Highlights of Recent Research
In addition to pursuing class and lab exercises, SANS Master's program candidates are always conducting research. Here are some highlights of their recent findings. You can follow the links in each of the titles to find a complete copy of their research paper, and you can visit the SANS Reading Room to view these and other students' research results.
Intrusion Detection Through Relationship Analysis
By Patrick Neise
October 24, 2016
- With the average time to detection of a network intrusion in enterprise networks assessed to be 6-8 months, network defenders require additional tools and techniques to shorten detection time. Perimeter, endpoint, and network traffic detection methods today are mainly focused on detecting individual incidents, while security information and event management (SIEM) products are then used to correlate the isolated events. Although proven to be able to detect network intrusions, these methods can be resource intensive in both time and personnel. Through the use of network flows and graph database technologies, analysts can rapidly gain insight into which hosts are communicating with each other and identify abnormal behavior such as a single client machine communicating with other clients via Server Message Block (SMB). Combining the power of tools such as Bro (since renamed Zeek), a network analysis framework, and neo4j, a native graph database built to examine data and its relationships, rapid detection of anomalous behavior within the network becomes possible. This paper will identify the tools and techniques necessary to extract relevant network information, create the data model within a graph database, and query the resulting data to identify potential malicious activity.
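The client-to-client SMB heuristic described above, as an added example that is not code from the paper: a few constructed Bro conn.log records (tab-separated, with the usual #fields header) are parsed, reduced to a host-to-host relationship graph, and queried for SMB connections whose responder is not one of the hosts that many clients treat as a file server. The addresses, the three-client threshold for calling a host a server, and the Cypher query in the comment are assumptions for illustration.

```python
"""Relationship analysis over Bro/Zeek conn.log records (constructed sample)."""
from collections import defaultdict

# Constructed sample in conn.log layout; hosts and addresses are made up.
# 10.1.0.5 behaves like a file server (three clients), 10.1.1.11 talks SMB
# directly to two other workstations, which is the pattern we want to surface.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1477300000.1\tC1\t10.1.1.10\t49152\t10.1.0.5\t445\ttcp\tsmb\n"
    "1477300001.2\tC2\t10.1.1.11\t49153\t10.1.0.5\t445\ttcp\tsmb\n"
    "1477300002.3\tC3\t10.1.1.12\t49154\t10.1.0.5\t445\ttcp\tsmb\n"
    "1477300003.4\tC4\t10.1.1.10\t49155\t10.1.0.9\t80\ttcp\thttp\n"
    "1477300004.5\tC5\t10.1.1.11\t49156\t10.1.1.12\t445\ttcp\tsmb\n"
    "1477300005.6\tC6\t10.1.1.11\t49157\t10.1.1.13\t445\ttcp\tsmb\n"
)


def parse_conn_log(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def build_graph(records):
    """Edge (orig, resp) -> set of services; the equivalent of a
    (:Host)-[:CONNECTED {service}]->(:Host) model in neo4j."""
    edges = defaultdict(set)
    for r in records:
        edges[(r["id.orig_h"], r["id.resp_h"])].add(r["service"])
    return edges


def smb_servers(edges, min_clients=3):
    """Hosts that accept SMB from at least min_clients distinct originators
    are treated as legitimate file servers (threshold is an assumption)."""
    clients = defaultdict(set)
    for (orig, resp), services in edges.items():
        if "smb" in services:
            clients[resp].add(orig)
    return {host for host, c in clients.items() if len(c) >= min_clients}


def client_to_client_smb(edges, servers):
    """SMB edges whose responder is not a recognised server: workstation to
    workstation SMB, the lateral-movement pattern the paper highlights.
    Illustrative Cypher for the same question once the graph is in neo4j:
      MATCH (a:Host)-[:CONNECTED {service:'smb'}]->(b:Host)
      WHERE NOT b.role = 'server' RETURN a.ip, b.ip"""
    return sorted((o, r) for (o, r), s in edges.items()
                  if "smb" in s and r not in servers)


def analyse(text=SAMPLE_CONN_LOG):
    edges = build_graph(parse_conn_log(text))
    servers = smb_servers(edges)
    return servers, client_to_client_smb(edges, servers)


if __name__ == "__main__":
    servers, suspicious = analyse()
    print("SMB servers:", sorted(servers))
    for orig, resp in suspicious:
        print(f"client-to-client SMB: {orig} -> {resp}")
```

On a real conn.log the same parser works unchanged because the column positions come from the #fields header rather than being hard-coded; the only tuning is the server threshold, which on a production network should come from an asset inventory rather than from in-degree alone.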
Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response
By Gordon Fraser
September 21, 2016
- A commonly accepted Incident Response process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Preparation is key. It sets the foundation for a successful incident response. The incident responder does not want to be trying to figure out where to collect the information necessary to quickly assess the situation and to respond appropriately to the incident. Nor does the incident responder want to hope that the information he needs is available at the level of detail necessary to most effectively analyze the situation so he can make informed decisions on the best course of action. This paper identifies artifacts that are important to support network forensics during incident response and discusses an architecture and implementation for a home lab to support the collection of them. It then validates the architecture using an incident scenario.
Using Vagrant to Build a Manageable and Sharable Intrusion Detection Lab
By Shaun McCullough
September 20, 2016
- This paper investigates how the Vagrant software application can be used by Information Security (InfoSec) professionals looking to provide their audience with an infrastructure environment to accompany their research. InfoSec professionals conducting research or publishing write-ups can give their audience the opportunity to replicate or walk through the research themselves in their own environment. Vagrant is a popular DevOps tool for providing portable and repeatable development environments for application developers, and may solve the needs of the InfoSec professional. This paper will investigate how Vagrant works, the pros and cons of the technology, and how it is typically used. The paper describes how to build or repurpose three environments, highlighting different features of Vagrant. Finally, the paper will discuss lessons learned.
Bill Gates and Trustworthy Computing: A Case Study in Transformational Leadership
By Preston S. Ackerman
September 20, 2016
- The notion that IT security is a serious issue is non-controversial. The market for cybersecurity spending topped $75 billion in 2015, and analysts expect it to exceed $170 billion by 2020 (Morgan 2016). With the advent of cloud computing, the explosion of mobile devices, and the emergence of increasingly sophisticated adversaries from organized crime and nation-state actors, businesses and the industry as a whole will require the vision of great leaders to keep pace with the threats. We can look to the industry's rich history to see examples of such transformational leadership in the past. An enlightening case study is the Microsoft Trustworthy Computing initiative, launched by an insightful and stimulating memo Bill Gates sent on January 15, 2002. The initiative would not only transform culture, procedures, and policy surrounding security at Microsoft, but would in fact cause a dramatic shift for the entire industry. The idealized influence in the leadership shown by Gates can serve as a model for today's leaders.
Know Thy Network - Cisco Firepower and Critical Security Controls 1 & 2
By Ryan Firth
September 19, 2016
- Previously known as the SANS Top 20, the Critical Security Controls are based on real-world attack and security breach data from around the world, and are objectively the most effective technical controls against known cyber-attacks. Due to competing priorities and demands, however, organizations may not have the expertise to figure out how to implement and operationalize the Critical Security Controls in their environments. This paper will help bridge that gap for security and network teams using Cisco Firepower.
In but not Out: Protecting Confidentiality during Penetration Testing
By Andrew Andrasik
August 22, 2016
- Penetration testing is imperative for organizations committed to security. However, independent penetration testers are rarely greeted with open arms when initiating an assessment. As firms implement the Critical Security Controls or the Risk Management Framework, independent penetration testing will likely become standard practice as opposed to supplemental exercises. Ethical hacking is a common tactic to view a company's network from an attacker's perspective, but inviting external personnel into a network may increase risk. Penetration testers strive to gain superuser privileges wherever possible and utilize thousands of open-source tools and scripts, many of which do not originate from validated sources.
Introduction to Rundeck for Secure Script Executions
By John Becker
August 11, 2016
- Many organizations today support physical, virtual, and cloud-based systems across a wide range of operating systems. Providing least privilege access to systems can be a complex mesh of sudoers files, profiles, policies, and firewall rules. While configuration management tools such as Puppet or Chef help ensure consistency, they do not inherently simplify the process for users or administrators. Additionally, current DevOps teams are pushing changes faster than ever. Keeping pace with new services and applications often forces sysadmins to use more general access rules and thus expose broader access than necessary. Rundeck is a web-based orchestration platform with powerful ACLs and SSH-based connectivity to a wide range of operating systems and devices. Rundeck's simple user interface is paired with DevOps-friendly REST APIs and YAML or XML configuration files. Using Rundeck for server access improves security while keeping pace with rapidly changing environments.
Legal Aspects of Privacy and Security: A Case Study of Apple versus FBI Arguments
By Muzamil Riffat
June 3, 2016
- The debate regarding privacy versus security has been going on for some time now. The matter is complicated by the fact that privacy is a subjective concept, shaped by factors such as cultural norms or geographical location. Paradoxically, rapid advancements in technology are fast making technology both the guardian and the invader of privacy. Governments and organizations around the globe use technology to achieve their objectives in the name of security and convenience. The sporadic fights between proponents of privacy and of security have eventually found an avenue in which to express their opinions, namely the U.S. court system. In February 2016, the FBI obtained a court order requiring Apple to modify the security features of an iPhone so that the law enforcement agency could access the contents of the device. Apple, backed by other leading technology firms, vehemently opposed the idea and intended to file a legal appeal against the court order. Before both parties could present their arguments in court, the FBI dropped the case, claiming that it had been able to access the contents of the device without Apple's assistance. Using FBI vs. Apple as a case study, this paper discusses the legal aspects of both parties' positions. With the pervasiveness of advanced technology, it can reasonably be anticipated that such requests by law enforcement and government agencies will become more frequent. The paper presents the privacy concerns that should be taken into consideration regarding all such requests.
Under The Ocean of the Internet - The Deep Web
By Brett Hawkins
May 27, 2016
- The Internet was a revolutionary invention, and its use continues to evolve. People around the world use the Internet every day for things such as social media, shopping, email, reading news, and much more. However, this only makes up a very small piece of the Internet, and the rest is filled by an area called The Deep Web.
Securing Jenkins CI Systems
By Allen Jeng
April 8, 2016
- With over 100,000 active installations worldwide, Jenkins has become the top choice for continuous integration and automation. A survey conducted by CloudBees during the 2012 Jenkins Users Conference concluded that 83 percent of respondents consider Jenkins to be mission critical. The remotely exploitable Java deserialization vulnerability disclosed in November 2015 stresses the need to lock down and monitor Jenkins systems. Exploitation of this weakness enables attackers to gain access to critical assets, such as the source code that Jenkins manages. Enabling password authentication is the general recommendation for securing Jenkins. Unfortunately, this necessary measure is easily defeated with a packet sniffer when Jenkins is served over plain HTTP, because passwords are then transmitted over the wire in clear text. This paper will look at ways to secure Jenkins systems as well as the deployment of intrusion detection systems to monitor critical assets controlled by Jenkins CI systems.
Don't Always Judge a Packet by Its Cover
By Gabriel Sanchez
February 16, 2016
- Distinguishing between friend and foe as millions of packets traverse a network at any given moment can be a very tedious and trying objective. Packets can carry viruses, malware, and botnet traffic, which necessitates detecting them fast. However, chasing every packet often becomes unmanageable and can lead to many dead ends. Traditional approaches to this problem rely on heuristics or signatures of a known bad, which tend to be ineffective against the advanced attacker. Instead, this paper goes beyond the known bad and describes a general approach to homing in on packets of interest by profiling the behavior of a network. Behavior analysis and profiling of the packets that ordinarily traverse a network can shine light on the shadows in which an enemy that bypasses traditional detection lurks. This behavior analysis and profiling is especially important since knowing the characteristics of your packets can reveal their true intentions.
Secure Network Design: Micro Segmentation
By Brandon Peterson
February 29, 2016
- Hackers, once on to a network, often go undetected as they freely move from system to system looking for valuable information to steal. Credentials, intellectual property, and personal information are all at risk. It is generally accepted that the attacker has the upper hand and can eventually penetrate most networks. A secure network design that focuses on micro segmentation can slow the rate at which an attacker moves through a network and provide more opportunities for detecting that movement. Organizations that implement a secure network design will find that the added cost and complexity of micro segmentation is more than offset by a reduction in the number and severity of incidents. In fact, the effort extended in learning, classifying, and segmenting the network adds value and strengthens all of the organization's controls.
Selling Your Information Security Strategy
By David Todd
February 18, 2016
Infrastructure Security Architecture for Effective Security Monitoring
By Luciana Obregon
December 11, 2015
- Many organizations struggle to architect and implement adequate network infrastructures to optimize network security monitoring. This challenge often leads to data loss with regards to monitored traffic and security events, increased cost in new hardware and technology needed to address monitoring gaps, and additional Information Security personnel to keep up with the overwhelming number of security alerts. Organizations spend a lot of time, effort, and money deploying the latest and greatest tools without ever addressing the fundamental problem of adequate network security design.
This paper provides a best practice approach to designing and building scalable and repeatable infrastructure security architectures to optimize network security monitoring. It will expand on four network security domains including network segmentation, intrusion detection and prevention, security event logging, and packet capturing. The goal is a visual representation of an infrastructure security architecture that will allow stakeholders to understand how to architect their networks to address monitoring gaps and protect their organizations.
Cybersecurity Inventory at Home
By Glen Roberts
January 7, 2016
- Consumers need better home network security guidance for taking stock of the hardware and software applications installed on their network and devices. The primary sources of information security advice for the average person are TV, magazines, newspapers, websites and social media. Unfortunately, these sources typically repeat the same advice, provide limited guidance and miss key areas of security that should be taken into consideration when securing home networks. On the other hand, enterprises receive comprehensive, prioritized guidance such as the Critical Security Controls from The Center for Internet Security. Unfortunately, these controls were not designed with securing home networks in mind. The wide gap between consumer-media advice columns and highly professional corporate security controls needs to be bridged. This can be done by using the Critical Security Controls as a comprehensive foundation from which to craft an authoritative yet easy-to-understand set of home network security recommendations for individuals. The first step is distilling the guidance for inventorying hardware and software applications.
Security Systems Engineering Approach in Evaluating Commercial and Open Source Software Products
By Jesus Abelarde
January 29, 2016
- The use of commercial and free open source software (FOSS) is becoming more common in commercial, corporate, and government settings as they develop complex systems. This carries a set of risks until the system is retired or replaced. Unfortunately, during project development the amount of security resources and time necessary to accommodate proper security evaluations is usually underestimated. Also, there is no widely used or standardized evaluation process that engineers and scientists can use as a guideline. Therefore, the evaluation process usually ends up lacking, or differs widely from project to project and company to company. This paper provides a suggested evaluation process and a set of methodologies, along with associated costs and risks, that projects can use as a guideline when they integrate commercial and FOSS products during the system development life cycle (SDLC).
Network Forensics and HTTP/2
By Stefan Winkel
January 18, 2016
- In May 2015 a major new version of the HTTP protocol, HTTP/2, was published and finalized in RFC 7540. HTTP/2, based on the SPDY protocol primarily developed by Google, is a multiplexed, binary protocol for which TLS has become the de facto mandatory standard. Most modern web browsers (e.g. Chrome, Firefox, Edge) now support HTTP/2, and some Fortune 500 companies such as Google, Facebook and Twitter have already enabled HTTP/2 traffic to and from their servers. We have also seen a recent uptake in attacks against compression in the web stack (e.g. CRIME, which targeted TLS and SPDY header compression), a concern HTTP/2 addresses with its own HPACK header compression scheme. From a network perspective there is currently limited support for analyzing HTTP/2 traffic. This paper will explore how best to analyze such traffic and discuss how the new version might change the future of network forensics.
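The binary framing that makes HTTP/2 awkward for network forensics, as an added example that is not code from the paper: every HTTP/2 frame starts with a 9-byte header (24-bit length, 8-bit type, 8-bit flags, reserved bit plus 31-bit stream identifier), and a client connection opens with a fixed preface followed by a SETTINGS frame. The parser below splits a constructed client byte stream into frames and decodes the SETTINGS payload. The sample bytes, the settings values and the opaque header-block bytes are constructed for this example; HPACK decoding of the HEADERS payload is out of scope here.

```python
"""Minimal HTTP/2 frame splitter for a decrypted byte stream (constructed sample)."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # fixed client connection preface (RFC 7540 3.5)
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
SETTINGS_NAMES = {0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH",
                  0x3: "MAX_CONCURRENT_STREAMS", 0x4: "INITIAL_WINDOW_SIZE",
                  0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE"}
END_STREAM, END_HEADERS = 0x1, 0x4


def build_frame(ftype, flags, stream_id, payload):
    """Serialise one frame: 3-byte length, type, flags, 4-byte stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


# Constructed client side of a connection: preface, SETTINGS on stream 0,
# then a HEADERS frame on stream 1 whose payload is an opaque HPACK block.
SAMPLE_CLIENT_BYTES = (
    PREFACE
    + build_frame(0x4, 0x0, 0, struct.pack(">HI", 0x3, 100) + struct.pack(">HI", 0x4, 65535))
    + build_frame(0x1, END_STREAM | END_HEADERS, 1, bytes.fromhex("828684410f"))
)


def parse_frames(stream):
    """Return a list of frame dicts; raises on a truncated trailing frame."""
    if stream.startswith(PREFACE):
        stream = stream[len(PREFACE):]
    frames, off = [], 0
    while off + 9 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "big")
        ftype, flags = stream[off + 3], stream[off + 4]
        stream_id = int.from_bytes(stream[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = stream[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError(f"truncated frame at offset {off}")
        frames.append({"type": FRAME_TYPES.get(ftype, f"UNKNOWN_{ftype:#x}"),
                       "flags": flags, "stream": stream_id, "payload": payload})
        off += 9 + length
    return frames


def decode_settings(payload):
    """SETTINGS payload is a sequence of 16-bit identifier / 32-bit value pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    return {SETTINGS_NAMES.get(ident, ident): value
            for ident, value in (struct.unpack_from(">HI", payload, k)
                                 for k in range(0, len(payload), 6))}


if __name__ == "__main__":
    for f in parse_frames(SAMPLE_CLIENT_BYTES):
        print(f["type"], "stream", f["stream"], "flags", hex(f["flags"]), len(f["payload"]), "bytes")
        if f["type"] == "SETTINGS":
            print("  ", decode_settings(f["payload"]))
```

On a real capture this only works after decryption: since browsers speak HTTP/2 almost exclusively over TLS, the analyst needs the session keys (for example a browser's SSLKEYLOGFILE export, or the server's private key with a non-forward-secret cipher suite) before Wireshark's http2 dissector, or a parser like this one, sees anything but ciphertext.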
There's No Going it Alone: Disrupting Well Organized Cyber Crime
By John Garris
November 23, 2015
- The identification and eventual disruption of a sophisticated criminal enterprise, requiring on-the-fly problem solving and groundbreaking international collaboration, offers a model of how an international cooperative effort can succeed. The efforts that ultimately brought down Rove Digital, an Estonian-based criminal operation that compromised millions of computers, provides just such an example. The approach taken by law enforcement from several countries, coupled with the important roles played by security researchers, can be built upon to address burgeoning threats that can only be tackled
Web Application File Upload Vulnerabilities
By Matthew Koch
December 7, 2015
- Uploading files to a web application can be a key feature to many web applications. Without it cloud backup services, photograph sharing and other functions would not be
Compliant but not Secure: Why PCI-Certified Companies Are Being Breached
By Christian Moldes
December 9, 2015
- The Payment Card Industry published the Data Security Standard 11 years ago; however, criminals are still breaching companies and getting access to cardholder data. The number of security breaches in the past two years has increased considerably, even among companies that assessors deemed compliant. In this paper, the author conducts a detailed analysis of why this is still occurring and proposes changes companies should adopt to avoid a security breach.
A Network Analysis of a Web Server Compromise
By Kiel Wadner
September 8, 2015
- Through the analysis of a known scenario, the reader will be given the opportunity to explore a website being compromised. From the initial reconnaissance to gaining root access, each step is viewed at the network level. The benefit of a known scenario is assumptions about the attackers’ reasons are avoided, allowing focus to remain on the technical details of the attack. Steps such as file extraction, timing analysis and reverse engineering an encrypted C2 channel are covered.
Coding For Incident Response: Solving the Language Dilemma
By Shelly Giesbrecht
July 28, 2015
- Incident responders are frequently faced with the reality of "doing more with less" due to budget or manpower deficits. The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" is a necessary skill in a responder's personal toolkit. The question for IR practitioners is which language they should learn that will be the most useful in their work. In this paper, we examine several programming languages used in writing tools and scripts for incident response, including Perl, Python, C#, PowerShell and Go. In addition, we discuss why one language may be more helpful than another depending on the use case, and look at examples of code in each language.
Forensic Timeline Analysis using Wireshark (GIAC GCFA Gold Certification paper)
By David Fletcher
August 10, 2015
- The objective of this paper is to demonstrate analysis of timeline evidence using the Wireshark protocol analyzer. To accomplish this, sample timelines will be generated using tools from The Sleuth Kit (TSK) as well as Log2Timeline. The sample timelines will then be converted into Packet Capture (PCAP) format. Once in this format, Wireshark's native analysis capabilities will be demonstrated in the context of forensic timeline analysis. The underlying hypothesis is that Wireshark can provide a suitable interface for enhancing an analyst's abilities. This is accomplished through the use of built-in features such as analysis profiles, filtering, colorization, marking, and annotation.
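The timeline-to-PCAP conversion the paper relies on, as an added example that is not the author's tooling: each timeline row becomes one pcap record whose capture timestamp is the event time and whose payload is the event text, so Wireshark's time display, filtering and colouring rules apply to it directly. The input rows below are constructed (a simplified timestamp, source, description layout rather than the exact TSK or Log2Timeline output), timestamps are assumed to be UTC, and the choice of link type 147 (LINKTYPE_USER0, reserved for private use) is an assumption; Wireshark shows such payloads as raw data.

```python
"""Convert a forensic timeline into a pcap file that Wireshark can open (constructed sample)."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4       # little-endian pcap with microsecond timestamps
LINKTYPE_USER0 = 147           # private-use link type; payload shown as raw bytes

# Constructed timeline rows (deliberately out of order) in the form
# (ISO-8601 UTC timestamp, source, description).
SAMPLE_TIMELINE = [
    ("2015-08-10T14:03:22", "FILE", "Created /tmp/.x/payload.sh"),
    ("2015-08-10T14:01:05", "AUTH", "Accepted password for root from 198.51.100.7"),
    ("2015-08-10T14:03:40", "EXEC", "/tmp/.x/payload.sh"),
]


def iso_to_epoch(ts):
    """Timeline timestamps are assumed to be UTC; return seconds since the epoch."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()


def timeline_to_pcap(rows):
    """Return pcap bytes: 24-byte global header, then one record per timeline row
    (16-byte record header with sec/usec, then the event text as the 'packet')."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USER0))
    for ts, source, desc in sorted(rows, key=lambda r: iso_to_epoch(r[0])):
        epoch = iso_to_epoch(ts)
        sec = int(epoch)
        usec = int(round((epoch - sec) * 1_000_000))
        payload = f"{source}|{desc}".encode("utf-8")
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload))
        out += payload
    return bytes(out)


def read_pcap(blob):
    """Parse the file back: (linktype, [(sec, usec, text), ...]) for verification."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    offset, records = 24, []
    while offset < len(blob):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        records.append((sec, usec, blob[offset:offset + incl_len].decode("utf-8")))
        offset += incl_len
    return linktype, records


if __name__ == "__main__":
    with open("timeline.pcap", "wb") as fh:
        fh.write(timeline_to_pcap(SAMPLE_TIMELINE))
    print("wrote timeline.pcap; open it in Wireshark and add a 'data.text' column")
```

Because the payload is plain text, display filters such as `frame.time >= "2015-08-10 14:03:00"` or `data.text contains "root"` work on the timeline exactly as they would on traffic, which is the capability the paper sets out to demonstrate.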
Accessing the inaccessible: Incident investigation in a world of embedded devices
By Eric Jodoin
June 24, 2015
- There are currently an estimated 4.9 billion embedded systems distributed worldwide. By 2020, that number is expected to have grown to 25 billion. Embedded systems can be found virtually everywhere, in consumer products such as smart TVs, Blu-ray players, fridges, thermostats, smart phones, and many more household devices. They are also ubiquitous in businesses, where they are found in alarm systems, climate control systems, and most networking equipment such as routers, managed switches, IP cameras, multi-function printers, etc. Unfortunately, recent events have taught us that these devices can also be vulnerable to malware and hackers. Therefore, it is highly likely that one of these devices may become a key source of evidence in an incident investigation. This paper introduces the reader to embedded systems technology. Using a Blu-ray player as an example, it demonstrates the process of connecting to the serial console and accessing data through it in order to collect evidence from an embedded system's non-volatile memory.
Breaking the Ice: Gaining Initial Access
By Phillip Bosco
August 28, 2015
- While companies are spending an increasing amount of resources on security equipment, attackers are still successful at finding ways to breach networks. This is a compounded problem with many moving parts, due to misinformation within the security industry and companies placing focus on areas of security that yield unimpressive results. A company cannot properly defend and protect against what they do not adequately understand, which tends to be a misunderstanding of their own security defense systems and relevant attacks that cyber criminals commonly use today. These misunderstandings result in attackers bypassing even the most seemingly robust security systems using the simplest methods. The author will outline the common misconceptions within the security industry that ultimately lead to insecure networks. Such misconceptions include a company’s misallocation of their security budget, while other misconceptions include the controversies regarding which methods are most effective at fending off an attacker. Common attack vectors and misconfigurations that are devastating, but are highly preventable, are also detailed.
Honeytokens and honeypots for web ID and IH
By Rich Graves
May 14, 2015
- Honeypots and honeytokens can be useful tools for examining the follow-up to phishing attacks. In this exercise, we respond to the phish using valid email addresses that actually received it, paired with wrong passwords. We demonstrate using custom single sign-on code to redirect logins that use those fake passwords, and any other logins from presumed attacker source IP addresses, to a dedicated phishing-victim web honeypot. Although the proof-of-concept described did not become a production deployment, it provided insight into current attacks.
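The routing decision described above, as an added example that is not the author's single sign-on code: a login attempt is sent to the honeypot if the password is one of the honeytoken passwords planted in the phish replies, and any source address that has ever used one is remembered so its later attempts, even with other credentials, are also diverted. The decoy passwords, addresses and salt are constructed for this example; the honeytoken passwords are stored as salted hashes so the decoys are not sitting in plaintext in the SSO process.

```python
"""Honeytoken-aware login router for an SSO front end (constructed example)."""
import hashlib
import hmac


class HoneyRouter:
    """Decide, before real authentication runs, whether a login attempt should
    go to the production SSO flow ('sso') or to the phishing-victim honeypot."""

    def __init__(self, honeytoken_passwords, known_attacker_ips=()):
        # Static salt is an assumption for the example; a deployment would use
        # a per-installation secret kept outside source control.
        self._salt = b"constructed-example-salt"
        self._token_hashes = {self._digest(p) for p in honeytoken_passwords}
        self.tainted_ips = set(known_attacker_ips)
        self.events = []  # (username, src_ip, reason) for later analysis

    def _digest(self, password):
        return hashlib.sha256(self._salt + password.encode("utf-8")).hexdigest()

    def route(self, username, password, src_ip):
        if src_ip in self.tainted_ips:
            self.events.append((username, src_ip, "tainted-ip"))
            return "honeypot"
        candidate = self._digest(password)
        # Constant-time comparison against every stored hash so timing does
        # not reveal whether a given password is one of the planted decoys.
        if any(hmac.compare_digest(candidate, h) for h in self._token_hashes):
            self.tainted_ips.add(src_ip)
            self.events.append((username, src_ip, "honeytoken"))
            return "honeypot"
        return "sso"


def run_scenario():
    """Constructed sequence: attacker replays a decoy, then tries a real-looking
    login from the same address; an unrelated user goes to production SSO."""
    router = HoneyRouter(["Spring2015!decoy", "Welcome1-decoy"],
                         known_attacker_ips=["192.0.2.77"])
    return router, [
        router.route("alice@example.com", "Spring2015!decoy", "203.0.113.9"),
        router.route("bob@example.com", "Bobs-real-looking-pw", "203.0.113.9"),
        router.route("carol@example.com", "CarolsActualPassword", "198.51.100.4"),
        router.route("dave@example.com", "Anything", "192.0.2.77"),
    ]


if __name__ == "__main__":
    router, decisions = run_scenario()
    for event, decision in zip(router.events, decisions):
        print(event, "->", decision)
```

The honeypot side receives the attacker's full session rather than a bare failed-login record, which is where the insight into the attacker's follow-up behaviour comes from; the tainted-IP list should expire entries over time, since shared proxies and NAT will otherwise divert legitimate users.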
Ransomware Response Project Plan
By Phillip Bosco & Stephen Deck
- In 2015 and 2016, ransomware attacks have drastically increased. The GIAC Enterprises information security team was engaged to provide controls to mitigate the risk of ransomware. This guide contains step-by-step instructions to implement these countermeasures.
Download: ransomware-response-project-plan.zip - 7.5MB
Endpoint Security through Device Configuration, Policy and Network Isolation
By Barbara Filkins & Jonathan Risto
July 15, 2016
- Sensitive data leaked from endpoints unbeknownst to the user can be detrimental to both an organization and its workforce. The CIO of GIAC Enterprises, alarmed by reports from a newly installed, host-based firewall on his MacBook Pro, commissioned an investigation concerning the security of GIAC Enterprise endpoints.