SANS Information Security Reading Room
https://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

Methods for the Controlled Deployment and Operation of a Virtual Patching Program
https://www.sans.org/reading-room/whitepapers/threats/methods-controlled-deployment-operation-virtual-patching-program-38430
In today’s rapidly changing IT environments, new vulnerabilities are identified at an increasing pace and attackers are becoming more sophisticated in their ability to exploit these vulnerabilities. At the same time, systems have become more complex and are still used in conjunction with older technologies, which results in challenges in testing and deploying traditional patches.
Published: Sun, 20 May 2018 00:00:00 +0000

Automated Detection and Analysis using Mathematical Calculations
https://www.sans.org/reading-room/whitepapers/detection/automated-detection-analysis-mathematical-calculations-38425
A compromised system usually shows some form of anomalous behaviour. Examples include new processes, services, or outbound traffic. In an ideal environment, rules are configured to alert on such anomalies, and an analyst would perform further analysis to determine a possible compromise. However, the real-world situation is less than ideal; new processes, outbound traffic, or other anomalies often blend into legitimate activities. A large network can generate terabytes of data daily, making the task of developing efficient detection capabilities challenging. Mathematical calculations can enhance detection capability by emulating the human confidence level in assessment and analysis. Mathematical analysis can help establish the context of the event, automatically establishing the fidelity of the initial investigation. By incorporating automated analysis to handle false positives, human errors and false negatives can be avoided, resulting in greater detection and monitoring capability.
Published: Thu, 17 May 2018 00:00:00 +0000

Automate Threat Detection and Incident Response: SANS Review of RSA NetWitness Platform
https://www.sans.org/reading-room/whitepapers/detection/automate-threat-detection-incident-response-review-rsa-netwitness-platform-38420
In a recent SANS survey, approximately 35 percent of respondents said their greatest impediment is a skills gap in their IT environments. With that in mind, we reviewed RSA NetWitness Platform, a solution that aims to bridge the human skills gap via machine learning and analytics. This review focuses on RSA NetWitness Platform and examines different views, from responding to an incident to performing an investigation and drilling down to see an activity in real time.
Published: Thu, 10 May 2018 00:00:00 +0000

10 Endpoint Security Problems Solved by the Cloud
https://www.sans.org/reading-room/whitepapers/threats/10-endpoint-security-problems-solved-cloud-38415
SANS surveys and testimonials from IT and security professionals indicate that endpoint security is a challenge. There is too much complexity and cost, defenses aren't keeping up, and security staff is stretched thin. This infographic explores how the cloud can help address these issues.
Published: Fri, 04 May 2018 00:00:00 +0000

Agile Security Patching
https://www.sans.org/reading-room/whitepapers/projectmanagement/agile-security-patching-38410
Security patch management is one of the biggest security and compliance challenges for organizations to sustain. History reveals that many of the large data breaches were successful because of a missing critical security update. Further, the frequency and scope of patching continue to grow. This paper presents a new approach to security patching following Agile and NIST methodology.
Published: Thu, 03 May 2018 00:00:00 +0000

Do Random IP Lookups Mean Anything?
https://www.sans.org/reading-room/whitepapers/malicious/random-ip-lookups-anything-38405
Being able to identify the external IP address of a network is usually a benign activity. Applications may opt to use online services via an HTTP request or API call. Currently, some web-based applications provide this kind of service openly, and some have possibly malicious uses. In fact, malware threats have been using these services to map out and identify their targets for quite some time already, an acknowledged fact hidden in technical write-ups but one which holds little recognition for an active defender. The goal of looking into these web services is to isolate threats that have abused the network service and to identify this kind of network activity. If we can associate an external IP lookup with suspicious activity, then we can assume that an endpoint requires some form of investigation. Endpoint identification through IP addresses may pose a challenge, but the correct placement of the identification methods proposed in this paper may be considered. This paper will also look into the associated malicious activity that has used online services and the use of such services over time, differentiate the threats that use them, and finally show how to detect them using open source tools, if applicable.
Published: Wed, 02 May 2018 00:00:00 +0000

Tailoring Intelligence for Automated Response
https://www.sans.org/reading-room/whitepapers/analyst/tailoring-intelligence-automated-response-38400
Overworked and understaffed IT security teams are trying to integrate threat intelligence into their detection, response, and protection processes, but not very successfully. IT teams need fewer intelligence alerts and more visibility into external threats that matter to their enterprises. SANS Analyst Sonny Sarai discusses his experience reviewing IntSights' Enterprise Threat Intelligence and Mitigation Platform under simulated attack, detection, and remediation scenarios.
Published: Wed, 02 May 2018 00:00:00 +0000

Back to Basics: Focus on the First Six CIS Critical Security Controls
https://www.sans.org/reading-room/whitepapers/securitytrends/basics-focus-first-cis-critical-security-controls-38395
Post-breach investigations reveal that the majority of security incidents occur because well-known security controls and practices were not implemented or were not working as organizations had assumed. This paper explores how Version 7.0 of the Center for Internet Security (CIS) Critical Security Controls addresses the current threat landscape, emerging technologies and tools, and changing mission and business requirements around security.
Published: Tue, 01 May 2018 00:00:00 +0000

Security Testing and Vendor Selection with BreakingPoint
https://www.sans.org/reading-room/whitepapers/modeling/security-testing-vendor-selection-breakingpoint-38390
In this product review conducted by SANS instructor Serge Borso, we learned that BreakingPoint is more than just a network testing tool. BreakingPoint provides a unique solution that enables security assessment, vendor selection and change management. It integrates well and is easy to use. We believe the tool has great value to the security community, specifically larger enterprises in the midst of infrastructure updates and those optimizing information security programs.
Published: Mon, 30 Apr 2018 00:00:00 +0000

Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules
https://www.sans.org/reading-room/whitepapers/malicious/reverse-engineering-wannacry-worm-anti-exploit-snort-rules-38385
Today, a lot of malware is being created and utilized. To solve this problem, many researchers study technologies that can quickly and automatically respond to detected malware. Using artificial intelligence (AI) is one such example. However, modern AI has difficulty responding to new attack methods. On the other hand, malware comes in variants, and the root (core) part often uses the same technology. Therefore, I think that if we can identify that core part of malware through analysis, we can identify many variants as well. This paper considers the possibility of reverse engineering to identify countermeasures from malware analysis results.
Published: Fri, 27 Apr 2018 00:00:00 +0000

Understanding Mobile Device Wi-Fi Traffic Analysis
https://www.sans.org/reading-room/whitepapers/mobile/understanding-mobile-device-wi-fi-traffic-analysis-38380
Mobile devices have become more than just a portable vehicle to place phone calls in locations previously deprived of traditional phone service. In addition to versatile phone service, mobile devices include the capability of utilizing the internet through the Mobile Internet Protocol (IP). This can cause a problem whenever a device is roaming through different points of the cellular network. The IP handoff that takes place during the transfer between cellular towers can result in degraded performance, which can possibly impede traffic analysis. A thorough understanding of Wi-Fi traffic and Mobile IP technology could benefit network and system administrators and defenders by heightening awareness in a field that is surpassing more commonly understood technology.
Published: Tue, 24 Apr 2018 00:00:00 +0000

Learning CBC Bit-flipping Through Gamification
https://www.sans.org/reading-room/whitepapers/vpns/learning-cbc-bit-flipping-gamification-38375
Cryptanalysis concepts like CBC bit-flipping can be difficult to grasp through study alone. Working through "hands-on" exercises is a common teaching technique intended to assist, but freely available training tools for advanced web application penetration testing practice may not be readily available. To this end, this paper describes CBC bit-flipping and offers instruction on trying this cryptanalysis technique. A CBC bit-flipping game is also provided within the OWASP Mutillidae II web application. Mutillidae is a large collection of deliberately vulnerable web application challenges designed to teach web security in a stand-alone, local environment.
Published: Tue, 24 Apr 2018 00:00:00 +0000

Securing the Corporate WLAN in a Healthcare Regulated Organization
https://www.sans.org/reading-room/whitepapers/compliance/securing-corporate-wlan-healthcare-regulated-organization-38370
Wireless networks are a crucial component in the technology infrastructures of modern medical practices and have become an enabler of patient services in the healthcare industry. Healthcare organizations deploy wireless diagnostic devices to provide critical information at the point of care. These devices provide data to medical decision-makers in real time to improve patient outcomes. One of the challenges of integrating these new devices and services into the wireless networks of medical practices is wireless network security. Wireless networks have inherent risks, ranging from data leakage to availability issues in the event of a DoS (Denial of Service) attack or outage. It is critical to secure a patient’s personal information, termed electronic protected healthcare information (ePHI), at all times. Protecting ePHI is a primary goal in designing wireless networks for a healthcare-focused organization. Wireless implementations must be designed to protect patient health information from breach or theft, while at the same time providing needed services to patients and clients. The primary goal of this research project was to provide a healthcare-focused consulting organization with a secure and compliant wireless network. The network is to enable employee collaboration, facilitate client engagement, and accomplish the primary security goal of protecting the company’s ePHI.
Published: Fri, 06 Apr 2018 00:00:00 +0000

Securing the Hybrid Cloud: Traditional vs. New Tools and Strategies: A SANS Whitepaper
https://www.sans.org/reading-room/whitepapers/cloud/securing-hybrid-cloud-traditional-vs-tools-strategies-whitepaper-38365
This paper takes a look at the current state of cloud security and offers specific recommendations for security best practices, including how to use some traditional security tools and emerging solutions, while taking into account typical staffing, technology and other resource issues.
Published: Mon, 02 Apr 2018 00:00:00 +0000

Evaluation of Comprehensive Taxonomies for Information Technology Threats
https://www.sans.org/reading-room/whitepapers/threatintelligence/evaluation-comprehensive-taxonomies-information-technology-threats-38360
Categorization of all information technology threats can improve communication of risk for an organization’s decision-makers, who must determine the investment strategy for security controls. While there are several comprehensive taxonomies for grouping threats, there is an opportunity to establish the foundational terminology and perspective for communicating threats across the organization. This is important because confusion about information technology threats poses a direct risk of damaging an organization’s operational longevity. In order for leadership to allocate security resources to counteract prevalent threats in a timely manner, they must understand those threats quickly. A study that investigates categorization techniques of information technology threats for nontechnical decision-makers, through a qualitative review of grouping methods for published threat taxonomies, could remedy the situation.
Published: Mon, 26 Mar 2018 00:00:00 +0000

An Evaluator's Guide to Cloud-Based NGAV: The SANS Guide to Evaluating Next-Generation Antivirus
https://www.sans.org/reading-room/whitepapers/analyst/evaluators-guide-cloud-based-ngav-guide-evaluating-next-generation-antivirus-38355
The coupling between NGAV and cloud-based analytics is here. The dynamics of cloud-based analytics, which allow for near-real-time operations, bring an essential dimension to NGAV, disrupting the traditional attack model by processing endpoint activity as it happens, algorithmically looking for any kind of bad or threatening behavior, not just for malicious files. This paper covers how cloud support for NGAVs is changing the game and how to evaluate such solutions.
Published: Mon, 26 Mar 2018 00:00:00 +0000

Stopping Advanced Malware, Pre- and Post-Execution: A SANS Review of enSilo's Comprehensive Endpoint Security Platform
https://www.sans.org/reading-room/whitepapers/analyst/stopping-advanced-malware-pre-post-execution-review-ensilos-comprehensive-endpoint-security-platform-38350
Sophisticated malware is the new weapon of choice for criminals and nation states. A multilayered, self-defending security solution (agnostic to operating systems, mitigating malware in real time, and enabling pre- and post-execution protection) is needed to defend against cyber attacks. In this review, SANS Instructor and Analyst Dave Shackleford tests enSilo's response against advanced malware and ransomware threats and explores how enSilo's features can alleviate the burden on security staff.
Published: Tue, 20 Mar 2018 00:00:00 +0000

Pick a Tool, the Right Tool: Developing a Practical Typology for Selecting Digital Forensics Tools
https://www.sans.org/reading-room/whitepapers/forensics/pick-tool-tool-developing-practical-typology-selecting-digital-forensics-tools-38345
One of the most common challenges for a digital forensic examiner is tool selection. In recent years, examiners have enjoyed a significant expansion of the digital forensic toolbox, in both commercial and open source software. However, the increase in digital forensics tools did not come with a corresponding organizational structure for the toolbox. As a result, examiners must conduct their own research and experiment with tools to find one appropriate for a particular task. This study collects input from forty-six practicing digital forensic examiners to develop a Digital Forensics Tools Typology, an organized collection of tool characteristics that can be used as selection criteria in a simple search engine. In addition, a novel method is proposed for depicting quantifiable digital forensic tool characteristics.
Published: Fri, 16 Mar 2018 00:00:00 +0000

PCI DSS and Security Breaches: Preparing for a Security Breach that Affects Cardholder Data
https://www.sans.org/reading-room/whitepapers/compliance/pci-dss-security-breaches-preparing-security-breach-affects-cardholder-data-38340
Organizations that transmit, process or store cardholder data are contractually obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS). They may be tempted to assume that once they are certified compliant, they are immune to security breaches, and as a result may be inadequately prepared when such events occur. Regardless of their compliance status, organizations that fail to prepare could face long investigations, expensive forensic services, staff terminations, and loss of business and reputation. This paper provides detailed guidelines on how to prepare for a security breach, the documentation needed to facilitate forensic investigations and containment, and how to minimize the consequences and impact of a security breach.
Published: Fri, 16 Mar 2018 00:00:00 +0000

PCAP Next Generation: Is Your Sniffer Up to Snuff?
https://www.sans.org/reading-room/whitepapers/detection/pcap-generation-sniffer-snuff-38335
The PCAP file format is widely used for packet capture within the network and security industry, but it is not the only standard. The PCAP Next Generation (PCAPng) Capture File Format is a refreshing improvement that adds extensibility, portability, and the ability to merge and append data to a wire trace. While Wireshark has led the way in supporting the new format, other tools have been slow to follow. With advantages such as the ability to capture from multiple interfaces, improved time resolution, and the ability to add per-packet comments, support for the PCAPng format should be developing more quickly than it has. This paper describes the new standard, demonstrates methods to take advantage of new features, introduces scripting that can make the format usable, and makes the argument that migration to PCAPng is necessary.
Published: Fri, 16 Mar 2018 00:00:00 +0000

Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security
https://www.sans.org/reading-room/whitepapers/clients/pinpoint-remediate-unknown-threats-review-encase-endpoint-security-38330
With the increasing prevalence of security incidents, security teams are learning quickly that the endpoint is involved in almost every targeted attack. EnCase Endpoint Security aims to help security teams focus on the most critical incidents and avoid costly data breaches. In this review, SANS analyst Jake Williams shares his tests of EnCase Endpoint Security version 6.02 and how it performs.
Published: Thu, 15 Mar 2018 00:00:00 +0000

VMRay Analyzer: Rapid Malware Analysis for Incident Response (IR) Teams
https://www.sans.org/reading-room/whitepapers/analyst/vmray-analyzer-rapid-malware-analysis-incident-response-ir-teams-38325
In our hands-on testing, we found that VMRay Analyzer's agentless approach to malware analysis is an effective way to provide rapid incident response. VMRay bridges the gap between an easy-to-use interface and back-end technology that provides a novel platform for analyzing advanced threats.
Published: Mon, 12 Mar 2018 00:00:00 +0000

Managing User Risk: A Review of LogRhythm CloudAI for User and Entity Behavior Analytics
https://www.sans.org/reading-room/whitepapers/breaches/managing-user-risk-review-logrhythm-cloudai-user-entity-behavior-analytics-38320
In this product review, we explored the recently released LogRhythm CloudAI, which applies user and entity behaviour analytics (UEBA) capabilities to enhance traditional event management and security analytics toolsets, monitoring behaviors tracked over time and alerting analysts to unusual events or patterns of events.
Published: Mon, 26 Feb 2018 00:00:00 +0000

Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity
https://www.sans.org/reading-room/whitepapers/forensics/disrupting-empire-identifying-powershell-empire-command-control-activity-38315
Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce the dwell time of adversaries utilizing PowerShell Empire.
Published: Fri, 23 Feb 2018 00:00:00 +0000

Using Windows 10 and Windows Server 2016 to create an Endpoint Detection and Response solution
https://www.sans.org/reading-room/whitepapers/detection/windows-10-windows-server-2016-create-endpoint-detection-response-solution-38310
It has been established best practice to supplement Microsoft Windows with third-party endpoint security solutions that defend against viruses, malware, internet-based, and other threats. With each iteration of Windows, Microsoft has added security measures native to the OS, such as Windows Defender, the Security Policy Editor, and more. Microsoft has made many noticeable advances in Windows 10 and Windows Server 2016 that improve the overall security posture of endpoints. This modern Windows enterprise ecosystem, when utilized properly, can be leveraged as an Endpoint Detection and Response capability. This capability can be achieved without third-party software and can reduce costs to the enterprise that can be reinvested into other projects.
Published: Wed, 21 Feb 2018 00:00:00 +0000