SANS experts give an update on the five attack techniques shared at RSA Conference 2022.
For over a decade, top SANS experts have presented a keynote at RSA Conference detailing that year’s most dangerous cyber-attack techniques. This year’s conference was no different, and months after the event, our cybersecurity experts reconvened to offer an update on these attack techniques.
In case you missed it, our panel of experts evaluated whether the techniques sustained their relevance, looked at what’s coming next as we move into 2023, and discussed what organizations can do now to prepare.
Seeing as how the cloud has become part of our everyday lives, adversaries are targeting cloud environments more than ever, said Katie Nickels, SANS Certified Instructor and Director of Intelligence for Red Canary. While living off the land attack tactics continue to be in use, our cloudy present state has drawn adversaries up into the clouds as well.
Bad actors target cloud environments with these types of cyber attacks because this tactic is cheap and easy to set up, deceives users and defenders by blending in with legitimate cloud services, and more easily bypasses firewalls and proxies. “Adversaries know that users recognize cloud infrastructure,” Katie said in her update.
To detect and respond to these types of cyber attack methods, adopt a mindset of “Know normal, find evil,” Katie said. In other words, know what is normal for your environment so that when something anomalous occurs, it’s easier to identify the adversaries. Other approaches that will help you get ahead of these attacks include putting more resources into user education and also working with cloud providers by reporting abuse of their platforms and brands.
With this technique, a likely scenario is that an adversary gains access to a user account that wasn’t properly disabled and enrolls their own device in MFA so that they can bypass multi-factor authentication.
But keep using MFA, Katie said. Just as with the first technique, the key to getting ahead of this cyber-attack tactic is the same “Know normal, find evil” mindset. Counter-measures involve monitoring for unusual user behaviors and login sources, as well as ensuring that inactive accounts are disabled uniformly across Active Directory and MFA systems, Katie advised.
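One way to put the “Know normal, find evil” advice into practice for this technique is to cross-check MFA-provider events against what Active Directory says about each account. The script below is an added example, not code from the post or from any SANS tool; the users, devices, IPs and event format are constructed, and a real deployment would read these from the directory and the MFA provider’s audit log.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical users and devices, not from the original post).
AD_ACCOUNTS = {                      # what Active Directory says about each account
    "alice": {"enabled": True,  "last_logon": datetime(2022, 11, 1)},
    "bob":   {"enabled": False, "last_logon": datetime(2022, 3, 5)},   # disabled in AD only
    "carol": {"enabled": True,  "last_logon": datetime(2022, 5, 20)},  # dormant, never disabled
}
KNOWN_MFA_DEVICES = {                # devices enrolled before the review window
    "alice": {"phone-a1"}, "bob": {"phone-b1"}, "carol": {"phone-c1"},
}
# Constructed MFA-provider events: (timestamp, user, event, device_id, source_ip)
MFA_EVENTS = [
    (datetime(2022, 11, 2, 9, 0), "alice", "login",  "phone-a1", "203.0.113.10"),
    (datetime(2022, 11, 2, 9, 5), "bob",   "enroll", "phone-x9", "198.51.100.7"),
    (datetime(2022, 11, 3, 1, 0), "carol", "enroll", "phone-x9", "198.51.100.7"),
    (datetime(2022, 11, 3, 1, 2), "carol", "login",  "phone-x9", "198.51.100.7"),
]
REVIEW_TIME = datetime(2022, 11, 4)


def find_suspicious_mfa_activity(ad, known_devices, events, now, dormant_days=90):
    """Flag MFA events that break the baseline: activity on accounts disabled in AD,
    new device enrollments on dormant accounts, and one device enrolled by several users."""
    findings = []
    enrolled_by = {}  # device_id -> users that enrolled it during the review window
    for ts, user, event, device, ip in events:
        acct = ad.get(user)
        if acct is None:
            findings.append((user, "mfa-event-for-account-missing-in-ad", device))
            continue
        if not acct["enabled"]:
            # Disabled in AD but still live in the MFA system: the gap the post warns about.
            findings.append((user, "mfa-event-on-disabled-account", device))
        if event == "enroll" and device not in known_devices.get(user, set()):
            dormant = now - acct["last_logon"] > timedelta(days=dormant_days)
            reason = "new-device-on-dormant-account" if dormant else "new-device-enrolled"
            findings.append((user, reason, device))
            enrolled_by.setdefault(device, set()).add(user)
    for device, users in enrolled_by.items():
        if len(users) > 1:  # one phone registered for several people is never "normal"
            findings.append((",".join(sorted(users)), "one-device-enrolled-by-several-users", device))
    return findings


def run_review():
    """Run the check over the constructed data set and return the findings."""
    return find_suspicious_mfa_activity(AD_ACCOUNTS, KNOWN_MFA_DEVICES, MFA_EVENTS, REVIEW_TIME)


if __name__ == "__main__":
    for user, reason, device in run_review():
        print(f"{user:12} {reason:40} {device}")
```

Each finding names the account, the rule it broke and the device involved, so the alerts can be routed to the team that owns account lifecycle rather than only to the SOC.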
Our third most dangerous attack technique is something that we refer to as “Ghost Backup” attacks, as Dr. Johannes Ullrich, Dean of Research at SANS Technology Institute, said in his update.
With this approach, an attacker first breaches a controller, then adds a malicious backup job that exfiltrates data to their own attacker-controlled storage.
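A defender’s counterpart to the ghost-backup scenario is a periodic audit of the backup server’s job list. The script below is an added example, not code from the post or from any backup product; the job inventory, repository names and admin group are constructed, and the checks (unapproved destination, creator outside the backup-admin group, recent creation, and a second job for a source that already has one) are the ones a reviewer would apply to an exported job list.

```python
from datetime import datetime, timedelta

# Constructed backup-server inventory (hypothetical hosts and repositories, not from the post).
APPROVED_DESTINATIONS = {"repo-onprem-01", "repo-dr-site"}
BACKUP_ADMINS = {"svc-backup", "jdoe"}
JOBS = [
    {"name": "fs-nightly",   "source": "FS01", "dest": "repo-onprem-01",
     "created_by": "svc-backup", "created": datetime(2021, 6, 1)},
    {"name": "dc-weekly",    "source": "DC01", "dest": "repo-dr-site",
     "created_by": "jdoe",       "created": datetime(2021, 6, 1)},
    # Looks like a routine second copy, but sends the same data to storage nobody approved.
    {"name": "fs-nightly-2", "source": "FS01", "dest": "s3://example-unknown-bucket",
     "created_by": "jdoe",       "created": datetime(2022, 11, 3)},
]
REVIEW_TIME = datetime(2022, 11, 4)


def audit_backup_jobs(jobs, approved, admins, now, recent_days=7):
    """Flag jobs that write outside the approved repositories, were created by someone
    outside the backup-admin group, appeared recently, or duplicate an existing job
    for the same source (the 'ghost' copy of legitimate data)."""
    findings = []
    by_source = {}
    for job in jobs:
        if job["dest"] not in approved:
            findings.append((job["name"], "destination-not-approved"))
        if job["created_by"] not in admins:
            findings.append((job["name"], "created-by-non-backup-admin"))
        if now - job["created"] <= timedelta(days=recent_days):
            findings.append((job["name"], "created-in-last-%d-days" % recent_days))
        by_source.setdefault(job["source"], []).append(job["name"])
    for source, names in by_source.items():
        if len(names) > 1:
            findings.append((source, "multiple-jobs-for-same-source:" + ",".join(names)))
    return findings


def run_audit():
    """Run the audit over the constructed inventory and return the findings."""
    return audit_backup_jobs(JOBS, APPROVED_DESTINATIONS, BACKUP_ADMINS, REVIEW_TIME)


if __name__ == "__main__":
    for item, reason in run_audit():
        print(f"{item:14} {reason}")
```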
Practicing good backup security includes:
“How stalkable are you?” asked Heather Mahalik, SANS DFIR Curriculum Lead and Cellebrite Sr. Director of Digital Intelligence, in her update. “Be aware of everything you’re putting out there.”
While this isn’t a new tactic, poor security hygiene can have devastating outcomes, as adversaries will capitalize on missteps. Consider sophisticated mobile malware that self-installs and self-destructs. Zero-click exploits for iOS and Android allow bad actors to get in and get out undetected, leaving little to no trace that is recoverable through forensic analysis.
Simply put, cyber hygiene matters, Heather said. We must be aware. A few tactics we should all adopt include:
In today’s political environment with increasing global tensions, such as with the situation in Russia and Ukraine, attacks that seem more likely to make up the plot of a James Bond movie are, in fact, very real possibilities, said Rob T. Lee, Chief Curriculum Director and Faculty Lead at SANS Institute.
“The boundaries of civilian and military blur, and Internet and apps can fundamentally change intelligence and military outcomes,” Rob said. Just look to civilian company Starlink’s $80 million investment in Ukraine communications infrastructure as an example.
Be aware that with such lines blurring and geopolitical tensions being what they are currently, we run the risk of having a single bad actor decide they're "going to support that war, but from their basement,” Rob said. There’s a new digital high ground, in which open-source, publicly written technologies can be leveraged in military operations.
These cyber threats are all very real, and the best way to prepare for them is to arm yourself with the skills and knowledge necessary to fight against them. Find upcoming training courses and events here, and demo as many courses as you like with roughly an hour of free content available for each.
The time to get ahead of the most dangerous attack techniques is now.