7 days left to get a GIAC Cert Attempt or $350 Off with OnDemand and vLive Training

Reading Room: Most Popular Papers

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






Featuring the 25 most popular papers within the past week as of December 19, 2018

  • Don't Knock Bro STI Graduate Student Research
    by Brian Nafziger - December 12, 2018 in Incident Handling

    Today's defenders often focus detections on host-level tools and techniques thereby requiring host logging setup and management. However, network-level techniques may provide an alternative without host changes. The Bro Network Security Monitor (NSM) tool allows today's defenders to focus detection techniques at the network-level. An old method for controlling a concealed backdoor on a system using a defined sequence of packets to various ports is known as port-knocking. Unsurprisingly, old methods still offer value and malware, defenders, and attackers still use port-knocking. Current port-knocking detection relies on traffic data mining techniques that only exist in academia writing without any applicable tools. Since Bro is a network-level tool, it should be possible to adapt these data mining techniques to detect port-knocking within Bro. This research will document the process of creating and confirming a port-knocking network-level detection with Bro that will provide an immediate and accessible detection technique for organizations.


  • Protecting Data To, From and In the Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - December 11, 2018 in Cloud Computing, Data Protection

    Attackers have adapted their strategies to the cloud and will likely continue to focus on this threat surface. In this spotlight paper, SANS offers some guidance and recommendations for improving cloud service visibility, data protection, threat protection, access control and reporting.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Physical Security and Why It Is Important by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    `A lot of currently available penetration testing resources lack report writing methodology and approach which leads to a very big gap in the penetration testing cycle. Report in its definition is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report Writing is a crucial part for any service providers especially in IT service/ advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at major electronics firm Said "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying that in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)


  • Detecting DNS Tunneling STI Graduate Student Research
    by Greg Farnham - March 19, 2013 in DNS Issues

    Web browsing and email use the important protocol, the Domain Name System (DNS), which allows applications to function using names, such as example.com, instead of hard-to-remember IP addresses.


  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 in Automation, Incident Handling, Malicious Code

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.


  • A Swipe and a Tap: Does Marketing Easier 2FA Increase Adoption? STI Graduate Student Research
    by Preston Ackerman - November 19, 2018 in Authentication, Security Awareness, Home & Small Office

    Data breaches and Internet-enabled fraud remain a costly and troubling issue for businesses and home end-users alike. Two-factor authentication (2FA) has long held promise as one of the most viable solutions that enables ordinary users to implement extraordinary protection. A security industry push for widespread 2FA availability has resulted in the service being offered free of charge on most major platforms; however, user adoption remains low. A previous study (Ackerman, 2017) indicated that awareness videos can influence user behavior by providing a clear message which outlines personal risks, offers a mitigation strategy, and demonstrates the ease of implementing the mitigating measure. Building on that previous work, this study, focused on younger millennials between 21 and 26 years of age, seeks to reveal additional insights by designing experiments around the following key questions: 1) Does including a real-time implementation demonstration increase user adoption? 2) Does marketing the convenient push notification form of 2FA, rather than the popular SMS text method, increase user adoption? To address these questions, a two-phase study exposed groups of users to different video messages advocating use of 2FA. Each phase of the survey collected data measuring self-efficacy, fear, response costs and efficacy, perceived threat vulnerability and severity, and behavioral intent. The second phase also collected survey data regarding actual 2FA adoption. The insights derived from subsequent analysis could be applicable not just to increasing 2FA adoption but to security awareness programs more generally.


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • A Practical Model for Conducting Cyber Threat Hunting by Dan Gunter and Marc Seitz - November 29, 2018 in Threat Hunting

    There remains a lack of definition and a formal model from which to base threat hunting operations and quantifying the success of said operations from the beginning of a threat hunt engagement to the end that also allows analysis of analytic rigor and completeness. The formal practice of threat hunting seeks to uncover the presence of attacker tactics, techniques, and procedures (TTP) within an environment not already discovered by existing detection technologies. This research outlines a practical and rigorous model to conduct a threat hunt to discover attacker presence by using six stages: purpose, scope, equip, plan review, execute, and feedback. This research defines threat hunting as the proactive, analyst-driven process to search for attacker TTP within an environment. The model was tested using a series of threat hunts with real-world datasets. Threat hunts conducted with and without the model observed the effectiveness and practicality of this research. Furthermore, this paper contains a walkthrough of the threat hunt model based on the information from the Ukraine 2016 electrical grid attacks in a simulated environment to demonstrate the model's impact on the threat hunt process. The outcome of this research provides an effective and repeatable process for threat hunting as well as quantifying the overall integrity, coverage, and rigor of the hunt.


  • Case Study: Critical Controls that Could Have Prevented Target Breach STI Graduate Student Research
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).


  • A Black-Box Approach to Embedded Systems Vulnerability Assessment by Michael Horkan - December 5, 2016 in Security Basics, Risk Management

    Vulnerability assessment of embedded systems is becoming more important due to security needs of the ICS/SCADA environment as well as the emergence of the Internet of Things (IoT). Often, these assessments are left to test engineers without intimate knowledge of the device's design, no access to firmware source or tools to debug the device while testing. This gold paper will describe a test lab black-box approach to evaluating an embedded device's security profile and possible vulnerabilities. Open-source tools such as Burp Suite and python scripts based on the Sulley Fuzzing Framework will be employed and described. The health status of the device under test will be monitored remotely over a network connection. I include a discussion of an IoT test platform, implemented for Raspberry Pi, and how to approach the evaluation of IoT using this device as an example.


  • A Practical Methodology for Implementing a Patch management Process by Daniel Voldal - September 26, 2003 in Best Practices

    This paper presents one methodology for identifying, evaluating and applying security patches in a real world environment along with descriptions of some useful tools that can be used to automate the process.


  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • A Security Checklist for Web Application Design by Gail Bayse - May 2, 2004 in Securing Code

    Web applications are very enticing to corporations. They provide quick access to corporate resources; user-friendly interfaces, and deployment to remote users is effortless. For the very same reasons web applications can be a serious security risk to the corporation.


  • Hacking the CAN Bus: Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering STI Graduate Student Research
    by Roderick Currie - June 20, 2017 in Security Awareness, Threats/Vulnerabilities

    The modern automobile is an increasingly complex network of computer systems. Cars are no longer analog, mechanical contraptions. Today, even the most fundamental vehicular functions have become computerized. And at the core of this complexity is the Controller Area Network, or CAN bus. The CAN bus is a modern vehicle's central nervous system upon which the majority of intra-vehicular communication takes place. Unfortunately, the CAN bus is also inherently insecure. Designed more than 30 years ago, the CAN bus fails to implement even the most basic security principles. Prior scholarly research has demonstrated that an attacker can gain remote access to a vehicle's CAN bus with relative ease. This paper, therefore, seeks to examine how an attacker already inside a vehicle's network could manipulate the vehicle by reverse engineering CAN bus communications. By providing a reproducible methodology for CAN bus reverse engineering, this paper also serves as a basic guide for penetration testers and automotive security researchers. The techniques described in this paper can be used by security researchers to uncover vulnerabilities in existing automotive architectures, thereby encouraging automakers to produce more secure systems going forward.


  • Tracking Malware With Public Proxy Lists by James Powers - January 27, 2011 in Malicious Code, Tools

    The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd, was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).


  • Using IOC (Indicators of Compromise) in Malware Forensics by Hun-Ya Lock - April 17, 2013 in Forensics, Incident Handling, Malicious Code

    In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.


  • An Evaluator's Guide to NextGen SIEM Analyst Paper (requires membership in SANS.org community)
    by Barbara Filkins - December 6, 2018 in Logging Technology and Techniques, Threats/Vulnerabilities

    A traditional SIEM often lacks the capability to produce actionable information and has a limited shelf life. To be effective, a SIEM must stay relevant in the face of new threats and changes in an organizations technical and support infrastructures. Learn about the key questions to ask as you research adding a next-generation SIEM, one that captures data and generates information that security teams can use as intelligence to detect potentially malicious activity.


  • The Industrial Control System Cyber Kill Chain by Michael J. Assante and Robert M. Lee - October 5, 2015 in Industrial Control Systems / SCADA

    Read this paper to gain an understanding of an adversary's campaign against ICS. The first two parts of the paper introduce the two stages of the ICS Cyber Kill Chain. The third section uses the Havex and Stuxnet case studies to demonstrate the ICS Cyber Kill Chain in action.


  • Windows Logon Forensics by Sunil Gupta - March 12, 2013 in Forensics

    Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.


  • Generating Hypotheses for Successful Threat Hunting Analyst Paper (requires membership in SANS.org community)
    by Robert M. Lee and David Bianco - August 15, 2016 in Threat Hunting, Threats/Vulnerabilities

    Threat hunting is a proactive and iterative approach to detecting threats. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated. One of the human’s key contributions to a hunt is the formulation of a hypotheses to guide the hunt. This paper explores three types of hypotheses and outlines how and when to formulate each of them.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.