Highlights of Recent Research
In addition to pursuing class and lab exercises, SANS Master's program candidates are always conducting research. Here are some highlights of their recent findings. You can follow the links in each of the titles to find a complete copy of their research paper, and you can visit the SANS Reading Room to view these and other students' research results.
A Network Analysis of a Web Server Compromise
By Kiel Wadner
- Through the analysis of a known scenario, the reader will be given the opportunity to explore a website being compromised. From initial reconnaissance to gaining root access, each step is viewed at the network level. The benefit of a known scenario is that assumptions about the attackers' reasoning can be avoided, allowing focus to remain on the technical details of the attack. Steps such as file extraction, timing analysis and reverse engineering an encrypted C2 channel are covered.
CODING FOR INCIDENT RESPONSE: Solving the Language Dilemma
By Shelly Giesbrecht
- The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" is a necessary skill in a responder's personal toolkit. The question for IR practitioners is: what language should they learn that will be the most useful in their work? This paper examines several coding languages used in writing tools and scripts for incident response, including Perl, Python, C#, PowerShell and Go. In addition, the paper discusses why one language may be more helpful than another depending on the use case, and looks at examples of code for each language.
Forensic Timeline Analysis using Wireshark
By David Fletcher
- This research demonstrates the conversion of timeline evidence produced using The Sleuth Kit (TSK) and Log2Timeline into Packet Capture (PCAP) format. Once in this format, the capabilities of the Wireshark tool were used to explore their applicability to forensic timeline analysis. The underlying hypothesis is that Wireshark can provide a suitable interface for enhancing analyst ability. This was accomplished through use of built-in features. Timeline evidence was converted with a Python script using the Scapy library. During execution, each timeline entry was parsed and used to construct individual packets to form a single packet capture (PCAP) file. The resulting PCAP file was then loaded into Wireshark for analysis. The resulting capability provides an analysis interface that is both dynamic and flexible. The full functionality of the Wireshark interface and its extensibility is exposed to the analyst.
Accessing the inaccessible: Incident investigation in a world of embedded devices
By Eric Jodoin
- There are currently an estimated 4.9 billion embedded systems distributed worldwide. By 2020, that number is expected to have grown to 25 billion. Embedded systems can be found virtually everywhere. They are also ubiquitous in businesses, where they are found in alarm systems, climate control systems, and most networking equipment. Unfortunately, recent events have taught that these devices can also be vulnerable to malware and hackers. Therefore, it is highly likely that one of these devices may become a key source of evidence in an incident investigation. This paper introduces the reader to embedded systems technology. Using a Blu-ray player embedded system as an example, it demonstrates the process to connect to and then access data through the serial console to collect evidence from an embedded system's non-volatile memory.
Breaking the Ice: Gaining Initial Access
By Phillip Bosco
- While companies are spending an increasing amount of resources on security equipment, attackers are still successful at finding ways to breach networks. A company cannot properly defend and protect against what it does not adequately understand, which tends to be a misunderstanding of its own security defense systems and of the relevant attacks that cyber criminals commonly use today. These misunderstandings result in attackers bypassing even the most seemingly robust security systems using the simplest methods. The author outlines the common misconceptions within the security industry that ultimately lead to insecure networks. Such misconceptions include a company's misallocation of its security budget, while others include the controversies regarding which methods are most effective at fending off an attacker. Common attack vectors and misconfigurations that are devastating, but highly preventable, are also detailed.
Honeytokens and honeypots for Web ID and IH
By Rich Graves
- Honeypots and honeytokens can be useful tools for examining follow-up to phishing attacks. In this exercise, the author responds using valid email addresses that actually received the phish, and wrong passwords. The paper demonstrates using custom single sign-on code to redirect logins with those fake passwords, and any other logins from presumed attacker source IP addresses, to a dedicated phishing-victim web honeypot. Although the proof of concept described is not intended to be a production deployment, it provided insight into current attacks.