Highlights of Recent Research
In addition to pursuing class and lab exercises, SANS Master's program candidates are always conducting research. Here are some highlights of their recent findings. You can follow the links in each of the titles to find a complete copy of their research paper, and you can visit the SANS Reading Room to view these and other students' research results.
Don't Always Judge a Packet by Its Cover
By Gabriel Sanchez
February 16, 2016
- Distinguishing between friend and foe as millions of packets traverse a network at any given moment can be a very tedious and trying objective. Packets can contain viruses, malware, and botnets which necessitates the need to detect them fast. However, chasing every packet often becomes unmanageable and can often lead to many dead ends. Traditional approaches to this problem rely on heuristics or signatures with a known bad which tend to be ineffective to the advanced attacker. Instead, this paper will go beyond the known bad and describe a general approach of honing in on packets of interest utilizing the behavior and profiling of a network. The use of behavior analysis and profiling for packets that ordinarily traverse a network can shine light on the shadows that the enemy lurks in that bypass traditional detection. This behavior analysis and profiling is especially imperative since knowing the characteristics of your packets can certainly reveal their true intentions.
Secure Network Design: Micro Segmentation
By Brandon Peterson
February 29, 2016
- Hackers, once on to a network, often go undetected as they freely move from system to system looking for valuable information to steal. Credentials, intellectual property, and personal information are all at risk. It is generally accepted that the attacker has the upper hand and can eventually penetrate most networks. A secure network design that focuses on micro segmentation can slow the rate at which an attacker moves through a network and provide more opportunities for detecting that movement. Organizations that implement a secure network design will find that the added cost and complexity of micro segmentation is more than offset by a reduction in the number and severity of incidents. In fact, the effort extended in learning, classifying, and segmenting the network adds value and strengthens all of the organization's controls.
Selling Your Information Security Strategy
By David Todd
February 18, 2016
Infrastructure Security Architecture for Effective Security Monitoring
By Luciana Obregon
December 11, 2015
- Many organizations struggle to architect and implement adequate network infrastructures to optimize network security monitoring. This challenge often leads to data loss with regards to monitored traffic and security events, increased cost in new hardware and technology needed to address monitoring gaps, and additional Information Security personnel to keep up with the overwhelming number of security alerts. Organizations spend a lot of time, effort, and money deploying the latest and greatest tools without ever addressing the fundamental problem of adequate network security design.
This paper provides a best practice approach to designing and building scalable and repeatable infrastructure security architectures to optimize network security monitoring. It will expand on four network security domains including network segmentation, intrusion detection and prevention, security event logging, and packet capturing. The goal is a visual representation of an infrastructure security architecture that will allow stakeholders to understand how to architect their networks to address monitoring gaps and protect their organizations.
Cybersecurity Inventory at Home
By Glen Roberts
January 7, 2016
- Consumers need better home network security guidance for taking stock of the hardware and software applications installed on their network and devices. The primary sources of information security advice for the average person are TV, magazines, newspapers, websites and social media. Unfortunately, these sources typically repeat the same advice, provide limited guidance and miss key areas of security that should be taken into consideration when securing home networks. On the other hand, enterprises receive comprehensive, prioritized guidance such as the Critical Security Controls from The Center for Internet Security. Unfortunately, these controls were not designed with securing home networks in mind. The wide gap between consumer-media advice columns and highly professional corporate security controls needs to be bridged. This can be done by using the Critical Security Controls as a comprehensive foundation from which to craft an authoritative yet easy-to-understand set of home network security recommendations for individuals. The first step is distilling the guidance for inventorying hardware and software applications.
Security Systems Engineering Approach in Evaluating Commercial and Open Source Software Products
By Jesus Abelarde
January 29, 2016
- The use of commercial and free open source software (FOSS) is becoming more common in commercial, corporate, and government settings as they develop complex systems. This carries a set of risks until the system is retired or replaced. Unfortunately, during project development, the amount of security resources and time necessary to accommodate proper security evaluations is usually underestimated. Also, there is no widely used or standardized evaluation process that engineers and scientists can utilize as a guideline. Therefore, the evaluation process usually ends up lacking or widely different from project to project and company to company. This paper provides a suggested evaluation process and a set of methodologies, along with associated costs and risks, that projects can utilize as a guideline when they integrate commercial and FOSS products during the system development life cycle (SDLC).
Network Forensics and HTTP/2
By Stefan Winkel
January 18, 2016
- Last May, a major new version of the HTTP protocol, HTTP/2, was published and finalized in RFC 7540. HTTP/2, based on the SPDY protocol, which was primarily developed by Google, is a multiplexed, binary protocol where TLS has become the de facto mandatory standard. Most of the modern web browsers (e.g. Chrome, Firefox, Edge) now support HTTP/2, and some Fortune 500 companies like Google, Facebook and Twitter have already enabled HTTP/2 traffic to and from their servers. We have also seen a recent uptake in security breaches related to HTTP data compression (e.g. CRIME, BEAST), which is part of HTTP/2. From a network perspective there is currently limited support for analyzing HTTP/2 traffic. This paper will explore how best to analyze such traffic and discuss how the new version might change the future of network forensics.
There's No Going it Alone: Disrupting Well Organized Cyber Crime
By John Garris
November 23, 2015
- The identification and eventual disruption of a sophisticated criminal enterprise, requiring on-the-fly problem solving and groundbreaking international collaboration, offers a model of how an international cooperative effort can succeed. The efforts that ultimately brought down Rove Digital, an Estonian-based criminal operation that compromised millions of computers, provides just such an example. The approach taken by law enforcement from several countries, coupled with the important roles played by security researchers, can be built upon to address burgeoning threats that can only be tackled
Web Application File Upload Vulnerabilities
By Matthew Koch
December 7, 2015
- Uploading files to a web application can be a key feature to many web applications. Without it cloud backup services, photograph sharing and other functions would not be
Compliant but not Secure: Why PCI-Certified Companies Are Being Breached
By Christian Moldes
December 9, 2015
- The Payment Card Industry published the Data Security Standard 11 years ago; however, criminals are still breaching companies and getting access to cardholder data. The number of security breaches in the past two years has increased considerably, even among the companies that assessors deemed compliant. In this paper, the author conducts a detailed analysis of why this is still occurring and proposes changes companies should adopt to avoid a security breach.
A Network Analysis of a Web Server Compromise
By Kiel Wadner
September 8, 2015
- Through the analysis of a known scenario, the reader will be given the opportunity to explore a website being compromised. From the initial reconnaissance to gaining root access, each step is viewed at the network level. The benefit of a known scenario is that assumptions about the attacker's reasons are avoided, allowing focus to remain on the technical details of the attack. Steps such as file extraction, timing analysis and reverse engineering an encrypted C2 channel are covered.
Coding For Incident Response: Solving the Language Dilemma
By Shelly Giesbrecht
July 28, 2015
- Incident responders frequently are faced with the reality of "doing more with less" due to budget or manpower deficits. The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" are necessary skills in a responder's personal toolkit. The question for IR practitioners is what language should they learn that will be the most useful in their work? In this paper, we will examine several coding languages used in writing tools and scripts used for incident response including Perl, Python, C#, PowerShell and Go. In addition, we will discuss why one language may be more helpful than another depending on the use-case, and look at examples of code for each language.
Forensic Timeline Analysis using Wireshark (GIAC GCFA Gold Certification)
By David Fletcher
August 10, 2015
- The objective of this paper is to demonstrate analysis of timeline evidence using the Wireshark protocol analyzer. To accomplish this, sample timelines will be generated using tools from The Sleuth Kit (TSK) as well as Log2Timeline. The sample timelines will then be converted into Packet Capture (PCAP) format. Once in this format, Wireshark's native analysis capabilities will be demonstrated in the context of forensic timeline analysis. The underlying hypothesis is that Wireshark can provide a suitable interface for enhancing an analyst's ability. This is accomplished through use of built-in features such as analysis profiles, filtering, colorization, marking, and annotation.
Accessing the inaccessible: Incident investigation in a world of embedded devices
By Eric Jodoin
June 24, 2015
- There are currently an estimated 4.9 billion embedded systems distributed worldwide. By 2020, that number is expected to have grown to 25 billion. Embedded systems can be found virtually everywhere, ranging from consumer products such as Smart TVs, Blu-ray players, fridges, thermostats, smart phones, and many more household devices. They are also ubiquitous in businesses where they are found in alarm systems, climate control systems, and most networking equipment such as routers, managed switches, IP cameras, multi-function printers, etc. Unfortunately, recent events have taught us these devices can also be vulnerable to malware and hackers. Therefore, it is highly likely that one of these devices may become a key source of evidence in an incident investigation. This paper introduces the reader to embedded systems technology. Using a Blu-ray player embedded system as an example, it demonstrates the process to connect to and then access data through the serial console to collect evidence from an embedded system's non-volatile memory.
Breaking the Ice: Gaining Initial Access
By Phillip Bosco
August 28, 2015
- While companies are spending an increasing amount of resources on security equipment, attackers are still successful at finding ways to breach networks. This is a compounded problem with many moving parts, due to misinformation within the security industry and companies placing focus on areas of security that yield unimpressive results. A company cannot properly defend and protect against what they do not adequately understand, which tends to be a misunderstanding of their own security defense systems and relevant attacks that cyber criminals commonly use today. These misunderstandings result in attackers bypassing even the most seemingly robust security systems using the simplest methods. The author will outline the common misconceptions within the security industry that ultimately lead to insecure networks. Such misconceptions include a company's misallocation of their security budget, while other misconceptions include the controversies regarding which methods are most effective at fending off an attacker. Common attack vectors and misconfigurations that are devastating, but are highly preventable, are also detailed.
Honeytokens and honeypots for web ID and IH
By Rich Graves
May 14, 2015
- Honeypots and honey tokens can be useful tools for examining follow-up to phishing attacks. In this exercise, we respond using valid email addresses that actually received the phish, and wrong passwords. We demonstrate using custom single sign-on code to redirect logins with those fake passwords and any other logins from presumed attacker source IP addresses to a dedicated phishing-victim web honeypot. Although the proof-of-concept described did not become a production deployment, it provided insight into current attacks.