Beneath the Mask: Can Contribution Data Unveil Malicious Personas in Open-Source Projects?
In February 2024, after building trust with project maintainers over two years by making a significant volume of legitimate contributions, GitHub user "JiaT75" self-merged a version of the XZ Utils project containing a highly sophisticated, well-disguised backdoor targeting sshd processes on systems with the backdoored package installed.
sans-beneath-mask-ruby-nealon (PDF, 1.18MB)
13 May 2025
Related Content
From Alert to Evidence: Evaluating AI Agents for Cyber Forensic Triage
Research Paper
Cyber defense teams are beginning to experiment with large language models in security operations, but their usefulness in digital forensics and incident triage is still uncertain.
- 11 Jun 2026
- Connor Blackard
Know Your Blind Spots: Better Visibility Through EDR Policy Hardening
Research Paper
Endpoint Detection and Response (EDR) tools identify, detect, and respond to anomalous behavior.
- 9 Jun 2026
- Joshuah Williams
Leveraging Large Language Models for Cross-Vendor Firewall Configuration Migration: A Comparative Case Study of Claude and ChatGPT
Research Paper
This paper investigates how two current-generation large language models (LLMs) perform on a single, representative firewall migration task.
- 12 May 2026
- Omar Zaman
AI-Driven SecOps: Unifying Controls, Automating Response, and Advancing the Modern SOC Using Cortex XSIAM
Research Paper
New research from IDC reveals the tangible business value of rigorous, practitioner-led training from SANS: faster threat detection and response, reduced operational risk, stronger team cohesion, and millions in annual cost savings.
- 29 Jul 2025
- Dave Shackleford
Trust But Verify: Evaluating the Accuracy of LLMs in Normalizing Threat Data Feeds
Research Paper
This paper examines whether Large Language Models (LLMs) can be reliably applied to the normalization of Indicators of Compromise (IOCs) into Structured Threat Information Expression (STIX) format.
- 16 Jul 2025
- Nicholas Peterson
Do AI Coding Assistants Make Bad Coders Worse? A Security Evaluation of GitHub Copilot
Research Paper
This paper examines whether the overall security posture of a project affects the quality of the code produced by Copilot.
- 11 Jul 2025
- Andrew Hannaford
Dropzone AI Can Make Internal SOC Teams More Effective
Research Paper
In this paper, SANS Certified Instructor Mark Jeanmougin examines how Dropzone AI can integrate into existing security stacks and help SOC teams stay focused on high-impact decisions.
- 17 Jun 2025
- Mark Jeanmougin
SANS 2025 CTI Survey Webcast & Forum: Navigating Uncertainty in Today’s Threat Landscape
Research Paper
This paper explores results from the SANS 2025 CTI Survey, with insights into how cybersecurity...
- 20 May 2025
- Rebekah Brown, Andreas Sfakianakis
AI-Driven Insecurity: Assessing Security Gaps in AI Generated IT Guidance
Research Paper
The increasing reliance on AI-generated technical guidance for IT system configuration introduces significant security risks. This study assesses these risks through a case study: setting up an Apache web server on a Rocky Linux system using instructions from seven AI models.
- 13 May 2025
- Edward Abbott
Catching the Hand in the Cookie Jar: Canary Session Cookies
Research Paper
This project demonstrates how even applications secured with MFA are still vulnerable to hijacked session cookies. Given the persistent threats posed to organizations by stolen authentication cookies, this research proposes implementing Canary session cookies to detect the theft and malicious use of credentials.
- 17 Apr 2025
- Caleb Patten
A Pebble In the Ocean: Maximizing Log Fidelity In Container Environments
Research Paper
Log fidelity is crucial for Incident Response Teams to investigate and contain cyber incidents but can be difficult to optimize in containerized environments.
- 17 Apr 2025
- Zach Salva
Leveraging Large Language Models for Security-Focused Code Reviews
Research Paper
This study investigates the potential application of Large Language Models (LLMs) in enhancing software security through automated vulnerability detection during the code review process.
- 26 Mar 2025
- Daniel McQuade
SANS 2025 Threat Hunting Survey: Advancements in Threat Hunting Amid AI and Cloud Challenges
Research Paper
The 2025 SANS Threat Hunting Survey marks a decade of tracking how organizations evolve their threat hunting capabilities.
- 13 Mar 2025
- Josh Lemon
Empowering Responders with Automated Investigation
Research Paper
This white paper investigates how Binalyze's AIR platform reduces the overhead of forensic investigations by automating the process of collecting artifacts, triaging the data, and identifying next steps.
- 18 Feb 2025
- Megan Roddie-Fonseca
Beyond Detection: Using Real Phishing Data to Gauge Security Training Program Success
Research Paper
This paper defines one method of network security monitoring in an organization to find these existing indicators.
- 7 Jan 2025
- Cory Keller
MITRE ATT&CK Labeling of Cyber Threat Intelligence via LLM
Research Paper
This paper explores the effectiveness of various online and locally hosted LLMs in classifying an arbitrary statement as containing a MITRE ATT&CK Framework (MAF) technique or not, and then producing the technique number if it does.
- 7 Jan 2025
- Terence O’Brien
Hunting the Hound of Hades: Kerberos Delegation Attacks, Detections and Defenses
Research Paper
When misconfigured, Kerberos delegation in an Active Directory environment can lead to complete domain compromise.
- 23 Dec 2024
- Ben Boyle
Threat Intelligence-Driven Attack Surface Management
Research Paper
Defenders struggle to keep up with the pace of digital transformation in the face of an expanding...
- 9 Aug 2022
- Jonathan Matkowsky
How to Build and Use an Incident Response Playbook Effectively
Research Paper
An effective incident response playbook provides structure and clarity during high-pressure security events.
- 25 Jul 2022
- Andreas Seiler
Windows 10 vs. Windows 11, What Has Changed?
Research Paper
Windows 10 was released on July 29, 2015. It has since become the most installed desktop operating...
- 25 Jul 2022
- Andrew Rathbun
