
Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,860 original computer security white papers in 109 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • PowerShell Security: Is it Enough? (STI Graduate Student Research)
    by Timothy Hoffman - February 20, 2019 in Microsoft Windows

    PowerShell is a core component of any modern Microsoft Windows environment and is used daily by administrators around the world. However, it has also become an “attacker’s tool of choice when conducting fileless malware attacks” (O’Connor, 2017). According to a study by Symantec, the number of prevented PowerShell attacks increased by over 600% between the last half of 2017 and the first half of 2018 (Wueest, 2018). This is a staggering number of prevented attacks, but the more concerning problem is the unknown number of undetected attacks that occurred during this time. Modern attackers often prefer to “live off the land,” using native tools already in an environment to prevent detection; PowerShell is a prime example of this. These statistics lead to a suggestion that current PowerShell security may not be effective enough, or organizations are improperly implementing it. This paper investigates the efficiency of PowerShell security, analyzing the success of security features like execution policies, language modes, and Windows Defender, as well as the vulnerabilities introduced by leaving PowerShell 2.0 enabled in an environment. Multiple attack campaigns will be conducted against these security features while implemented individually and collectively to validate their effectiveness in preventing PowerShell from being used maliciously.


  • Continuous Security Monitoring in non-Active Directory Environments by Blair Gillam - February 20, 2019 in Secure Monitoring

    Active Directory-centric monitoring techniques, tools, and methodologies have dominated information security conferences in recent years. Many alternative centralized directory services, including FreeIPA and OpenLDAP, are found in modern enterprises. Diagnostic and performance monitoring for these alternatives is well documented; however, security-related events can be recorded in different formats and multiple locations across both directory servers and clients. This paper investigates continuous security monitoring techniques for FreeIPA that can be leveraged by defenders to analyze and visualize common directory service security events in non-Active Directory environments. It explores change detection rules that can be applied at the user, group, and directory levels and presents example security metrics for detecting anomalous activity.


  • Cyber Threats to the Bioengineering Supply Chain (STI Graduate Student Research)
    by Scott Nawrocki - February 12, 2019 in Threats/Vulnerabilities

    Biotechnology and pharmaceutical companies rely on the sequencing of DNA to conduct research, develop new drug therapies, solve environmental challenges and study emerging infectious diseases. Synthetic biology combines biology and computer engineering disciplines to read, synthetically write and store DNA sequences utilizing bioinformatics applications. Bioengineers begin with a computerized genetic model and turn that model into a living cell (Smolke, 2011). Genetic editing is making headlines as there are rumors that a genetically modified human, immune to HIV, was born in China. As the soil on our farms becomes depleted of nitrogen, genetic research is focusing on applications as a means to reintroduce nitrogen into the ground. Reliance on oil and pollution has paved the way for research into bio-fuels. Genomic research advances have outpaced the security of these applications and technology which leaves them vulnerable to attack (Ney, 2017). As information security professionals, we must keep pace with these advances. This research will demonstrate the stages of a network-based attack, recommend Critical Security Controls countermeasures and introduce the concept of a Bioengineering Systems Kill Chain.


  • PDF Metadata Extraction with Python by Christopher A. Plaisance - February 5, 2019 in Forensics

    This paper explores techniques for programmatically extracting metadata from PDF files using Python. It begins by detailing the internal structure of PDF documents, focusing on the internal system of indirect references and objects within the PDF binary, the document information dictionary metadata type, and the XMP metadata type contained in the file’s metadata streams. Next, the paper explores the most common means of accessing PDF metadata with Python, the high-level PyPDF and PyPDF2 libraries. This examination discovers deficiencies in the methodologies used by these modules, making them inappropriate for use in digital forensics investigations. An alternative low-level technique of carving the PDF binary directly with Python, using the re module from the standard library is described, and found to accurately and completely extract all of the pertinent metadata from the PDF file with a degree of completeness suitable for digital forensics use cases. These low-level techniques are built into a stand-alone open source Linux utility, pdf-metadata, which is discussed in the paper’s final section.


  • Intrusion Prevention System Signature Management Theory by Joshua Levine - February 5, 2019 in Intrusion Prevention

    The intrusion prevention system (IPS) serves as one of the critical components for a defense-in-depth solution. IPS appliances allow for active, inline protection for known and unknown threats passing across a network segment at all layers of the OSI model. The employment, tuning, and upkeep of signatures on an IPS may lead to a negative impact on production traffic if not properly maintained. This document serves as baseline guidance to help shape the development of an organizational IPS signature management policy. Concepts are presented to address the lifecycle of an IPS signature from employment to expiration. Through proper maintenance, placement, and tuning of signatures, an unwanted impact to network traffic can be kept to a minimum while also achieving an optimal balance of security and network performance. By understanding the tenets of effective IPS signature evaluation, employment, tuning, and expiration, organizations can maintain an acceptable network security posture along with adequate levels of network performance.


  • The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey (Analyst Paper; requires membership in SANS.org community)
    by Rebekah Brown and Robert M. Lee - February 4, 2019 in Security Trends, Threats/Vulnerabilities

    In order to use cyber threat intelligence (CTI) effectively, organizations must know what intelligence to apply and where to get that intelligence. This paper delves into the results of the SANS 2019 Cyber Threat Intelligence Survey and explores the value of CTI, CTI requirements, how respondents are currently using CTI, and what the future holds.


  • PyFunnels: Data Normalization for InfoSec Workflows (STI Graduate Student Research)
    by TJ Nicholls - February 1, 2019 in Free and Open Source Software

    Information security professionals cannot afford delays in their workflow due to the challenge of integrating data. For example, when data is gathered using multiple tools, the varying output formats must be normalized before automation can occur. This research details a Python library to normalize output from industry standard tools and act as a consolidation point for that functionality. Information security professionals should collaborate using a centralized resource that facilitates easy access to output data. Doing so will bypass extraneous tasks and jump straight to the application of practical data.


  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 in Intrusion Detection, Incident Handling, Intrusion Prevention, Penetration Testing, Threats/Vulnerabilities

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malware (Rut15), their tactics, techniques and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users’ computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.


  • Shell Scripting for Reconnaissance and Incident Response by Mark Gray - January 25, 2019 in Security Basics, Forensics, Incident Handling, Linux Issues, Free and Open Source Software

    It has been said that scripting is a process with three distinct phases: identification of a problem and solution, implementation, and maintenance. By applying an analytical mindset, anyone can create reusable scripts that are easily maintainable for the purpose of automating redundant and tedious tasks of a daily workflow. This paper serves as an introduction to the common structure and the various uses of shell scripts, methods for observing script execution, how shells operate, and how commands are found and executed. Additionally, this paper covers how to apply functions, control structures and variables to increase readability and maintainability of scripts. Best practices for system and network reconnaissance, as well as incident response, are provided; the examples of employment demonstrate the utilization of shell scripting as an alternative to applying similar functionality in more intricate programming languages.


  • ICS Layered Threat Modeling by Mounir Kamal - January 22, 2019 in Industrial Control Systems / SCADA

    The ultimate goal of building cybersecurity architecture is to protect systems from potential threats that can cause imminent harm to the institution. Often, we hear a common expression in the information security world, “security by design,” which is a deeper terminology than it looks, as it requires compiling a list of possible threats against targeted systems. Building a threat model will guide us on how to build a secure architecture and achieve the security by design concept, and this is precisely what the paper aims to explore. This paper is an intensive study to collect accurate and plausible threat models that can help to secure ICS architecture by design.


  • Enterprise Security with a Fluid Perimeter (Analyst Paper; requires membership in SANS.org community)
    by Matt Bromiley - January 22, 2019 in Intrusion Detection

    Between BYOD, the cloud, third-party providers and a fluctuating mobile workforce, it is growing more difficult to maintain a rigid security policy. This paper examines critical techniques to addressing this issue, including the role of baselining, integrating and automating response, and defending against attacks more quickly, as well as specific action items for better protection.


  • Evolving Micro-Segmentation for Preventive Security: Adaptive Protection in a DevOps World (Analyst Paper; requires membership in SANS.org community)
    by Dave Shackleford - January 7, 2019 in Automation, Security Awareness, Security Trends

    This paper looks at micro-segmentation as a new way to approach network security. The paper proposes ways to implement effective cyber hygiene, examines the role of automation, and explores ways to add security to workflows.


  • Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity (STI Graduate Student Research)
    by Dallas Haselhorst - January 4, 2019 in Intrusion Detection, Forensics, Logging Technology and Techniques, Threat Hunting

    The information security industry is predicted to exceed 100 billion dollars in the next few years. Despite the dollars invested, breaches continue to dominate the headlines. Despite best efforts, all attempts to keep the enemies at the gates have ultimately failed. Meanwhile, attacker dwell times on compromised systems and networks remain absurdly high. Traditional defenses fall short in detecting post-compromise activity even when properly configured and monitored. Prevention must remain a top priority, but every security plan must also include hunting for threats after the initial compromise. High price tags often accompany quality solutions, yet tools such as Security Onion, Zeek (Bro), and RITA require little more than time and skill. With these freely available tools, organizations can effectively detect advanced threats including real-world command and control frameworks.


  • Defend Your Business Against Insider Threats (Analyst Paper; requires membership in SANS.org community)
    by Matt Bromiley - January 4, 2019 in Best Practices, Data Loss Prevention

    Your business faces a security risk that may not even be on your radar. Looming from within are insider threats, which pose a significant risk to small- and medium-sized businesses (SMBs). Matt Bromiley breaks down the two types of insider threats and provides specific, actionable steps and user education tips you can implement today to protect and defend your business against threats from the inside.


  • Defend Your Business Against Phishing (Analyst Paper; requires membership in SANS.org community)
    by Matt Bromiley - January 4, 2019 in Best Practices, Social Engineering

    Phishing is an ever-evolving and pervasive method of attack against small- and medium-sized businesses (SMBs). Don't let your business be an easy target! After walking you through the phishing techniques that attackers commonly use, Matt Bromiley shares proven strategies and specific, actionable steps you can take today to reduce your risk. No matter your budget or level of expertise, you can defend against phishing attacks.


  • Gaining Visibility on the Network with Security Onion: A Cyber Threat Intelligence Based Approach (STI Graduate Student Research)
    by Alfredo Hickman - January 2, 2019 in Network Security

    Generating threat intelligence, detecting network intrusions, and preventing cyber threat actors from executing their objectives are critical measures for preserving cybersecurity. Network breaches of organizations such as the U.S. Office of Personnel Management, Target, Anthem, and many others, are proving that individuals and organizations of all sizes and backgrounds are targets of cyber threat actors. Another reality is that not everybody is equipped and funded to leverage threat intelligence to detect network intrusions and respond accordingly.


  • Don't Knock Bro (STI Graduate Student Research)
    by Brian Nafziger - December 12, 2018 in Incident Handling

    Today's defenders often focus detections on host-level tools and techniques thereby requiring host logging setup and management. However, network-level techniques may provide an alternative without host changes. The Bro Network Security Monitor (NSM) tool allows today's defenders to focus detection techniques at the network-level. An old method for controlling a concealed backdoor on a system using a defined sequence of packets to various ports is known as port-knocking. Unsurprisingly, old methods still offer value and malware, defenders, and attackers still use port-knocking. Current port-knocking detection relies on traffic data mining techniques that only exist in academia writing without any applicable tools. Since Bro is a network-level tool, it should be possible to adapt these data mining techniques to detect port-knocking within Bro. This research will document the process of creating and confirming a port-knocking network-level detection with Bro that will provide an immediate and accessible detection technique for organizations.


  • Automating Detection and Response: A SANS Review of Swimlane (Analyst Paper; requires membership in SANS.org community)
    by Alissa Torres - December 11, 2018 in Automation, Security Analytics and Intelligence, Security Trends

    This paper highlights the best-in-breed features of Swimlane: its ease of use, customizability, role-based access control and current technology integrations. We put Swimlane through its paces in a triage of a typical phishing email, applying the concept of componential workflow automation.


  • Protecting Data To, From and In the Cloud (Analyst Paper; requires membership in SANS.org community)
    by Dave Shackleford - December 11, 2018 in Cloud Computing, Data Protection

    Attackers have adapted their strategies to the cloud and will likely continue to focus on this threat surface. In this spotlight paper, SANS offers some guidance and recommendations for improving cloud service visibility, data protection, threat protection, access control and reporting.


  • An Evaluator's Guide to NextGen SIEM (Analyst Paper; requires membership in SANS.org community)
    by Barbara Filkins - December 6, 2018 in Logging Technology and Techniques, Threats/Vulnerabilities

    A traditional SIEM often lacks the capability to produce actionable information and has a limited shelf life. To be effective, a SIEM must stay relevant in the face of new threats and changes in an organization's technical and support infrastructures. Learn about the key questions to ask as you research adding a next-generation SIEM, one that captures data and generates information that security teams can use as intelligence to detect potentially malicious activity.


  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 in Automation, Incident Handling, Malicious Code

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.


  • A Practical Model for Conducting Cyber Threat Hunting by Dan Gunter and Marc Seitz - November 29, 2018 in Threat Hunting

    There remains a lack of definition and a formal model from which to base threat hunting operations and quantifying the success of said operations from the beginning of a threat hunt engagement to the end that also allows analysis of analytic rigor and completeness. The formal practice of threat hunting seeks to uncover the presence of attacker tactics, techniques, and procedures (TTP) within an environment not already discovered by existing detection technologies. This research outlines a practical and rigorous model to conduct a threat hunt to discover attacker presence by using six stages: purpose, scope, equip, plan review, execute, and feedback. This research defines threat hunting as the proactive, analyst-driven process to search for attacker TTP within an environment. The model was tested using a series of threat hunts with real-world datasets. Threat hunts conducted with and without the model observed the effectiveness and practicality of this research. Furthermore, this paper contains a walkthrough of the threat hunt model based on the information from the Ukraine 2016 electrical grid attacks in a simulated environment to demonstrate the model's impact on the threat hunt process. The outcome of this research provides an effective and repeatable process for threat hunting as well as quantifying the overall integrity, coverage, and rigor of the hunt.


  • Integrating Threat Intelligence into Endpoint Security: A Review of CrowdStrike Falcon X (Analyst Paper; requires membership in SANS.org community)
    by Dave Shackleford - November 26, 2018 in Threat Hunting, Threats/Vulnerabilities

    While threat intelligence can transform an organization's security posture, it can be complex and costly for organizations to adopt and operationalize. With that in mind, SANS Analyst Dave Shackleford tested CrowdStrike Falcon X, which purportedly enables cybersecurity teams to automatically analyze malware found on endpoints, find related threats and enrich the results with customized threat intelligence. This review encapsulates his findings, and details how the solution can help SOC teams.


  • SDN Southbound Threats by Mohamed Mahdy - November 20, 2018 in Network Security

    SDN (Software-Defined Networks) technologies are based on three pillars: decoupling control and forwarding planes; centralized management with a programmable network; and commodity switches. As with every new technology, the primary concern is always around security. Security concerns are on the rise due to exposing and forwarding internal communications to the network layer. For example, as a result of connecting overseas devices as a single data center or LAN, SDN infrastructure is exposed to external threats. Strategies used for SDN security are similar to legacy networks: defining the perimeters, trust areas, and stakeholders. Monitoring, including logging processes and user activity, is critical to secure the SDN components. Protection against Southbound and Northbound attacks is vital to keep the SDN deployment secured. Due to the concerns about evolving SDN threats and the different components included in their deployment, more informative penetration testing frameworks are needed to test SDN deployment security. The DELTA project (SDN evaluation framework to recognize attack cases against SDN elements and assist in identifying unknown security problems) developed by KAIST (Korea Advanced Institute of Science and Technology) students, is one such project discussed in this paper.


  • A Swipe and a Tap: Does Marketing Easier 2FA Increase Adoption? (STI Graduate Student Research)
    by Preston Ackerman - November 19, 2018 in Authentication, Security Awareness, Home & Small Office

    Data breaches and Internet-enabled fraud remain a costly and troubling issue for businesses and home end-users alike. Two-factor authentication (2FA) has long held promise as one of the most viable solutions that enables ordinary users to implement extraordinary protection. A security industry push for widespread 2FA availability has resulted in the service being offered free of charge on most major platforms; however, user adoption remains low. A previous study (Ackerman, 2017) indicated that awareness videos can influence user behavior by providing a clear message which outlines personal risks, offers a mitigation strategy, and demonstrates the ease of implementing the mitigating measure. Building on that previous work, this study, focused on younger millennials between 21 and 26 years of age, seeks to reveal additional insights by designing experiments around the following key questions: 1) Does including a real-time implementation demonstration increase user adoption? 2) Does marketing the convenient push notification form of 2FA, rather than the popular SMS text method, increase user adoption? To address these questions, a two-phase study exposed groups of users to different video messages advocating use of 2FA. Each phase of the survey collected data measuring self-efficacy, fear, response costs and efficacy, perceived threat vulnerability and severity, and behavioral intent. The second phase also collected survey data regarding actual 2FA adoption. The insights derived from subsequent analysis could be applicable not just to increasing 2FA adoption but to security awareness programs more generally.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.