Reading Room: Most Popular Papers

Featuring the 25 most popular papers within the past month as of April 20, 2019

  • Threat Intel Processing at Scale by Don Franke - March 27, 2019 in Threat Intelligence

    This paper examines the common but flawed practice of implicitly assigning trust to threat indicators (or "intel") that are shared by external providers. These indicators are often deployed automatically to security controls without adequate vetting, resulting in false positives and a false sense of security. This paper proposes a solution for how to implement an intel analysis process that separates noise from useful indicators, can handle a large volume of information received regularly and is scalable despite limited analyst resources.


  • Security Monitoring of Windows Containers STI Graduate Student Research
    by Peter Di Giorgio - March 27, 2019 in Secure Monitoring

    The information technology community has utilized container technology since the LXC project began in 2008 (Hildred, 2015). Containers are a form of virtualization that package application code and its dependencies together. Containers share the operating system kernel but maintain isolated processes. Until recently, it was not possible for the Windows operating system to share its kernel. As such, developers were long unable to package many Windows-specific applications into containers. However, after ten years of waiting, Microsoft finally delivered Windows containers in 2018. Today, container security best practices focus on container integrity and container host security. The industry is just beginning to consider techniques to monitor Windows containers. This research focuses on the possibility of using known techniques and open source tools to extract Windows event logs, processes, services, and registry data from containers to observe attacks.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.



  • Physical Security and Why It Is Important by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • The Foundation of Continuous Host Monitoring Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - April 2, 2019 in Forensics, Incident Handling

  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment.


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 in Intrusion Detection, Incident Handling, Intrusion Prevention, Penetration Testing, Threats/Vulnerabilities

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malware [Rut15], their tactics, techniques and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users' computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.


  • Case Study: Critical Controls that Could Have Prevented Target Breach STI Graduate Student Research
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    A lot of currently available penetration testing resources lack report writing methodology and approach, which leads to a very big gap in the penetration testing cycle. Report in its definition is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report writing is a crucial part for any service providers, especially in IT service/advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at a major electronics firm said, "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)


  • How to Automate Compliance and Risk Management for Cloud Workloads Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 27, 2019 in Automation, Cloud Computing

    There seems to be a constant battle between how fast businesses can grow and whether they can secure their customers' data. Many organizations get so wrapped up in trying to expand and scale for customer access that they make quick-fire, ad hoc decisions that negatively impact the security of the data of those very same customers. Complicating matters, the explosion of cloud-based services and offerings has led many organizations to quickly adopt services whose risks, quite frankly, they may not understand.


  • Logon Banners by Keelan Stewart - March 20, 2019 in Legal Issues

    Logon banners have been a common feature of operating systems and applications for many years. Organizations have adopted logon banners for a myriad of purposes, from threatening unauthorized users with severe repercussions to informing employees that they should not have an expectation of privacy on workstations. The impetus for logon banners typically comes from executive leadership or the legal department, often in response to an incident or lawsuit where such a disclaimer could have aided their stance. Drafting a comprehensive logon banner is daunting, especially when assigned to an arbitrary department with an expectation of quick completion. Understanding the common elements of a logon banner and having a framework to identify requirements, select elements, and write the text allows anybody tasked with implementing a logon banner to do so correctly the first time. This paper considers laws and legal topics from the perspective of the United States and may not be applicable to other jurisdictions.


  • Gaining Endpoint Log Visibility in ICS Environments STI Graduate Student Research
    by Michael Hoffman - March 11, 2019 in Industrial Control Systems / SCADA

    Security event logging is a base IT security practice and is referenced in Industrial Control Security (ICS) standards and best practices. Although there are many techniques and tools available to gather event logs and provide visibility to SOC analysis in the IT realm, there are limited resources available that discuss this topic specifically within the context of the ICS industry. As many in the ICS community struggle with gaining logging visibility in their environments and understanding collection methodologies, logging implementation guidance is further needed to address this concern. Logging methods used in ICS, such as WMI, Syslog, and Windows Event Forwarding (WEF), are common to the IT industry. This paper examines WEF in the context of Windows ICS environments to determine if WEF is better suited for ICS environments than WMI pulling regarding bandwidth, security, and deployment considerations. The comparison between the two logging methods is made in an ICS lab representing automation equipment commonly found in energy facilities.


  • Empowering Incident Response via Automation Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - March 20, 2019 in Automation, Incident Handling

  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • SSL/TLS Interception Challenge from the Shadow to the Light by Ngoc Huy Nguyen - March 25, 2019 in Covert Channels

    Secure Sockets Layer and Transport Layer Security (SSL/TLS) protocols are created to provide confidentiality for sensitive information exchange over the Internet. They can be used to protect privacy and confidentiality but can also be used to hide malicious activities. Organizations are currently facing traffic inspection challenges due to growing encrypted SSL/TLS traffic on the Internet. From criminal perspectives, attackers are moving more and more to encrypted traffic to hide their nefarious activities. Data exfiltration, malicious communication with Command and Control (C&C) and malicious downloads use SSL/TLS encrypted traffic. SSL/TLS interception is a double-edged sword that could be used to prevent and detect abnormal communications. This paper explains how organizations and security analysts can manage these challenges. It describes how to overcome them with advantages and drawbacks.


  • Detecting DNS Tunneling STI Graduate Student Research
    by Greg Farnham - March 19, 2013 in DNS Issues

    Web browsing and email use the important protocol, the Domain Name System (DNS), which allows applications to function using names, such as example.com, instead of hard-to-remember IP addresses.


  • Hunting and Gathering with PowerShell by Troy Wojewoda - March 13, 2019 in Threat Hunting

    PowerShell has been used extensively over the years by both malware authors and information security professionals to carry out disparate objectives. This paper will focus on the latter by detailing various techniques and use-cases for digital defenders. There is no "one-size fits all" model that encompasses a dedicated blue-team. Roles and responsibilities will differ from organization to organization. Therefore, topics covered will range from system administration to digital forensics, incident response as well as threat hunting. Using the latest in the PowerShell framework, system variables will be collected for the purpose of establishing baselines as well as useful datasets for hunting operations. The focus will then shift to use-cases and techniques for incident responders and threat hunters.


  • Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity STI Graduate Student Research
    by Dallas Haselhorst - January 4, 2019 in Intrusion Detection, Forensics, Logging Technology and Techniques, Threat Hunting

    The information security industry is predicted to exceed 100 billion dollars in the next few years. Despite the dollars invested, breaches continue to dominate the headlines. Despite best efforts, all attempts to keep the enemies at the gates have ultimately failed. Meanwhile, attacker dwell times on compromised systems and networks remain absurdly high. Traditional defenses fall short in detecting post-compromise activity even when properly configured and monitored. Prevention must remain a top priority, but every security plan must also include hunting for threats after the initial compromise. High price tags often accompany quality solutions, yet tools such as Security Onion, Zeek (Bro), and RITA require little more than time and skill. With these freely available tools, organizations can effectively detect advanced threats including real-world command and control frameworks.


  • Shell Scripting for Reconnaissance and Incident Response by Mark Gray - January 25, 2019 in Security Basics, Forensics, Incident Handling, Linux Issues, Free and Open Source Software

    It has been said that scripting is a process with three distinct phases that include: identification of a problem and solution, implementation, and maintenance. By applying an analytical mindset, anyone can create reusable scripts that are easily maintainable for the purpose of automating redundant and tedious tasks of a daily workflow. This paper serves as an introduction to the common structure and the various uses of shell scripts and methods for observing script execution, how shells operate, and how commands are found and executed. Additionally, this paper also covers how to apply functions, and control structure and variables to increase readability and maintainability of scripts. Best practices for system and network reconnaissance, as well as incident response, are provided; the examples of employment demonstrate the utilization of shell scripting as an alternative to applying similar functionality in more intricate programming languages.


  • PDF Metadata Extraction with Python by Christopher A. Plaisance - February 5, 2019 in Forensics

    This paper explores techniques for programmatically extracting metadata from PDF files using Python. It begins by detailing the internal structure of PDF documents, focusing on the internal system of indirect references and objects within the PDF binary, the document information dictionary metadata type, and the XMP metadata type contained in the file’s metadata streams. Next, the paper explores the most common means of accessing PDF metadata with Python, the high-level PyPDF and PyPDF2 libraries. This examination discovers deficiencies in the methodologies used by these modules, making them inappropriate for use in digital forensics investigations. An alternative low-level technique of carving the PDF binary directly with Python, using the re module from the standard library is described, and found to accurately and completely extract all of the pertinent metadata from the PDF file with a degree of completeness suitable for digital forensics use cases. These low-level techniques are built into a stand-alone open source Linux utility, pdf-metadata, which is discussed in the paper’s final section.


  • Hacking the CAN Bus: Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering STI Graduate Student Research
    by Roderick Currie - June 20, 2017 in Security Awareness, Threats/Vulnerabilities

    The modern automobile is an increasingly complex network of computer systems. Cars are no longer analog, mechanical contraptions. Today, even the most fundamental vehicular functions have become computerized. And at the core of this complexity is the Controller Area Network, or CAN bus. The CAN bus is a modern vehicle's central nervous system upon which the majority of intra-vehicular communication takes place. Unfortunately, the CAN bus is also inherently insecure. Designed more than 30 years ago, the CAN bus fails to implement even the most basic security principles. Prior scholarly research has demonstrated that an attacker can gain remote access to a vehicle's CAN bus with relative ease. This paper, therefore, seeks to examine how an attacker already inside a vehicle's network could manipulate the vehicle by reverse engineering CAN bus communications. By providing a reproducible methodology for CAN bus reverse engineering, this paper also serves as a basic guide for penetration testers and automotive security researchers. The techniques described in this paper can be used by security researchers to uncover vulnerabilities in existing automotive architectures, thereby encouraging automakers to produce more secure systems going forward.


  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 in Automation, Incident Handling, Malicious Code

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.