
Reading Room: Most Popular Papers





Featuring the 25 most popular papers within the past month as of February 18, 2018

  • Building the New Network Security Architecture for the Future (Analyst Paper)
    by Sonny Sarai - January 22, 2018 in Cloud Computing, Data Protection, Internet of Things

    With the move to cloud services, software-defined networks and IoT devices, the game has changed in terms of defining an organization's network. Current network security architecture doesn't offer the visibility required for modern-day networks, much less guard against threats roaming within them. This white paper examines key elements of the network of the future and their optimal implementation.


  • Physical Security and Why It Is Important by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • DNS: An Asset, Not a Liability (Analyst Paper)
    by Matt Bromiley - January 30, 2018 in Attacking Attackers, Intrusion Detection, Intrusion Prevention

    The Domain Name System, or DNS, is crucial to billions of Internet users daily, but it comes with issues that organizations must be aware of. Attackers are abusing DNS to conduct attacks that bring businesses to their knees. Fortunately, with the right detection and analysis mechanisms in place, security teams can turn DNS vulnerabilities into enterprise assets.


  • CTI in Security Operations: SANS 2018 Cyber Threat Intelligence Survey (Analyst Paper)
    by Dave Shackleford - February 5, 2018 in Threat Intelligence, Threats/Vulnerabilities

    The survey focuses on how organizations could collect security intelligence data from a variety of sources, and then recognize and act upon indicators of attack and compromise scenarios in a timely manner. Although some CTI trends continued this year, we definitely saw several differences in a number of areas, which are noted in the research. From this year's results, it is obvious that CTI collection, integration and use within security teams are maturing.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Building a World-Class Security Operations Center: A Roadmap (Analyst Paper)
    by Alissa Torres - April 15, 2015
    • Sponsored By: RSA

    Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.


  • Bug Bounty Programs: Enterprise Implementation (STI Graduate Student Research)
    by Jason Pubal - January 17, 2018 in Application and Database Security

    Bug bounty programs are incentivized, results-focused programs that encourage security researchers to report security issues to the sponsoring organization. These programs create a cooperative relationship between security researchers and organizations that allow the researchers to receive rewards for identifying application vulnerabilities. Bug bounty programs have gone from obscurity to being embraced as a best practice in just a few years: application security maturity models have added bug bounty programs and there are standards for vulnerability disclosure best practices. Through leveraging a global community of researchers available 24 hours a day, 7 days a week, information security teams can continuously deliver application security assessments keeping pace with agile development and continuous integration deployments complementing existing controls such as penetration testing and source code reviews.


  • Container Intrusions: Assessing the Efficacy of Intrusion Detection and Analysis Methods for Linux Container Environments (STI Graduate Student Research)
    by Alfredo Hickman - January 13, 2018 in Intrusion Detection

    The unique and intrinsic methods by which Linux application containers are created, deployed, networked, and operated do not lend themselves well to the conventional application of methods for conducting intrusion detection and analysis in traditional physical and virtual machine networks. While similarities exist in some of the methods used to perform intrusion detection and analysis in conventional networks as compared to container networks, the effectiveness between the two has not been thoroughly measured and assessed: this presents a gap in application container security knowledge. By researching the efficacy of these methods as implemented in container networks compared to traditional networks, this research will provide empirical evidence to identify the gap, and provide data useful for identifying and developing new and more effective methods to secure application container networks.


  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • Learning Cryptography by Doing It Wrong: Cryptanalysis of the Vigenere Cipher by Jeremy Druin - February 3, 2018 in Encryption & VPNs

    When studying complex ideas, it may help to begin with a simpler example to better understand its concepts. Modern cryptography and cryptanalysis are exceptionally complex, so a case study from classical cryptography can aid understanding. The Vigenere Cipher is a good example. Vigenere was widely considered to be a secure cipher for three centuries. It is non-trivial to cryptanalyze, offering a stretch goal for beginners, but not impossible to comprehend. Vigenere provides practice of multiple techniques such as statistical analysis, histograms, and Index of Coincidence. Statistical properties of files before and after encryption can be compared to show attributes that allow encrypted files to be detected. A method of detecting the encryption key length for a Vigenere cipher will be introduced. Ultimately, a strategy to recover the key for encrypted JPEG files will be demonstrated. To help the reader follow this analysis, open source software will be provided that performs encryption, decryption, and cryptanalysis. Besides learning about classical ciphers and having fun, we will reinforce the importance of proper cipher choice for the modern InfoSec professional.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • Building a Custom SIEM Integration for an API-Based Log Source: Azure AD Graph Sign-In Events by Jason Mihalow - February 3, 2018 in Logging Technology and Techniques

    Enterprise security breaches can quickly paralyze operations and cripple the ability to do business if security teams are not adequately equipped to collect all critical log data from the services an organization uses. Vendors lead us to believe that we are comprehensively covered with their "out-of-the box" log source integrations. It can be challenging for security professionals to find issues with these integrations and it is usually not until a security incident that we realize that crucial log data is missing. This paper takes a critical look at a hidden gap in "out-of-the-box" integrations in SIEM platforms for API log sources, which we, as security professionals, rely on for our detection and analysis of security incidents. As organizations turn from on premises log sources with push style log delivery methods to cloud-based solutions where logs are pulled from an API endpoint, new issues arise that have not been seen before. These issues can lead to undetected gaps of missing data between the true record of API log data and what is found in the SIEM platform.


  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    A lot of currently available penetration testing resources lack a report writing methodology and approach, which leads to a very big gap in the penetration testing cycle. A report, by definition, is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report writing is a crucial part of any service provider's work, especially for IT service/advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at a major electronics firm said, "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying in the consulting business: "If you do not document it, it did not happen." (Smith, LeBlanc & Lam, 2004)


  • Preparing for Compliance with the General Data Protection Regulation (GDPR): A Technology Guide for Security Practitioners (Analyst Paper)
    by Benjamin Wright - March 7, 2017 in Data Protection, Legal Issues

    The General Data Protection Regulation (GDPR) is the latest data security legislation in the European Union. When it goes into effect, it can apply widely to various organizations, including those without a physical presence in the European Union. What does this complex regulation mean and what does your organization need to do to comply? This paper explains these as well as how to identify a Data Protection Officer and what this person needs to know to be effective. It also provides a checklist for compliance with concise, practical information your organization can begin using now.


  • Looking Under the Rock: Deployment Strategies for TLS Decryption (STI Graduate Student Research)
    by Chris Farrell - January 13, 2018 in Data Loss Prevention

    Attackers can freely exfiltrate confidential information all while under the guise of ordinary web traffic. A remedy for businesses concerned about these risks is to decrypt the communication to inspect the traffic, then block it if it presents a risk to the organization. However, these solutions can be challenging to implement. Existing infrastructure, privacy and legal concerns, latency, and differing monitoring tool requirements are a few of the obstacles facing organizations wishing to monitor encrypted traffic. TLS decryption projects can be successful with proper scope definition, an understanding of the architectural challenges presented by decryption, and the options available for overcoming those obstacles.


  • Digital Forensic Analysis of Amazon Linux EC2 Instances (STI Graduate Student Research)
    by Ken Hartman - January 13, 2018 in Cloud Computing

    Companies continue to shift business-critical workloads to cloud services such as Amazon Web Services Elastic Cloud Computing (EC2). With demand for skilled security engineers at an all-time high, many organizations do not have the capability to do an adequate forensic analysis to determine the root cause of an intrusion or to identify indicators of compromise. To help organizations improve their incident response capability, this paper presents specific tactics for the forensic analysis of Amazon Linux that align with the SANS Finding Malware Step by Step process for Microsoft Windows.


  • High Assurance File Filtering, It's Not Magic (STI Graduate Student Research)
    by Adam Gould - January 29, 2018 in Data Loss Prevention

    This paper examines file type identification techniques to inform further research to improve the security of cross domain solutions (CDS), which are regarded as the most reliable technologies of high-assurance file filtering solutions. Traditionally only used in highly classified government environments, CDS are slowly being adopted by other institutions in the financial, healthcare and mining sectors due to the increasing recognition of the value and importance of the protection of intellectual property (IP). The portable document format (PDF) is one of the primary document formats in which IP is shared and distributed. By using PDFs as a case study, this paper proposes recommendations specifically for software file format specification creators to develop file type sub-specifications that can be easily validated for the purposes of IP control and security. The recommendations herein will conceptually apply to all file types, although it should be noted that not all techniques and recommendations will be applicable to every file type due to unique properties that exist in different classes of file types.


  • Detecting Crypto Currency Mining in Corporate Environments by Jan D'Herdt - February 4, 2015 in Threats/Vulnerabilities

    Crypto currencies [1] such as Bitcoin, Dogecoin, Primecoin, Litecoin, Riecoin and many others are digital currencies that do not follow the normal set of rules for currencies as we know them.


  • An Introduction to Information System Risk Management by Steve Elky - June 6, 2006 in Auditing & Assessment

    Key elements of information security risk, offering insight into risk assessment methodologies.


  • SOC Automation: Deliverance or Disaster (Analyst Paper)
    by Eric Cole, PhD - December 11, 2017 in Best Practices, Incident Handling, Threats/Vulnerabilities

    Learn how to strike a balance between security alerts that can be automated with minimal impact and the higher-risk alerts that need to be handled by analysts.


  • IT Security Spending Trends (Analyst Paper)
    by Barbara Filkins - February 2, 2016 in Management & Leadership

    This paper assumes security budgeting occurs as part of each organization's yearly cost management cycle. Readers will explore the what, why, where and how of IT security spending and will get advice on how to better meet the challenge of aligning security spending processes with organizational needs.


  • The Effectiveness of Tools in Detecting the 'Maleficent Seven' Privileges in the Windows Environment (STI Graduate Student Research)
    by Tobais McCurry - December 5, 2017 in System Administration, Threat Hunting

    Windows privileges add to the complexity of Windows user permissions. Each additional user added to a group could lead to a domain compromise if not evaluated. Privileges can override permissions, causing a gap between perceived and effective permissions. Currently, system administrators rely on tools such as Security Explorer, Permissions Analyzer for Active Directory, or Gold Finger to help with this problem. An analysis of these three tools that are supposed to help with permissions is needed to provide administrators a window into these complex effective permissions. The results of this research discovered a gap in identifying users with privileges with the current tools available. This gap was filled by the author by using PowerShell.


  • Tracking Malware With Public Proxy Lists by James Powers - January 27, 2011 in Malicious Code, Tools

    The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd, was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.