Reading Room

More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection. The SANS Reading Room features over 2,840 original computer security white papers in 108 different categories.

Analyst Papers: To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the on-demand version where you can download the slides.

Latest 25 Papers Added to the Reading Room

  • Don't Knock Bro STI Graduate Student Research
    by Brian Nafziger - December 12, 2018 in Incident Handling

    Today's defenders often focus detections on host-level tools and techniques, thereby requiring host logging setup and management. However, network-level techniques may provide an alternative without host changes. The Bro Network Security Monitor (NSM) tool allows today's defenders to focus detection techniques at the network level. An old method for controlling a concealed backdoor on a system using a defined sequence of packets to various ports is known as port-knocking. Unsurprisingly, old methods still offer value, and malware, defenders, and attackers still use port-knocking. Current port-knocking detection relies on traffic data mining techniques that only exist in academic writing without any applicable tools. Since Bro is a network-level tool, it should be possible to adapt these data mining techniques to detect port-knocking within Bro. This research will document the process of creating and confirming a port-knocking network-level detection with Bro that will provide an immediate and accessible detection technique for organizations.
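
    The network-level pattern the abstract describes (one source sending a short sequence of payload-less probes to several closed ports, then opening a connection to a service that was not among them) can be checked against Bro/Zeek conn.log-style records. The following is an added example in Python, not code from the paper or from the Bro/Zeek project; the sample records are constructed, and the heuristic and all of its thresholds (minimum and maximum knock count, knock window, time until the follow-on connection) are assumptions, not the paper's data mining method:

```python
"""Port-knock detection over Bro/Zeek conn.log-style records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records, tab-separated, in the order of the conn.log
# columns used here: ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state, orig_bytes.
# Zeek conn_state: S0 = SYN with no reply, REJ = SYN rejected, SF = normal connection.
KNOCK_THEN_OPEN = """\
1544616000.10\t10.0.0.5\t10.0.0.20\t7000\ttcp\tREJ\t0
1544616000.35\t10.0.0.5\t10.0.0.20\t8000\ttcp\tREJ\t0
1544616000.60\t10.0.0.5\t10.0.0.20\t9000\ttcp\tS0\t0
1544616001.10\t10.0.0.5\t10.0.0.20\t2222\ttcp\tSF\t812
"""
NORMAL_WEB = """\
1544616050.00\t10.0.0.7\t10.0.0.20\t80\ttcp\tSF\t411
1544616051.00\t10.0.0.7\t10.0.0.20\t443\ttcp\tSF\t398
"""
# A port scanner that probes a dozen closed ports and then finds the open web port.
# This must not be reported as a knock: scanners touch far more ports than a knock sequence.
PORT_SCAN = "".join(
    f"1544616100.{i:02d}\t10.0.0.9\t10.0.0.20\t{p}\ttcp\tREJ\t0\n"
    for i, p in enumerate(range(20, 32))
) + "1544616101.00\t10.0.0.9\t10.0.0.20\t80\ttcp\tSF\t300\n"

SAMPLE_CONN_LOG = KNOCK_THEN_OPEN + NORMAL_WEB + PORT_SCAN

# conn_state values where the TCP handshake never completed (the "closed port" probes).
FAILED_STATES = {"S0", "REJ", "RSTOS0", "RSTRH", "SH", "SHR"}


@dataclass
class Conn:
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str
    state: str
    orig_bytes: int


def parse_conn_log(text):
    """Parse the seven tab-separated columns above; '-' means unset in Zeek logs."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, oh, rh, rp, proto, state, ob = line.split("\t")
        conns.append(Conn(float(ts), oh, rh, int(rp), proto, state,
                          0 if ob == "-" else int(ob)))
    return conns


def detect_port_knocks(conns, min_knocks=3, max_knocks=8,
                       knock_window=5.0, open_within=30.0):
    """Report (src, dst) pairs where a knock sequence precedes a newly opened port.

    Assumed heuristic: between min_knocks and max_knocks distinct ports receive
    payload-less failed connections within knock_window seconds, and within
    open_within seconds a successful (SF) connection is made to a port that was
    NOT one of the knocked ports.  Thresholds are illustrative, not tuned values.
    """
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.orig_h, c.resp_h)].append(c)

    findings = []
    for (oh, rh), flows in by_pair.items():
        flows.sort(key=lambda c: c.ts)
        for i, f in enumerate(flows):
            if f.state != "SF":
                continue
            # Failed, payload-less probes shortly before this successful connection.
            knocks = [k for k in flows[:i]
                      if k.state in FAILED_STATES and k.orig_bytes == 0
                      and f.ts - k.ts <= open_within]
            if len(knocks) < min_knocks:
                continue
            ports = []
            for k in knocks:                      # distinct ports, first-seen order
                if k.resp_p not in ports:
                    ports.append(k.resp_p)
            if len(ports) < min_knocks or len(ports) > max_knocks:
                continue                          # too few knocks, or a scan
            if knocks[-1].ts - knocks[0].ts > knock_window:
                continue                          # probes too spread out in time
            if f.resp_p in ports:
                continue                          # a knocked port simply came up; not a new service
            findings.append({"ts": f.ts, "orig_h": oh, "resp_h": rh,
                             "knock_ports": ports, "opened_port": f.resp_p})
    return findings


def run_sample():
    """Run the detector over the constructed records above."""
    return detect_port_knocks(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['orig_h']} -> {hit['resp_h']}: knocked {hit['knock_ports']}, "
              f"then opened port {hit['opened_port']}")
```

    On the constructed input only the 10.0.0.5 sequence is reported; the ordinary web traffic has no preceding probes and the scanner is discarded by the upper knock-count bound. The max_knocks cut-off is the main caveat: a scanner that happens to hit only a few closed ports before an open one looks identical to a knock, so in practice the finding should be correlated with whether the opened port was reachable from anyone else beforehand.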


  • Automating Detection and Response: A SANS Review of Swimlane Analyst Paper (requires membership in SANS.org community)
    by Alissa Torres - December 11, 2018 in Automation, Security Analytics and Intelligence, Security Trends

    This paper highlights the best-in-breed features of Swimlane: its ease of use, customizability, role-based access control and current technology integrations. We put Swimlane through its paces in a triage of a typical phishing email, applying the concept of componential workflow automation.


  • Protecting Data To, From and In the Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - December 11, 2018 in Cloud Computing, Data Protection

    Attackers have adapted their strategies to the cloud and will likely continue to focus on this threat surface. In this spotlight paper, SANS offers some guidance and recommendations for improving cloud service visibility, data protection, threat protection, access control and reporting.


  • An Evaluator's Guide to NextGen SIEM Analyst Paper (requires membership in SANS.org community)
    by Barbara Filkins - December 6, 2018 in Logging Technology and Techniques, Threats/Vulnerabilities

    A traditional SIEM often lacks the capability to produce actionable information and has a limited shelf life. To be effective, a SIEM must stay relevant in the face of new threats and changes in an organization's technical and support infrastructures. Learn about the key questions to ask as you research adding a next-generation SIEM, one that captures data and generates information that security teams can use as intelligence to detect potentially malicious activity.


  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze
    by Matt Bromiley - November 29, 2018 in Automation, Incident Handling, Malicious Code

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.


  • A Practical Model for Conducting Cyber Threat Hunting
    by Dan Gunter and Marc Seitz - November 29, 2018 in Threat Hunting

    There remains a lack of definition and a formal model on which to base threat hunting operations and to quantify the success of said operations from the beginning of a threat hunt engagement to the end, one that also allows analysis of analytic rigor and completeness. The formal practice of threat hunting seeks to uncover the presence of attacker tactics, techniques, and procedures (TTP) within an environment not already discovered by existing detection technologies. This research outlines a practical and rigorous model to conduct a threat hunt to discover attacker presence by using six stages: purpose, scope, equip, plan review, execute, and feedback. This research defines threat hunting as the proactive, analyst-driven process to search for attacker TTP within an environment. The model was tested using a series of threat hunts with real-world datasets. Threat hunts conducted with and without the model observed the effectiveness and practicality of this research. Furthermore, this paper contains a walkthrough of the threat hunt model based on the information from the Ukraine 2016 electrical grid attacks in a simulated environment to demonstrate the model's impact on the threat hunt process. The outcome of this research provides an effective and repeatable process for threat hunting as well as quantifying the overall integrity, coverage, and rigor of the hunt.


  • Integrating Threat Intelligence into Endpoint Security: A Review of CrowdStrike Falcon X Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - November 26, 2018 in Threat Hunting, Threats/Vulnerabilities

    While threat intelligence can transform an organization's security posture, it can be complex and costly for organizations to adopt and operationalize. With that in mind, SANS Analyst Dave Shackleford tested CrowdStrike Falcon X, which purportedly enables cybersecurity teams to automatically analyze malware found on endpoints, find related threats and enrich the results with customized threat intelligence. This review encapsulates his findings, and details how the solution can help SOC teams.


  • SDN Southbound Threats
    by Mohamed Mahdy - November 20, 2018 in Network Security

    SDN (Software-Defined Networks) technologies are based on three pillars: decoupling control and forwarding planes; centralized management with a programmable network; and commodity switches. As with every new technology, the primary concern is always around security. Security concerns are on the rise due to exposing and forwarding internal communications to the network layer. For example, as a result of connecting overseas devices as a single data center or LAN, SDN infrastructure is exposed to external threats. Strategies used for SDN security are similar to legacy networks: defining the perimeters, trust areas, and stakeholders. Monitoring, including logging processes and user activity, is critical to secure the SDN components. Protection against Southbound and Northbound attacks is vital to keep the SDN deployment secure. Due to the concerns about evolving SDN threats and the different components included in their deployment, more informative penetration testing frameworks are needed to test SDN deployment security. The DELTA project (an SDN evaluation framework to recognize attack cases against SDN elements and assist in identifying unknown security problems), developed by KAIST (Korea Advanced Institute of Science and Technology) students, is one such project discussed in this paper.


  • A Swipe and a Tap: Does Marketing Easier 2FA Increase Adoption? STI Graduate Student Research
    by Preston Ackerman - November 19, 2018 in Authentication, Security Awareness, Home & Small Office

    Data breaches and Internet-enabled fraud remain a costly and troubling issue for businesses and home end-users alike. Two-factor authentication (2FA) has long held promise as one of the most viable solutions that enables ordinary users to implement extraordinary protection. A security industry push for widespread 2FA availability has resulted in the service being offered free of charge on most major platforms; however, user adoption remains low. A previous study (Ackerman, 2017) indicated that awareness videos can influence user behavior by providing a clear message which outlines personal risks, offers a mitigation strategy, and demonstrates the ease of implementing the mitigating measure. Building on that previous work, this study, focused on younger millennials between 21 and 26 years of age, seeks to reveal additional insights by designing experiments around the following key questions: 1) Does including a real-time implementation demonstration increase user adoption? 2) Does marketing the convenient push notification form of 2FA, rather than the popular SMS text method, increase user adoption? To address these questions, a two-phase study exposed groups of users to different video messages advocating use of 2FA. Each phase of the survey collected data measuring self-efficacy, fear, response costs and efficacy, perceived threat vulnerability and severity, and behavioral intent. The second phase also collected survey data regarding actual 2FA adoption. The insights derived from subsequent analysis could be applicable not just to increasing 2FA adoption but to security awareness programs more generally.


  • 2018 Secure DevOps: Fact or Fiction? Analyst Paper (requires membership in SANS.org community)
    by Jim Bird and Barbara Filkins - November 5, 2018 in Cloud Computing, Security Trends

    A new SANS survey indicates that fewer than half (46%) of survey respondents are confronting security risks up front in requirements and service design in 2018--and only half of respondents are fixing major vulnerabilities. This report chronicles how security practitioners are managing the collaborative, agile nature of DevOps and weaving it seamlessly into the development process.


  • Network Architecture with Security in Mind Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - November 2, 2018 in Network Access Control, Security Awareness

    This paper looks at how efficient and security-minded network routing and security tool utilization can shorten detection and response times.


  • Microsoft DNS Logs Parsing and Analysis: Establishing a Standard Toolset and Methodology for Incident Responders STI Graduate Student Research
    by Shelly Giesbrecht - November 2, 2018 in Tools

    Microsoft DNS request and response event logs are frequently ignored by incident responders within an investigation due to a historical reputation of being hard to parse and analyze. The fundamental importance of DNS to networking and the functioning of the Internet suggests this oversight could lead to a lack of crucial contextual information in an investigative timeline. This paper seeks to define a best practice for parsing, exporting and analyzing Microsoft DNS Debug and Analytical logs through the comparison of existing tool combinations to DNSplice, a purpose-built utility coded during the development of this paper. Findings suggest that DNSplice is superior to other toolsets tested where time to completion is a critical factor in the investigative process. Further research is required to determine whether the findings are still valid on larger datasets or different analysis hardware.
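
    The parsing problem the abstract refers to comes largely from the Microsoft DNS debug log's packet-line layout (date, time, thread ID, context, internal packet identifier, UDP/TCP, Snd/Rcv, remote IP, XID, R for responses, opcode, bracketed flags and response code, question type, and a question name written as length-prefixed labels such as (3)www(7)example(3)com(0)). The following is an added example in Python, not DNSplice or any code from the paper: it parses a few constructed lines in that layout, decodes the label-encoded names, and pulls out two things a responder typically wants first, NXDOMAIN counts per client and names with unusually long labels. The log lines and the label-length threshold are assumptions made for illustration:

```python
"""Microsoft DNS debug log (packet lines) parser and first-pass triage (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines in the Microsoft DNS debug log packet-line layout.
# Rcv = query received from the client, Snd = response sent back; "R" marks responses.
SAMPLE_LOG = """\
12/14/2018 10:15:32 AM 0B34 PACKET  000000B4F3E5C2A0 UDP Rcv 10.0.0.5        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
12/14/2018 10:15:32 AM 0B34 PACKET  000000B4F3E5C2A0 UDP Snd 10.0.0.5        0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
12/14/2018 10:15:33 AM 0B34 PACKET  000000B4F3E5C3F0 UDP Rcv 10.0.0.9        00a7   Q [0001   D   NOERROR] A      (20)zq8v1kd0a9wmn3bt7xly(7)example(3)net(0)
12/14/2018 10:15:33 AM 0B34 PACKET  000000B4F3E5C3F0 UDP Snd 10.0.0.9        00a7 R Q [8183   DR  NXDOMAIN] A      (20)zq8v1kd0a9wmn3bt7xly(7)example(3)net(0)
12/14/2018 10:15:34 AM 0B34 PACKET  000000B4F3E5C4A8 TCP Rcv 10.0.0.9        00a8   Q [0001   D   NOERROR] TXT    (5)c2pad(7)example(3)net(0)
"""

# One regex per packet line.  Flag characters between the hex flags and the
# response code are e.g. A (authoritative), T (truncated), D (recursion desired),
# R (recursion available); they are captured as a string and stripped.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<ampm>AM|PM)\s+"
    r"(?P<thread>[0-9A-F]+)\s+PACKET\s+(?P<pkt>[0-9A-F]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R)?\s*(?P<opcode>\S+)\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s+(?P<flags>[A-Z ]*?)\s*(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


@dataclass
class DnsEvent:
    ts: datetime
    proto: str
    direction: str      # "Rcv" (query from client) or "Snd" (response to client)
    remote_ip: str
    xid: int
    is_response: bool
    flags: str
    rcode: str
    qtype: str
    qname: str          # dotted, lower-cased name


def decode_name(wire):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'; '(0)' alone is the root."""
    labels = [label for length, label in LABEL_RE.findall(wire) if int(length) > 0]
    return ".".join(labels).lower() or "."


def parse_line(line):
    """Parse one packet line; returns None for lines in other layouts (e.g. multi-line dumps)."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']} {m['ampm']}", "%m/%d/%Y %I:%M:%S %p")
    return DnsEvent(ts, m["proto"], m["dir"], m["remote"], int(m["xid"], 16),
                    m["resp"] == "R", m["flags"].strip(), m["rcode"],
                    m["qtype"], decode_name(m["qname"]))


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def nxdomain_by_client(events):
    """Count NXDOMAIN responses per client; bursts often point at DGA or probing hosts."""
    return Counter(e.remote_ip for e in events if e.is_response and e.rcode == "NXDOMAIN")


def long_label_names(events, max_label=16):
    """Queried names containing a label longer than max_label (assumed threshold);
    long random-looking labels are a common sign of tunneling or DGA traffic."""
    seen = []
    for e in events:
        if e.is_response or e.qname in seen:
            continue
        if any(len(label) > max_label for label in e.qname.split(".")):
            seen.append(e.qname)
    return seen


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in evts:
        print(e.ts.isoformat(), e.direction, e.remote_ip, e.qtype, e.rcode, e.qname)
    print("NXDOMAIN per client:", dict(nxdomain_by_client(evts)))
    print("long labels:", long_label_names(evts))
```

    The regex is anchored to the packet-line layout only; the optional multi-line packet dumps that debug logging can emit are skipped by parse_line returning None, which is the behaviour a responder wants when feeding a large file into a timeline rather than failing on the first unexpected line.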


  • Secure Internet Gateways: Backing Down from a Fight
    by Seth Polley - November 2, 2018 in Firewalls & Perimeter Protection

    When does a security agent become a double agent? On-premises corporate devices are protected by a stack of security products, whereas remote clients have traditionally relied on DNS, Proxy, and/or VPN solutions to obtain the same levels of protection. These remote clients typically utilize lightweight agents that run on the devices with the intention of enforcing security and/or policy-based protections - no matter which offsite networks the corporate device connects to. Frequently though, there are provisions to deactivate the agent when the computer connects to the local network. As the security professional charged with protecting your company's remote assets - do you know the extent of these 'back-off' scenarios? This Gold Paper will discuss some of the commonly known scenarios, but will delve further into the unknowns which may surprise you.


  • Hardening OpenShift Containers to complement Incident Handling
    by Kurtis Holland - November 2, 2018 in Incident Handling

    Incident Responders are always faced with not knowing whether they have adequate information on whether a server has been appropriately hardened with security controls or is susceptible to attack. There is no such thing as 100% security. You're under attack and now are scrambling to understand your risks and threat surface should a hacker gain a foothold in your environment. You want a mix of commercial and open source tools in place to manage this threat. This paper will dive into the processes and demonstrate a design using tools available for managing Linux controls for OpenShift containers and how you scan the multiple products and layers involved in the development operations processes. The guesswork by Incident Handlers will be minimized and a simple "eyes on glass" solution for the entire environment will be at your disposal so you can assess the software inventory, version levels, security scan reports, and assist identification and containment options.


  • It's Awfully Noisy Out There: Results of the 2018 SANS Incident Response Survey Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - October 30, 2018 in Incident Handling, Security Trends

    A new SANS survey finds that incident response (IR) teams are stanching serious data breaches faster in 2018--but they haven't managed to improve on a major hurdle that they reported in 2017: visibility into incidents. This report explores how organizations have structured their incident response functions, what systems they are conducting investigations on, and how they're uncovering threats.


  • Tearing up Smart Contract Botnets STI Graduate Student Research
    by Jonathan Sweeny - October 22, 2018 in Information Warfare

    The distributed resiliency of smart contracts on private blockchains is enticing to bot herders as a method of maintaining a capable communications channel with the members of a botnet. This research explores the weaknesses that are inherent to this approach of botnet management. These weaknesses, when targeted properly by law enforcement or malware researchers, could limit the capabilities and effectiveness of the botnet. Depending on the weakness targeted, the results vary from partial takedown to total dismantlement of the botnet.


  • To Block or not to Block? Impact and Analysis of Actively Blocking Shodan Scans STI Graduate Student Research
    by Andre Shori - October 22, 2018 in Network Security

    This paper details an experiment constructed to evaluate the effectiveness of blocking Shodan search engine scans in reducing overall attack traffic volumes. Shodan is considered to be part of an attacker’s toolset, and there is a persistent perception that blocking Shodan Scans will reduce an organization’s attack surface. An attempt was made to determine what effect, if any, such a block would result in by comparing attacker traffic before and after implementing a block on Shodan scans, and by determining the complexity of performing such a block. The analysis here may provide defenders and managers with useful data when deciding on whether or not to devote resources to blocking Shodan or other similar internet-connected device search engines.


  • The Algorithm of You: Defeating Attackers by Being Yourself Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - October 17, 2018 in Authentication

    Yesterday's defense mechanisms--such as tokens, one-time passwords and even fingerprint readers--are not adequately protecting our devices, data and networks. SANS author and DFIR expert Matt Bromiley examined a relatively new authentication method, behavioral biometrics, as implemented in a product from BehavioSec. This SANS Product Review chronicles Matt's experience as he put BehavioSec's product through its paces, and it explores what behavioral biometrics is, how it works and the role it plays in authentication.


  • Generating Anomalies Improves Return on Investment: A Case Study for Implementing Honeytokens STI Graduate Student Research
    by Wes Earnest - October 11, 2018 in Logging Technology and Techniques

    Putting the right information security architecture into practice within an organization can be a daunting challenge. Many organizations have implemented a Security Information and Event Management (SIEM) to comply with the logging requirements of various security standards, only to find that it does not meet their information security expectations. According to a recent survey, more than half of respondents say they are not satisfied with their organization's SIEM. The following case study deconstructs these logging requirements and the assumptions that lead to a typical SIEM implementation, and discusses an alternative approach focused on improving the organization’s return on investment, decreasing security risk, and decreasing mean time to detection of a potential security breach.


  • Testing Web Application Security Scanners against a Web 2.0 Vulnerable Web Application STI Graduate Student Research
    by Edmund Foster - October 11, 2018 in Tools

    Web application security scanners are used to perform proactive security testing of web applications. Their effectiveness is far from certain, and few studies have tested them against modern 'Web 2.0' technologies which present significant challenges to scanners. In this study three web application security scanners are tested in 'point-and-shoot' mode against a Web 2.0 vulnerable web application with AJAX and HTML use cases. Significant variations in performance were observed and almost three-quarters of vulnerabilities went undetected. The web application security scanners did not identify Stored XSS, OS Command, Remote File Inclusion, and Integer Overflow vulnerabilities. This study supports the recommendation to combine multiple web application security scanners and use them in conjunction with a specific scanning strategy.


  • Investigate East-West Attacks on Critical Assets with Network Traffic Analysis Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - October 3, 2018 in Intrusion Detection, Security Analytics and Intelligence

    Once attackers compromise a network, they attempt to maintain a persistent presence in the network and focus on data access and exfiltration. Such east-west attacks can be challenging to detect and remediate. SANS reviewed ExtraHop Networks' Reveal(x) network traffic analysis platform, which aims to address the east-west challenge. Read on to learn more.


  • Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged - Discover and Defend Your Assets Analyst Paper (requires membership in SANS.org community)
    by Doug Wylie and Dean Parsons - September 26, 2018 in Internet of Things, Risk Management, Security Trends

    The benefits derived from information technology (IT) and operational technology (OT) convergence are enabling more effective management of contemporary control systems. However, the unique challenges of IT/OT convergence make managing and securing an industrial control system (ICS) more difficult. This paper explores how industrial and information system administrators can build stronger cybersecurity programs to protect IT/OT systems.


  • Automating Open Source Security: A SANS Review of WhiteSource Analyst Paper (requires membership in SANS.org community)
    by Serge Borso - September 25, 2018 in Automation, Threats/Vulnerabilities

    This paper takes a close look at how the WhiteSource solution can handle the myriad of open source vulnerabilities through real-time detection and remediation.


  • All-Seeing Eye or Blind Man? Understanding the Linux Kernel Auditing System STI Graduate Student Research
    by David Kennel - September 21, 2018 in Linux Issues, Logging Technology and Techniques

    The Linux kernel auditing system provides powerful capabilities for monitoring system activity. While the auditing system is well documented, the manual pages, user guides, and much of the published writings on the audit system fail to provide guidance on the types of attacker-related activities that are, and are not, likely to be logged by the auditing system. This paper uses simulated attacks and analyzes logged artifacts for the Linux kernel auditing system in its default state and when configured using the Controlled Access Protection Profile (CAPP) and the Defense Information Systems Agency's (DISA) Security Technical Implementation Guide (STIG) auditing rules. This analysis provides a clearer understanding of the capabilities and limitations of the Linux audit system in detecting various types of attacker activity and helps to guide defenders on how to best utilize the Linux auditing system.


  • SANS 2018 Threat Hunting Survey Results Analyst Paper (requires membership in SANS.org community)
    by Robert M. Lee and Rob T. Lee - September 18, 2018 in Security Trends, Threat Hunting, Threats/Vulnerabilities

    Our third survey on threat hunting looks at the maturity of hunting programs and where they are going, along with best practices being used in organizations to detect and remediate threats that would otherwise remain hidden. Read this report to learn how survey respondents answered questions that are immediately important to organizations conducting threat hunting.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.