Beyond Detection: Using Real Phishing Data to Gauge Security Training Program Success
Identifying phishing emails can be cumbersome; it is accomplished through rule-based filters, machine learning, user submissions, and other automated analyses. User submission is the cheapest and easiest to implement, but it is a much more time-intensive process that adds overhead to already burdened staff.
Analysts digging through these reported emails are likely overwhelmed with ticket work, which often leads to missed opportunities to find a malicious email and remediate its threat before any user replies, clicks a URL, or submits credentials. Usually, the only course of action is scheduled or remedial user awareness training. By searching for malicious indicators in phishing emails, metrics can be built from the phishing tactics actually seen in an organization.
This paper defines one method of network security monitoring in an organization to find these existing indicators. It covers the tools used, assuming the organizational prerequisites for analyzing decrypted packet captures with network security monitoring are met.
SANS_Cory_Keller-Final-Beyond-Detection (PDF, 0.72MB)
7 Jan 2025