#RSAC: The Most Dangerous Attacks of 2022

    The SANS Institute-led Top Most Dangerous Attack Techniques session is among the most popular keynote sessions at any RSA Conference.

    The 2022 edition was a bit more somber than past editions, following the passing of SANS founder Alan Paller who moderated the panel for over a decade. Ed Skoudis, fellow and director at SANS Institute, started the 2022 panel with a moving tribute to Paller, who was mentioned more than once during the session as the inspiration for how cybersecurity education can and should continue to improve.

    (From left to right) Ed Skoudis, Katie Nickels, Johannes Ullrich, Heather Mahalik and Rob T. Lee

    Living Off the Cloud

    The first big attack vector was detailed by Katie Nickels, certified instructor and director of intelligence at SANS Institute. In years past, SANS panels have detailed so-called living off the land (LotL) attacks, in which hackers use tools already present in an organization. With living off the cloud attacks, adversaries now abuse the same cloud services that organizations legitimately use in order to exploit unsuspecting users.

    “As a defender looking at network traffic, it’s tough for me to tell if certain cloud traffic is an attack or benign,” Nickels said. “We all use cloud services legitimately in our organizations, and stuff goes right through firewalls and proxies.”

    Nickels suggests that organizations be aware of normal cloud behaviors and look for potential outliers to spot risks.

    Multi-Factor Authentication Bypass

    Nickels noted that multi-factor authentication (MFA) is an incredibly powerful force for security, but it is increasingly being abused by attackers.

    Attackers are able to bypass MFA with several different methods, including abusing a configuration known as "fail open". With fail open, when a system cannot reach the MFA service, it "fails open" and allows access without the MFA credential. Nickels suggests that organizations have multiple MFA backup options to limit the risk.
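    The fail-open decision Nickels describes, written out as an added Python sketch (not code from the panel or from SANS): the weak setting grants access when every MFA service is unreachable, the fail-closed setting denies, and an ordered list of backup providers is tried first. The provider callables and the valid code are constructed placeholders for the demonstration.

```python
from typing import Callable, List, Tuple


class MfaUnreachable(Exception):
    """Raised when an MFA service cannot be contacted (outage, blocked route)."""


# Hypothetical provider shape: (name, callable(user, code) -> bool).
# A real deployment would call a TOTP or push-notification service here.
MfaProvider = Tuple[str, Callable[[str, str], bool]]


def authenticate(user: str, password_ok: bool, code: str,
                 providers: List[MfaProvider], fail_open: bool) -> Tuple[str, str]:
    """Return (decision, reason) where decision is 'allow' or 'deny'.

    password_ok: result of the first factor, computed elsewhere.
    providers:   ordered MFA services; the first reachable one decides.
    fail_open:   True reproduces the weak setting (access granted when no
                 MFA service answers); False is the fail-closed alternative.
    The reason string is meant to be logged so that 'mfa-unreachable'
    decisions can be alerted on by the defender.
    """
    if not password_ok:
        return ("deny", "first-factor-failed")
    for name, verify in providers:
        try:
            ok = verify(user, code)
        except MfaUnreachable:
            continue  # fall through to the next backup service
        return ("allow" if ok else "deny", f"mfa-{name}")
    # Every configured MFA service was unreachable.
    return ("allow" if fail_open else "deny", "mfa-unreachable")


# Constructed sample providers.
def primary_down(user: str, code: str) -> bool:
    raise MfaUnreachable("primary MFA service down")


def backup_ok(user: str, code: str) -> bool:
    return code == "123456"  # constructed: the only valid code in this sample


if __name__ == "__main__":
    only_primary = [("primary", primary_down)]
    with_backup = only_primary + [("backup", backup_ok)]
    print(authenticate("alice", True, "000000", only_primary, fail_open=True))
    print(authenticate("alice", True, "000000", only_primary, fail_open=False))
    print(authenticate("alice", True, "123456", with_backup, fail_open=False))
```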

    Backups have Vulnerabilities

    Johannes Ullrich, dean of research at SANS Institute, identified backups as being a potentially dangerous attack vector.

    Ullrich explained that backup systems have access to endpoints and servers across an enterprise and represent an attractive target for attackers. He noted that attackers are looking for known vulnerabilities in backup systems in order to exploit them.

    To mitigate the risk posed by backup systems, Ullrich suggests that organizations be diligent in patching and in ensuring that access to the backup system is secured.

    Stalkerware and Worms are Still a Risk

    Heather Mahalik, senior instructor and director of digital intelligence at SANS Institute, warned that what’s old is new again in security as stalkerware and worms are still concerns for users.

    Stalkerware is software that tracks users and has become a big issue again with the emergence of Pegasus in 2021. Computer worms, among the oldest forms of cybersecurity risk, also remain an issue, according to Mahalik.

    “Do not let the shiny APT (advanced persistent threat) distract you from what is really hiding there and just waiting to attack you,” she said.

    In terms of protecting against stalkerware and worms, Mahalik recommends basic cybersecurity hygiene, which includes regular patching, backups and anti-malware tools. She also advises that users make effective use of multi-factor authentication.

    The Risk is in Space

    Rob Lee, chief curriculum director and faculty lead at SANS Institute, warned that an emerging risk lies in securing non-terrestrial internet communications.

    With the current war in Ukraine, among the earliest targets was the internet infrastructure on the ground. Elon Musk stepped up and helped supply Ukraine with Starlink satellite internet, which has helped provide communications access. In the future, Lee warns, adversaries will increasingly target satellite internet systems alongside terrestrial ones.

    Lee noted that organizations need to consider how to make sure that they can continue operations, even in the absence of internet access.

    Overall, for IT security practitioners, Mahalik suggested that individuals need to be passionate to be successful with cybersecurity regardless of the threat vector.

    “We were discussing Alan Paller and remembering him and someone said it was hard to tell when Alan was working, and when he was having fun,” she said. “That is where you should hope to be, so find your passion and live it.”