
The Five Most Dangerous New Attack Techniques

RSA Webcast: 2018 Keynote Update

Each spring at the RSA Conference, SANS presents an essential summary of the newest, most significant attack techniques in use. The 2018 list offered unnervingly accurate predictions of the most dangerous new threats we have since seen in the wild, including chip-level hardware attacks, weaponization of big data, the latest crypto-mining attacks, malware that undermines Industrial Control System safety infrastructure, and cloud-based breaches.

This video—filmed December 5, 2018—reexamines the attacks discussed during the 2018 RSA keynote. Watch it now to see how these threats have evolved, and how we can defeat them.

Moderator: Alan Paller, Director of Research, SANS Institute

Panelists: Ed Skoudis, James Lyne, Johannes Ullrich

Stay up to date:

  • RSA 2019 attendees: On March 7, attend the SANS keynote for a fast-paced briefing on the current "Five Most Dangerous New Attack Techniques" including how they work and how to stop them.
  • For regular updates on the latest attacks, subscribe to NewsBites and check regularly for updates at the Internet Storm Center.


RSA 2018 Keynote and Webcast Session: The Rest of the Story

Watch the RSA 2018 keynote for a detailed summary of the five most dangerous new attack techniques: how they work, how you can stop them, what is coming next and how you can prepare. This fast-paced briefing provides answers from the three people best positioned to know, and the follow-up webcast session, The Rest of the Story, answers viewers' questions about these techniques.

Moderator: Alan Paller, Director of Research, SANS Institute


Below are the top five attack techniques identified by three of SANS' leading instructors and contributors:

Ed Skoudis

What Ed feels most fortunate to have created: SANS SEC504 - The Incident Handling and Cyber Exploits course that launched 20,000 cyber security careers.

  • The go-to person to analyze techniques used and vulnerabilities exploited for most major national attacks
  • Created NetWars & CyberCity Cyber Ranges and Training Simulators
  • Curriculum Lead for SANS Pen Testing and Hacker Exploits Immersion Training Programs
  • Author of CounterHack Reloaded
  • Learn more about Ed Skoudis and find out where he's teaching next

Repositories and Cloud Storage Data Leakage

Software today is built very differently from how it was built 10 or even 5 years ago: teams collaborate in vast online code repositories, and mission-critical applications live in cloud data storage. Attackers increasingly target exactly these places, looking for passwords, crypto keys and access tokens committed to repositories, and for terabytes of sensitive data left in cloud storage. Defenders need to focus on data inventories, appoint a data curator for the organization, and educate system architects and developers about how to secure data assets in the cloud. Additionally, the big cloud providers have each launched an AI service to help classify and defend data in their infrastructure (Amazon Macie, for example). Finally, a variety of free tools such as truffleHog, git-secrets and gitleaks can help prevent and detect leakage of secrets through code repositories.
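The kind of check those free tools perform, as an added example (this is not SANS code and not any of those tools): a scanner that walks text such as a diff or a committed file, matches known secret formats, and flags long high-entropy strings. The rule names, the 4.5 bits-per-character threshold and the sample "config" are this example's own choices; the credentials in the sample are AWS's published documentation placeholders, not live keys.

```python
"""Scan text (a file, a diff, a commit body) for leaked secrets.

Added example; not SANS code and not any published tool. Rules and
thresholds are this example's own choices, modelled on what secret
scanners such as truffleHog and gitleaks do.
"""
import math
import re
from collections import Counter

# Pattern rules: (rule name, compiled regex). The AKIA prefix and the PEM
# header are public formats; the keyword-assignment rule is a heuristic
# that catches `password = "..."`, `SECRET_ACCESS_KEY = "..."` and similar.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("keyword-assignment", re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Alphabet of base64/base64url-style values and most API tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# Bits per character. Hex strings top out at 4.0, so commit hashes and
# digests pass; random base64 secrets sit well above 4.5.
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str):
    """Return (line_number, rule, matched_text) for every suspicious hit.

    Line numbers are 1-based. One line can yield several findings, e.g. a
    keyword match and a high-entropy match on the same value.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, regex in PATTERN_RULES:
            for m in regex.finditer(line):
                findings.append((lineno, rule, m.group(0)))
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy", token))
    return findings


# Constructed sample "config": AWS's documentation example credentials
# (placeholders, not live keys), a PEM header, a plaintext password, and a
# pinned commit hash that must NOT be flagged.
SAMPLE = """DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-----BEGIN RSA PRIVATE KEY-----
password = "correct horse battery staple"
PINNED_COMMIT = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
"""

if __name__ == "__main__":
    for lineno, rule, hit in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}: {hit}")
```

Wired into a pre-commit hook over `git diff --cached`, a scanner like this blocks the commit before the secret reaches the remote; run over a whole history it finds what has already leaked, which then has to be rotated, not merely deleted. The entropy threshold is the tuning knob: lowering it catches shorter tokens at the cost of flagging hashes and base64 blobs.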

Big Data Analytics, De-Anonymization, and Correlation

In the past, we battled attackers who were trying to get access to our machines to steal data for criminal use. Now the battle is shifting from hacking machines to hacking data: gathering data from disparate sources and fusing it together to de-anonymize users, find business weaknesses and opportunities, or otherwise undermine an organization's mission. Yes, we still need to prevent attackers from gaining a shell on targets to steal data. But defenders also need to start analyzing the risk that their seemingly innocuous data can be combined with data from other sources to create business risk, all while carefully considering the privacy implications of that data and its potential to tarnish a brand or invite regulatory scrutiny.
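What "fusing it together to de-anonymize users" looks like in practice, as an added example (not SANS code): a linkage attack that joins a "de-identified" data set to a public roster on quasi-identifiers, plus the k-anonymity measure a data curator would use to judge a release before it goes out. Both tables, the column names and the generalization rule are constructed for this example; the quasi-identifier choice (ZIP, birth year, sex) follows the classic re-identification pattern.

```python
"""Linkage attack and k-anonymity check on a 'de-identified' data set.

Added example, not SANS code. Both tables are constructed here; the
quasi-identifiers (ZIP, birth year, sex) follow the classic Sweeney-style
re-identification pattern.
"""
from collections import Counter, defaultdict

QUASI_IDS = ("zip", "birth_year", "sex")

# Constructed "de-identified" health release: names removed, nothing else.
RELEASE = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1966, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1971, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02141", "birth_year": 1978, "sex": "M", "diagnosis": "migraine"},
]

# Constructed public roster (think voter list or social-media profiles).
ROSTER = [
    {"name": "A. Lee", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "B. Ortiz", "zip": "02138", "birth_year": 1966, "sex": "F"},
    {"name": "C. Nowak", "zip": "02139", "birth_year": 1971, "sex": "M"},
    {"name": "D. Park", "zip": "02141", "birth_year": 1978, "sex": "M"},
    {"name": "E. Sato", "zip": "02141", "birth_year": 1982, "sex": "F"},
]


def key_of(row):
    """The quasi-identifier tuple an attacker can join on."""
    return tuple(row[q] for q in QUASI_IDS)


def k_anonymity(release):
    """Size of the smallest equivalence class; k=1 means some row is unique."""
    return min(Counter(key_of(r) for r in release).values())


def reidentify(release, roster):
    """Join release and roster on the quasi-identifiers.

    Returns (name, diagnosis) for every release row whose quasi-identifier
    tuple maps to exactly one roster person and exactly one release row.
    """
    by_key_release = defaultdict(list)
    for r in release:
        by_key_release[key_of(r)].append(r)
    by_key_roster = defaultdict(list)
    for p in roster:
        by_key_roster[key_of(p)].append(p)
    hits = []
    for key, rows in by_key_release.items():
        people = by_key_roster.get(key, [])
        if len(rows) == 1 and len(people) == 1:
            hits.append((people[0]["name"], rows[0]["diagnosis"]))
    return sorted(hits)


def generalize(rows):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth decade."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:3]
        g["birth_year"] = r["birth_year"] // 10 * 10
        out.append(g)
    return out


if __name__ == "__main__":
    print("k of raw release:", k_anonymity(RELEASE))
    print("re-identified:", reidentify(RELEASE, ROSTER))
    print("k after generalization:", k_anonymity(generalize(RELEASE)))
    print("re-identified after generalization:",
          reidentify(generalize(RELEASE), generalize(ROSTER)))
```

Against the raw release every record links to exactly one name; after generalization each class has two members and the join no longer resolves. k-anonymity is necessary, not sufficient: if both members of a class carried the same diagnosis the attacker would still learn it, which is why curators also look at the diversity of the sensitive attribute within each class. The roster can be any public source, which is the point of the paragraph above.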

James Lyne

What James feels most fortunate to have created: CyberStart, which finds people with natural cyber security talent and inspires them.

  • Head of Research and Development, Certified Instructor, and Creator of CyberStart for SANS
  • Leading global keynote speaker on cyber security and cyber crime, including TED talks and appearances on CNN, NBC, and BBC News
  • Global Research Advisor at Sophos
  • Learn more about James Lyne and find out where he's teaching next.

Exploitability in ICS/SCADA: Intent & Method

Day to day, the great majority of malicious code has undeniably been focused on fraud and profit. Yet with the relentless deployment of technology in our society, the opportunity for political or even military influence only grows. Rare, publicly visible attacks like Triton/Trisis show both the capability and the intent to compromise some of the highest-risk components of industrial environments: the safety instrumented systems (SIS) that are one of the major backstops before an incident costs life and limb. Perhaps this translates to an increase in the number of active campaigns, or to more adversaries developing backup disruption capabilities. Regardless, this domain is growing in importance to us all, and in focus and relevance for attackers. Unlike mainstream computing, hardened over many years under the pressure of cyber criminals, many systems in this domain lack the mitigations of modern operating systems and applications. Reliance on obscurity or isolation (both increasingly untrue) does not position them well to withstand this heightened focus, which as an industry we need to address. Moreover, attackers have demonstrated the inclination and the resources to diversify their attacks, for example to the SIS just mentioned, which opens up new and concerning possibilities. The sensors themselves feed data to the controllers that have been the traditional target. As sensor counts and complexity grow, what happens when attackers go after the sensors? When your source of truth lies to you, you end up with attacks that are very hard to detect, in systems that more and more of our world relies upon.
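One defensive answer to a sensor that lies, as an added example (not SANS code and not tied to any real ICS product): check a reported process value against what the physics of the process says it must be. Here a tank level is predicted from the flow meters by mass balance, and a reading that contradicts the flows, or that freezes while the tank is still filling, is flagged. The tank cross-section, sample period, tolerance and the telemetry are constructed assumptions of this example.

```python
"""Physics-based plausibility check for a level sensor feeding a controller.

Added example, not SANS code and not tied to any real ICS product. Tank
geometry, sample period and tolerance are this example's assumptions; the
readings are constructed.
"""

AREA_M2 = 2.0  # assumed tank cross-section

# Constructed telemetry: net inflow 0.3 m^3/s raises the level 0.15 m per
# second. From t=5 the level reading is frozen at 1.60 (a replayed or
# spoofed sensor) while the flow meters still show the tank filling.
SAMPLES = [
    {"t": 0, "level": 1.00, "q_in": 0.4, "q_out": 0.1},
    {"t": 1, "level": 1.15, "q_in": 0.4, "q_out": 0.1},
    {"t": 2, "level": 1.30, "q_in": 0.4, "q_out": 0.1},
    {"t": 3, "level": 1.45, "q_in": 0.4, "q_out": 0.1},
    {"t": 4, "level": 1.60, "q_in": 0.4, "q_out": 0.1},
    {"t": 5, "level": 1.60, "q_in": 0.4, "q_out": 0.1},
    {"t": 6, "level": 1.60, "q_in": 0.4, "q_out": 0.1},
    {"t": 7, "level": 1.60, "q_in": 0.4, "q_out": 0.1},
    {"t": 8, "level": 1.60, "q_in": 0.4, "q_out": 0.1},
]


def predicted_level(prev, cur, area):
    """Mass balance: level rises by (net volume in) / (cross-section) over the interval."""
    dt = cur["t"] - prev["t"]
    net_flow = prev["q_in"] - prev["q_out"]  # m^3/s during the previous interval
    return prev["level"] + net_flow * dt / area


def check_level_sensor(samples, area, tol):
    """Return timestamps where the reported level contradicts the flow meters.

    Two independent checks: the mass-balance residual exceeds tol, or the
    reading is stuck at the previous value while the net flow is non-zero.
    Each check alone would miss a smarter forgery, e.g. a slowly drifting
    replay, so both run on every sample.
    """
    flagged = []
    for prev, cur in zip(samples, samples[1:]):
        residual = cur["level"] - predicted_level(prev, cur, area)
        stuck = cur["level"] == prev["level"] and abs(prev["q_in"] - prev["q_out"]) > 1e-9
        if abs(residual) > tol or stuck:
            flagged.append(cur["t"])
    return flagged


if __name__ == "__main__":
    print("suspect samples at t =", check_level_sensor(SAMPLES, AREA_M2, tol=0.05))
```

The check works because it correlates signals that are physically coupled but come from different devices: an attacker who owns the level transmitter also has to make the flow meters agree with the lie. Run it on the historian or a monitoring host, not on the PLC the attacker may already control, and tune the tolerance to real sensor noise before alerting on it.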

Johannes Ullrich

What Johannes feels most fortunate to have created: The worldwide network of Internet Storm Center volunteer experts.

  • Director of SANS Internet Storm Center - the early warning system for the Internet
  • Daily podcast to 35,000 technical cybersecurity leaders on overnight attacks/developments in cybersecurity
  • Dean of Research at SANS Technology Institute - SANS' Graduate School
  • Learn more about Dr. Johannes Ullrich and find out where he's teaching next

Attackers Monetize Compromised Systems Using Crypto-Miners

Last year, we talked about how ransomware was used to sell data back to its owner, with crypto-currencies the tool of choice for paying the ransom. More recently, we found that attackers will often no longer bother with the data at all. The flood of stolen data offered for sale has significantly driven down the value of the most commonly stolen kinds, such as credit card numbers or PII. Attackers instead install crypto-coin miners on the systems they compromise. These attacks are stealthier and less likely to be discovered, and attackers can earn tens of thousands of dollars a month from them. Defenders need to learn to detect these miners and to identify the vulnerabilities that were exploited to install them.
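A starting point for the detection Johannes calls for, as an added example (not SANS or Internet Storm Center code): host-side heuristics over a process listing and the connections it makes, looking for Stratum pool URLs and miner flags on the command line, a binary on disk masquerading under a kernel thread name, and a Stratum JSON-RPC handshake in the first bytes of a connection. The process table, connections, pool-port list and rule names are constructed for this example.

```python
"""Host-side heuristics for finding crypto-miners on a compromised box.

Added example, not SANS/ISC code. The process table and connection list
are constructed; field names, the pool-port list and thresholds are this
example's own choices.
"""
import json
import re
from collections import defaultdict

# Indicators drawn from how common miners are invoked: a Stratum pool URL,
# well-known miner binary names, XMRig-style flags, CPU-mining algorithms.
CMDLINE_RULES = [
    ("stratum-url", re.compile(r"stratum\+(tcp|ssl)://", re.I)),
    ("miner-binary", re.compile(r"\b(xmrig|minerd|cpuminer|xmr-stak)\b", re.I)),
    ("miner-flag", re.compile(r"--donate-level|--cpu-priority|-a\s+cryptonight", re.I)),
]
# Real kernel threads appear in ps as [kswapd0] with no path. A file on disk
# with such a name running as a user process is masquerading.
KERNEL_THREAD_NAMES = {"kswapd0", "kthreadd", "ksoftirqd", "kworker"}
# Ports often used by public pools; chosen for this example, weak on its own.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize"}


def parse_process_line(line):
    """Parse 'PID USER COMMAND...' as produced by `ps -eo pid,user,args`."""
    pid, user, cmd = line.strip().split(None, 2)
    return int(pid), user, cmd


def stratum_method(payload: bytes):
    """Return the JSON-RPC method if the first line looks like a Stratum handshake."""
    try:
        msg = json.loads(payload.split(b"\n", 1)[0].decode())
    except (ValueError, UnicodeDecodeError):
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    return method if method in STRATUM_METHODS else None


def detect_miners(process_lines, connections):
    """Return {pid: sorted reasons} for processes that look like miners."""
    reasons = defaultdict(set)
    for line in process_lines:
        pid, _user, cmd = parse_process_line(line)
        for rule, regex in CMDLINE_RULES:
            if regex.search(cmd):
                reasons[pid].add(rule)
        exe = cmd.split()[0]
        if exe.startswith("/") and exe.rsplit("/", 1)[-1] in KERNEL_THREAD_NAMES:
            reasons[pid].add("kernel-thread-name-on-disk")
    for conn in connections:
        if conn["port"] in POOL_PORTS:
            reasons[conn["pid"]].add("pool-port")
        method = stratum_method(conn.get("payload", b""))
        if method:
            reasons[conn["pid"]].add(f"stratum-rpc:{method}")
    return {pid: sorted(r) for pid, r in reasons.items()}


# Constructed process table; the wallet and pool host are placeholders.
PROCESSES = [
    "1 root /sbin/init",
    "812 www-data /usr/sbin/apache2 -k start",
    "4242 www-data /tmp/.x/kswapd0 -o stratum+tcp://pool.example.net:3333 -u 4xWALLET -p x --donate-level=1",
    "5110 postgres /usr/lib/postgresql/bin/postgres -D /var/lib/postgresql/data",
]
# Constructed connections (RFC 5737 documentation addresses) with the first
# bytes each process sent.
CONNECTIONS = [
    {"pid": 812, "dst": "203.0.113.10", "port": 443, "payload": b"\x16\x03\x01"},
    {"pid": 4242, "dst": "198.51.100.7", "port": 3333,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login",'
                b'"params":{"login":"4xWALLET","agent":"XMRig/6.0"}}\n'},
    {"pid": 5110, "dst": "10.0.0.5", "port": 5432, "payload": b""},
]

if __name__ == "__main__":
    for pid, why in detect_miners(PROCESSES, CONNECTIONS).items():
        print(pid, why)
```

A miner that got there through a web shell runs as the web server's user, as the constructed `www-data` process does; that user and the drop path in `/tmp` point straight at the access logs where the exploited vulnerability will be recorded, which is the second half of the job. Sustained full-core CPU use from an unexpected binary is the other cheap signal, and a miner that renames itself and pins its CPU priority down to hide from `top` still has to talk Stratum to a pool.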

Hardware Flaws

Software developers often assume that hardware is flawless. This is a dangerous assumption. Hardware is no less complex than software, and mistakes have been made in it just as they are made in software. Patching hardware is a lot more difficult and often not possible without replacing entire systems or suffering significant performance penalties. Developers need to learn to create software that does not rely on the hardware to keep data isolated. Just as software encrypts data crossing untrusted networks, software needs to authenticate and encrypt data within the system. Some emerging homomorphic encryption algorithms may allow developers to operate on encrypted data without having to decrypt it first.