SANS lists bad backups and cloud abuse as top cyber threats


SAN FRANCISCO — Stolen authentication tokens, cloud abuse, and vulnerable backups are all issues businesses can expect to face in the coming months, experts at SANS Institute say.

During a keynote at the RSA 2022 conference titled “The Five Most Dangerous Emerging Attack Techniques,” SANS experts discussed some of the top cyber threats facing network administrators and security teams. The veteran researchers and security analysts focused on risks that organizations most often overlook when it comes to information security.

Katie Nickels, SANS instructor and director of intelligence at threat detection provider Red Canary, told attendees that one of the biggest cyber threats is the growing trend of attackers abusing public cloud services as a cheap way to stand up attack infrastructure and bypass network security controls, since traffic to well-known cloud providers rarely looks suspicious. Nickels likened the phenomenon to the “living off the land” approach to hacking, in which threat actors use built-in system management tools to move laterally and maintain persistent access.

“Now we have to do something else called living off the cloud,” Nickels said. “Adversaries use different types of cloud services for many reasons.”

Another area that several panelists agreed poses a risk is multifactor authentication. In particular, Dr. Johannes Ullrich, director of the SANS Internet Storm Center, discussed how organizations should respond when a user loses the primary device they use to obtain their multifactor code.

“One of the things I find missing when people implement multifactor authentication is how you deal with lost or stolen factors,” he said. “A lot of people don’t register multiple second factors.”

Ullrich said one particularly overlooked area of risk is data backup. While many companies try to protect their active data, Ullrich found that backups often go unguarded even though they contain much of the same company data.

“Backups are boring, boring is good, stay boring,” said Ullrich. “Make sure they are backed up where you want them backed up.”

Speaking to SearchSecurity after the panel, Ullrich said organizations also need to be mindful of the techniques employed by nation-state attackers, even if they are unlikely to be targeted by one.

“Some of these attacks tend to trickle down,” he explained. “This year it is a nation-state attacker. In five years it will be used by hackers. In 10 years it will be script kiddies.”

Rob Lee, chief curriculum director at SANS, noted that there are also lessons to be learned from the invasion of Ukraine, particularly in the way services like Starlink keep communications running during a crisis, and do so in a way that can bypass surveillance and censorship by repressive governments.

“You look at the implications of what Starlink is doing and it’s having a serious impact,” Lee said. “This is really changing the way we think about what nation-state access is.”

For Heather Mahalik, senior director of digital intelligence at SANS, one of the challenges facing network defenders is how to deal with changes in attack techniques. Mahalik noted that attackers don’t always use cutting-edge intrusion techniques; often they simply reuse what already works.

“As the technology changes and how things change for users, how does the attack change,” Mahalik asked the audience. “Do they rely on new techniques or rely on what works? Why would you change wheels?”
