SANS Information Security Reading Room
https://www.sans.org/reading-room/
Last 25 Computer Security Papers added to the Reading Room

Adapting AppSec to a DevOps World
https://www.sans.org/reading-room/whitepapers/application/adapting-appsec-devops-world-38305
DevOps software development presents a fundamental challenge to traditional software security practices. Multi-day static and dynamic analysis run by a small pool of security experts is not a tenable model when the business demands multiple software releases per day. Modern system administration and quality assurance roles have adapted by using automation to empower developers to promote code safely and as often as possible. By operating within the DevOps culture and tooling, security experts can educate developers and instrument systems in much the same way as other stakeholders in the development process. Proper abuse case development, metrics, unit testing and integration testing can minimize risk while still enabling the rapid software development that businesses demand.
Tue, 20 Feb 2018 00:00:00 +0000

Immutability Disrupts the Linux Kill Chain
https://www.sans.org/reading-room/whitepapers/analyst/immutability-disrupts-linux-kill-chain-38300
New exploits aimed at Linux systems succeed by achieving root access to the OS. But what if you could lock down the OS and enforce security policies from outside of it? This Spotlight Paper explores the concept of "immutability" as a way of interdicting the Linux kill chain.
Tue, 20 Feb 2018 00:00:00 +0000

Automating Static File Analysis and Metadata Collection Using Laika BOSS
https://www.sans.org/reading-room/whitepapers/malicious/automating-static-file-analysis-metadata-collection-laika-boss-38295
Laika BOSS is a file-centric recursive object scanning framework developed by Lockheed Martin that automates common analysis tasks, generates rich file object metadata and makes it easy to apply file-based signature detections to identify malicious files through static analysis. While performing triage and analysis of malware, analysts typically perform repeatable tasks using a variety of standalone utilities and use these tools to gather information that will be useful in understanding adversary tools and in developing future detections. This paper provides guidance to analysts by reviewing concepts core to the Laika BOSS framework, integrating custom Yara rules for file-based detections, searching and filtering scan object metadata, and describing how to develop, test and implement new Laika BOSS modules that extend and automate new functionality and capabilities in the framework. As part of this research, new modules and tools will be released to the security community that enhance the capabilities and value obtained by using the Laika BOSS framework to perform static malware analysis and metadata collection.
Mon, 19 Feb 2018 00:00:00 +0000

NOC/SOC Integration: Opportunities for Increased Efficiency in Incident Response within Cyber-Security
https://www.sans.org/reading-room/whitepapers/incident/noc-soc-integration-opportunities-increased-efficiency-incident-response-cyber-security-38290
Managing, monitoring and defending enterprise networks with siloed Network Operation Centers (NOC) and Security Operation Centers (SOC) is a challenge. Each team runs 24/7 incident response, event monitoring/correlation, trouble-ticket generation/escalation and up-channel communications, which presents an opportunity to integrate NOC and SOC functions. The two teams can be integrated at the first tier through cross-training, rewriting Standard Operating Procedures (SOPs) with coordination points, standardizing shared and coordinated communications, and sharing and integrating dashboards and other data tools as cybersecurity continues to evolve. Adoption of integration as an industry best practice can capitalize on federated data, improve communication, increase visibility and situational awareness, optimize resource sharing and increase efficiencies.
Wed, 14 Feb 2018 00:00:00 +0000

CTI in Security Operations: SANS 2018 Cyber Threat Intelligence Survey
https://www.sans.org/reading-room/whitepapers/threatintelligence/cti-security-operations-2018-cyber-threat-intelligence-survey-38285
The survey focuses on how organizations collect security intelligence data from a variety of sources, and then recognize and act upon indicators of attack and compromise in a timely manner. Although some CTI trends continued this year, we saw several differences in a number of areas, which are noted in the research. From this year's results, it is clear that CTI collection, integration and use within security teams are maturing.
Mon, 05 Feb 2018 00:00:00 +0000

Building a Custom SIEM Integration for an API-Based Log Source: Azure AD Graph Sign-In Events
https://www.sans.org/reading-room/whitepapers/logging/building-custom-siem-integration-api-based-log-source-azure-ad-graph-sign-in-events-38280
Enterprise security breaches can quickly paralyze operations and cripple the ability to do business if security teams are not adequately equipped to collect all critical log data from the services an organization uses. Vendors lead us to believe that we are comprehensively covered by their "out-of-the-box" log source integrations. It can be challenging for security professionals to find issues with these integrations, and it is usually not until a security incident that we realize crucial log data is missing. This paper takes a critical look at a hidden gap in "out-of-the-box" integrations in SIEM platforms for API log sources, which we, as security professionals, rely on for our detection and analysis of security incidents. As organizations move from on-premises log sources with push-style log delivery to cloud-based solutions where logs are pulled from an API endpoint, new issues arise that have not been seen before. These issues can lead to undetected gaps of missing data between the true record of API log data and what is found in the SIEM platform.
Sat, 03 Feb 2018 00:00:00 +0000

Learning Cryptography by Doing It Wrong: Cryptanalysis of the Vigenere Cipher
https://www.sans.org/reading-room/whitepapers/vpns/learning-cryptography-wrong-cryptanalysis-vigenere-cipher-38275
When studying complex ideas, it may help to begin with a simpler example to better understand the concepts. Modern cryptography and cryptanalysis are exceptionally complex, so a case study from classical cryptography can aid understanding. The Vigenere cipher is a good example. Vigenere was widely considered a secure cipher for three centuries. It is non-trivial to cryptanalyze, offering a stretch goal for beginners, but not impossible to comprehend. Vigenere provides practice in multiple techniques such as statistical analysis, histograms and the Index of Coincidence. Statistical properties of files before and after encryption can be compared to show attributes that allow encrypted files to be detected. A method of detecting the key length of a Vigenere cipher is introduced. Ultimately, a strategy to recover the key for Vigenere-encrypted JPEG files is demonstrated. To help the reader follow this analysis, open source software is provided that performs encryption, decryption and cryptanalysis. Besides learning about classical ciphers and having fun, we reinforce the importance of proper cipher choice for the modern InfoSec professional.
Sat, 03 Feb 2018 00:00:00 +0000

DNS: An Asset, Not a Liability
https://www.sans.org/reading-room/whitepapers/intrusion/dns-asset-liability-38270
The Domain Name System, or DNS, is crucial to billions of Internet users daily, but it comes with issues that organizations must be aware of. Attackers are abusing DNS to conduct attacks that bring businesses to their knees. Fortunately, with the right detection and analysis mechanisms in place, security teams can turn DNS vulnerabilities into enterprise assets.
Tue, 30 Jan 2018 00:00:00 +0000

High Assurance File Filtering, It's Not Magic
https://www.sans.org/reading-room/whitepapers/dlp/high-assurance-file-filtering-it-039-s-magic-38265
This paper examines file type identification techniques to inform further research into improving the security of cross domain solutions (CDS), which are regarded as the most reliable technologies among high-assurance file filtering solutions. Traditionally used only in highly classified government environments, CDS are slowly being adopted by other institutions in the financial, healthcare and mining sectors due to increasing recognition of the value and importance of protecting intellectual property (IP). The portable document format (PDF) is one of the primary document formats in which IP is shared and distributed. Using PDF as a case study, this paper proposes recommendations specifically for file format specification authors to develop file type sub-specifications that can be easily validated for the purposes of IP control and security. The recommendations herein conceptually apply to all file types, although not all techniques and recommendations will be applicable to every file type, due to the unique properties of different classes of file types.
Mon, 29 Jan 2018 00:00:00 +0000

Increase the Value of Static Analysis by Enhancing its Rule Set
https://www.sans.org/reading-room/whitepapers/securecode/increase-static-analysis-enhancing-rule-set-38260
Static analysis tool vendors are debating whether to allow their customers a rule-set tailored to their environment. There is no empirical evidence to support each argument or counter-argument. Veracode does not accept custom rules and argues that lock-down is in its customers' best interest. Checkmarx enables its customers to customize a rule-set under very specific license agreements, while open-source tools such as SonarQube allow complete customization. Putting vendor concerns and priorities aside, should the enterprise add a tailored rule-set with rules that enforce its secure coding standards? More importantly, does a tailored rule-set increase the value of static code analysis to the business? In this study, four different static analysis tools (Veracode, IBM AppScan, Burp Proxy Scanner and SonarQube) scan a JavaScript application. After showing the limitations of the default rule-set for each scanner, the study adds rules that cover the distinct design and coding standards of the sample application. It is not possible to add a custom rule-set to every scanner. For that reason, the experiment adds the tailored rule-set to the SonarQube platform and combines the results of the two scanning tools: one tool enforces security standards while the other finds common flaws in the code. While prior research shows that combining the strengths of multiple code analysis tools delivers better results in general, this study shows that a tailored rule-set improves the outcome even more. The research recommends practical steps to increase the coverage of automated static analysis and maximize its value to the enterprise.
Mon, 29 Jan 2018 00:00:00 +0000

Building the New Network Security Architecture for the Future
https://www.sans.org/reading-room/whitepapers/dataprotection/building-network-security-architecture-future-38255
With the move to cloud services, software-defined networks and IoT devices, the game has changed in terms of defining an organization's network. Current network security architecture doesn't offer the visibility required for modern-day networks, much less guard against threats roaming within them. This white paper examines key elements of the network of the future and their optimal implementation.
Mon, 22 Jan 2018 00:00:00 +0000

Bug Bounty Programs: Enterprise Implementation
https://www.sans.org/reading-room/whitepapers/application/bug-bounty-programs-enterprise-implementation-38250
Bug bounty programs are incentivized, results-focused programs that encourage security researchers to report security issues to the sponsoring organization. These programs create a cooperative relationship between security researchers and organizations that allows the researchers to receive rewards for identifying application vulnerabilities. Bug bounty programs have gone from obscurity to being embraced as a best practice in just a few years: application security maturity models have added bug bounty programs, and there are standards for vulnerability disclosure best practices. By leveraging a global community of researchers available 24 hours a day, 7 days a week, information security teams can continuously deliver application security assessments that keep pace with agile development and continuous integration deployments, complementing existing controls such as penetration testing and source code reviews.
Wed, 17 Jan 2018 00:00:00 +0000

Container Intrusions: Assessing the Efficacy of Intrusion Detection and Analysis Methods for Linux Container Environments
https://www.sans.org/reading-room/whitepapers/detection/container-intrusions-assessing-efficacy-intrusion-detection-analysis-methods-linux-container-environments-38245
The unique and intrinsic methods by which Linux application containers are created, deployed, networked and operated do not lend themselves well to the conventional intrusion detection and analysis methods used in traditional physical and virtual machine networks. While similarities exist in some of the methods used to perform intrusion detection and analysis in conventional networks as compared to container networks, the relative effectiveness of the two has not been thoroughly measured and assessed; this presents a gap in application container security knowledge. By researching the efficacy of these methods as implemented in container networks compared to traditional networks, this research provides empirical evidence to identify the gap and data useful for identifying and developing new and more effective methods to secure application container networks.
Sat, 13 Jan 2018 00:00:00 +0000

Looking Under the Rock: Deployment Strategies for TLS Decryption
https://www.sans.org/reading-room/whitepapers/dlp/rock-deployment-strategies-tls-decryption-38240
Attackers can freely exfiltrate confidential information under the guise of ordinary web traffic. A remedy for businesses concerned about these risks is to decrypt the communication to inspect the traffic, then block it if it presents a risk to the organization. However, these solutions can be challenging to implement. Existing infrastructure, privacy and legal concerns, latency, and differing monitoring tool requirements are a few of the obstacles facing organizations wishing to monitor encrypted traffic. TLS decryption projects can succeed with proper scope definition, an understanding of the architectural challenges presented by decryption, and knowledge of the options available for overcoming those obstacles.
Sat, 13 Jan 2018 00:00:00 +0000

Digital Forensic Analysis of Amazon Linux EC2 Instances
https://www.sans.org/reading-room/whitepapers/cloud/digital-forensic-analysis-amazon-linux-ec2-instances-38235
Companies continue to shift business-critical workloads to cloud services such as Amazon Web Services Elastic Cloud Computing (EC2). With demand for skilled security engineers at an all-time high, many organizations do not have the capability to perform an adequate forensic analysis to determine the root cause of an intrusion or to identify indicators of compromise. To help organizations improve their incident response capability, this paper presents specific tactics for the forensic analysis of Amazon Linux that align with the SANS Finding Malware Step by Step process for Microsoft Windows.
Sat, 13 Jan 2018 00:00:00 +0000

BYOD Security Implementation for Small Organizations
https://www.sans.org/reading-room/whitepapers/mobile/byod-security-implementation-small-organizations-38230
The exponential improvement of the mobile industry has caused a shift in the way organizations work across all industry sectors. Bring your own device (BYOD) is a current industry trend that allows employees to use their personal devices, such as laptops, tablets, mobile phones and other devices, to connect to the internal network. The number of external devices that can now connect to a company that implements a BYOD policy has allowed a proliferation of security risks. The National Institute of Standards and Technology lists these high-level threats and vulnerabilities of mobile devices: lack of physical security controls, use of untrusted mobile devices, use of untrusted networks, use of untrusted applications, interaction with other systems, use of untrusted content, and use of location services. A well-implemented Mobile Device Management (MDM) tool combined with network access controls can be used to mitigate the risks associated with a BYOD policy.
Fri, 15 Dec 2017 00:00:00 +0000

SOC Automation - Deliverance or Disaster
https://www.sans.org/reading-room/whitepapers/threats/soc-automation-deliverance-disaster-38225
Learn how to strike a balance between security alerts that can be automated with minimal impact and the higher-risk alerts that need to be handled by analysts.
Mon, 11 Dec 2017 00:00:00 +0000

The Effectiveness of Tools in Detecting the 'Maleficent Seven' Privileges in the Windows Environment
https://www.sans.org/reading-room/whitepapers/threathunting/effectiveness-tools-detecting-maleficent-seven-privileges-windows-environment-38220
Windows privileges add to the complexity of Windows user permissions. Each additional user added to a group could lead to a domain compromise if not evaluated. Privileges can override permissions, causing a gap between perceived and effective permissions. Currently, system administrators rely on tools such as Security Explorer, Permissions Analyzer for Active Directory, or Gold Finger to help with this problem. An analysis of these three tools, which are supposed to help with permissions, is needed to give administrators a window into these complex effective permissions. This research discovered a gap in identifying users with privileges using the tools currently available. The author filled this gap using PowerShell.
Tue, 05 Dec 2017 00:00:00 +0000

Minerva Labs: Using Anti-Evasion to Block the Stealth Attacks Other Defenses Miss
https://www.sans.org/reading-room/whitepapers/attacking/minerva-labs-anti-evasion-block-stealth-attacks-defenses-38215
Attackers routinely use evasion techniques to bypass baseline anti-malware tools and ultimately compromise endpoints. How can enterprises prevent such intrusions without relying on after-the-fact detection? This paper explores a unique approach to preventing evasive malware from infecting endpoints, using Minerva's Anti-Evasion Platform to automatically block threats without ever scanning files or processes. SANS Reviewer Eric Cole, PhD, shares his findings regarding the ability of Minerva's Anti-Evasion Platform to block such evasive threats.
Mon, 04 Dec 2017 00:00:00 +0000

Security and Operations - An Overlooked But Necessary Partnership
https://www.sans.org/reading-room/whitepapers/threats/security-operations-overlooked-partnership-38210
This paper explores ways to foster cooperation between Security and Operations groups for better visibility into threats and threat pathways, while improving overall protection and network hygiene.
Mon, 04 Dec 2017 00:00:00 +0000

Who's in the Zone? A Qualitative Proof-of-Concept for Improving Remote Access Least-Privilege in ICS-SCADA Environments
https://www.sans.org/reading-room/whitepapers/scada/zone-qualitative-proof-of-concept-improving-remote-access-least-privilege-ics-scada-environments-38205
Remote access control in many ICS-SCADA environments is of limited effectiveness, leading to excessive privilege for staff whose responsibilities are bounded by region, site or device. Inability to implement more restrictive least-privilege access controls may result in unacceptable residual risk from internal and external threats. Security vendors and ICS cybersecurity practitioners have recognized this issue and provide options to address these concerns, such as inline security appliances, network authentication, and user-network based access control. Each of these solutions reduces privileges but has tradeoffs. This paper evaluates network-based access control combined with security zones and its benefits for existing ICS-SCADA environments. A Proof-of-Concept (PoC) evaluates a promising option that is not widely known or deployed in ICS-SCADA.
Mon, 04 Dec 2017 00:00:00 +0000

Updated: Out with the Old, In with the New: Replacing Traditional Antivirus
https://www.sans.org/reading-room/whitepapers/leadership/updated-old-new-replacing-traditional-antivirus-38200
This updated version of the 2016 paper, which included the SANS guide to evaluating next-generation antivirus, provides the background information organizations need to assist them in their efforts to procure next-generation antivirus. Review this document to establish your overall road map and help resolve any questions you may have on the procurement process after reading the companion piece: "SANS Step-by-Step Guide for Procuring Next-Generation Antivirus".
Fri, 01 Dec 2017 00:00:00 +0000

NGAV RFP Evaluation Master Template
https://www.sans.org/reading-room/whitepapers/leadership/ngav-rfp-evaluation-master-template-38195
Click on the link in this file to access the Excel spreadsheet designed to help you compare the vendors from whom you have collected RFP information.
Thu, 30 Nov 2017 00:00:00 +0000

NGAV RFP
https://www.sans.org/reading-room/whitepapers/firewalls/ngav-rfp-38190
This document is a standalone RFP for selecting a next-generation antivirus (NGAV) solution. For more information on how to procure NGAV, be sure to access the Step by Step Guide for Procuring Next-Generation Antivirus.
Thu, 30 Nov 2017 00:00:00 +0000

Step by Step Guide for Procuring Next-Generation Antivirus
https://www.sans.org/reading-room/whitepapers/analyst/step-step-guide-procuring-next-generation-antivirus-38185
This document outlines a procurement process you can use and customize when upgrading to NGAV. The key steps to successful procurement do not change and should apply to any NGAV procurement project.
Thu, 30 Nov 2017 00:00:00 +0000