For over a decade, top SANS experts have presented a keynote at RSA Conference detailing that year’s most dangerous cyber-attack techniques. This year’s conference was no different, and months after the event, our cybersecurity experts reconvened to offer an update on these attack techniques.
In case you missed it, our panel of experts evaluated whether the techniques sustained their relevance, looked at what’s coming next as we move into 2023, and discussed what organizations can do now to prepare. Here’s a look at where things stand.
1. Living Off the Cloud
Now that the cloud is part of our everyday lives, adversaries are targeting cloud environments more than ever, said Katie Nickels, SANS Certified Instructor and Director of Intelligence for Red Canary. While living-off-the-land tactics continue to be in use, adversaries have followed us up into the cloud as well.
Bad actors target cloud environments with these attacks because this tactic is cheap and easy to set up, deceives users and defenders by blending in with legitimate cloud services, and more easily bypasses firewalls and proxies. “Adversaries know that users recognize cloud infrastructure,” Katie said in her update.
To detect and respond to these attack methods, adopt a mindset of “Know normal, find evil,” Katie said. In other words, know what is normal for your environment so that when something anomalous occurs, it’s easier to identify the adversaries. Other approaches that will help you get ahead of these attacks include investing more in user education and working with cloud providers by reporting abuse of their platforms and brands.
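As an added illustration of the “Know normal, find evil” idea for cloud traffic (this is example code, not part of the SANS post): build a per-host baseline of which cloud destinations are normal from a window of proxy logs, then flag first-seen destinations in a later window. The log format, hostnames and domains are all constructed for the example.

```python
# Added example (not from the SANS post): a "know normal, find evil" baseline
# for living-off-the-cloud traffic. Learn which cloud destinations each host
# normally contacts from a baseline window of proxy logs, then flag first-seen
# destinations (and the bytes sent to them) in a later window.
# Log format, hostnames and domains are all constructed for this illustration.
from collections import defaultdict

# Constructed proxy log lines: "<timestamp> <host> <destination_domain> <bytes_out>"
BASELINE_LOGS = """\
2022-10-01T09:00:01 ws-011 storage.example-cloud.test 5120
2022-10-01T09:05:11 ws-011 login.example-cloud.test 880
2022-10-01T09:07:43 ws-011 docs.example-cloud.test 2048
2022-10-02T10:12:09 ws-011 storage.example-cloud.test 7312
2022-10-02T11:15:22 ws-042 docs.example-cloud.test 1024
"""
RECENT_LOGS = """\
2022-10-15T03:14:02 ws-011 storage.example-cloud.test 4096
2022-10-15T03:14:05 ws-011 share.example-cloud.test 61440
2022-10-15T03:14:07 ws-011 share.example-cloud.test 65536
2022-10-15T09:30:00 ws-042 docs.example-cloud.test 900
"""

def parse(logs):
    """Yield (timestamp, host, destination, bytes_out) tuples from the log text."""
    for line in logs.splitlines():
        ts, host, dest, nbytes = line.split()
        yield ts, host, dest, int(nbytes)

def build_baseline(logs):
    """Map each host to the set of cloud destinations it contacted during the baseline."""
    seen = defaultdict(set)
    for _, host, dest, _ in parse(logs):
        seen[host].add(dest)
    return seen

def find_new_destinations(baseline, logs):
    """Return sorted (host, destination, total_bytes) for destinations a host
    never contacted in the baseline; a large volume to a brand-new cloud
    service is the kind of anomaly worth a closer look."""
    totals = defaultdict(int)
    for _, host, dest, nbytes in parse(logs):
        if dest not in baseline.get(host, set()):
            totals[(host, dest)] += nbytes
    return sorted((h, d, b) for (h, d), b in totals.items())

if __name__ == "__main__":
    for host, dest, nbytes in find_new_destinations(build_baseline(BASELINE_LOGS), RECENT_LOGS):
        print(f"{host}: first-seen destination {dest} ({nbytes} bytes out)")
```

In practice the baseline window should be long enough to cover normal weekly and monthly activity, or legitimate but infrequent services will show up as “new”.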
2. MFA “Bypass”
In a likely scenario for this technique, an adversary gains access to a user account that wasn’t properly disabled and re-enrolls a device they control for that account so that they can bypass multi-factor authentication.
But keep using MFA, Katie said. Just like the first technique, the key to getting ahead of this cyber-attack tactic is to channel that same “Know normal, find evil” mindset. Counter-measures include monitoring for unusual user behaviors and login sources, and ensuring that inactive accounts are disabled consistently across Active Directory and MFA systems, Katie advised.
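One way to turn that advice into a recurring check, as an added example that is not from the SANS post: reconcile an Active Directory export against an MFA system export, flagging accounts whose enabled state differs between the two, and MFA device enrollments on accounts that were already disabled or long idle. Both exports and their field layout are constructed for the example.

```python
# Added example (not from the SANS post): reconcile account state between an
# Active Directory export and an MFA system export. It flags (a) accounts whose
# enabled/disabled state differs between the two systems and (b) MFA device
# enrollments on accounts that were disabled or long idle at enrollment time.
# Both exports and their field layout are constructed/assumed for this example.
from datetime import datetime, timedelta

# Constructed AD export: username -> (enabled, last_logon)
AD_ACCOUNTS = {
    "alice": (True,  datetime(2022, 10, 14)),
    "bob":   (False, datetime(2022, 3, 2)),   # leaver, correctly disabled in AD
    "carol": (True,  datetime(2022, 1, 9)),   # stale account never disabled
}
# Constructed MFA export: username -> (enabled, [(device, enrolled_at), ...])
MFA_ACCOUNTS = {
    "alice": (True, [("phone-a1", datetime(2021, 6, 1))]),
    "bob":   (True, [("phone-b1", datetime(2021, 6, 1)),
                     ("phone-b2", datetime(2022, 10, 12))]),  # enrolled after AD disable
    "carol": (True, [("phone-c1", datetime(2021, 6, 1)),
                     ("phone-c2", datetime(2022, 10, 13))]),  # enrolled months after last logon
}

def reconcile(ad, mfa, stale_after=timedelta(days=90)):
    """Return sorted (user, finding) pairs; an empty list means both systems agree."""
    findings = []
    for user in sorted(set(ad) | set(mfa)):
        ad_enabled, last_logon = ad.get(user, (False, None))
        mfa_enabled, devices = mfa.get(user, (False, []))
        # (a) inactive accounts must be disabled uniformly in AD and MFA
        if ad_enabled != mfa_enabled:
            findings.append((user, "state-mismatch"))
        # (b) a new device on a disabled or long-idle account is the re-enrollment pattern
        for device, enrolled_at in devices:
            idle = last_logon is None or enrolled_at - last_logon > stale_after
            after_disable = not ad_enabled and (last_logon is None or enrolled_at > last_logon)
            if idle or after_disable:
                findings.append((user, f"enrollment-on-inactive-account:{device}"))
    return findings

if __name__ == "__main__":
    for user, finding in reconcile(AD_ACCOUNTS, MFA_ACCOUNTS):
        print(f"{user}: {finding}")
```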
3. “Ghost Backup” Attack
The third most dangerous attack technique is what Dr. Johannes Ullrich, Dean of Research at SANS Technology Institute, referred to in his update as the “Ghost Backup” attack.
With this approach, an attacker first breaches the backup controller, then adds a malicious backup job that exfiltrates data to their own attacker-controlled storage.
Good backup security practices include:
- Perform regular inventorying
- Implement data retention policies
- Ensure there is a plan in place to patch agents
- Secure access to the central management console
- Deploy end-to-end encryption
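The first item on that list, regular inventorying, is where a ghost job gets caught. As an added example (not the SANS post’s own code), this audits a job export from a backup management console and flags jobs whose destination is not an approved repository, that have no change-control record, or whose name mimics an existing job. The export format, field names, repository URIs and ticket ids are all constructed for the example.

```python
# Added example (not from the SANS post): inventory the jobs exported from a
# backup management console and flag "ghost" jobs, i.e. jobs whose destination
# is not an approved repository, that have no change-control record, or whose
# name mimics an existing legitimate job. The export format, field names,
# repository URIs and ticket ids are constructed/assumed for this example.
import json

# Assumed allowlists maintained by the backup team
APPROVED_TARGETS = {"repo://onprem-vault-01", "repo://dr-site-vault"}
APPROVED_CHANGES = {"CHG-1041", "CHG-1077"}

# Constructed console export
JOBS_JSON = json.dumps([
    {"id": 1, "name": "fileserver-nightly", "target": "repo://onprem-vault-01",
     "created_by": "backup-admin", "change_ticket": "CHG-1041"},
    {"id": 2, "name": "sql-weekly", "target": "repo://dr-site-vault",
     "created_by": "backup-admin", "change_ticket": "CHG-1077"},
    {"id": 3, "name": "sql-weekly-2", "target": "s3://bucket-not-ours",
     "created_by": "svc-backup", "change_ticket": None},
])

def audit_backup_jobs(jobs_json, approved_targets, approved_changes):
    """Return (job_id, reason) pairs for every job failing an inventory check."""
    jobs = json.loads(jobs_json)
    names = {job["name"] for job in jobs}
    findings = []
    for job in jobs:
        # Backup data should only ever flow to repositories the organisation controls
        if job["target"] not in approved_targets:
            findings.append((job["id"], "unapproved-target"))
        # Every job should trace back to an authorised change
        if job.get("change_ticket") not in approved_changes:
            findings.append((job["id"], "no-change-record"))
        # A job named like an existing one plus a suffix is a classic disguise
        for other in sorted(names - {job["name"]}):
            if job["name"].startswith(other):
                findings.append((job["id"], f"lookalike-name:{other}"))
    return findings

if __name__ == "__main__":
    for job_id, reason in audit_backup_jobs(JOBS_JSON, APPROVED_TARGETS, APPROVED_CHANGES):
        print(f"job {job_id}: {reason}")
```

Run this on a schedule and diff the output against the previous run, so a job that appears between inventories stands out even if it happens to pass the static checks.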
4. Stalkerware – Same Methods, Greater Access
“How stalkable are you?” asked Heather Mahalik, SANS DFIR Curriculum Lead and Cellebrite Sr. Director of Digital Intelligence, in her update. “Be aware of everything you’re putting out there.”
While this isn’t a new tactic, practicing poor security hygiene can have devastating outcomes, as adversaries will capitalize on missteps. Consider sophisticated mobile malware that self-installs and self-destructs. Zero-click exploits for iOS and Android allow bad actors to get in and get out undetected, leaving little to no trace behind that is recoverable via forensic analysis.
Simply put, cyber hygiene matters, Heather said. We must be aware. A few tactics we should all adopt include:
- Change passwords on all devices regularly
- Reboot your devices frequently
- Don’t click on random links
5. Cyber Warfare
In today’s political environment with increasing global tensions, such as with the situation in Russia and Ukraine, attacks that seem more likely to make up the plot of a James Bond movie are, in fact, very real possibilities, said Rob T. Lee, Chief Curriculum Director and Faculty Lead at SANS Institute.
“The boundaries of civilian and military blur, and Internet and apps can fundamentally change intelligence and military outcomes,” Rob said. Just look to civilian company Starlink’s $80 million investment in Ukraine communications infrastructure as an example.
Be aware that with such lines blurring and geopolitical tensions being what they are currently, we run the risk of having a single bad actor decide they’re “going to support that war, but from their basement,” Rob said. There’s a new digital high ground, in which open-source, publicly written technologies can be leveraged in military operations.
What Action to Take
These threats are all very real, and the best way to prepare for them is to arm yourself with the skills and knowledge necessary to fight against them. Find upcoming training courses and events here, and demo as many courses as you like with roughly an hour of free content available for each.
The time to get ahead of the most dangerous attack techniques is now.