As has long been the tradition at the annual RSA Conference, the final panel event is the Top 5 Most Dangerous New Attack Techniques session, and the virtual 2021 edition of the conference was no exception.
Ed Skoudis, fellow and director at SANS Institute, identified undermining software integrity as one of the biggest attack vectors that he is seeing today. Software integrity includes supply chain security for all the embedded libraries and components that make up a modern application.
“Our software development and distribution processes today are focused on speed, getting new code and features out faster,” Skoudis said. “They’re not focused on trust and cybersecurity, and this is a pretty profound problem.”
According to Skoudis, there is no single solution to the problem of software integrity and software supply chain management. The first thing that needs to happen is organizations need to know what software they have in their environments so that they can defend it. The next step is to have a software bill of materials, which essentially identifies all the components that make up a given set of software applications. Skoudis also recommends that organizations integrate threat-hunting activities into their workflows as well to help actively look for potential risks.
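The step Skoudis describes, knowing what components are in your software and checking them against what you know is at risk, is what a software bill of materials enables. The following is an added example, not code from the panel or from SANS, that loads a constructed, minimal CycloneDX-style SBOM and matches its components against a constructed advisory list with placeholder identifiers; the version comparison is a simplification that handles only dotted integer versions.

```python
import json

# Constructed, minimal CycloneDX-style SBOM (https://cyclonedx.org). Real SBOMs carry
# many more fields (hashes, licenses, dependency graph); component names are invented.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.3", "components": [
  {"type": "library", "name": "example-logger", "version": "2.14.0",
   "purl": "pkg:maven/org.example/example-logger@2.14.0"},
  {"type": "library", "name": "example-parser", "version": "1.2.3",
   "purl": "pkg:pypi/example-parser@1.2.3"},
  {"type": "library", "name": "example-crypto", "version": "0.9.0",
   "purl": "pkg:npm/example-crypto@0.9.0"}
]}
"""

# Constructed advisory feed: component name -> (placeholder advisory id, first fixed version).
# These are NOT real advisories; in practice this comes from a vulnerability database.
ADVISORIES = {
    "example-logger": {"id": "ADVISORY-PLACEHOLDER-1", "fixed_in": "2.15.0"},
    "example-crypto": {"id": "ADVISORY-PLACEHOLDER-2", "fixed_in": "0.9.0"},
}


def parse_version(version):
    """Turn '2.14.0' into (2, 14, 0) so tuples compare numerically.
    Simplification: assumes purely dotted integer versions."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json):
    """Return the component list from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def find_affected(components, advisories):
    """Match each component against the advisory feed.
    A component is affected when an advisory exists for its name and its
    version is below the first fixed version."""
    hits = []
    for comp in components:
        adv = advisories.get(comp["name"])
        if adv is None:
            continue
        if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
            hits.append({"name": comp["name"], "version": comp["version"],
                         "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return hits


def inventory_report(sbom_json=SBOM_JSON, advisories=ADVISORIES):
    """Inventory first, then hunt: count what you have and list what needs attention."""
    components = load_components(sbom_json)
    return {"component_count": len(components),
            "affected": find_affected(components, advisories)}


if __name__ == "__main__":
    print(json.dumps(inventory_report(), indent=2))
```

The split into an inventory step and a matching step mirrors the order Skoudis gives: you cannot assess components you have not first enumerated, and the same inventory can be re-checked every time the advisory feed changes.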
The Risk of Improper Session Handling
Heather Mahalik, director of digital intelligence at SANS Institute, identified improper session handling as a top risk.
Every time a user logs in to an application or a service, some form of access token is granted to enable access to the session. Mahalik warned that some sessions don’t properly secure tokens, opening up the possibility that data could be leaked or manipulated.
The risk of improper session handling can be reduced with a number of simple steps. The most obvious that Mahalik suggested is for users to log out of devices and application sessions when they are done.
“Many of us like to leave our screen open, we like to leave our devices available, and we will check the box saying use this access for the next seven days, but that’s not secure,” Mahalik said. “Developers, I encourage you to make tokens that expire and kick people off the network.”
Beware of Artificial Intelligence
Johannes Ullrich, dean of research, SANS Technology Institute, warned that a potential risk comes from artificial intelligence and machine learning that is used for malicious purposes. Ullrich warned that attackers could influence or manipulate machine learning training data sets, which would impact what actions an artificial intelligence system would take.
“Your training data matters, and you need to understand these models,” Ullrich said. “So, figure out what they’re doing, and figure out how to tune them.”
Ransomware Is More Than an Availability Problem
Katie Nickels, certified instructor and director of intelligence at SANS Institute, warned that while ransomware isn’t a new threat, the ransomware of 2021 is in fact introducing new risk.
She noted that, historically, ransomware has been discussed as an availability problem. That is, data is encrypted by an attacker, and the user can’t get access to the data. In her view, ransomware is no longer just an availability concern; it’s also increasingly being linked to data exfiltration. Nickels explained that attackers are now also taking the data and then using it for different purposes, before encrypting data and holding it for ransom.
“In fact, in the fourth quarter of 2020 we found that over 70% of ransomware cases involved some kind of exfiltration and extortion,” Nickels said. “This is one of the most dangerous new attack techniques because this is the new normal, thinking about not just the availability, but also the confidentiality of your data, and realizing that adversaries are very likely to exfiltrate and then export your data.”
As ransomware has shifted from being just an availability issue, so too have the recommendations on what organizations should do to defend themselves. Simply having an offline backup is not sufficient, according to Nickels. Organizations should also be taking preventative measures like disallowing any file-sharing tools that aren’t needed in a network, which can help to prevent some exfiltration from happening.
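Nickels' point that exfiltration now precedes encryption means the defence has a detection component as well as a backup component. The following is an added example, not code from the panel or from SANS, that runs over a few constructed proxy log lines and flags uploads to file-sharing services that are not on an approved list, then raises an alert when one source host pushes more than a threshold volume to them. The log format, host names and threshold are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed list of file-sharing services; a real deployment would use the proxy's
# URL categorisation or a maintained feed. Only one of them is sanctioned for use.
FILE_SHARING_HOSTS = {"share.example-drop.test", "upload.example-box.test",
                      "files.example-sync.test"}
APPROVED_FILE_SHARING = {"files.example-sync.test"}

# Per-source upload volume to unapproved services that triggers an alert (50 MiB).
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024

# Constructed proxy log format: timestamp, client IP, HTTP method, host, bytes sent by client.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes_out>\d+)$")

# Constructed sample log. 10.1.2.3 pushes ~70 MiB to an unapproved service;
# 10.1.2.9 uses the sanctioned tool; 10.1.2.7 sends a small file to an unapproved one.
SAMPLE_LOG = """\
2021-05-20T10:01:02Z 10.1.2.3 GET intranet.example.test 512
2021-05-20T10:02:11Z 10.1.2.3 POST share.example-drop.test 31457280
2021-05-20T10:03:45Z 10.1.2.3 POST share.example-drop.test 41943040
2021-05-20T10:04:00Z 10.1.2.9 POST files.example-sync.test 10485760
2021-05-20T10:05:30Z 10.1.2.7 PUT upload.example-box.test 1048576
this line is malformed and must be skipped, not crash the job
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes_out"] = int(rec["bytes_out"])
            records.append(rec)
    return records


def unapproved_uploads(records):
    """Uploads (POST/PUT) to file-sharing hosts that are not on the approved list."""
    disallowed = FILE_SHARING_HOSTS - APPROVED_FILE_SHARING
    return [r for r in records
            if r["host"] in disallowed and r["method"] in ("POST", "PUT")]


def analyze(log_text):
    """Summarise unapproved upload activity and raise per-source volume alerts."""
    events = unapproved_uploads(parse_log(log_text))
    bytes_by_src = defaultdict(int)
    for r in events:
        bytes_by_src[r["src"]] += r["bytes_out"]
    alerts = {src: total for src, total in bytes_by_src.items()
              if total >= UPLOAD_THRESHOLD_BYTES}
    return {"unapproved_events": len(events),
            "bytes_by_src": dict(bytes_by_src),
            "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, total in result["alerts"].items():
        print(f"ALERT {src} sent {total} bytes to unapproved file-sharing services")
```

Two things are checked here because they fail differently: any upload to an unapproved service is a policy violation worth reviewing, while the volume threshold separates a user emailing themselves a slide deck from a bulk pull of data that, in the cases Nickels describes, arrives before the encryption does.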
With the pressures of the pandemic and a seemingly never-ending array of threats that defenders need to be concerned about, Nickels provided an aspirational and inspirational suggestion. She noted that former US president Theodore Roosevelt once said, “Do what you can with what you have, where you are.” In her view, that suggestion is an idea that resonates well for IT security professionals.
“You may not be able to solve every challenge, but don’t get overwhelmed – start somewhere. Start with improving your detections, whatever that means for your organization,” Nickels said. “Do what you can with what you have, where you are, whether it’s in cybersecurity or in life.”