In this SANS session from RSAC 2025, top cybersecurity experts shared five of the most dangerous and emerging attack techniques based on real-world field intelligence, with actionable defense strategies for each. Below are the key takeaways from each segment:
About the Speakers:
1) Heather Barnhart - DFIR Curriculum Lead and Sr. Director, SANS Institute and Cellebrite
2) Tim Conway - ICS Curriculum Lead, SANS Institute
3) Rob T Lee - Chief of Research & Head of Faculty, SANS Institute
4) Ed Skoudis - President, SANS Technology Institute College
5) Joshua Wright - Faculty Fellow and Senior Technical Director, SANS Institute and Counter Hack Innovations
Executive Summary:
1. Authorization Sprawl & Identity Abuse
Speaker: Joshua Wright
Attackers are exploiting centralized identity platforms (IDPs) without deploying malware. Instead, they leverage pre-approved access from compromised user accounts to move laterally across systems—on-prem and cloud—accessing services like Jira, Confluence, Microsoft 365, GitHub, and Snowflake.
Tactic in Focus: This technique, termed “Authorization Sprawl”, has been notably used by the threat actor Scattered Spider, who favors stealthy access over persistence mechanisms.
Mitigations:
- Enforce cross-platform privilege mapping
- Demand improved cloud logging (as per NSA's guidance)
- Enhance browser visibility with in-browser monitoring tools
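As an added illustration of the "cross-platform privilege mapping" mitigation (example code written for this summary, not material from the SANS session), the script below collapses constructed identity-provider SSO events into one privilege map per identity and flags accounts whose footprint across services such as Jira, GitHub and Snowflake grew beyond their baseline, which is the pattern the Authorization Sprawl technique relies on. The role scale, the event format and the sample users are assumptions.

```python
from collections import defaultdict

# Assumed role scale: a higher number means more privilege.
ROLE_RANK = {"user": 1, "admin": 2}

# Constructed SSO audit events as (user, service, role) tuples, standing in
# for what an IdP would log. Hypothetical data, not from the session.
BASELINE = [  # learning window: what each identity normally touches
    ("alice", "jira", "user"), ("alice", "confluence", "user"),
    ("alice", "m365", "user"),
    ("bob", "github", "admin"), ("bob", "m365", "user"),
]
RECENT = [  # review window: alice suddenly reaches two new platforms
    ("alice", "jira", "user"), ("alice", "m365", "user"),
    ("alice", "github", "admin"), ("alice", "snowflake", "admin"),
    ("bob", "github", "admin"),
]

def privilege_map(events):
    """Collapse events into user -> {service: highest role seen}."""
    pmap = defaultdict(dict)
    for user, service, role in events:
        current = pmap[user].get(service)
        if current is None or ROLE_RANK[role] > ROLE_RANK[current]:
            pmap[user][service] = role
    return pmap

def sprawl_report(baseline, recent, max_new_services=1):
    """Flag identities whose cross-platform access grew beyond the baseline:
    more than max_new_services unseen services, or a higher role on a known
    one. Returns {user: {"new_services": [...], "escalations": [...]}}."""
    base, now = privilege_map(baseline), privilege_map(recent)
    report = {}
    for user, services in now.items():
        known = base.get(user, {})
        new_services = sorted(s for s in services if s not in known)
        escalations = sorted(
            s for s, role in services.items()
            if s in known and ROLE_RANK[role] > ROLE_RANK[known[s]])
        if len(new_services) > max_new_services or escalations:
            report[user] = {"new_services": new_services,
                            "escalations": escalations}
    return report

if __name__ == "__main__":
    for user, finding in sprawl_report(BASELINE, RECENT).items():
        print(user, finding)
```

In practice the baseline would be built from the IdP's own sign-in and entitlement exports rather than an inline list, and the flagged identities would feed an access review rather than a print statement.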
2. Ransomware Targeting ICS/OT Environments
Speaker: Tim Conway (Part 1)
Ransomware attacks are now targeting operational technology (OT) and industrial control systems (ICS), affecting vital sectors like fuel, food, and manufacturing (e.g., Colonial Pipeline, JBS Foods). These attacks often originate in IT systems and spread to operational layers.
Key Issue: Many organizations lack visibility into the OT/ICS layer and its connectivity with IT systems, making them prime targets.
Mitigations:
- Conduct thorough asset and risk assessments
- Apply five critical controls for ICS
- Adopt Cyber-Informed Engineering (CCE) from Idaho National Lab for mature defenses
3. Nation-State Attacks on Critical Infrastructure
Speaker: Tim Conway (Part 2)
State-sponsored actors are increasingly launching ICS/OT-targeted attacks for geopolitical influence, deterrence, or destruction. These operations mirror advanced persistent threats (APTs), leveraging initial IT compromise to cause disruption or destruction of physical systems (e.g., Ukraine power grid attacks).
Strategy Shift: These actors misuse legitimate ICS tools rather than introducing malware, making detection harder.
Mitigations:
- Prepare for assumed breaches in IT
- Prioritize segmentation and monitoring of OT environments
- Conduct impact modeling to plan for worst-case scenarios
4. Lack of Logging – The “Darkness” Threat
Speaker: Heather Mahalik Barnhart
A recurring self-inflicted vulnerability is inadequate logging. Without proper data, even world-class responders can’t investigate incidents or attribute attacks. Attackers are learning to look normal—and when logs don’t exist, it’s like investigating in the dark.
Real-World Impact: Cases like Bybit demonstrate how attackers evade AI-driven threat detection by mimicking normal behavior.
Mitigations:
- Ensure comprehensive logging across on-prem and cloud
- Train AI models to detect deviations from 'normal'
- Conduct periodic log reviews and red teaming exercises
5. AI-Powered Normalization of Attacks (Previewed)
The next discussion hints at the evolution of AI being used to mask attacker behavior as “normal,” complicating detection and response further.
Final Thought
This session is a wake-up call for defenders to shift from passive monitoring to active threat anticipation. The common theme? Attackers are adapting faster—using access and weaknesses already in place. As defenders, we must improve visibility, reduce trust assumptions, and prepare for both stealthy and destructive threats.