Ed Skoudis moderates a panel at RSA Conference 2022 with Katie Nickels, Johannes Ullrich, Heather Mahalik and James Lyne, all of the SANS Institute.

Jun 10 2022

RSA Conference 2022: Everything Old Is New Again for Hackers

Cybersecurity experts have noticed that cybercriminals are employing familiar techniques to compromise organizations in new ways.

What goes around comes around. Everything old is new again. Pick your recycled cliché, and it probably applies to the tactics being employed by cybercriminals today.

A panel convened by the SANS Institute at RSA Conference 2022 offered some insights on the most dangerous new attack techniques being used by threat actors. Moderated by Ed Skoudis, president of the SANS Technology Institute, the presentation revealed that the latest trends in cybercrime are tried-and-tested tactics being employed in new ways or directed at new targets and platforms.

For example, the rapid migration to the cloud and the proliferation of connected devices have led attackers to find new uses for some familiar techniques.


Attackers Are Redirecting Their Efforts to the Cloud

Katie Nickels, a SANS-certified instructor and director of intelligence at Red Canary, presented two techniques cybercriminals have adapted for use in the cloud. “Back in 2020 — it seems like so long ago — my colleague, Ed Skoudis, talked to you all about this technique, living off the land, using built-in binaries and operating systems. And that’s something we still have to worry about. But now I would argue we have to worry about something else that I’m calling living off the cloud.”

Nickels posited that threat actors are using the cloud for the same reason any other organization does. “Simple, it’s easy, it’s cheap, it’s convenient to set up infrastructure, right? Adversaries can really easily spin up infrastructure to compromise our organizations,” she said.

She also pointed out how much easier it is for attackers to blend in. Because attacker infrastructure and legitimate business traffic use the same cloud services, defenders struggle to distinguish one from the other. “We all use cloud services legitimately in our organizations. That stuff goes right through those firewalls and proxies.”

Her advice for defending against these attacks begins with another classic security cliché: Know normal, find evil. And once malicious activity is identified, it is critical to report it to the cloud provider hosting the abused infrastructure.


Attackers Are Recycling Old Tactics for New Uses

Nickels mentioned another trendy yet dangerous attack technique: multifactor authentication bypass. She related a case in which a Russian attacker evaded MFA by correctly guessing the password of a dormant account that had never been disabled in the company’s Active Directory. The attacker re-enabled the account in Active Directory and then bypassed the company’s MFA service by enrolling a new device for it. The lesson is that MFA only protects accounts whose enrollment state is actively managed: a stale, enabled account with no registered second factor is an open door.
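The two conditions behind that bypass (an enabled account nobody has used in months, and a fresh MFA device enrollment on it) are both detectable from routine directory and identity-provider data. The following is an added example written for this article, not code from the panel or from any vendor; the account records and MFA event records are constructed sample data, and the field names and the 90-day dormancy threshold are assumptions. It flags enabled accounts that have gone dormant (candidates for disabling) and MFA device enrollments that occur on an account long after its last logon.

```python
from datetime import datetime, timedelta

# Assumption: an account unused for this many days should have been disabled.
DORMANCY_DAYS = 90

# Constructed sample directory export (not real accounts).
ACCOUNTS = {
    "jdoe":    {"enabled": True,  "last_logon": "2021-11-02T09:14:00"},
    "svc-old": {"enabled": True,  "last_logon": "2021-06-15T13:02:00"},  # stale but never disabled
    "alice":   {"enabled": True,  "last_logon": "2022-05-09T08:00:00"},
    "bob":     {"enabled": False, "last_logon": "2021-01-01T00:00:00"},  # correctly disabled
}

# Constructed sample MFA provider events (not real logs).
MFA_EVENTS = [
    {"ts": "2022-05-10T02:13:44", "user": "svc-old", "action": "device_enrolled", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-10T08:05:01", "user": "alice",   "action": "device_enrolled", "src_ip": "10.0.4.12"},
    {"ts": "2022-05-10T08:06:30", "user": "alice",   "action": "auth_success",    "src_ip": "10.0.4.12"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def stale_enabled_accounts(accounts, now, dormancy_days=DORMANCY_DAYS):
    """Enabled accounts with no logon in `dormancy_days`: these should be disabled, not left for an attacker to guess."""
    cutoff = now - timedelta(days=dormancy_days)
    return sorted(
        user for user, acct in accounts.items()
        if acct["enabled"] and parse_ts(acct["last_logon"]) < cutoff
    )


def suspicious_enrollments(accounts, events, dormancy_days=DORMANCY_DAYS):
    """MFA device enrollments on accounts whose last logon was `dormancy_days` or more before the enrollment.

    A legitimate user enrolls a new device shortly after (or while) using the account;
    an enrollment that follows months of silence is the pattern from the case above.
    """
    hits = []
    for ev in events:
        if ev["action"] != "device_enrolled":
            continue
        acct = accounts.get(ev["user"])
        if acct is None:
            continue  # enrollment for an unknown principal is worth its own alert; out of scope here
        gap = parse_ts(ev["ts"]) - parse_ts(acct["last_logon"])
        if gap.days >= dormancy_days:
            hits.append({
                "user": ev["user"],
                "ts": ev["ts"],
                "src_ip": ev["src_ip"],
                "dormant_days": gap.days,
            })
    return hits


if __name__ == "__main__":
    now = parse_ts("2022-05-10T12:00:00")
    print("stale enabled accounts:", stale_enabled_accounts(ACCOUNTS, now))
    for hit in suspicious_enrollments(ACCOUNTS, MFA_EVENTS):
        print("ALERT: MFA enrollment on dormant account:", hit)
```

In production the account list would come from the directory (for Active Directory, `lastLogonTimestamp` via a scheduled export) and the events from the MFA provider’s audit log; the correlation logic stays the same. The first function is the preventive control (disable what is stale), the second is the detective control for the window in which prevention has not yet caught up.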

Johannes Ullrich, dean of research at the SANS Technology Institute, agreed with Nickels in stressing the value of MFA along with the need to be mindful of the details. “One of the things that I often see missing when people implement multifactor authentication is, how are you dealing with lost, broken or stolen second factors? How are you recovering them?”

Ullrich also emphasized the importance of backups, even though he called them boring. “In some ways, boring is good for security. I love security when it's boring. Usually, security gets bad when it gets exciting.”

He expressed concern for the many organizations that suddenly find themselves running multiple backup solutions for different environments. Remote users might be backing up to a USB device while the company still relies on on-premises backups, and now cloud backups are being added to the mix. “And for each one of these backup solutions, we have some unique attacks that could be launched against those solutions,” Ullrich said. Every additional solution is another system that must be configured and monitored; an attacker who gains control of one can, for example, quietly redirect its backups to a destination under their own control, leaving the organization with no usable copy when it needs one.
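A backup that has been redirected or silently weakened looks healthy in the dashboard right up until a restore is attempted. The check below is an added example written for this article, not code from the panel or from any backup product; the configuration format, the approved-destination list and the policy thresholds are assumptions, and both configurations are constructed. It audits a backup job’s configuration against a policy (destination on an allowlist, transport encrypted, retention lock, encryption at rest, a recent restore test) and reports drift from a previously recorded baseline, which is the signal that someone has changed where the data goes.

```python
from urllib.parse import urlparse

# Assumption: the only hosts this organization's backup jobs are allowed to write to.
APPROVED_DESTINATIONS = {"backup-01.corp.example", "s3.eu-west-1.amazonaws.com"}

# Constructed example of a weak configuration: plaintext transport to an unknown host,
# no retention lock, no encryption, no evidence a restore has ever worked.
WEAK_CONFIG = {
    "destination": "http://203.0.113.9/dump",
    "retention_lock_days": 0,
    "encrypt_at_rest": False,
    "last_restore_test": None,
}

# Constructed example of the corrected configuration.
HARDENED_CONFIG = {
    "destination": "https://s3.eu-west-1.amazonaws.com/corp-backups",
    "retention_lock_days": 30,
    "encrypt_at_rest": True,
    "last_restore_test": "2022-05-01",
}


def audit_backup_config(cfg, approved=APPROVED_DESTINATIONS, min_lock_days=14):
    """Return a list of policy findings; an empty list means the configuration passes."""
    findings = []
    dest = urlparse(cfg["destination"])
    if dest.hostname not in approved:
        findings.append(f"destination host {dest.hostname!r} is not on the approved list")
    if dest.scheme != "https":
        findings.append(f"destination uses {dest.scheme!r} transport, not https")
    if cfg.get("retention_lock_days", 0) < min_lock_days:
        findings.append(f"retention lock shorter than {min_lock_days} days (ransomware can delete or overwrite)")
    if not cfg.get("encrypt_at_rest"):
        findings.append("backups are not encrypted at rest")
    if not cfg.get("last_restore_test"):
        findings.append("no recorded restore test; the backup is unproven")
    return findings


def config_drift(baseline, current):
    """Fields whose value changed since the approved baseline was recorded.

    A change to 'destination' is the one to page on: it is exactly how an attacker
    redirects backups to a location they control.
    """
    return {
        key: (baseline.get(key), current.get(key))
        for key in set(baseline) | set(current)
        if baseline.get(key) != current.get(key)
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_backup_config(cfg) or 'OK'}")
    print("drift from hardened baseline:", config_drift(HARDENED_CONFIG, WEAK_CONFIG))
```

Run the audit on every backup job, not just the primary one, and store the baseline somewhere the backup administrator account cannot rewrite; otherwise an attacker who has taken over the backup system can move the goalposts along with the data.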


Spyware and Worms Are Back, and Device Hygiene Is the Defense

Heather Mahalik, digital forensics and incident response curriculum lead for the SANS Institute and senior director of digital intelligence at Cellebrite, joined in warning against old techniques. Specifically, she noted the use of stalkerware, whose most capable commercial relative is the Pegasus spyware. Pegasus can target an individual’s device, install itself and take control, and then remove itself to frustrate forensic tracking. While she noted that Pegasus is very expensive and is used primarily against high-value targets such as politicians and celebrities, its capabilities are intimidating.

Mahalik also spoke about the renewed use of worms. A proliferation of newly connected devices combined with users’ lax attitudes toward security can open vulnerabilities. “You need proper hygiene when it comes to anything cyber, everything from backups, to using your phones, to your watches — all of these things,” she said. “We also have to make sure we’re updating our devices, we’re using passcodes, we’re using multifactor authentication.”

She stressed the importance of users educating themselves. “Cloud is huge. There’s a lot of education available for cloud. Train yourself, review documentation, reboot your devices, create your backups, use mobile device management, and do not blindly click on things if you don’t know what they are.”


Photography by Joe Kuehne
