Administrators will have to stop trusting antimalware machine learning, limit the life of session cookies and take a long look at software dependencies.
That was the advice from a panel of instructors and researchers at the SANS Institute, who helped to close out the 2021 RSA Conference with a discussion on what the most pressing threats and emerging trends currently are in the market. As typical for the final day of the conference, "The Five Most Dangerous New Attack Techniques" panel gave attendees predictions of what's to come, and what infosec professionals should prepare for.
Malware writers poison the machine learning well
As any data scientist will often say, machine learning (ML) systems are only as good as the data pool they draw from, and with many antimalware vendors turning to ML for their detection engines, Johannes Ullrich sees the potential for exploitation.
Ullrich, dean of research and fellow at SANS, noted that by employing the crop of known malware as their data set, ML systems are indirectly placing themselves at the mercy of the very malware writers they seek to root out.
Because an ML algorithm trains itself on the malware samples it receives, Ullrich said there is potential for an attacker to intentionally mislead the learning model and train it to look for malware the attacker will not actually use to infiltrate a network.
Using this retraining technique, which is referred at data or ML 'poisoning,' the bad actor could flood the target network with attempts to exploit macros in Microsoft Word documents. As the detection engine increasingly trains itself to spot those types of malware and exploits, the attacker would then take a completely different tactic to get around detection.
"Now your classifier is becoming really focused on Office macros and is missing new samples," Ullrich explained. "The attacker was successful in training your machine learning model to recognize malware that is still malware, but does not matter."
Ransomware moves to the extortion game
The 2019 rise of the Maze ransomware brought about a new method for criminals to drain the coffers of businesses in the form of extortion on threats of data leaks. Unlike previous ransomware attacks, where the victim was told to pay up in order to simply have access to encrypted data, Maze went a step further and threatened companies with a public dump of everything the attacker had accessed and copied prior to encryption.
"So many groups have realized that this extortion thing works," said SANS director of intelligence Katie Nickels. "This is one of the most dangerous new attack techniques, because this is the new normal."
As criminals change up their approach, so too should the businesses they target, Nickels said. Rather than just focus on how to respond to a ransomware infection, they should take a broader view of how attacks play out, seeking to catch the attackers before they are able to exfiltrate the stolen data out of the network.
While catching a malicious hacker in the act is not always an easy task, there are some telltale signs of exfiltration, such as the appearance of utilities and applications such as Rclone that are either left in the open or poorly disguised as other applications.
Buying new software? Maybe ask for a BOM
With supply chain attacks coming into fashion, SANS Institute fellow and director Ed Skoudis suggests that companies pay closer attention to not only who is developing their software and services, but who the developers are drawing their code from.
Skoudis notes that incidents such as the SolarWinds breach have exposed a fundamental flaw in the way we handle trust and the assumption that the software we use has not been poisoned even before the vendor gets it to market.
"Zero trust is a great concept, it is a great architecture, but how do you do that? Via software," Skoudis explained. "If you update using mechanisms that do not verify the integrity of that software, you are in trouble."
Taking the idea a step further, Skoudis noted that dependencies in software, both open source and closed source, present a security weakness as they allow an attacker to infect software by infiltrating a piece of third-party code.
To that end, he suggested that executives and administrators may soon ask for a software bill-of-materials, or a list of the various components and dependencies an application relies on, so they can make sure they are protected from vulnerabilities on those pieces as well.
Cut your sessions short
For Heather Mahalik, digital forensics and incident response curriculum lead at SANS, access tokens are a soft spot in many defense strategies.
As workers have gone remote and opted for their own PCs and devices at their work-from-home setups, securing those access sessions has become a top priority. Something as simple as a laptop left open or a browser session left active can give an attacker an open door into an enterprise.
This means that administrators may have to sacrifice some end-user convenience by making sure session tokens have shorter lifespans and applications request authentication more frequently.
"We have to consider how we are securing these apps, how much we rely on them and whether they are actually safe," Mahalik said.
Even the security of the tokens themselves should be examined, and companies should make sure strong encryption methods are in place.
"There are known vulnerabilities and we talk about this every year," Mahalik noted. "All of these token generators want to be the one-stop shop, but the issue is you just have to verify and ensure the cryptography is not broken."