At RSAC™ 2025, the SANS Institute once again delivered one of the most highly anticipated keynote sessions: The Five Most Dangerous New Attack Techniques… and What to Do About Each.
Moderated by Ed Skoudis, President of the SANS Technology Institute, the session brought together leading cybersecurity experts to unpack the most urgent threats on the horizon and provide advice to strengthen defenses.
Historically, SANS’s RSAC keynotes have forecasted major shifts like the weaponization of mobile malware, cloud-targeted attacks, and the use of artificial intelligence (AI) in ransomware well before they hit headlines. This year, the panel sounded a new alarm: defenders must prepare for threats that blend technical sophistication, operational disruption, and legal uncertainty.
Here’s a breakdown of the five attack techniques every organization must be ready to counter:
1. Authorization Sprawl: The Silent Threat in the Cloud
The cloud promised agility, but it’s also ushered in hidden risks.
According to Joshua Wright, authorization sprawl across cloud and software as a service (SaaS) platforms is becoming a major vulnerability. As organizations grant users overlapping or excessive permissions, attackers find countless ways to escalate privileges and move undetected.
To rein in authorization sprawl, enterprises must tighten access controls, enhance endpoint visibility, and establish robust cloud logging practices. Without decisive action, sprawling permissions will continue to be a silent enabler of major breaches.
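The audit a defender wants here is one that computes each identity's effective permissions from overlapping role grants, flags combinations that enable escalation or audit-trail destruction, and compares what was granted with what cloud logs show was actually used. The following is an added example, not code from SANS or the keynote; the role names, permission strings, identities and usage records are all constructed, and the flat role-to-permission model is an assumption chosen to resemble what IAM and SaaS admin consoles export.

```python
"""Toy authorization-sprawl audit over a constructed role model.

Added example (not from the original page). All data below is constructed.
"""
from collections import defaultdict

# Constructed role -> permission sets (assumption: a flat role model).
ROLES = {
    "reader":     {"storage:read", "logs:read"},
    "deployer":   {"storage:read", "compute:deploy", "iam:passrole"},
    "log-admin":  {"logs:read", "logs:write", "logs:delete"},
    "iam-helper": {"iam:createpolicy", "iam:attachpolicy"},
    "billing":    {"billing:read"},
}

# Constructed identity -> roles. Overlapping grants are the point of the audit.
GRANTS = {
    "alice": ["reader", "deployer"],
    "bob":   ["reader", "iam-helper", "deployer"],
    "carol": ["log-admin", "reader"],
    "dave":  ["billing"],
}

# Constructed list of permission sets that, held together, let one identity
# escalate or erase evidence. A real list comes from the platform's own docs.
RISKY_COMBOS = [
    ({"iam:createpolicy", "iam:attachpolicy"}, "can self-grant arbitrary policy"),
    ({"iam:passrole", "compute:deploy"}, "can run compute under a higher role"),
    ({"logs:delete"}, "can destroy the audit trail"),
]

# Constructed (identity, permission) pairs as they would be mined from
# cloud audit logs over a review window.
USAGE = [
    ("alice", "storage:read"), ("alice", "compute:deploy"),
    ("bob", "storage:read"),
    ("carol", "logs:read"),
    ("dave", "billing:read"),
]


def effective_permissions(grants=GRANTS, roles=ROLES):
    """Union every role an identity holds into one effective permission set."""
    eff = {}
    for who, role_list in grants.items():
        perms = set()
        for role in role_list:
            perms |= roles[role]
        eff[who] = perms
    return eff


def find_risky(eff):
    """Identities whose effective set contains a risky combination."""
    findings = defaultdict(list)
    for who, perms in eff.items():
        for combo, why in RISKY_COMBOS:
            if combo <= perms:          # every permission in the combo is held
                findings[who].append(why)
    return dict(findings)


def unused_permissions(eff, usage=USAGE):
    """Granted-but-never-used permissions: the candidates for removal."""
    used = defaultdict(set)
    for who, perm in usage:
        used[who].add(perm)
    return {who: sorted(perms - used[who])
            for who, perms in eff.items() if perms - used[who]}


if __name__ == "__main__":
    eff = effective_permissions()
    for who, why in find_risky(eff).items():
        print(f"RISK  {who}: {', '.join(why)}")
    for who, perms in unused_permissions(eff).items():
        print(f"PRUNE {who}: {', '.join(perms)}")
```

Run against real data, the two reports drive different actions: the risky-combination list is an immediate review queue, while the unused-permission list is the steady-state input to a least-privilege cleanup and only works if the cloud logging the keynote calls for is actually in place.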
2. ICS Ransomware: Automation’s Double-Edged Sword
Operational technology (OT) environments are increasingly under siege.
Tim Conway, Technical Director of SANS Industrial Control Systems (ICS) and SCADA programs, warned that ransomware actors are targeting industrial systems, where automation, ironically intended to reduce risk, has removed manual recovery options.
Organizations must recognize that the digital transformation has created a fragile OT environment. To defend critical infrastructure, Conway emphasized bridging the traditional IT-OT divide, strengthening resilience strategies, and developing recovery plans that assume system-wide disruption.
3. Destructive ICS Attacks: From Disruption to Real-World Damage
Ransomware is no longer the worst-case scenario.
Conway also spotlighted the rise of attacks on industrial systems, targeting safety mechanisms to cause real-world physical consequences. Nation-state adversaries are investing in attacks that don’t just disrupt operations but aim for catastrophic damage.
This evolution demands a new mindset. ICS defenders must expand beyond traditional IT monitoring, revalidate the integrity of safety protocols, and involve executive leadership in scenario planning for operational cyber crises.
4. Vanishing Evidence: The New Challenge in Digital Forensics
In the world of incident response, missing evidence is becoming the norm.
Heather Mahalik Barnhart, Digital Forensics and Incident Response (DFIR) Curriculum Lead at SANS, highlighted how modern threat actors are perfecting techniques to erase or prevent the creation of forensic artifacts. This shift makes post-attack investigations slower, murkier, and less reliable.
Organizations need to rethink how they collect and preserve forensic data, emphasizing high-fidelity logging, resilient evidence capture, and developing team expertise in working with limited digital breadcrumbs. Tomorrow’s incident responders must be ready to solve cases where key evidence is deliberately missing.
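One concrete form of "resilient evidence capture" is a hash-chained, append-only event log whose head hash is anchored off the host, so that edits, deletions and truncation of the record are detectable even if the attacker controls the machine that produced it. The following is an added example, not something the keynote or SANS published; the event records are constructed, and the chain format (SHA-256 over the previous hash, a sequence number and the record) is an assumption chosen for illustration.

```python
"""Tamper-evident event log: hash chain plus off-host head anchoring.

Added example (not from the original page). SAMPLE_EVENTS are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64   # assumed sentinel for "no previous entry"

# Constructed events of the kind an investigator would want preserved.
SAMPLE_EVENTS = [
    {"ts": "2025-04-28T10:00:00Z", "event": "login", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2025-04-28T10:02:13Z", "event": "role_change", "user": "alice", "detail": "added to admins"},
    {"ts": "2025-04-28T10:05:40Z", "event": "audit_log_clear_attempt", "user": "alice"},
    {"ts": "2025-04-28T10:06:01Z", "event": "logout", "user": "alice"},
]


def _digest(prev_hash, seq, record):
    """Canonical SHA-256 over (previous hash, sequence number, record)."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "record": record},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def append(chain, record):
    """Append a record, binding it to everything written before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = chain[-1]["seq"] + 1 if chain else 0
    entry = {"seq": seq, "record": record, "prev": prev,
             "hash": _digest(prev, seq, record)}
    chain.append(entry)
    return entry


def build_chain(events):
    chain = []
    for ev in events:
        append(chain, ev)
    return chain


def verify(chain):
    """Return None if the chain is intact, else the index of the first bad entry.

    Catches in-place edits (hash mismatch) and deletions in the middle
    (sequence or prev-hash mismatch). It cannot catch removal of the newest
    entries on its own; see head_matches for that case.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if (e["seq"] != i or e["prev"] != prev
                or e["hash"] != _digest(prev, e["seq"], e["record"])):
            return i
        prev = e["hash"]
    return None


def head_matches(chain, anchored_head):
    """Compare the local head hash with one shipped off-host earlier.

    Truncating the tail of the log leaves a valid shorter chain, so the
    head hash must be anchored somewhere the attacker cannot reach.
    """
    return bool(chain) and chain[-1]["hash"] == anchored_head


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    anchored = chain[-1]["hash"]          # imagine this was sent to a remote store
    print("intact:", verify(chain) is None, "head ok:", head_matches(chain, anchored))
    chain.pop()                           # attacker erases the most recent event
    print("after truncation: verify =", verify(chain),
          "head ok:", head_matches(chain, anchored))
```

The design point is the split between `verify`, which any copy of the log can run, and `head_matches`, which only means something if the head hash was exported before the incident. Forwarding each new head hash to a separate collector at write time is what turns a local chain into evidence that survives deliberate erasure.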
5. AI Regulatory Threats: The Hidden Compliance Risk for Defenders
AI is a double-edged sword, not just in cyber offense, but in defense.
Rob T. Lee, SANS Chief of Research, warned that emerging AI regulations could unintentionally weaken cybersecurity operations. New laws around data privacy and AI transparency may restrict defenders' ability to monitor systems effectively, even as attackers increasingly weaponize AI.
The solution isn’t abandoning AI tools; it’s building smart governance. Enterprises must proactively navigate the regulatory landscape, balancing compliance with operational security to ensure defenders don’t find themselves fighting blind in a world of AI-accelerated threats.
Preparing for a Future That’s Already Here
This year’s SANS keynote wasn’t just a glimpse into possible future threats; it was a reality check.
The message was clear: organizations that treat cybersecurity purely as a technical issue will fall behind. Defending against these emerging attacks requires leadership-level commitment, integrated risk management, and a shift toward building resilience, not just prevention.
If you want to equip your team with the skills and strategic foresight to defend against what’s next, don’t wait. Speak with a SANS Training Advisor today and explore the training paths designed to help your organization navigate an increasingly complex threat landscape.