Each year, the SANS Institute’s must-see keynote session at RSA Conference delivers a forward-looking briefing on the most critical and emerging attack vectors in cybersecurity. The 2025 session surfaced five new attack techniques that are reshaping how enterprises must think about cyber risk. Moderated by SANS Technology Institute President Ed Skoudis, the 45-minute session brought together top SANS experts to assess how today’s attackers are escalating both their technical sophistication and impact on business operations.
With a real-time pulse on the cyber threat landscape, SANS experts have historically raised awareness of emerging attack techniques well before they become mainstream. For example:
- In 2017, Ed Skoudis anticipated how ransomware combined with cryptocurrencies would become a powerful tool for threat actors.
- In 2018, James Lyne discussed growing trends in malware attacks focused on disrupting Industrial Control Systems (ICS) and utilities.
- In 2019, Ed Skoudis analyzed the rise of attacks from the cloud against the cloud.
- In 2020, Heather Barnhart predicted the rise in weaponized malware utilized by nation states against mobile devices, as we saw with Pegasus spyware.
- In 2023, Stephen Sims warned that threat actors would manipulate AI tools to amplify the velocity of ransomware campaigns and identify zero-day vulnerabilities in complex systems.
The following five attack techniques highlighted in this year’s keynote session reveal a troubling convergence of misconfigured cloud environments, rising operational risk in industrial control systems, complex regulatory dynamics around artificial intelligence (AI), and more. Attendees left with critical insights and actionable recommendations to help their organizations anticipate threats, mitigate risk, and strengthen resilience across cloud, operational, and regulatory domains in 2025.
Attack Technique #1: Authorization Sprawl in Cloud and SaaS Environments
Presented by Joshua Wright, SANS Faculty Fellow
As enterprise cloud adoption accelerates, so too does the complexity of identity and access management. Authorization sprawl—where users hold redundant or excessive permissions across cloud, SaaS, and hybrid environments—has become a critical vulnerability. These overextended privileges create hidden attack paths that adversaries can exploit without raising immediate alarms.
The inability to accurately map and monitor access across a distributed cloud environment weakens detection and response efforts. Security leaders must address this risk by deploying browser-level endpoint controls, enabling visibility across cloud silos, and enforcing disciplined logging practices that support forensic investigations and real-time decision-making.
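One way to make sprawl visible is to pull every grant from every system into a single inventory and audit it against observed activity. The script below is an added illustration, not code from the keynote or from SANS; the grant tuples, the activity log, the system names and the "sensitive" prefixes are all constructed assumptions standing in for exports from each provider's IAM API. It flags three sprawl signals for each principal: the same effective permission reachable through more than one role (redundant), wildcard grants, and grants with no matching activity inside the review window (unused).

```python
"""Audit a consolidated permission inventory for authorization sprawl.

Added example, not SANS code. GRANTS and ACTIVITY are constructed samples;
in practice they would be exported from each cloud/SaaS provider's IAM and
audit-log APIs and normalised into the same (principal, system, permission) shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: (principal, system, source_role, permission)
GRANTS = [
    ("alice", "aws", "DevRole", "s3:GetObject"),
    ("alice", "aws", "LegacyAdmin", "s3:GetObject"),   # same right via a second role
    ("alice", "aws", "LegacyAdmin", "iam:*"),          # wildcard on the identity service
    ("alice", "gcp", "viewer", "storage.objects.get"),
    ("bob", "saas-crm", "admin", "export:all_contacts"),
    ("bob", "saas-crm", "admin", "users:manage"),
    ("carol", "aws", "DevRole", "s3:GetObject"),
]

# Constructed activity log: (principal, system, action, timestamp)
NOW = datetime(2025, 5, 1)
ACTIVITY = [
    ("alice", "aws", "s3:GetObject", NOW - timedelta(days=2)),
    ("bob", "saas-crm", "users:manage", NOW - timedelta(days=10)),
    ("carol", "aws", "s3:GetObject", NOW - timedelta(days=1)),
]


def covers(grant_perm, action):
    """True if a granted permission (possibly ending in '*') covers an observed action."""
    if grant_perm.endswith("*"):
        return action.startswith(grant_perm[:-1])
    return grant_perm == action


def last_use(principal, system, perm, activity):
    """Most recent activity timestamp that the grant would have authorised, or None."""
    times = [ts for p, s, a, ts in activity
             if p == principal and s == system and covers(perm, a)]
    return max(times) if times else None


def audit(grants, activity, now=NOW, unused_after_days=30):
    """Return {principal: [(kind, system, permission, roles), ...]} sprawl findings."""
    # Group the roles that deliver each effective permission to each principal.
    paths = defaultdict(set)
    for principal, system, role, perm in grants:
        paths[(principal, system, perm)].add(role)

    findings = defaultdict(list)
    for (principal, system, perm), roles in paths.items():
        roles = sorted(roles)
        if len(roles) > 1:
            findings[principal].append(("redundant", system, perm, roles))
        if perm.endswith("*"):
            findings[principal].append(("wildcard", system, perm, roles))
        used = last_use(principal, system, perm, activity)
        if used is None or (now - used).days > unused_after_days:
            findings[principal].append(("unused", system, perm, roles))
    return dict(findings)


def removal_candidates(findings):
    """Grants that can be revoked with no observed impact: the unused ones."""
    return sorted((p, s, perm) for p, items in findings.items()
                  for kind, s, perm, _ in items if kind == "unused")


if __name__ == "__main__":
    for principal, items in audit(GRANTS, ACTIVITY).items():
        for kind, system, perm, roles in items:
            print(f"{principal:6} {kind:9} {system:9} {perm:22} via {','.join(roles)}")
```

The unused check is the one that most directly shrinks the hidden attack paths the keynote describes, but it is only as good as the activity log feeding it: a permission that was never exercised because the logging for that system is missing looks identical to one that is genuinely unused, which is why the visibility and logging points above come first.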
Attack Technique #2: ICS Ransomware
Presented by Tim Conway, SANS Technical Director of ICS and SCADA programs
Ransomware actors are increasingly targeting the foundations of critical infrastructure. As organizations shift to automation in operational technology (OT) environments to streamline workflows and reduce human error, they often eliminate the manual fallbacks required to recover from system failures. This creates single points of failure that adversaries can exploit to disrupt essential services.
Fragmentation between IT and OT teams further compounds the issue, as a lack of coordination undermines the effectiveness of incident response and recovery efforts. Enterprises with industrial footprints must establish cohesive strategies that align cybersecurity, operational resilience, and cross-functional governance to mitigate this growing threat.
Attack Technique #3: Destructive ICS Attacks
Presented by Tim Conway, SANS Technical Director of ICS and SCADA programs
Nation-state adversaries are increasingly targeting industrial control systems with the intent of destruction that causes real-world harm. These attacks focus on manipulating critical safety systems to create physical consequences, often by identifying and exploiting minute technical flaws that evade standard monitoring.
The evolving nature of ICS threats demands a strategic shift in how critical infrastructure entities approach cyber defense. It is no longer sufficient to defend against traditional malware; organizations must prepare for kinetic threats with broad operational impact. This includes improving visibility into control systems, reevaluating safety protocol integrity, and building executive-level contingency plans for sustained disruption scenarios.
Attack Technique #4: Erased Forensic Artifacts
Presented by Heather Mahalik Barnhart, SANS DFIR Curriculum Lead and Senior Director of Community Engagement at Cellebrite
Advanced threat actors are deliberately erasing or avoiding the creation of digital forensic artifacts, making post-breach analysis significantly more difficult. When forensic data is missing, incident response teams face delayed investigations and limited ability to understand how the breach occurred or how far it spread.
Despite the increasing sophistication of attacks, many organizations fail to adapt their detection strategies accordingly. To close this gap, enterprises must elevate their incident response maturity by ensuring that systems are configured to capture high-fidelity data, adopting advanced DFIR tools, and continuously training teams to operate in data-constrained environments.
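Missing artifacts can themselves be detected if the collector records a few integrity signals alongside the events. The script below is an added illustration, not code from the keynote or from SANS; the event records are a constructed, simplified model of a Windows event log (only the two "log cleared" event IDs, Security 1102 and System 104, are real identifiers). It checks a log export for four anti-forensics indicators: holes in the log's own record sequence, unusually long silences between consecutive records, timestamps that run backwards against the sequence number, and explicit log-cleared events.

```python
"""Flag signs of erased or suppressed forensic artifacts in an event-log export.

Added example, not SANS code. EVENTS is a constructed sample using a simplified
model of a Windows event log: record_id is the log's own sequence number, and
the only real identifiers are the Windows "log cleared" event IDs in CLEAR_EVENTS.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    record_id: int      # sequence number assigned by the logging subsystem
    time: datetime
    event_id: int
    channel: str
    message: str


# Windows event IDs written when a log is cleared: Security 1102, System 104.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

T0 = datetime(2025, 4, 14, 9, 0)
EVENTS = [  # constructed sample
    Event(1001, T0, 4624, "Security", "logon user=svc_backup"),
    Event(1002, T0 + timedelta(minutes=1), 4672, "Security", "special privileges assigned"),
    Event(1003, T0 + timedelta(minutes=2), 4688, "Security", "process created: powershell.exe"),
    # records 1004-1009 absent from the export
    Event(1010, T0 + timedelta(hours=3), 1102, "Security", "The audit log was cleared"),
    Event(1011, T0 + timedelta(hours=3, minutes=1), 4624, "Security", "logon user=admin"),
    # timestamp earlier than the previous record despite a higher sequence number
    Event(1012, T0 + timedelta(hours=2), 4688, "Security", "process created: cmd.exe"),
]


def find_gaps(events, max_silence=timedelta(hours=1)):
    """Return [(indicator, first_record_id, last_record_id), ...] for a log export.

    max_silence is the longest interval between records this host normally
    produces; tune it per host class from a known-good baseline.
    """
    findings = []
    ordered = sorted(events, key=lambda e: e.record_id)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.record_id != prev.record_id + 1:
            # Sequence hole: records existed and are no longer present.
            findings.append(("missing_records", prev.record_id + 1, cur.record_id - 1))
        if cur.time - prev.time > max_silence:
            # Logging stopped, was disabled, or events were dropped.
            findings.append(("silence", prev.record_id, cur.record_id))
        if cur.time < prev.time:
            # Later record with an earlier timestamp: clock or timestamp tampering.
            findings.append(("time_regression", prev.record_id, cur.record_id))
    for e in ordered:
        if (e.channel, e.event_id) in CLEAR_EVENTS:
            findings.append(("log_cleared", e.record_id, e.record_id))
    return findings


if __name__ == "__main__":
    for indicator, first, last in find_gaps(EVENTS):
        print(f"{indicator:16} records {first}-{last}")
```

None of these checks works on a log that never reached a second copy: if the only record lives on the compromised host, a sequence hole is invisible once the attacker rewrites the file. Forwarding events off-host as they are written is what turns the sequence number and timestamp into usable integrity evidence.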
Attack Technique #5: AI Regulatory Threats
Presented by Rob T. Lee, SANS Chief of Research and Head of Faculty
As AI becomes increasingly embedded in cybersecurity operations, it also introduces a new category of risk—compliance. Security teams use AI to identify threats faster and more efficiently, but proposed AI-related data privacy laws may inadvertently limit their ability to do so by treating certain AI-driven monitoring practices as unauthorized data processing.
This regulatory tension puts defenders at a disadvantage, especially as adversaries continue to weaponize AI for more advanced campaigns. Enterprises must anticipate and navigate these legal developments to avoid compromising their ability to defend against AI-driven threats. A proactive approach to AI governance and legal compliance will be key to maintaining security posture without regulatory disruption.
A Strategic Imperative for Enterprise Leadership
The attack techniques outlined in the SANS RSAC 2025 keynote underscore a common theme: cybersecurity is no longer confined to the security operations center—it’s a leadership issue that impacts every layer of the enterprise. The threats of tomorrow demand a strategic, integrated response rooted in visibility, agility, and cross-functional alignment.