SANS lists bad backups, cloud abuse as top cyberthreats

A panel of experts from the SANS Institute took the stage at RSA Conference 2022 to weigh in on some of the biggest threats and risks facing security teams.

SAN FRANCISCO -- Stolen authentication tokens, cloud abuse and vulnerable backups are all issues enterprises need to account for in the coming months, according to SANS Institute experts.

Speaking during an RSA Conference 2022 keynote titled "The Five Most Dangerous New Attack Techniques," the experts weighed in on some of the top cyberthreats facing network administrators and security teams. The veteran researchers and security analysts touched on some of the most overlooked risks that companies are currently facing when it comes to information security.

Katie Nickels, SANS instructor and director of intelligence at threat detection vendor Red Canary, told attendees that one of the top cyberthreats was the growing trend of attackers abusing public cloud services, both as a cheap way to get attack infrastructure up and running and as a way to blend in with legitimate traffic and bypass network security controls. Nickels likened the phenomenon to the "living off the land" approach to hacking, where threat actors use built-in system management tools to move laterally and maintain persistent access.

"Now we have to worry about something else called living off the cloud," Nickels said. "Adversaries are using cloud services of different types for a lot of reasons."

Multiple panelists agreed that multifactor authentication is another area of risk. In particular, Johannes Ullrich, director of the SANS Internet Storm Center, discussed how companies should respond when a user loses their primary method of receiving their multifactor code.

"One of the things I see missed when people implement multifactor authentication is: How are you dealing with lost or stolen factors?" he said. "A lot of people don't register multiple second factors."

Ullrich said that one particularly overlooked area of risk is data backups. While many companies are looking to safeguard their active data, Ullrich noted that backups are often left unguarded despite containing much of the same corporate data.

"Backups are boring. Boring is good; keep it boring," Ullrich said. "Make sure they are backed up to where you want to have them backed up to."

Speaking to SearchSecurity after the panel discussion, Ullrich said that companies also need to pay attention to the techniques employed by nation-state attackers, even if they are unlikely to be targeted by such actors themselves.

"Some of these attacks tend to trickle down," he explained. "This year it's a nation-state attacker. In five years, there will be hackers using it. In 10 years, it will be script kiddies."

Rob Lee, chief curriculum director at SANS, noted that there are also lessons to be learned from the invasion of Ukraine, particularly in the way services such as Starlink not only provide communications during a crisis, but do so in a way that can circumvent monitoring and censorship measures taken by oppressive governments.

"You take a look at the implications of what Starlink is doing, and it has serious implications," Lee said. "This is really changing the way we think about what is nation-state access."

For Heather Mahalik, senior director of digital intelligence at SANS, one challenge network defenders face is how to approach changes in attack techniques. Mahalik said that attackers are not always using cutting-edge intrusion techniques; often they rely on what already works.

"As technology changes and how things change for users, how does that change attacks?" Mahalik asked the audience. "Are they relying on new techniques or are they relying on what works? Why would you change the wheel?"
