Get a Free GIAC Certification Attempt or $350 Off with OnDemand and vLive Training!

Reading Room: Most Popular Papers

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






Featuring the 25 most popular papers within the past week as of May 20, 2019

  • Hunting for Ghosts in Fileless Attacks by Buddy Tancio - May 13, 2019 in Malicious Code

    Hunting for a fileless threat can be a tedious and labor-intensive task for any analyst. It is, most often than not, extremely time-consuming and requires a significant amount of data gathering. On top of that, the traditional tools, methods, and defenses seem to be less effective when dealing with these almost invisible threats. Threat actors are frequently using attack techniques that work directly from the memory or using legitimate tools or services pre-installed in the system to achieve their goals (Trend Micro, 2017). It is a popular technique among targeted attacks and advanced persistent threats (APT), and now it has been adopted by conventional malware such as trojans, ransomwares, and even the most recent emerging threat Ė cryptocurrency miners. In some incidents, searching for a malicious file that resides in the hard drive seems to be insufficient. This study explores the different variations of fileless attacks that targeted the Windows operating system and what kind of artifacts or tools can provide clues for forensic investigation.


  • How to Protect a Modern Web Application in AWS Analyst Paper (requires membership in SANS.org community)
    by Shaun McCullough - May 9, 2019 in Cloud Computing, Threats/Vulnerabilities

  • Incident Handler's Handbook by Patrick Kral - February 21, 2012 in Incident Handling

    An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.


  • The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey Analyst Paper (requires membership in SANS.org community)
    by Rebekah Brown and Robert M. Lee - February 4, 2019 in Security Trends, Threats/Vulnerabilities

    In order to use cyber threat intelligence (CTI) effectively, organizations must know what intelligence to apply and where to get that intelligence. This paper delves into the results of the SANS 2019 Cyber Threat Intelligence Survey and explores the value of CTI, CTI requirements, how respondents are currently using CTI--and what the future holds.


  • Runtime Application Self-Protection (RASP), Investigation of the Effectiveness of a RASP Solution in Protecting Known Vulnerable Target Applications STI Graduate Student Research
    by Alexander Fry - April 30, 2019 in Application and Database Security

    Year after year, attackers target application-level vulnerabilities. To address these vulnerabilities, application security teams have increasingly focused on shifting left - identifying and fixing vulnerabilities earlier in the software development life cycle. However, at the same time, development and operations teams have been accelerating the pace of software release, moving towards continuous delivery. As software is released more frequently, gaps remain in test coverage leading to the introduction of vulnerabilities in production. To prevent these vulnerabilities from being exploited, it is necessary that applications become self-defending. RASP is a means to quickly make both new and legacy applications self-defending. However, because most applications are custom-coded and therefore unique, RASP is not one-size-fits-all - it must be trialed to ensure that it meets performance and attack protection goals. In addition, RASP integrates with critical applications, whose stakeholders typically span the entire organization. To convince these varied stakeholders, it is necessary to both prove the benefits and show that RASP does not adversely affect application performance or stability. This paper helps organizations that may be evaluating a RASP solution by outlining activities that measure the effectiveness and performance of a RASP solution against a given application portfolio.


  • Physical Security and Why It Is Important by David Hutter - July 28, 2016 in Physical Security

    Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks.


  • Implementing a Vulnerability Management Process by Tom Palmaers - April 9, 2013 in Threats/Vulnerabilities

    A vulnerability is defined in the ISO 27002 standard as "A weakness of an asset or group of assets that can be exploited by one or more threats" (International Organization for Standardization, 2005).


  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 in Intrusion Detection, Forensics, Incident Handling

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.


  • Passive Isnít Good Enough: Moving into Active EDR Analyst Paper (requires membership in SANS.org community)
    by Justin Henderson - May 17, 2019 in Clients and Endpoints, Intrusion Prevention

  • An Overview of Threat and Risk Assessment by James Bayne - January 22, 2002 in Auditing & Assessment

    The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment


  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 in Intrusion Detection, Incident Handling, Intrusion Prevention, Penetration Testing, Threats/Vulnerabilities

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malwareRut15, their tactics techniques and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.


  • Case Study: Critical Controls that Could Have Prevented Target Breach STI Graduate Student Research
    by Teri Radichel - September 12, 2014 in Case Studies

    Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen (Krebs, 2013f) by accessing data on point of sale (POS) systems (Krebs, 2014b).


  • Security Considerations for Voice over Wi-Fi (VoWiFi) Systems STI Graduate Student Research
    by Joel Chapman - April 30, 2019 in Telephone Issues, VOIP Issues

    As the world pivots from Public Switched Telephony Networks (PSTN) to Voice over Internet Protocol (VoIP)-based telephony architectures, users are employing VoIP-based solutions in more situations. Mobile devices have become a ubiquitous part of a person's identity in the developed world. In the United States in 2017, there were an estimated 224.3 million smartphone users, representing about 68% of the total population. The ability to route telephone call traffic over Wi-Fi networks will continue to expand the coverage area of mobile devices, especially into urban areas where high-density construction has previously caused high signal attenuation. Estimates show that by 2020, Wi-Fi-based calling will make up 53% of mobile IP voice service usage (roughly 9 trillion minutes per year) (Xie, 2018). In contrast to the more traditional VoIP solutions, however, the standards for carrier-based Voice over Wi-Fi (VoWiFi) are often proprietary and have not been well-publicized or vetted. This paper examines the vulnerabilities of VoWiFi calling, assesses what common and less well-known attacks are able to exploit those vulnerabilities, and then proposes technological or procedural security protocols to harden telephony systems against adversary exploitation.


  • Scoping Security Assessments - A Project Management Approach by Ahmed Abdel-Aziz - June 7, 2011 in Auditing & Assessment, Security Awareness, Security Basics, Management & Leadership, Security Policy Issues, Protocols

    Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.


  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 in Automation, Incident Handling, Malicious Code

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.


  • Detecting DNS Tunneling STI Graduate Student Research
    by Greg Farnham - March 19, 2013 in DNS Issues

    Web browsing and email use the important protocol, the Domain Name System (DNS), which allows applications to function using names, such as example.com, instead of hard-to-remember IP addresses.


  • A Security Checklist for Web Application Design by Gail Bayse - May 2, 2004 in Securing Code

    Web applications are very enticing to corporations. They provide quick access to corporate resources; user-friendly interfaces, and deployment to remote users is effortless. For the very same reasons web applications can be a serious security risk to the corporation.


  • Windows Logon Forensics by Sunil Gupta - March 12, 2013 in Forensics

    Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.


  • Disaster Recovery Plan Strategies and Processes by Bryan Martin - March 5, 2002 in Disaster Recovery

    This paper discusses the development, maintenance and testing of the Disaster Recovery Plan, as well as addressing employee education and management procedures to insure provable recovery capability.


  • SSL and TLS: A Beginners Guide by Holly McKinley - May 12, 2003 in Protocols

    This paper particularly serves as a resource to those who are new to the information assurance field, and provides an insight to two common protocols used in Internet security.


  • Using IOC (Indicators of Compromise) in Malware Forensics by Hun-Ya Lock - April 17, 2013 in Forensics, Incident Handling, Malicious Code

    In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.


  • Hacking the CAN Bus: Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering STI Graduate Student Research
    by Roderick Currie - June 20, 2017 in Security Awareness, Threats/Vulnerabilities

    The modern automobile is an increasingly complex network of computer systems. Cars are no longer analog, mechanical contraptions. Today, even the most fundamental vehicular functions have become computerized. And at the core of this complexity is the Controller Area Network, or CAN bus. The CAN bus is a modern vehicle's central nervous system upon which the majority of intra-vehicular communication takes place. Unfortunately, the CAN bus is also inherently insecure. Designed more than 30 years ago, the CAN bus fails to implement even the most basic security principles. Prior scholarly research has demonstrated that an attacker can gain remote access to a vehicle's CAN bus with relative ease. This paper, therefore, seeks to examine how an attacker already inside a vehicle's network could manipulate the vehicle by reverse engineering CAN bus communications. By providing a reproducible methodology for CAN bus reverse engineering, this paper also serves as a basic guide for penetration testers and automotive security researchers. The techniques described in this paper can be used by security researchers to uncover vulnerabilities in existing automotive architectures, thereby encouraging automakers to produce more secure systems going forward.


  • Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity STI Graduate Student Research
    by Dallas Haselhorst - January 4, 2019 in Intrusion Detection, Forensics, Logging Technology and Techniques, Threat Hunting

    The information security industry is predicted to exceed 100 billion dollars in the next few years. Despite the dollars invested, breaches continue to dominate the headlines. Despite best efforts, all attempts to keep the enemies at the gates have ultimately failed. Meanwhile, attacker dwell times on compromised systems and networks remain absurdly high. Traditional defenses fall short in detecting post-compromise activity even when properly configured and monitored. Prevention must remain a top priority, but every security plan must also include hunting for threats after the initial compromise. High price tags often accompany quality solutions, yet tools such as Security Onion, Zeek (Bro), and RITA require little more than time and skill. With these freely available tools, organizations can effectively detect advanced threats including real-world command and control frameworks.


  • Security Monitoring of Windows Containers STI Graduate Student Research
    by Peter Di Giorgio - March 27, 2019 in Secure Monitoring

    The information technology community has utilized container technology since the LXC project began in 2008 (Hildred, 2015). Containers are a form of virtualization that package application code and its dependencies together. Containers share the operating system kernel but maintain isolated processes. Until recently, it was not possible for the Windows operating system to share its kernel. As such, developers were long unable to package many Windows-specific applications into containers. However, after ten years of waiting, Microsoft finally delivered Windows containers in 2018. Today, container security best practices focus on container integrity and container host security. The industry is just beginning to consider techniques to monitor Windows containers. This research focuses on the possibility of using known techniques and open source tools to extract Windows event logs, processes, services, and registry data from containers to observe attacks.


  • Secure Architecture for Industrial Control Systems STI Graduate Student Research
    by Luciana Obregon - October 15, 2015 in Industrial Control Systems / SCADA

    Industrial Control Systems (ICS) have migrated from stand-alone isolated systems to interconnected systems that leverage existing communication platforms and protocols to increase productivity, reduce operational costs and further improve an organizationís support model. ICS are responsible for a vast amount of critical processes necessitating organizations to adequately secure their infrastructure. Creating strong boundaries between business and process control networks can reduce the number of vulnerabilities and attack pathways that an intruder may exploit to gain unauthorized access into these critical systems. This paper provides guidance to those organizations that must secure their ICS systems and networks through a defense-in-depth approach to security, achieved through the identification of key security patterns and controls that apply to critical information security domains. The goal is a visual explanation that allows stakeholders to understand how to reduce information risk while preserving the confidentiality, integrity and availability of critical infrastructure resources in the industrial control environment.


All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.