
The Seven Most Dangerous New Attack Techniques

RSA 2017 Keynote Session
February 15, 2017

Moderator: Alan Paller, Director of Research, SANS Institute


  • Ed Skoudis
  • Michael Assante
  • Johannes Ullrich

Press questions: apaller@sans.org

Ed Skoudis

  • The go-to person to analyze techniques used and vulnerabilities exploited for most major national attacks
  • Created NetWars & CyberCity Cyber Ranges and Training Simulators
  • Leads SANS Pen Testing and Hacker Exploits Immersion Training Programs
  • Author of CounterHack Reloaded

Rampant Ransomware

The RSA Conference was founded as a celebration of how applied cryptography can enhance commerce, communication, and privacy. But ransomware, combined with cryptocurrencies for collecting extortion payments, is an ideal use of cryptography for the bad guys. Ransomware is highly efficient for attackers, because it requires no command and control channel, no exfiltration, and no contact initiated by the attacker. Instead, the ransomware "customers" reach out to the attacker for "help" recovering from the infection. We're seeing a huge increase in the number of ransomware attacks and in their economic impact, not just on individuals but also on enterprises. Today, ransomware increasingly targets network file servers, backups, and large databases, substantially amplifying its impact on enterprises.

Internet of Things Attacks Evolve

In previous years, the smart devices that make up the IoT, including light bulbs, thermostats, webcams, and more, have been viewed as targets, allowing an attacker to turn groups of devices on or off to impact consumers. But, increasingly, the IoT is becoming an attack platform rather than just a target. With large-scale, open-source worms such as Mirai spreading to hundreds of thousands of IoT devices, attackers can leverage these systems to create massive floods that take nearly any organization off the Internet. These widespread IoT attack platforms could also be leveraged for attacks other than floods, including stealthy theft of information and distributed password cracking.

Ransomware and IoT Collide

Criminal organizations are making significant money on ransomware and are investing some of their profits to make their attacks more powerful, widespread, and impactful. By combining the ransomware threat with IoT, attackers will be able to have much more impact than through denial of service floods. By encrypting configurations and control infrastructures, attackers could hold thermostats, lighting infrastructures, or even automobiles for ransom. If you want your car to start or your lights to come on, you may have to pay ransom or reconfigure and reinstall all the firmware in your devices, a painful process. The threat is even more pronounced in the Industrial Internet of Things (IIoT), where a factory's ability to manufacture or utility's ability to provide service could be held hostage based on a ransomware threat.

Michael Assante

  • Technical Director for the U.S. national team helping Ukraine in the aftermath of the attacks that caused widespread blackouts
  • Was VP and CISO of American Electric Power and of NERC (the North American Electric Reliability Corporation)
  • Directed Idaho National Laboratory's Electric Power Cybersecurity Program
  • Testified before US House and Senate
  • Directs SANS ICS Training Programs

Industrial Control Systems Attacks Turn Off the Power and Disable Recovery and Smooth Operations

Attacks against ICS have taken an ugly turn as the fangs come out. Critical lifeline infrastructures are being attacked at their vulnerable operational core. Recent attacks have not only disrupted the provision of essential services, such as electric power, but have also been punitive, damaging the automation systems that enable recovery and smooth operation. The attacks in 2015 and 2016 that caused power outages in Ukraine were planned and highly coordinated. The attackers succeeded in hijacking automation systems to cause outages, followed by a series of well-sequenced and damaging payloads unleashed on workstations, servers, and embedded devices. The attacks left their targets with little confidence in their remaining automation, forcing them to operate in a degraded manual state.

Why it matters: Future attacks may be very difficult to recover from, causing outages and disruptions measured in days instead of hours. Attacks of this type force infrastructure organizations to consider how to operate while under attack and to make critical trade-off decisions: keep operating with their intelligent systems or shut them down. Finally, these attacks were conducted against civilian infrastructures during seasons with extreme and dangerous weather conditions, raising the stakes for leaving cyber conflicts unchecked.

Johannes Ullrich

  • Director of SANS Internet Storm Center - the early warning system for the Internet
  • Daily podcast to 35,000 technical cybersecurity leaders on overnight attacks/developments in cybersecurity
  • Dean of Research at SANS Technology Institute - SANS' Graduate School

Weak Random Number Generators

Creating good random numbers is a challenging problem. Small devices make it difficult to collect enough random events (entropy) to seed the algorithms used to create random numbers, so the "random" values they produce can be guessed or reproduced. Recent research has shown how this can be exploited to break WPA2 encryption. But the problem reaches well beyond Wi-Fi and WPA2. Encryption without good random numbers puts a wide range of security-related algorithms at risk: keys, nonces, and initialization vectors are only as strong as the randomness behind them.

Why it matters: Most wireless protocols, not just Wi-Fi, rely on good random numbers to encrypt connections. Without good random numbers, these connections are not secure.
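The following is an added example, not code from the talk or from the WPA2 research it refers to. It models the failure mode above in a constructed scenario: a device seeds a deterministic PRNG with milliseconds since boot (assumed here to fit in 16 bits), draws a public nonce and a secret key from it, and an observer who sees only the nonce brute-forces the seed and replays the generator to recover the key. The same code path seeded from the operating system's CSPRNG is shown alongside for contrast; the seed space and byte lengths are assumptions for the demo.

```python
import random
import secrets
from typing import Optional, Tuple

# Constructed scenario (not from the talk): a small device seeds its PRNG with
# milliseconds since boot, which an attacker can assume is below 2**16.
SEED_SPACE = 2 ** 16
NBYTES = 32


def weak_device_keys(uptime_ms: int, nbytes: int = NBYTES) -> Tuple[bytes, bytes]:
    """Device side: a public nonce and a secret key, both drawn from one
    deterministic PRNG (Mersenne Twister) seeded with a guessable value."""
    rng = random.Random(uptime_ms)
    nonce = rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")  # sent in the clear
    key = rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")    # meant to stay secret
    return nonce, key


def strong_device_keys(nbytes: int = NBYTES) -> Tuple[bytes, bytes]:
    """Same protocol, but both values come from the OS CSPRNG."""
    return secrets.token_bytes(nbytes), secrets.token_bytes(nbytes)


def recover_seed(observed_nonce: bytes, seed_space: int = SEED_SPACE) -> Optional[int]:
    """Attacker side: brute-force the seed from the nonce seen on the wire.
    2**16 candidates is well under a second on a laptop."""
    nbytes = len(observed_nonce)
    for candidate in range(seed_space):
        rng = random.Random(candidate)
        if rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big") == observed_nonce:
            return candidate
    return None


def recover_key(observed_nonce: bytes, seed_space: int = SEED_SPACE) -> Optional[bytes]:
    """Attacker side: with the seed known, replay the PRNG to obtain the key
    that was never transmitted. Returns None if no seed reproduces the nonce."""
    seed = recover_seed(observed_nonce, seed_space)
    if seed is None:
        return None
    return weak_device_keys(seed, len(observed_nonce))[1]


if __name__ == "__main__":
    nonce, key = weak_device_keys(uptime_ms=41237)
    print("weak key recovered:", recover_key(nonce) == key)          # True
    nonce, key = strong_device_keys()
    print("strong key recovered:", recover_key(nonce) is not None)  # False
```

The point is not the specific generator but the seed space: once the attacker can enumerate every state the generator could have started in, every value it ever produces, including the ones kept secret, is recoverable from the ones sent in the clear.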

Reliance on Web Services as a Software Component

Last year, we talked about how insecure software components put software at risk, and how important it is for developers to track which libraries they use and to keep those libraries patched. But developers are no longer limited to components like libraries that are downloaded and installed. Increasingly, they rely on remote web services in place of downloaded software libraries. New technologies like containers and serverless cloud computing enable services that exist only while they are being used. This reliance on remote services exposes software to new risks: the service must be carefully authenticated, and the data it returns must be validated before it is trusted. Ad hoc services are difficult to inventory, and security scans must account for the fact that such a service is only started when it is needed.

Why it matters: A large fraction of software developers rely on remote network services instead of libraries for critical functions. Mobile applications in particular rely heavily on network services. Without properly authenticating and validating those services, and without testing and monitoring them, these applications are at increasing risk.
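As an added example (not code from the talk or from any particular service), the client-side wrapper below shows the two checks the section calls for, in order: authenticate the response, then validate its contents before the application touches them. It assumes a hypothetical pricing service that signs each response body with HMAC-SHA256 under a shared secret, and a fixed response shape; the secret, field names, and sample bodies are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed for this example: shared secret between client and the (hypothetical)
# pricing service. In production it comes from a secrets manager, not source code.
SHARED_SECRET = b"demo-shared-secret-do-not-reuse"

# Expected shape of one response. Exact key set, exact types; anything else is rejected.
PRICE_SCHEMA: Dict[str, type] = {"sku": str, "price_cents": int, "currency": str}


class InvalidResponse(ValueError):
    """Raised when a response fails authentication or validation."""


def encode_body(payload: Dict[str, Any]) -> bytes:
    """Canonical JSON encoding, so both sides sign and verify identical bytes."""
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_body(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """What the trusted service does: HMAC-SHA256 over the exact bytes it sends."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_body(body: bytes, signature_hex: str, secret: bytes = SHARED_SECRET) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(sign_body(body, secret), signature_hex)


def validate_price(payload: Any) -> Dict[str, Any]:
    """Strict structural validation: no extra keys, no missing keys, exact types, sane values."""
    if not isinstance(payload, dict):
        raise InvalidResponse("payload is not an object")
    unexpected = set(payload) - set(PRICE_SCHEMA)
    if unexpected:
        raise InvalidResponse(f"unexpected fields: {sorted(unexpected)}")
    for field, expected_type in PRICE_SCHEMA.items():
        if field not in payload:
            raise InvalidResponse(f"missing field: {field}")
        value = payload[field]
        # bool is a subclass of int in Python; do not let `true` pass as a price.
        if isinstance(value, bool) or not isinstance(value, expected_type):
            raise InvalidResponse(f"bad type for {field}: {type(value).__name__}")
    if payload["price_cents"] < 0:
        raise InvalidResponse("negative price")
    currency = payload["currency"]
    if not (len(currency) == 3 and currency.isalpha() and currency.isupper()):
        raise InvalidResponse("currency is not a three-letter uppercase code")
    return payload


def consume_response(body: bytes, signature_hex: str) -> Dict[str, Any]:
    """Authenticate, then parse, then validate. The data is not used before all three pass."""
    if not verify_body(body, signature_hex):
        raise InvalidResponse("signature mismatch")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise InvalidResponse(f"malformed JSON: {exc}") from exc
    return validate_price(payload)


def is_accepted(body: bytes, signature_hex: str) -> bool:
    """Convenience wrapper: True if the response would be used, False if rejected."""
    try:
        consume_response(body, signature_hex)
        return True
    except InvalidResponse:
        return False


if __name__ == "__main__":
    good = encode_body({"sku": "A-100", "price_cents": 1999, "currency": "USD"})
    print(consume_response(good, sign_body(good)))
    tampered = good.replace(b"1999", b"1")  # altered in transit: signature no longer matches
    print("tampered accepted:", is_accepted(tampered, sign_body(good)))     # False
    bad_type = encode_body({"sku": "A-100", "price_cents": "1999", "currency": "USD"})
    print("wrong type accepted:", is_accepted(bad_type, sign_body(bad_type)))  # False
```

Note that the second rejected case carries a valid signature: authentication proves who sent the bytes, not that the bytes are what the client expects, which is why the validation step is separate and still required.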

Threats Against NoSQL Databases

Security-aware developers have, for many years, known about and mitigated threats against traditional SQL databases. They relied on prepared statements and on proper configuration of user accounts. But for newer NoSQL databases like MongoDB or Elasticsearch, some of these options don't exist, or new threats must be considered: queries are built from structured documents rather than strings, so untrusted JSON can smuggle query operators into a filter. Complex data types like JSON and XML expose new deserialization threats, and developers as well as system administrators are generally not yet skilled in securing these databases and in safely passing data to them.

Why it matters: Our Internet Storm Center DShield sensor network, which reports on traffic received by more than one million active IP addresses, observes a continuous stream of scans for vulnerable NoSQL databases. Several thousand NoSQL databases have already been compromised or erased. A vulnerable instance of a NoSQL database will be discovered within hours of being exposed to the Internet.
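The following is an added example of the "safely passing data" problem, not code from the talk. It uses a constructed in-memory stand-in for a MongoDB users collection and a small evaluator for a subset of MongoDB filter semantics ($eq, $ne, $gt), so it runs offline; the filter dictionaries it builds are the same shape an application would hand to PyMongo's `find_one`. A login handler that drops request values straight into the filter lets an attacker send `{"$ne": ""}` in place of a password; the hardened version insists on plain strings and pins the comparison with `$eq`. The user records are constructed for the demo.

```python
import json
from typing import Any, Callable, Dict, List, Optional

# Constructed in-memory stand-in for a MongoDB "users" collection (demo data only).
USERS: List[Dict[str, Any]] = [
    {"user": "alice", "password": "correct horse battery staple", "role": "admin"},
    {"user": "bob", "password": "hunter2", "role": "user"},
]


def _match_value(actual: Any, cond: Any) -> bool:
    """Subset of MongoDB filter semantics: a scalar condition means equality,
    a dict means one or more operators such as {"$ne": x} or {"$gt": x}."""
    if not isinstance(cond, dict):
        return actual == cond
    for op, operand in cond.items():
        if op == "$eq":
            ok = actual == operand
        elif op == "$ne":
            ok = actual != operand
        elif op == "$gt":
            ok = actual > operand
        else:
            raise ValueError(f"unsupported operator {op}")
        if not ok:
            return False
    return True


def find_one(collection: List[Dict[str, Any]], filt: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Mimics collection.find_one(filter) for the operator subset above."""
    for doc in collection:
        if all(_match_value(doc.get(k), v) for k, v in filt.items()):
            return doc
    return None


def login_vulnerable(raw_json: str) -> Optional[Dict[str, Any]]:
    """Request values go straight into the filter, operators included.
    A JSON body of {"user": "alice", "password": {"$ne": ""}} matches alice
    because her password is indeed not the empty string."""
    req = json.loads(raw_json)
    return find_one(USERS, {"user": req["user"], "password": req["password"]})


def login_hardened(raw_json: str) -> Optional[Dict[str, Any]]:
    """Reject anything that is not a plain string before it reaches the query,
    and pin the comparison with $eq so no operator can be smuggled in later."""
    req = json.loads(raw_json)
    user, password = req.get("user"), req.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        raise ValueError("credentials must be strings")
    return find_one(USERS, {"user": {"$eq": user}, "password": {"$eq": password}})


def is_rejected(handler: Callable[[str], Optional[Dict[str, Any]]], raw_json: str) -> bool:
    """True if the handler refuses the request outright (raises) instead of querying."""
    try:
        handler(raw_json)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    legit = json.dumps({"user": "bob", "password": "hunter2"})
    attack = json.dumps({"user": "alice", "password": {"$ne": ""}})
    blind = json.dumps({"user": {"$gt": ""}, "password": {"$gt": ""}})  # no username needed
    print("vulnerable, attack:", login_vulnerable(attack))          # alice's admin record
    print("vulnerable, blind:", login_vulnerable(blind))            # first user in the collection
    print("hardened, attack rejected:", is_rejected(login_hardened, attack))  # True
    print("hardened, legit:", login_hardened(legit)["user"])         # bob
```

Prepared statements have no direct equivalent here because there is no query string to separate from data; the equivalent discipline is to validate the type and shape of every value before it becomes part of a filter document, and to do so at the boundary where JSON is parsed rather than deep in the data layer.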