Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,810 original computer security white papers in 108 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the ondemand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • The Definition of SOC-cess? SANS 2018 Security Operations Center Survey Analyst Paper (requires membership in SANS.org community)
    by Christopher Crowley and John Pescatore - August 13, 2018 in Security Trends, SOC

    Although SOCs are maturing, staffing and retention issues continue to vex critical SOC support functions. In this paper, learn how respondents to our 2018 SOC survey are staffing their SOCs, the value of cloud-based services to augment staff and technology, and respondents' level of satisfaction with the architectures they've deployed.


  • Processing experimental protocols against IDS by Tommy Adams - August 10, 2018 in Intrusion Detection

    Experimental protocols such as TCP Fastopen, QUIC, and Multipath TCP are not uncommon on Internet-connected networks. If a network has modern operating systems and browsers, it is a near certainty that experimental protocols are traversing the network. This paper will examine potential consequences of experimental protocols to current network security monitoring practices and the potential for intrusion detection evasion. This paper will provide a roadmap by which an analyst may process any new, odd, or experimental traffic against their open-source intrusion detection system.


  • Which YARA Rules Rule: Basic or Advanced? STI Graduate Student Research
    by Chris Culling - August 10, 2018 in Tools

    YARA rules, if used effectively, can be a powerful tool in the fight against malware. However, it appears that the majority of individuals who use YARA write only the most basic of rules, instead of taking advantage of YARA’s full functionality. Basic YARA rules, which focus primarily on identifying malware signatures via detection of predetermined strings within the target file, folder, or process, can be evaded as malware variants are created. Advanced YARA rules, on the other hand, which often include signatures as well, also focus on the malware’s behavior and characteristics, such as size and file type. While it is not uncommon for strings within malware to change, it is much rarer that its primary behavior will. After analyzing multiple samples of two different malware strains within the same family, it became clear that using both basic and advanced YARA rules is the most effective way for users and analysts to implement this powerful tool. As there are a large number of advanced capabilities contained within YARA, this paper will focus on easy-to-use, advanced features, including YARA's Portable Execution (PE) module, to highlight some of the more powerful aspects of YARA. While it takes more time and effort to learn and utilize advanced YARA rules, in the long run, this method is a worthwhile investment towards a safer networking environment.


  • Evidence of Data Exfiltration via Containerised Applications on Virtual Private Servers by Seth Enoka - August 6, 2018 in Forensics

    The use of application containerisation is on the rise due to the lightweight, portable nature of applications developed with this technology, and the ease with which containers can be administered. Instead of deploying an entire virtual machine to run applications separately from one another, users are now able to create modular, insulated software packages which are not necessarily integrated with the host operating system. This means the packages are able to be configured once, then deployed to many servers, many times, instantiated and then removed without affecting the host in the same way traditional applications would. Because of the portability of the applications, they are more versatile and less resource expensive to deploy and maintain. This also means that containerised applications are somewhat ethereal, and can be run only when required; this can present a challenge for security professionals because these applications do not collaborate with the host operating system in a traditional way. Therefore, they can leave fewer artefacts behind for a forensic investigator to analyse. This analysis can be further impeded by the fact that containerisation is being used within virtual private servers hosted in the cloud.


  • PiOT – a small form factor defense for indefensible devices by James Leyte-Vidal - August 2, 2018 in Internet of Things

    For several years, observed trends have shown the ever-increasing growth of network-connected ‘things’ – items like appliances, lighting, controllers, and others that have not typically been network connected in the past. This has resulted in a significant increase in attack surface in networks that connect these devices, as many of these ‘things’ have not been designed or implemented with security in mind. While the industry continues to work with these manufacturers to offer better, more secure alternatives, there are many devices out there today that present a risk. To combat this issue, and to help mitigate this risk, we present PiOT. PiOT is a RaspberryPi-based device intended to be placed in front of vulnerable IoT devices. In conjunction with traffic monitoring and logging tools, PiOT is intended to be a robust, expandable platform for monitoring and responding to attempted access to vulnerable IoT devices. In this paper, we will outline the PiOT build process and show the capability to observe access to an IoT device. The total cost for this build is less than $100.


  • How Visibility of the Attack Surface Minimizes Risk Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - July 30, 2018 in Cloud Computing, Security Trends

    To understand risks and control the attack surface, you need visibility. But what is visibility and why is it critical? And how do you get it? This paper will help you define visibility for effective security and understand why visibility is key to determining your exposure and potential vulnerabilities.


  • Understanding the (True) Cost of Endpoint Management Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - July 30, 2018 in Clients and Endpoints

    In this paper, we review the challenges in dealing with complex, ever-changing environments and offer suggestions and recommendations in effective endpoint management. Additionally, we discuss enterprise security as it relates to endpoint management and examine the benefits of integrating endpoint management into your security posture.


  • A Guide to Managing Cloud Security Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - July 25, 2018 in Cloud Computing, Threats/Vulnerabilities

    While many of the core concepts of vulnerability and threat management remain the same in the world of cloud deployments, we need to adapt our thinking to operate in a hybrid or public cloud deployment model. This paper will help you evaluate cloud vulnerabilities and threat management, and protect your data and assets in a dynamic cloud infrastructure.


  • AI Hunting with the Cybereason Platform: A SANS Review Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - July 23, 2018 in Threat Hunting

    SANS reviewed Cybereason's AI hunting platform, which offers a lightweight, behavior-focused model of host-based protection that can help intrusion analysis and investigations teams more rapidly and efficiently prevent, detect and analyze malicious behavior in their environments.


  • Security Considerations for Team Based Password Managers by Matthew Schumacher - July 23, 2018 in Commercial Software

    Password management applications are a common and practical way to store complex passwords. They use encryption to protect the passwords from attack, but like in any other cryptographic system, they rely on a secret key to encrypt the data. The typical approach is to derive the secret key used to encrypt the password database from a master password. This eliminates the requirement to store or protect the secret key; however, this approach doesn’t work well for multi-user password managers, as team based password management applications need to allow for each user having his/her own unique password, and may require other features such as password sharing, fine grained access control, or domain integration. This paper explores a few ways that different password management applications work in a team environment, and the strengths and weaknesses of their implementations. By learning about some of the underlying technologies and principles, then analyzing a few popular software applications, the reader should be better equipped to choose a solution that best fits their functional and security requirements.


  • Hunting with Rigor: Quantifying the Breadth, Depth and Threat Intelligence Coverage of a Threat Hunt in Industrial Control System Environments by Dan Gunter - July 23, 2018 in Threat Hunting

    Threat hunting provides an organization a proactive opportunity to discover hidden attackers and to evaluate and improve the security posture of the environment. While existing research focuses on technical methods for threat hunting, a way to assess the rigor and completeness of threat hunting activities remains unexplored. This research examines several methods that can be implemented/used to calculate coverage of threat hunts. Coverage calculation methods include kill chain coverage, attacker tactic, technique and procedure coverage and threat intelligence coverage. This research also explores how to automate the calculation of threat hunt coverage. By following the process outlined by this research, analysts can ensure that planned threat hunts remain relevant to the overall goal of the hunt and that these hunts can maximize the chance of adversary detection success.


  • The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns Analyst Paper (requires membership in SANS.org community)
    by Barbara Filkins - July 18, 2018 in Industrial Control Systems / SCADA, Internet of Things

    IIoT endpoint security is the leading concern of respondents to the 2018 SANS IIoT Security Survey, with network security controls and countermeasures being the main enablers of IIoT security. Most of the growth in connected devices is expected to be for those used for monitoring, status, alarms and alerting, as well as predictive maintenance, but over 50% of respondents are still using their devices controlling operations and processes. Read on to learn more.


  • Times Change and Your Training Data Should Too: The Effect of Training Data Recency on Twitter Classifiers STI Graduate Student Research
    by Ryan O'Grady - July 11, 2018 in Artificial Intelligence

    Sophisticated adversaries are moving their botnet command and control infrastructure to social media microblogging sites such as Twitter. As security practitioners work to identify new methods for detecting and disrupting such botnets, including machine-learning approaches, we must better understand what effect training data recency has on classifier performance. This research investigates the performance of several binary classifiers and their ability to distinguish between non-verified and verified tweets as the offset between the age of the training data and test data changed. Classifiers were trained on three feature sets: tweet-only features, user-only features, and all features. Key findings show that classifiers perform best at +0 offset, feature importance changes over time, and more features are not necessarily better. Classifiers using user-only features performed best, with a mean Matthews correlation coefficient of 0.95 ± 0.04 at +0 offset, 0.58 ± 0.43 at -8 offset, and 0.51 ± 0.21 at +8 offset. The R2 values are 0.90, 0.34, and 0.26, respectively. Thus, the classifiers tested with +0 offset accounted for 56% to 64% more variance than those tested with −8 and +8 offset. These results suggest that classifier performance is sensitive to the recency of the training data relative to the test data. Further research is needed to replicate this experiment with botnet vs. non-botnet tweets to determine if similar classifier performance is possible and the degree to which performance is sensitive to training data recency.


  • Content Security Policy in Practice by Varghese Palathuruthil - July 6, 2018 in Securing Code

    The implementation of Content Security Policy to leverage web browser capability in protecting a web application from cross-site scripting attack has been a challenge for many legacy web applications. Typical web applications maintained over the years accumulate a number of web pages that do not follow a consistent design. There are no widely available tools to quickly transform legacy web pages to adopt Content Security Policy. The results of this research cover the outcome of implementing a set of tools to address this need.


  • One-Click Forensic Analysis: A SANS Review of EnCase Forensic Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - June 27, 2018 in Application and Database Security, Tools

    When security incidents occur, law enforcement needs forensic information in hours, not days. The new features in EnCase Forensic 8 purport to assist investigators in gathering and analyzing key data in a more efficient manner. Learn more in this product review of EnCase Forensic 8.


  • Using Image Excerpts to Jumpstart Windows Forensic Analysis by John Brown - June 25, 2018 in Forensics

    There are many options available for acquiring, processing and analyzing forensic disk images. Choices range from feature-rich commercial tools that provide all-in-one solutions, to open source scripts for carrying out specific tasks. The availability of these tools and the hard work of those who contribute to the forensic community have made the job of the examiner much easier. Even with recent advances, analysis can still be time-consuming, particularly in the acquisition and processing of Windows full disk images. One alternative is to extract and analyze the files historically known to contain the most relevant data first. In many cases, a relatively small number of files contain the majority of information needed to perform a forensic examination. Tests were performed on Windows images to analyze some of these high-value artifacts to find an efficient approach for selectively acquiring and extracting different types of metadata. A script was then written to automate repetitive steps and leverage open source tools found on the most recent Linux version of the SANS SIFT virtual machine.


  • Cloud Security: Are You Ready? Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - June 18, 2018 in Application and Database Security, Best Practices

    As more midsize organizations move into the cloud, security professionals may wonder why cloud security seems difficult. More than likely, the real security challenge is the perceived loss of control. Numerous security best practices plus improved security products and services now exist. This short paper takes a look at some of the key elements and best practices for midsize enterprises looking to ensure security in their cloud implementations.


  • Windows 10 as a Forensic Platform STI Graduate Student Research
    by Ferenc Kovacs - June 15, 2018 in Forensics

    Microsoft Windows is widely used by forensic professionals. Windows 10 is the latest version available today. Many popular forensic packages such as FTK, Encase, and Redline run only on Windows. Other packages such as Python, Volatility, The Sleuth Kit and Autopsy have Windows versions. This paper will detail the process of configuring a Windows 10 computer as a forensics investigation platform. It will show the necessary steps to set up the operating system, install Windows Subsystem for Linux, Python, VMware, and VirtualBox. The research will examine the setup of dd.exe, FTK Imager, Encase Forensic Imager, Redline, The Sleuth Kit, Autopsy, the SANS SIFT workstation, Volatility and Log2Timeline. This research will also highlight the external devices that will be used such as write blockers and external drives. Metrics will be collected to show the effectiveness of the software tools and hardware devices. By following the described steps, the reader will have a configured Windows 10 workstation that provides a useful platform for conducting forensic investigations.


  • Stopping IoT-based Attacks on Enterprise Networks Analyst Paper (requires membership in SANS.org community)
    by G. W. Ray Davidson - June 14, 2018

    The increased use of IoT devices on business networks presents a growing challenge to security, and printers are an especially overlooked device from a security perspective. This paper examines specific attack areas for IoT devices, particularly printers, including data, management, monitoring and reporting, and makes recommendations for protecting against various attacks.


  • Endpoint Protection and Response: A SANS Survey Analyst Paper (requires membership in SANS.org community)
    by Lee Neely - June 12, 2018 in Clients and Endpoints

    Respondents have a vested interest in improving visibility, detection and response through more automated, integrated endpoint protection, detection and response technologies. In this survey, 84% of endpoint breaches included more than one endpoint. Desktops, laptops, server endpoints, endpoints in the cloud, SCADA and other IIoT devices are being caught in the dragnet of multi-endpoint breaches. Read on for more detail, best practices and advice.


  • Back to Basics: Building a Foundation for Cyber Integrity Analyst Paper (requires membership in SANS.org community)
    by Barbara Filkins - June 6, 2018 in Security Awareness

    File integrity is at the heart of maintaining a secure cyber profile. But cyber security must also protect system integrity--the state of the infrastructure (encompassing applications, endpoints and networks) where intended functions must not be degraded or impaired by other changes or disruptions to its environments. This SANS Spotlight explores how cyber integrity weaves people, processes and technology together into a holistic framework that guards the modern enterprise against changes, whether authorized or unauthorized, that weaken security and destabilize operations.


  • Passive Analysis of Process Control Networks by Jennifer Janesko - June 1, 2018 in Intrusion Detection, Industrial Control Systems / SCADA, Tools

    In recent years there has been an increased push to secure critical ICS infrastructures by introducing information security management systems. One of the first steps in the ISMS lifecycle is to identify which assets are present in the infrastructure and to determine which ones are critical for operations. This is a challenge because, for various reasons, the documentation of the current state of ICS networks is often not up-to-date. Classic inventorying techniques such as active network scanning cannot be used to remedy this because ICS devices tend to be sensitive to unexpected network traffic. Active scanning of these systems can lead to physical damage and even injury. This paper introduces a passive network analysis approach to starting, verifying and/or supplementing an ICS asset inventory. Additionally, this type of analysis can also provide some insight into the ICS network’s current security posture.


  • Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules by Hirokazu Murakami - May 27, 2018 in Malicious Code

    Today, a lot of malware is being created and utilized. To solve this problem, many researchers study technologies that can quickly respond automatically to detected malware. Using artificial intelligence (AI) is such an example. However, modern AI has difficulty responding to new attack methods. On the other hand, malware consists of variants, and the root (core) part often uses the same technology. Therefore, I think that if we can identify that core part of malware through analysis, we can identify many variants as well. Consider the possibility of reverse engineering to identify countermeasures from malware analysis results.


  • Hunting Threats Inside Packet Captures by Muhammad Alharmeel - May 23, 2018 in Threat Hunting

    Inspection of packet captures (PCAP) for signs of intrusions is a typical everyday task for security analysts and an essential skill analysts should develop. Malware has many ways to hide its activities on the system level (i.e. rootkits), but in the end it must leave a visible trace on the network level, regardless of whether it's obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace, dissecting it using Bro Network Security Monitor (Bro) to facilitate active threat hunting in an efficient time to detect possible intrusions.


  • Extracting Timely Sign-in Data from Office 365 Logs by Mark Lucas - May 22, 2018 in Logging Technology and Techniques

    Office 365 is quickly becoming a repository of valuable organizational information, including data that falls under multiple privacy laws. Timely detection of a compromised account and stopping the bad guy before data is exfiltrated, destroyed, or the account used for nefarious purposes is the difference between an incident and a compromise. Microsoft provides audit logging and alerting tools that can assist system administrators in finding these incidents. An examination of the efficacy and efficiency of these tools and their shortcomings and advantages provides insight into how to best use the tools to protect individual accounts and the organization as a whole.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.