Last Day to Save up to $400 on Cyber Security Training at SANSFIRE 2018 in Washington DC!

Reading Room: Most Popular Papers

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






Featuring the 25 most popular papers within the past week as of May 23, 2018

  • Automate Threat Detection and Incident Response: SANS Review of RSA NetWitness Platform Analyst Paper
    by Ahmed Tantawy - May 10, 2018 in Intrusion Detection
    • Sponsored By: RSA

    In a recent SANS survey, approximately 35 percent of respondents said their greatest impediment is a skills gap in their IT environments. With that in mind, we reviewed RSA NetWitness Platform, a solution that aims to bridge the human skills gap via machine learning and analytics. This review focuses on RSA NetWitness Platform and examines different views, from responding to an incident to performing an investigation and drilling down to see an activity in real time.


  • 10 Endpoint Security Problems Solved by the Cloud Analyst Paper
    by Deb Radcliff - May 4, 2018 in Best Practices, Threats/Vulnerabilities

    SANS surveys and testimonials from IT and security professionals indicate that endpoint security is a challenge. There is too much complexity and cost, defenses aren't keeping up, and security staff is stretched thin. This infographic explores how cloud can help address these issues.


  • Automated Detection and Analysis using Mathematical Calculations by Lionel Teo - May 17, 2018 in Intrusion Detection

    A compromised system usually shows some form of anomalous behaviour. Examples include new processes, services, or outbound traffic. In an ideal environment, rules are configured to alert on such anomalies, where an analyst would perform further analysis to determine a possible compromise. However, the real-world situation is less than ideal; new processes, outbound traffic, or other anomalies often blend into legitimate activities. A large network can generate terabytes of data daily, causing the task of developing efficient detection capabilities a bit challenging. Mathematical calculations can enhance detection capability by emulating the human confidence level on assessment and analysis. Mathematical analysis can help understand the context of the event, establishing fidelity of the initial investigation automatically. By incorporating automated analysis to handle false positives, human errors and false negative can be avoided, resulting in a greater detection and monitoring capability.


  • Physical Security and Why It Is Important by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 in Best Practices, Penetration Testing

    `A lot of currently available penetration testing resources lack report writing methodology and approach which leads to a very big gap in the penetration testing cycle. Report in its definition is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report Writing is a crucial part for any service providers especially in IT service/ advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at major electronics firm Said "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying that in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)


  • Agile Security Patching by Michael Hoehl - May 3, 2018 in Best Practices, Project Management

    Security Patch Management is one of the biggest security and compliance challenges for organizations to sustain. History reveals that many of the large data breaches were successful because of a missing critical security update. Further, the frequency an d scope of patching continue to grow. This paper presents a new approach to security patching following Agile and NIST methodology.


  • Tailoring Intelligence for Automated Response Analyst Paper
    by Sonny Sarai - May 2, 2018 in Application and Database Security, Tools

    Overworked and understaffed IT security teams are trying to integrate threat intelligence into their detection, response, and protection processes -- but not very successfully. IT teams need fewer intelligence alerts and more visibility into external threats that matter to their enterprises. SANS Analyst Sonny Sarai discusses his experience reviewing IntSights' Enterprise Threat Intelligence and Mitigation Platform under simulated attack, detection, and remediation scenarios.


  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • Building a World-Class Security Operations Center: A Roadmap Analyst Paper
    by Alissa Torres - April 15, 2015 
    • Sponsored By: RSA

    Explore how you can build a world-class security operations center (SOC) by focusing on the triad of people, process and technology.


  • Do Random IP Lookups Mean Anything? by Jay Yaneza - May 2, 2018 in Intrusion Detection, Malicious Code

    Being able to identify the external IP address of a network is usually a benign activity. Applications may opt to use online services via an HTTP request or API call. Currently, there are some web-based applications that provide this kind of service openly, and some with possibly malicious uses. In fact, malware threats have been using these services to map out and identify their targets for quite some time to already – an acknowledged fact hidden in technical write-ups but which hold little recognition for an active defender. The goal of looking into these web services is to isolate threats that had abused the network service and identify this kind of network activity. If we can associate an external IP lookup to a suspicious activity, then we would be able to assume that an endpoint requires some form of investigation. Endpoint identification through IP addresses may pose a challenge, but the correct placement of the identification methods proposed in this paper may be considered. This paper will also look into the associated malicious activity that had used online services, the use of such services over time, differentiate the threats that use them, and finally how to detect them using open source tools, if applicable.


  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • Back to Basics: Focus on the First Six CIS Critical Security Controls Analyst Paper
    by John Pescatore - May 1, 2018 in Security Trends

    Post-breach investigations reveal that the majority of security incidents occur because well-known security controls and practices were not implemented or were not working as organizations had assumed. This paper explores how Version 7.0 of the Center for Internet Security (CIS) Critical Security Controls addresses the current threat landscape, emerging technologies and tools, and changing mission and business requirements around security.


  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules by Hirokazu Murakami - April 27, 2018 in Malicious Code

    Today, a lot of malware is being created and utilized. To solve this problem, many researchers study technologies that can quickly respond automatically to detected malware. Using artificial intelligence (AI) is such an example. However, modern AI has difficulty responding to new attack methods. On the other hand, malware consists of variants, and the root (core) part often uses the same technology. Therefore, I think that if we can identify that core part of malware through analysis, we can identify many variants as well. Consider the possibility of reverse engineering to identify countermeasures from malware analysis results.


  • Personal Proxy - Online Privacy Protection for Home Users by Tony Yao - September 10, 2002 in Digital Privacy

    This paper describes certain online information collection methods and related privacy issues and introduces several personal proxy tools, particularly WebWasher in detail, to secure home users' online privacy.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • Methods for the Controlled Deployment and Operation of a Virtual Patching Program STI Graduate Student Research
    by William Vink - May 20, 2018 in Threats/Vulnerabilities

    In today’s rapidly changing IT environments, new vulnerabilities are identified at an increasing pace and attackers are becoming more sophisticated in their ability to exploit these vulnerabilities. At the same time, systems have become more complex and are still used in conjunction with older technologies which results in challenges in testing and deploying traditional patches.


  • Understanding Mobile Device Wi-Fi Traffic Analysis by Erik Choron - April 24, 2018 in Intrusion Detection, Mobile Security

    Mobile devices have become more than just a portable vehicle to place phone calls in locations previously deprived of traditional phone service. In addition to versatile phone service, mobile devices include the capability of utilizing the internet through the Mobile Internet Protocol (IP). This can cause a problem whenever a device is roaming through different points of the cellular network. The IP handoff that takes place during the transfer between cellular towers can result in a degraded performance which can possibly impede traffic analysis. A thorough understanding of Wi-Fi traffic and Mobile IP technology could benefit network and system administrators and defenders by heightening awareness in a field that is surpassing more commonly understood technology.


  • Preparing for Compliance with the General Data Protection Regulation (GDPR) A Technology Guide for Security Practitioners Analyst Paper
    by Benjamin Wright - March 7, 2017 in Data Protection, Legal Issues

    The General Data Protection Regulation (GDPR) is the latest data security legislation in the European Union. When it goes into effect, it can apply widely to various organizations, including those without a physical presence in the European Union. What does this complex regulation mean and what does your organization need to do to comply? This paper explains these as well as how to identify a Data Protection Officer and what this person needs to know to be effective. It also provides a checklist for compliance with concise, practical information your organization can begin using now.


  • PCI DSS and Security Breaches: Preparing for a Security Breach that Affects Cardholder Data STI Graduate Student Research
    by Christian J. Moldes - March 16, 2018 in Breaches, Compliance, Incident Handling

    Organizations that transmit, process or store cardholder data are contractually obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS). They may be tempted to assume that once they are certified compliant, they are immune to security breaches, and as a result, may be inadequately prepared when such events occur. Regardless of their compliance status, organizations that fail to prepare could face long investigations, expensive forensic services, staff terminations, and loss of business and reputation. This research/paper provides detailed guidelines on how to prepare for a security breach, the documentation needed to facilitate forensic investigations and containment, and how to minimize the consequences and impact of a security breach.


  • An Evaluator’s Guide to Cloud-Based NGAV: The SANS Guide to Evaluating Next-Generation Antivirus Analyst Paper
    by Barbara Filkins - March 26, 2018 in Clients and Endpoints, Cloud Computing

    The coupling between NGAV and cloud-based analytics is here. The dynamics of cloud-based analytics, which allow for near-real-time operations, bring an essential dimension to NGAV, disrupting the traditional attack model by processing endpoint activity as it happens, algorithmically looking for any kind of bad or threatening behavior, not just for malicious files. This paper covers how cloud support for NGAVs is changing the game and how to evaluate such solutions.


  • IT Security Spending Trends Analyst Paper
    by Barbara Filkins - February 2, 2016 in Management & Leadership

    This paper assumes security budgeting occurs as part of each organization's yearly cost management cycle. Readers will explore the what, why, where and how of IT security spending and will get advice on how to better meet the challenge of aligning security spending processes with organizational needs.


  • Detecting Malware and Sandbox Evasion Techniques by Dilshan Keragala - January 20, 2016 in Forensics

    The Internet has revolutionized the operations of businesses, the manner in which transactions are conducted, education programs are administered, and how research works are handled; these are a few of the benefits it has afforded society.


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.