  • Security through Configuration Control at Scale – An Introduction to Ansible SANS.edu Graduate Student Research
    by Patrick Neise - February 4, 2016 

    As new technologies and concepts are developed there is usually a noticeable change in the use and employment of existing technologies. For example, there is a current growth trend of concepts such as cloud computing, the merging of development and operations (DevOps), microservice based architectures, agile development, and continuous integration.

  • Security Systems Engineering Approach in Evaluating Commercial and Open Source Software Products SANS.edu Graduate Student Research
    by Jesus Abelarde - January 29, 2016 

    Almost all systems currently in development leverage some type of commercial and/or free open source software (FOSS), either in the development environment or integrated into the system.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.