The Five Most Dangerous New Attack Techniques

Posted on in Presentations

Each year at RSA Conference, SANS provides the authoritative briefing on the most dangerous new attack techniques in use today, what's coming next, and what organizations can do to prepare. This session gives organizations a chance to prioritize upcoming attack vectors and to get ahead of them.

Video Transcript

>> ANNOUNCER: Please welcome, Vice President RSA Conference, Linda Gray Martin.


>> LINDA GRAY MARTIN: Good morning.


On November 9th last year we learned with great sadness that Alan Paller passed away. Alan was an early, influential advocate for cybersecurity. He championed diversity, and he was incredibly passionate about mentorship and educating the next generation of cyber warriors. He was also instrumental in bringing the annual SANS panel to RSA Conference and was our moderator for over a decade, turning it into one of our most popular sessions. I know how many people here today knew Alan, respected him, and most importantly loved him.


Let's have a look at how some of those people remember him.


>> ANNOUNCER: Please welcome, research director and founder SANS Institute, Alan Paller.


>> ALAN PALLER: Good afternoon. This is my favorite session of the year because this is the time when I find out what the really dangerous new things are that people are going to have to deal with.


>> NEWS ANCHOR: Companies are also committing economic espionage, is what you are saying?


>> ALAN PALLER: Companies are committing, on a large scale, as are other governments. Many governments are using the same techniques that they are using for military espionage to learn enough to get an advantage in an economic transaction that they are undertaking.


>> TONY SAGER: Alan was a natural magnet for attention because he was always so action orientated. But no one was quicker to create a hero than Alan, to find someone else and put them in the spotlight.


>> ALAN PALLER: What was the best part of the competition?


>> CONTESTANT: It was probably hacking the score server. I compromised a Twitter feed, and that

>> ALAN PALLER: So you compromised the score, and you gave yourself points?


>> CONTESTANT: Yeah, ten thousand.


>> ALAN PALLER: Ten thousand.


>> JAMES LYNE: For years, every weekend, Alan would call and, for hours, share new ideas he had for the cybersecurity community and how to make things better for our students. He was a rare form of wonderfully relentless.


>> NEWS ANCHOR: Alan Paller is the Director of Research for the SANS Institute. He joins us this half hour. Give us an example of how cybersecurity would relate both to information analysis and infrastructure?


>> ALAN PALLER: If you look around the kitchen you have electricity coming in, you’ve got a telephone line coming in, you may have the Internet coming in, you have water coming in. Thirty years ago all of those services were managed by people with valves. Today all of those services are managed by computers.


>> HEATHER MAHALIK: He would raise you to levels you didn't think were possible. He would encourage your work and encourage you to keep driving further.


>> ED SKOUDIS: He wanted to help people achieve their best. He was inspirational, truly motivational, and he touched the lives of tens of thousands of people.


>> LINDA GRAY MARTIN: Alan is the recipient of the RSA Conference 2022 lifetime achievement award, very deservedly. Please welcome the President of the SANS Technology Institute College, Ed Skoudis, who is accepting the award on behalf of Alan and his family.




>> ED SKOUDIS: Alan's wife, Marsha, and his daughters, Brooke and Channing wanted to say a heartfelt thank you. What an honor it is for Alan to receive this lifetime award for the work he so passionately believed in and spent his life focused on. And if Alan were here today, we all know he would thank RSA Conference and all of you who continue to work so hard, every single day, to make cybersecurity better. To help make the world a safer, more secure place.


As you know, Alan was focused on cybersecurity education and training up the workforce to fight the good fight. One of the last projects Alan worked on was the incredible National Cyber Scholarship Foundation. It's an organization dedicated to identifying and bringing up the next level of cybersecurity practitioners to keep us all safe.


I urge you to look at the National Cyber Scholarship Foundation. It's just a fantastic thing. So, Linda and RSA Conference, on behalf of Alan and his family, we thank you so much for this award.


>> LINDA GRAY MARTIN: Thank you.




>> ED SKOUDIS: Another great part of Alan Paller's legacy was helping to equip cybersecurity professionals, people like you, people like me, with the information, knowledge, and tools you need to help keep us all safe. One part of that was the SANS keynote panel each year at the RSA Conference. Alan was dedicated to this panel, and it meant so much to him.


So in his honor, and as part of his legacy, we are going to prepare and present this panel for you today. So I would like to welcome our panelists up here on stage. I will briefly introduce each one of them and then you can clap for them.


First up, we have Katie Nickels. Katie is a certified SANS instructor and Director of Intelligence at Red Canary.


We have Johannes Ullrich, he is the Dean of Research at the SANS Technology Institute, that’s the college, and he also runs the Internet Storm Center.


We next have Heather Mahalik. Heather Mahalik is the Director of Intelligence -- Senior Director of Intelligence at Cellebrite and a SANS fellow.


And finally, we have Rob T. Lee. Rob T. Lee is the Chief of Curriculum and Faculty at the SANS Institute. Each one of these individuals has great insights to share. Let's give them a round of applause.





So, one of my favorite parts of this panel, just like for Alan, is these are the people that I look to, and so many of us look to, to give us insights on what to expect next. What we should focus on in keeping cyberspace secure. And I got to tell you, each year, a few times I pick up the phone and I call these folks and I say, hey, this thing is going on and it looks pretty big, is it? And what do we need to do about it? Or sometimes I will see something happening, just in my client base or with some of my friends, some hack, or some bad thing. And I want to know, is this a big deal? And I will call these folks on the phone and ask them. And they give me ideas. They give me instruction. They teach me. So I learn from them every year.


Now, we would like you all to be able to call them on the phone and ask them for the same kind of thing, but we realize that doesn't scale so well. So instead, we do this panel each year. So I hope you are ready to take some notes on the top five attack trends that we all need to focus on each year.


Our first speaker is going to be Katie Nickels. Katie is a force of nature, absolutely amazing, certified SANS instructor. And she is the kind of instructor that is focused on making sure the people she is talking with are learning. Not an instructor that’s just there to show off. She really cares deeply about imparting knowledge.


Last year was Katie's first year on our panel. She joined us virtually on this panel last year, I'm sure some of you have seen it, and no offense to our fellow panelists here, but last year Katie knocked it out of the park. She was the best. She did a better presentation than I did. She was just the best. So I mentioned this last night to all of our co‑panelists and they all said we are going to step it up this year, and Katie said I guess I got to step it up this year as well.


So let's all give a round of applause for Katie Nickels.


>> KATIE NICKELS: Wonderful. Thank you so much for that kind introduction, Ed. Let's throw the gauntlet and dive right in.


I'm going to talk to you about two different new attack techniques that I think everyone needs to be paying attention to. Let's dive right in here.


Back in 2020, it seems like so long ago, my colleague Ed Skoudis talked to you all about this technique, living off the land, using built-in binaries and operating systems. And this is something we still have to worry about. But now I would argue, we have to worry about something else that I'm calling living off the Cloud.


As that image suggests, it's not just enough to pay attention to the operating systems, the end points; adversaries, in a lot of their intrusions, are using Cloud services of different types for a lot of really good reasons.


Now, it's important to note we are talking about new attacks, and admittedly this is one that's been around for a few years, but I think what's new here is the levels to which use of Cloud Services has risen. And I think sometimes we have shiny object syndrome, right. The new thing. But sometimes new means new levels.


So why do adversaries do this, why do they use the Cloud, why do they live off the Cloud? The same reason many of us use the Cloud. It's simple, it's easy, it's cheap, it's convenient to set up infrastructure, right? Adversaries can really easily spin up infrastructure to compromise our organizations. It also makes it easier for them to blend in. As a defender looking at network traffic it's tough for me to tell, is this Cloud traffic legit or benign? Really difficult.


And lastly, we all use Cloud Services legitimately in our organizations. That stuff goes right through those firewalls and proxies. So this is one of the reasons adversaries are doing this living off the Cloud.


Here's an example, and I have to give credit for this example to Jared Stroud from Lacework: living off the SaaS, Software as a Service. Ngrok is a really useful piece of software where, say I'm a developer and I’m working on some code; I want to share it out but don't want to bother with domain hosting. Well, I can use Ngrok software to really easily get a URL that anyone can access. Goes right through the firewall, instant URL sharing out.


It's great for me if I'm a developer. It's also great for adversaries. So adversaries have started using Ngrok and what they can do, they get this legitimate looking domain on the legit Ngrok domain and maybe they send that through in a phishing email. Of course email is easy to get past firewalls. A user, maybe they have heard of Ngrok, or their org uses it, so they go ahead and click on the Ngrok link. What happens is Ngrok sets up a tunnel, a reverse proxy that goes right through that firewall. Making it really easy for adversaries to send their malicious payload right through.


It's not just SaaS though. Infrastructure as a service, services like OneDrive. This is an example from an awesome researcher, Brad Duncan, of a phishing email that would deliver Q-bot, or Qakbot, malware.

What have we trained users to do? Look at that link. OneDrive dot, I recognize that. No problem, click, and you get Q-bot.


It's a user training challenge we have to shift, as adversaries are living off the IaaS, the infrastructure as a service. How do we deal with this? How does detection and response need to change? Well, one thing that I still hear from some people is let's just block all of the bad domains, all of the bad infrastructure. Let's find all of those indicators and block them. Well, you can't really do that; Ngrok is legitimate, OneDrive is legit. So rather let's shift to that ‘Know Normal: Find Evil,’ the classic SANS poster. It still works, know what's normal for Cloud Services in your environment to help you identify the bad stuff.


And lastly, really important, when you find abuse of these Cloud Services, it's not the Cloud provider's fault, right? This just happens. Report it to them. This is a great reply from Ngrok when Jared was talking about this technique at ATT&CKcon. They replied and said, hey, thanks for letting us know about this abuse; we all need to work together to improve countermeasures. So report this abuse so Cloud providers can help make this better. That's the first technique, living off the Cloud.


The next one may be a little more shiny object here. Multifactor Authentication, quote, bypass. And I say ‘bypass’ because, well, it's really just taking advantage of how Multifactor Authentication is configured. Multifactor Authentication remains an incredibly powerful force for security, and you should still use it, but in this case, this is from a US-CERT/CISA report from last year, a Russian state sponsored actor brute forced their way into an account. They guessed the password and got control. This account was a little old, so it turns out the company had done a great job disabling that in the Multifactor Authentication service, but unfortunately, they forgot to disable that account in Active Directory. So the adversary was actually able to go from Active Directory, reenable that Multifactor Authentication service, and then essentially bypass Multifactor Authentication by reenabling it and enrolling a new device.


Just because adversaries can bypass doesn't mean you should stop using Multifactor Authentication; it prevents 99% of issues. Keep using it but be thoughtful in how you implement it. For example, make sure if you disable an account in your multifactor service, you disable it in Active Directory. Last but not least, going back to knowing normal to find evil. Know what's normal for user accounts; that tried and true method is going to help you with this technique, Multifactor Authentication bypass, as well as the first one, living off the Cloud.


Thank you so much.




>> ED SKOUDIS: Thank you, Katie. Very, very interesting. Thank you so much.


So our next speaker is going to be Dr. Johannes Ullrich. As I mentioned before, Johannes is the Dean of Research at the SANS Technology Institute College. He also runs the Internet Storm Center which has over 40 incident handlers actively monitoring for things that go bump in the night on the Internet. They publish a daily diary of things we all need to know about. Johannes works really hard at wrangling all of those handlers; he is a handler wrangler. But really, he is one of the top people I call when something doesn't look right. And he gives so much to the community, just a tremendous, tremendous resource. Also, he is the editor of a research journal from the SANS Technology Institute. So he is also kind of paying it forward to the next generation, where he works with his students to ensure that they are doing really positive research to help advance the state of cybersecurity.


So let’s welcome Johannes Ullrich.




>> JOHANNES ULLRICH: Thanks for allowing me to speak here again, and thanks, everybody, for coming and listening.


Now, I just want to follow up a little bit on the Multifactor Authentication discussion that Katie had. I'm excited by a lot of things that happen with Multifactor Authentication. I guess I'm weird like that, FIDO2 and some of these things, but one of the things I often see missed when people implement Multifactor Authentication is how are you dealing with lost, broken, stolen second factors? How are you recovering them? You are having a hard enough time just to do good password reset techniques, but resetting your second factor, that tends to be a problem. And one little tip here I want to give you before moving to the next topic is, allow people to register multiple second factors. In particular if you are doing something like WebAuthn, FIDO2, where you have a hardware authenticator. Give people a chance to move from one authenticator to another by allowing them to register multiple authenticators, so they have a backup authenticator.


And talking about backups, that’s what I really want to talk about; the threats that come with backups. A few years ago I was walking my dog at the time, she was the best dog, but we walked down an alley and there were abandoned garages, and people kept dumping stuff in those garages, and what I found there were two big drums full of backup tapes. I never got to read them, but there were some labels from a medical lab or such. Well, it's about 11:30 here on a Wednesday, do you know where your backups are? Maybe they are in my alley? No, but backups are often forgotten like this.


Backups are boring. And in some ways, boring is good for security. I love security when it's boring. Usually security gets bad when it gets exciting. So let's make backups a little bit exciting here. Let's talk about how backups can get exciting.


Your little sketch, sort of your standard network, you have backups all over the place. Most organizations have sort of a fairly diverse set of backup technologies. You have home users who have limited and capped internet connectivity, so maybe you give them some kind of USB backup device. You have some on premise backup. And everything is better, particularly for the attacker, if it's in the Cloud. So we also have some Cloud backups, in particular of our systems that are running in the Cloud, and for each one of these backup solutions we have some unique attacks that could be launched against those solutions.


Okay. Nothing new. Lost backups. Now, we talked about it for years. There also usually is a management solution that comes with these backups. That allows you to decide what to back up, where to back up. And, well, that’s another one of those boring things we don't really look at. We configure it, we hope it works, and then we walk away from it. But for the attacker you just built sort of a great resource here. Talk about living off the land and such.


You built sort of one key for the attacker to get to your data. So how would an attacker do this? Are there other vulnerabilities? This is not a complete list. This is just a quick list I assembled for this, different backup solutions, vulnerabilities they had over the last year or so. So how would an attacker possibly take advantage of either a vulnerability or a misconfiguration?


Strong passwords, why do we need that for a backup solution? It's boring so they will just stay with admin/admin, good stuff like that. Well, like I said, you instrumented your network for the attacker. All the attacker now has to do is take advantage of that instrumentation. And this is where I'm sort of looking a little bit forward. So what's the attacker going to do when people stop clicking on attachments and what's a more stealthy way, it also begins with living off the Cloud kind of idea, to exfiltrate your data.


Go into your backup solution and just config a second destination. Hey, for extra credit, let's use the same Cloud solution you are using for your Cloud backups to make it even more tricky to really identify that something odd is going on. And if you are running any kind of more detailed network monitoring systems, some proxies or whatever, you probably sort of exempted those backups because it's a ton of data that you probably really don't want to deal with here.


The second thing you built for the attacker is you installed agents on all of your end points. And those agents, well, they need to at least read all of your files and particularly important ones that you need to back up. Secondly, those agents often encrypt, and if you have any ransomware solution that detects if there is software running that all of a sudden starts encrypting a lot of files, well, you may have already gotten false positives here from your backup agent if it wasn't sort of excluded and allow listed by default. So another thing we built for the attacker to really take advantage of us.


So what are we going to do about it? Well, start paying attention. Backups are boring. Boring is good. Keep it boring. Make sure that only things are backed up that we want to back up, that they are backed up where you want to have them backed up to.


And with that, I will hand it over to Heather.


>> ED SKOUDIS: Thank you, Johannes.


So next up we have Heather Mahalik. And Heather really is incredible. When it comes to mobile device forensics, and security more generally, she is the go‑to person for so many people. I understand that senior law enforcement officials call her, sometimes while she is on vacation when they need urgent help on a late‑breaking case or some major attack that is under way. She is a curriculum lead for digital forensics and incident response with the SANS Institute and works diligently in making sure that the instructors and the classes are just the best they can be to help equip us all with what we need to know.


So let's give a round of applause to Heather Mahalik.


>> HEATHER MAHALIK: Thank you, Ed.

It is great to be back in person. I realize we are probably all overwhelmed after hiding for about two years, so welcome back. It's good to have you here.


Something else I want to mention that's probably been glaring to you, we are discussing more than five attacks. But we can't help ourselves. Like Ed said, when we know something, we want to share it with you. So that's what we are here to do.


I am going to also try to keep this a little bit boring. I want us to go back in time. Attackers are using old techniques to do newer fancy things. Think about what Katie talked to you about. Cloud. How are they getting into Cloud? They are getting into it the same way they have done with living off the land. So when we look at old versus new, back to the basics. If I say to you go back to the basics, how are you going to hire for that? Are you going to hire people who have done legacy attacks, or are you going to hire the newest generation who are chasing the latest and greatest things? It's difficult. I want you to think about that during my entire time with you here on the stage.


The next thing, technology is constantly changing. Apple just did their big announcement, so think about as technology changes and as things change for us as users, how does that impact the attacks? Are attackers using new techniques or are they always relying on things that work? Why would you reinvent the wheel? If you are an attacker and you want access, why wouldn't you use what simply works already?


The first one I am going to talk about when we advance in is stalkerware. And what I want you to think about is new techniques on old attacks. We are all stalkable. I said this on the stage two years ago. Do not think that you aren't important enough. Stalkerware is very targeted. Most stalkerware is cheap. You can use things that are used for good to do evil on these devices.

As Katie was saying, know good, find evil. The same thing is with stalkerware.


Most often with these devices someone wants to monitor you, continuously monitor you and control you. Stalkerware is easy to find, but everyone thinks they are stalked all of the time. Your phone rings, it acts weird, the computer is acting weird; it's not always something like that. You have to educate yourself on what this looks like.


Traditionally, with stalkerware, you needed access to that device, but keep in mind, access could be as simple as tricking someone into clicking something. Johannes was just saying don't click, don't do things. You have to know what you are looking at. So this is an issue. However most of us are like no one is touching my device, I'm not going to click on anything, I'm smarter than that. Enter the flying horse.


So Pegasus, not a good thing. I’m sure most of you have heard of Pegasus. It is the most prevalent APT malware that impacts not only iOS devices but Android. It can be any device running these two operating systems. Apple had their work cut out for them and has done a fantastic job at continuously patching. Pegasus is not cheap. So I want you to keep that in mind. When I say about the targets and my final thing that will show up in red here, it can be alarming. It's usually high profile, think politicians, people in the media who are attacked by Pegasus.


The issue, it's zero click. You have to do nothing except be a target. Someone wants on your device; they will get on your device. This attack literally flies through the air, lands on your iOS or Android device, you don't click it and it immediately self‑installs. Where my job becomes very difficult, it also self‑destructs. So it takes away all evidence with it. So how are you going to find this? That is one thing that is extremely difficult.


Now, the scary thought if Pegasus is coming your way, it's not what if, it's when. Once you are targeted, it's going to happen. So you have to educate yourself on how to get beyond this. For worms, old school, right. People are like, worms? I remember the first mobile malware I ever worked with was an annoying worm. Worms are annoying, but they still are in existence. According to the Red Canary 2022 cyber threat report, worms are number 31. Why? It's a past threat. It's working still.


Now the issue, when we think of our employees and our staff, are people only chasing the new things or are they going to focus on the boring like Johannes said. It may not be the sexiest thing on the planet to be like I'm going to evaluate a worm, but guess what, WannaCry is still impacting end points. From 2017. It's an issue.


Adversaries will let things be dormant, just dormant until they are ready to kick up again. Are you going to be prepared for it? These are often worms. Don't let the shiny APTs distract you from what is really hiding there and waiting to attack; you have to be very careful with this. How worms land: poor security hygiene.


Look at this. See no evil, hear no evil, speak no evil, oops, but not on my phone. We do stupid things on mobile devices, all of us do. So we need to be aware of it.


How you can mitigate. You need proper hygiene when it comes to anything cyber. Everything from backups to using your phones, to your watches. All of these things, we have to consider this. We also have to make sure we are updating our devices, we're using pass codes, using Multifactor Authentication; you are hackable.


This is super important. Educate yourself. Cloud is huge, there is lots of education available for Cloud. Train yourself. Review documentation. When we think of Pegasus, there is a Pegasus project, read it, learn about it, understand if you have been attacked.


Google has the FORCEDENTRY, which is essentially the sister of Pegasus, read it. Update your devices, reboot devices, create backups, use mobile device management, and do not blindly click on things you don't know what they are.


>> ED SKOUDIS: Thank you, Heather, we appreciate that.


So in just a couple of minutes we are going to have some questions and answers with our panel. We have actually surveyed many different people in the cybersecurity space from all walks of life, some people brand new, some people seasoned experts, and we have a series of questions for our panelists that’s coming up right after our final panelist presentation. And that will be from Rob T. Lee.


Rob, he is really quite amazing. I have known Rob for way over 20 years and when I first got to know Rob, I actually got a phone call from Alan Paller. So Alan called me and said, hey, we’ve got this new guy coming to SANS and he is incredible. He does digital forensics and incident response, and he is going to change that entire industry. He is incredibly motivated, he is passionate, he knows the stuff inside and out, and he is going to be a great addition. I was excited to meet him for the first time. And Alan was 100% right.


Rob worked originally at the Air Force Office of Special Investigations and did some incredible work there. He is well trained in space operations, not cyberspace, but space operations as well as from a cyberspace perspective focused on adversary emulation, focused on offensive operations. And also early on in his career, doing vulnerability discovery.

But since then, he has worked diligently in digital forensics. And now he heads up the SANS curriculum; the various curriculum leads look to him for leadership in determining what kinds of things people need to know about today and how to craft cybersecurity education around that.


Let's welcome Rob T. Lee to the stage.




>> ROB LEE: Hi, Ed. I really appreciate that. It's been years. It's been over 20 years when I first sat in your class, and I remember we were down in Orlando and I was in awe, you know, Ed Skoudis came up and talked to me. And I remember telling a couple of my co‑workers, Ed talked to me. It was one of these amazing things.


At that point in time I was with the Air Force Office of Special Investigations, and you may be wondering exactly why I got into that. This will tie back to the what is old is new again theme we are working on here. I get the pleasure of the topic today right now, which is going to be talking about really oogy boogy future trending things. But the thing that really ties back to is the early part of my career.


He mentioned I majored in space operations, and of course I'm not doing a damn thing about it, not even touching satellites or anything. And the key reason why, you may not know this, is I'm color blind. Now, you probably look at my clothes right now and I actually don't know if I'm wearing green pants and red shoes or steel gray and brown shoes. That's how bad it is for me right now. So anyone who has ever done the color charts and it shows the numbers, yeah, I don't see any numbers. I just see a bunch of dots.


So at that point in time I was like what am I going to do with my career? And I read a book, and the book was authored by Winn Schwartau, who coined the term digital Pearl Harbor. And that is one of the themes that comes into the talk today which really ties into this theory of what is the digital high ground? What is currently going on out there, that a lot of you are noticing, that's going to tie back into the way that we are looking at things into the future? Case in point, what's going on in Ukraine right now has a lot of people, well, let me take that another level, a lot of nation states sitting up and taking notice.


Roll back about, I don't know, eight years. The Ukrainian military started to adopt a technique called GIS ARTA, short for art for artillery. And essentially this concept was you would be able to target, like you are in your Uber, here I am at the Moscone Center and say I need a ride and Uber will triangulate the closest Uber vehicle to you. The same thing they are doing with artillery, drones, infantry units in Ukraine now.


They have been command and control to get on there and click on the target and it says here you go, rush in, and hit that target. The key idea here, though, is that the time to trigger from initial targeting to steel on target was reduced from hours to seconds. And this was amazing, well, up until the beginning of the war when Russian cyber assets took out the Viasat modems using a network called AcidRain, which basically wiped the operating system on those modems and disabled them. Not only disabled them, but they disabled half of Europe's, some in Germany, some wind turbines and a bunch of other things that basically crosses those nation state lines.


Enter, a few weeks later, Elon Musk saying hey, we have Starlink, we could turn it on for you guys, what do you think? And everyone went like this. And in public private partnership between the U.S. Agency for International Development and SpaceX, they started shipping thousands of Starlink terminals into the Ukraine to reactivate GIS Art for Artillery. And this also enabled Ukrainian military services to have point‑to‑point encrypted communications that was impenetrable by Russian cyber forces that were out there. In fact, you take a look at news reports that are out there and of course SpaceX claims they are able to withstand a Russian attack with just a single line of code that was able to thwart their attacks.


The main point here is that you take a look at the implications of what Starlink is doing, and tying that into military application, but it has far reaching applications. How many of you out there Googled it and said, hey, I have a trailer or camper, I want to put this thing on because I'm going to go camping and I would love to have Internet access while sitting next to a lake.


What about financial services? What about those wind turbines? This is changing the way that a lot of us are thinking about what has traditionally been nation state run Internet access. If it's sitting up in space, there is no nation that truly controls that. So where is the Great Wall of China, the Great Firewall of China, going to be able to block that?  They are not.


They now have looked at this and started to target Starlink as part of how do we take it out at the beginning of a war? If we go to war, if something happens in Taiwan, who knows. I guarantee and based on the reports that just came out in the past few days they have released some of the stuff.


Back to 1996, the second seminal book that I read was a book by Heidi and Alvin Toffler. They were futurists back then, and they wrote a book called The Third Wave. The basic concept of this is first wave societies are agricultural and they fight over agro resources, second wave industrial, third wave information. And we talk about where we really are today, the high ground is control of that information. And the highest ground that we are looking at out there, currently, is satellites. And satellites in Starlink and the implications to warfare, consumer, private, public, across the board is going to be with us for some time.


Thank you.


>> ED SKOUDIS: Thank you, Rob. Very thought provoking. Thank you to all the panelists. Now it’s time for questions and answers. How about we start with Katie.


Katie, you mentioned MFA bypass. Very important topic, Johannes also touched on it. Are there other MFA bypasses we should be looking out for? Other techniques?


>> KATIE NICKELS: Yeah. In that same US-CERT report I mentioned about a Russian advanced actor, which I think this is an example of an actually advanced persistent threat. They used the one I talked about, re-enablement. But they also used a multifactor bypass called failing open.


So if you think about it, if you use multifactor, right, you log in with your password and then you get a pop up on your phone, your second factor, and you click it to log in. Imagine you do your password log in, and then you find out that your multifactor service is down. And maybe you are like, okay, well, one option is you can't log in at all. Imagine how mad you would be like what the heck, multifactor server is down, and I can't log in. So because of that, because you don't want a whole lot of mad users, a configuration in most multifactor services is what's called failing open. Basically what happens is if the multifactor request can't reach its intended server it says, oh, maybe the server is down for down time, it says, okay, just bypass multifactor. You don't need the second factor.


So this is the failing open. Which at first, I was like, oh my gosh, all adversaries have to do is redirect this. In the Russian APT example they redirected, once they had access to the network, they redirected the legit multifactor server to localhost and so then all of the multifactor authentication requests were freaking out, they’re like I can't find my server, failed open. So the adversaries effectively disabled multifactor authentication. Which was really interesting. And again, it's just fascinating to look at how they take advantage of the built in configurations.


So going back to what Heather said, reading documentation, understanding how these implementations work.


>> ED SKOUDIS: Failed open, what could go wrong.


Next up, Dr. Johannes Ullrich, this is sort of an architectural question based on what is happening in the world today. People are working from home, right. It's just a reality we face. For employees working from home, should backups be kept local or remote or Cloud‑based or what is your advice on that?


>> JOHANNES ULLRICH: My advice is always it depends, and you have to look at your threat models, what are you most afraid of. These days with more and more people working from home, it is often not really an option to do these remote backups we all like just because of data caps that ISPs implement, and just connectivity in general is not always as great as it should be. So you may end up with sort of a hybrid situation where you keep some local backups on the desktops.


And again, think of your threat model. That USB drive, it’s usually some form of USB drive, getting lost is about as high as the actual desktop or laptop they are using getting lost. Keep your encryption strong and your encryption keys close. That's probably the best option you have here no matter whether you are doing it local or whether you are doing it remote in the Cloud.


>> ED SKOUDIS: So there are lots of options and it's all about the threat model ultimately, isn’t it?


>> JOHANNES ULLRICH: Threat model and in particular you are talking about encryption at rest. There is no one size fits all. You really have to think about what your threat is and be realistic about that.


>> HEATHER MAHALIK: And if anybody wants to read up on what Johannes was just saying with the hybrid approach, Lee and I work with the SANS analyst program. It's free to you, you can go out and we talked about the different ways to back up, leverage Cloud, hybrid approaches, securing them. So if you just Google that, you can find it.


>> ED SKOUDIS: Good advice.


So Heather, you are next. You said it's not a matter of if, but when. Very scary stuff. So how could somebody know if they are targeted by malware like this Pegasus thing?


>> HEATHER MAHALIK: Pegasus is a big deal. We will talk about Pegasus and FORCEDENTRY together. Google and Android -- or Android and iOS. It's not something that I would target Rob with. Or pay that money. It's a lot of money to be targeted by this. The issue is it's going to be so well crafted to get you. And that's why it sounds terrible to say it's not what if, it's when. The easiest way is to prepare in advance.


So if you are running for a public office, or you know that your group is going to be under scrutiny, maybe your company is being bought, implement security measures in advance. Make sure anything that is installed automatically on the device is targeted or alerted through a mobile device management. Make sure your mobile device management does not prohibit updates. Updating is huge. You could also, if your company or the person uses an Apple product, disable iMessage and disable FaceTime. Because the apps that are targeted the most for the stealing are the ones that are always on that device. So they are not going to target things like WhatsApp or Signal, they are going to target iMessage because we all use iMessage and it's all there.


So educate yourself, read what's publicly available and just be aware.


>> ED SKOUDIS: And lower your attack surface. Yeah, turning stuff off. That’s great.


So, Rob, here is a big one for you. Interesting stuff you talked about. So we have seen these satellites coming under attack, and surely a lot of people are focused on trying to make them more secure. Trying to make the satellites not hackable. So do you foresee the security of these devices in space rapidly increasing over years, and will this be one of the most deadly attacks in coming years?  Is this one here to stay, does it have legs?


>> ROB LEE: Great question.


Honestly, it comes back down to there is a lot of research going into it right now. There is the Hack-A-Sat, if you go to, there’s competitions out there that are focusing in on it. A lot of the research right now is going into disabling the capabilities and they are almost primarily targeting the terrestrial terminals. And that also ties into a lot of the malware. That's the easiest thing to access.


If you are looking at kinetic, that gets really problematic pretty quickly and that could escalate the conflict pretty fast. Jamming is another option. And through jamming, it requires a lot of high power, and it's very localized. It's not, you know, if you take a look at the amount of Starlink satellites that are being planned in v2: 30,000 of them. I mean you sit there and look at that, that is a resilient backup of how the Internet was designed so if one goes down, everything else is still going to survive.


So a lot of the stuff right now is focusing on how do we take out the end user from being able to access the extra-terrestrial assets.


>> ED SKOUDIS: So it does seem this has legs.


>> JOHANNES ULLRICH: I think one issue here is also being ready for the outage. One thing with the Viasat case was that the windmills still kept operating. So how do your systems fail if connectivity disappears? Try to think that through before you deploy something like this.


>> KATIE NICKELS: In that way maybe it was a success for cyber resilience, the windmills kept spinning even though the satellite internet was down.


>> ED SKOUDIS: Let's do a lightning round, you ready?


So Katie, your whole talk about living off the Cloud was very startling. What other Cloud Services do adversaries utilize to undermine environments?


>> KATIE NICKELS: Almost all of them is the real answer. Google Drive used by crimeware families, Slack, Discord. I don't know that any Cloud service is really immune from this. So I think the takeaway there is, rather than trying to point fingers at the Cloud services adversaries are abusing, it’s your service, it’s your fault, realize this is something they are doing. And going back to know normal, find evil, what is legitimately needed for your business operations in your org. If not, maybe consider monitoring or blocking that stuff.


>> ED SKOUDIS: Good advice. Awesome.


Dr. Johannes Ullrich, this ghost backup thing you talked about sounds really spooky, literally, are there network defense tools that can detect that happening?


>> JOHANNES ULLRICH: That's where it gets tricky, and it comes back to know your network. Know your traffic. One thing a lot of defenders don't do is they don't look at network traffic when everything is normal and sort of do that baselining. So if you do the baselining so you know how much traffic you expect going where, and that way you may be able to detect some of these attacks but also some attacks that Katie talked about. And review the configuration of your backup tools to make sure they didn't get tampered with.


>> ED SKOUDIS: Heather, you ready for your lightning round here? All right.


So you know the industry so well, right, digital forensics and such. So many people are trained on doing forensics on computer systems and increasingly on the Cloud, but mobile is kind of a different beast. How ready are we to do forensics on that at scale versus what we can do with, say, a Windows or Linux environment?


>> HEATHER MAHALIK: Mobile is fast paced. Cloud is also drastically fast paced. Anyone who is authoring or writing these courses, you need to be current, up‑to‑date and up to speed. Something that I think the hiring managers, or anyone who does incident response, mobile is probably the last thought on many people's minds. And I know a lot of people have reached out to me saying can we 1099 you just in case something happens and it involves mobile. And I'm dealing with a situation like that. So have at least one person on your team that has an inkling or knows a smart person they can reach out to for help. But also, don't be afraid to just hire an expert to come in and assist your already in place team as needed.


>> ED SKOUDIS: Augmentation. Absolutely.


So, Rob, final lightning round question for you. If you buy into the attribution of the attack associated with the Ukraine situation, why were so many devices outside of the Ukraine impacted by it?


>> ROB LEE: Great question.


Targeting any type of malware, trying to localize it to hit a single target, is almost impossible. Too many things are interlinked at this point. Attribution to that, whether or not you go back to the geopolitical arena, everyone says Russia just attacked Ukraine, it's likely Russia. Good, glad we got there, but that's a hypothesis. It takes forensics to analyze the code. And even some of that code literally had UK OP written on it. And then it was tied back to Russian cyber operatives. And that attribution, full nation state attribution, came out just last May. Even though those attacks happened in February. In terms of everyone is on the same page and says, yes, we have enough information to fully attribute it back.


>> ED SKOUDIS: Interesting. Attribution is always tough. We have 30 seconds for each of you, so be focused.


What would you like to impart on this RSA Conference audience for them to take home and think about going forward? 30 seconds, go. Rob first.


>> ROB LEE: We have been doing this for a long time, folks. And I hate to tell it, but when we are talking about a lot of things they talked about up here, from the Cloud, backups and everything else, there are a lot of us out there that, even though we are the old school veterans, we actually need more training on this. We need to go back and re‑educate ourselves on this. Cloud and mobile devices and satellites, all of these different technologies, most of us in here would barely be able to rub two nickels against and be able to talk about what the true implications are, or even how to analyze it.

Just start to focus on that and start to say, do I need to go through cyber reskilling in order to keep up with the latest technologies?


>> ED SKOUDIS: Good to know.

>> HEATHER MAHALIK: We need to be passionate to be successful. With all of these threats and everything coming into play, we need to truly care about the work, and it has to be something you enjoy. Last night we were discussing Alan and remembering him, and someone said it was hard to tell when Alan was working and when he was having fun. That is where you should hope to be, and honestly, if cybersecurity isn't it for you, it's never too late. So find your passion and live it.


>> ED SKOUDIS: I love that.


Johannes, real quick.


>> JOHANNES ULLRICH: I think a lot of the problems we are having is because we are data hoarders. We collect too much data and too much bad data, that is sort of also the fake news problem. Focus on data quality, not on data quantity, and I think a lot of the problems will become easier that you are trying to solve.


>> ED SKOUDIS: That's a big idea. That's important. And last but not least, Katie.


>> KATIE NICKELS: This week can be a lot, the expo floor. There is a lot happening, racecars, lights, I would say refocus. We all have a role to play in this community, remember, and I think this is Alan Paller's legacy, we all can make a difference, so go out and make the difference you can make in the cybersecurity community.


>> ED SKOUDIS: Thank you for that. Thank you for representing Alan Paller's legacy.


Folks let's give our panel a round of applause.

Thank you so much and thank you all. Enjoy the rest of the conference!

Ed Skoudis


President, SANS Technology Institute

Rob T. Lee


Chief Curriculum Director and Faculty Lead, SANS Institute

Heather Mahalik


DFIR Curriculum Lead and Sr. Director of Digital Intelligence, SANS Institute and Cellebrite

Katie Nickels


Certified Instructor and Director of Intelligence, SANS Institute and Red Canary

Johannes Ullrich


Dean of Research, SANS Technology Institute

Hackers & Threats